Authentik: change install to UV & increase resources to 10GB RAM (#4364)

Author: MickLesk

ct/authentik.sh

@@ -9,7 +9,7 @@ APP="Authentik"
 var_tags="${var_tags:-identity-provider}"
 var_disk="${var_disk:-12}"
 var_cpu="${var_cpu:-6}"
-var_ram="${var_ram:-8192}"
+var_ram="${var_ram:-10240}"
 var_os="${var_os:-debian}"
 var_version="${var_version:-12}"
 var_unprivileged="${var_unprivileged:-1}"
@@ -29,6 +29,13 @@ function update_script() {
   fi
   RELEASE=$(curl -fsSL https://api.github.com/repos/goauthentik/authentik/releases/latest | grep "tarball_url" | awk '{print substr($2, 2, length($2)-3)}')
   if [[ "${RELEASE}" != "$(cat /opt/${APP}_version.txt)" ]] || [[ ! -f /opt/${APP}_version.txt ]]; then
+    NODE_VERSION="22"
+    PG_VERSION="16"
+    setup_uv
+    install_postgresql
+    install_node_and_modules
+    install_go
+
     msg_info "Stopping ${APP}"
     systemctl stop authentik-server
     systemctl stop authentik-worker
@@ -54,17 +61,14 @@ function update_script() {
     go build -o /opt/authentik/authentik-server /opt/authentik/cmd/server/
     msg_ok "Built ${APP} server"
 
-    msg_info "Installing Python Dependencies"
+    msg_info "Building Authentik"
     cd /opt/authentik
-    $STD poetry install --only=main --no-ansi --no-interaction --no-root
-    $STD poetry export --without-hashes --without-urls -f requirements.txt --output requirements.txt
-    $STD pip install --no-cache-dir -r requirements.txt
-    $STD pip install .
-    msg_ok "Installed Python Dependencies"
+    $STD uv sync --frozen --no-install-project --no-dev
+    uv run python -m lifecycle.migrate
+    ln -s /opt/authentik/.venv/bin/gunicorn /usr/local/bin/gunicorn
+    ln -s /opt/authentik/.venv/bin/celery /usr/local/bin/celery
+    msg_ok "Authentik built"
 
-    msg_info "Updating ${APP} to v${RELEASE} (Patience)"
-    cp -r /opt/authentik/authentik/blueprints /opt/authentik/blueprints
-    $STD bash /opt/authentik/lifecycle/ak migrate
     echo "${RELEASE}" >/opt/${APP}_version.txt
     msg_ok "Updated ${APP} to v${RELEASE}"
 

frontend/public/json/authentik.json

@@ -20,7 +20,7 @@
             "script": "ct/authentik.sh",
             "resources": {
                 "cpu": 6,
-                "ram": 8192,
+                "ram": 10240,
                 "hdd": 12,
                 "os": "debian",
                 "version": "12"
@@ -33,7 +33,11 @@
     },
     "notes": [
         {
-            "text": "Authentik is very resource-heavy, it is recommended to use at least 8GB RAM anytime!",
+            "text": "Authentik is very resource-heavy, it is recommended to use at least 10GB RAM anytime!",
+            "type": "warning"
+        },
+        {
+            "text": "Some updates don't work due to massive dependency errors, it's recommended to do a backup before updating or a pg_dump and a new LXC.",
             "type": "warning"
         }
     ]

install/authentik-install.sh

@@ -15,7 +15,6 @@ update_os
 
 msg_info "Installing Dependencies (Patience)"
 $STD apt-get install -y \
-  gpg \
   pkg-config \
   libffi-dev \
   build-essential \
@@ -33,9 +32,15 @@ $STD apt-get install -y \
   libxmlsec1-openssl \
   libmaxminddb0 \
   python3-pip \
+  redis-server \
   git
 msg_ok "Installed Dependencies"
 
+setup_uv
+PG_VERSION="16" install_postgresql
+NODE_VERSION="22" install_node_and_modules
+install_go
+
 msg_info "Installing yq"
 cd /tmp
 YQ_LATEST="$(curl -fsSL https://api.github.com/repos/mikefarah/yq/releases/latest | grep -Po '"tag_name": "\K.*?(?=")')"
@@ -56,46 +61,8 @@ cat <<EOF >/etc/GeoIP.conf
 EOF
 msg_ok "Installed GeoIP"
 
-msg_info "Setting up Python 3"
-cd /tmp
-curl -fsSL "https://www.python.org/ftp/python/3.12.1/Python-3.12.1.tgz" -o "Python.tgz"
-tar -zxf Python.tgz
-cd Python-3.12.1
-$STD ./configure --enable-optimizations
-$STD make altinstall
-cd ~
-$STD update-alternatives --install /usr/bin/python3 python3 /usr/local/bin/python3.12 1
-msg_ok "Setup Python 3"
-
-msg_info "Setting up Node.js Repository"
-mkdir -p /etc/apt/keyrings
-curl -fsSL https://deb.nodesource.com/gpgkey/nodesource-repo.gpg.key | gpg --dearmor -o /etc/apt/keyrings/nodesource.gpg
-echo "deb [signed-by=/etc/apt/keyrings/nodesource.gpg] https://deb.nodesource.com/node_22.x nodistro main" >/etc/apt/sources.list.d/nodesource.list
-msg_ok "Set up Node.js Repository"
-
-msg_info "Installing Node.js"
-$STD apt-get update
-$STD apt-get install -y nodejs
-msg_ok "Installed Node.js"
-
-msg_info "Installing Golang"
-set +o pipefail
-temp_file=$(mktemp)
-golang_tarball=$(curl -fsSL https://go.dev/dl/ | grep -oP 'go[\d\.]+\.linux-amd64\.tar\.gz' | head -n 1)
-curl -fsSL "https://golang.org/dl/${golang_tarball}" -o "$temp_file"
-tar -C /usr/local -xzf "$temp_file"
-ln -sf /usr/local/go/bin/go /usr/local/bin/go
-rm -f "$temp_file"
-set -o pipefail
-msg_ok "Installed Golang"
-
-msg_info "Installing Redis"
-$STD apt-get install -y redis-server
-systemctl enable -q --now redis-server
-msg_ok "Installed Redis"
-
 msg_info "Installing PostgreSQL"
-$STD apt-get install -y postgresql postgresql-contrib
+$STD apt-get install -y postgresql-16 postgresql-contrib-16
 DB_NAME="authentik"
 DB_USER="authentik"
 DB_PASS="$(openssl rand -base64 18 | cut -c1-13)"
@@ -111,71 +78,110 @@ RELEASE=$(curl -fsSL https://api.github.com/repos/goauthentik/authentik/releases
 mkdir -p /opt/authentik
 curl -fsSL "${RELEASE}" -o "authentik.tar.gz"
 tar -xzf authentik.tar.gz -C /opt/authentik --strip-components 1 --overwrite
+export NODE_OPTIONS="--max-old-space-size=4096"
 cd /opt/authentik/website
 $STD npm install
 $STD npm run build-bundled
+
 cd /opt/authentik/web
 $STD npm install
 $STD npm run build
-echo "${RELEASE}" >/opt/${APPLICATION}_version.txt
+
 cd /opt/authentik
 $STD go mod download
 $STD go build -o /go/authentik ./cmd/server
 $STD go build -o /opt/authentik/authentik-server /opt/authentik/cmd/server/
-cd /opt/authentik
-$STD pip3 install --upgrade pip
-$STD pip3 install poetry poetry-plugin-export
-ln -s /usr/local/bin/poetry /usr/bin/poetry
-$STD poetry install --only=main --no-ansi --no-interaction --no-root
-$STD poetry export --without-hashes --without-urls -f requirements.txt --output requirements.txt
-$STD pip install --no-cache-dir -r requirements.txt
-$STD pip install .
+$STD uv sync --frozen --no-install-project --no-dev
+#$STD pip3 install --no-cache-dir --upgrade pip
+#$STD pip3 install --upgrade pip
+#$STD pip3 install poetry poetry-plugin-export
+
+#ln -s /usr/local/bin/poetry /usr/bin/poetry
+#$STD poetry install --only=main --no-ansi --no-interaction --no-root
+#$STD poetry export --without-hashes --without-urls -f requirements.txt --output requirements.txt
+#$STD pip install --no-cache-dir -r requirements.txt
+#$STD pip install .
 mkdir -p /etc/authentik
 mv /opt/authentik/authentik/lib/default.yml /etc/authentik/config.yml
 $STD yq -i ".secret_key = \"$(openssl rand -hex 32)\"" /etc/authentik/config.yml
 $STD yq -i ".postgresql.password = \"${DB_PASS}\"" /etc/authentik/config.yml
 $STD yq -i ".geoip = \"/opt/authentik/tests/GeoLite2-City-Test.mmdb\"" /etc/authentik/config.yml
 cp -r /opt/authentik/authentik/blueprints /opt/authentik/blueprints
 $STD yq -i ".blueprints_dir = \"/opt/authentik/blueprints\"" /etc/authentik/config.yml
-ln -s /usr/bin/python3 /usr/bin/python
-ln -s /usr/local/bin/gunicorn /usr/bin/gunicorn
-ln -s /usr/local/bin/celery /usr/bin/celery
-$STD bash /opt/authentik/lifecycle/ak migrate
-cd ~
+#ln -s /usr/bin/python3 /usr/bin/python
+#ln -s /usr/local/bin/gunicorn /usr/bin/gunicorn
+#ln -s /usr/local/bin/celery /usr/bin/celery
+#$STD bash /opt/authentik/lifecycle/ak migrate
+cd /opt/authentik
+uv run python -m lifecycle.migrate
+ln -s /opt/authentik/.venv/bin/gunicorn /usr/local/bin/gunicorn
+ln -s /opt/authentik/.venv/bin/celery /usr/local/bin/celery
+echo "${RELEASE}" >/opt/${APPLICATION}_version.txt
 msg_ok "Installed authentik"
 
 msg_info "Creating Services"
 cat <<EOF >/etc/systemd/system/authentik-server.service
 [Unit]
-Description = authentik Server
+Description=authentik Go Server (API Gateway)
+After=network.target
+Wants=redis.service postgresql.service
 
 [Service]
-ExecStart=/opt/authentik/authentik-server
 WorkingDirectory=/opt/authentik/
+ExecStart=/opt/authentik/authentik-server
 Restart=always
 RestartSec=5
+Environment=DJANGO_SETTINGS_MODULE=authentik.root.settings
 
 [Install]
 WantedBy=multi-user.target
 EOF
 
 cat <<EOF >/etc/systemd/system/authentik-worker.service
 [Unit]
-Description = authentik Worker
+Description=authentik Celery Worker
+After=network.target redis.service postgresql.service
+Requires=redis.service
 
 [Service]
-Environment=DJANGO_SETTINGS_MODULE="authentik.root.settings"
-ExecStart=celery -A authentik.root.celery worker -Ofair --max-tasks-per-child=1 --autoscale 3,1 -E -B -s /tmp/celerybeat-schedule -Q authentik,authentik_scheduled,authentik_events
-WorkingDirectory=/opt/authentik/authentik
+Type=simple
+WorkingDirectory=/opt/authentik
+ExecStart=/opt/authentik/.venv/bin/celery \
+  -A authentik.root.celery worker \
+  -Ofair \
+  --max-tasks-per-child=1 \
+  --autoscale 3,1 \
+  -Q authentik,authentik_scheduled,authentik_events \
+  -E
 Restart=always
 RestartSec=5
+Environment=DJANGO_SETTINGS_MODULE=authentik.root.settings
 
 [Install]
 WantedBy=multi-user.target
 EOF
-systemctl enable -q --now authentik-server
-sleep 2
-systemctl enable -q --now authentik-worker
+
+cat <<EOF >/etc/systemd/system/authentik-celery-beat.service
+[Unit]
+Description=authentik Celery Beat Scheduler
+After=network.target
+
+[Service]
+Type=simple
+WorkingDirectory=/opt/authentik
+ExecStart=/opt/authentik/.venv/bin/celery \
+  -A authentik.root.celery beat \
+  -s /tmp/celerybeat-schedule
+Restart=always
+RestartSec=5
+#User=authentik
+Environment=DJANGO_SETTINGS_MODULE=authentik.root.settings
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+systemctl enable -q --now authentik-server authentik-worker authentik-celery-beat
 msg_ok "Created Services"
 
 motd_ssh