Hello
I am about to switch from openHAB to HASS and I already struggle to integrate it with my Authentik / Traefik combination. I found the guide: Integrate with Home Assistant | authentik
I have already set up a domain-wide forward auth and also included HASS there now as an external service. Since it is a Docker-based installation I also tried using labels for Traefik as I do in some other containers, but that leaves me with the problem of not being able to use network_mode: host, which I need for mDNS etc.
I have to sign in with my username / password again after a successful authentication with Authentik. Is there a way around that?
I have some problems setting up OAuth, specifically Spotify, but I am sure it will apply to other services as well. I added https://hass.myfqdn/auth/external/callback to my developer dashboard and copied the secret and ID, and I get an "invalid URL" error. I think I need an exception for my Authentik middleware. Can you help me there? I have no idea how to achieve this.
Thank you
docker-compose.yml:
networks:
  frontend:
    external: true
  backend:
    external: true

services:
  homeassistant:
    image: ghcr.io/home-assistant/home-assistant:stable
    container_name: homeassistant
    environment:
      - PUID=1000 # matches the docker (VM) user (in a terminal: id -u 'USER')
      - PGID=1000
      - TZ=Europe/Berlin
    volumes:
      - ./config:/config
    network_mode: host
    # Alternative: bridged network with Traefik labels (cannot be combined with network_mode: host)
    # networks:
    #   - frontend
    # ports:
    #   - 8123:8123 # optional
    # labels:
    #   - traefik.enable=true
    #   - traefik.http.services.hass.loadbalancer.server.port=8123
    #   - traefik.http.routers.hass.rule=Host(`hass.${DOMAIN}`)
    #   - traefik.http.routers.hass.entrypoints=websecure
    #   - traefik.http.routers.hass.tls=true
    #   - traefik.http.routers.hass.tls.certresolver=cloudflare
    #   - traefik.http.routers.hass.middlewares=authentik-middleware@file
    # devices:
    #   - /path/to/device:/path/to/device # optional
    restart: unless-stopped
configuration.yml:
# Loads default set of integrations. Do not remove.
default_config:

# Load frontend themes from the themes folder
frontend:
  themes: !include_dir_merge_named themes

automation: !include automations.yaml
script: !include scripts.yaml
scene: !include scenes.yaml

homeassistant:
  external_url: "https://hass.myfqdn"
  internal_url: "http://192.168.1.112:8123"
  # auth_providers:
  #   - type: header
  #     name: Authentik

http:
  use_x_forwarded_for: true
  trusted_proxies:
    - 172.19.0.0/16
    - 192.168.1.0/24 # Traefik runs externally (not in the docker network)
    # Every address in this list may set X-Forwarded-For, which is the client IP that
    # ip_ban sees; narrowing the entry to the single Traefik host address keeps other
    # LAN hosts from spoofing it.
  ip_ban_enabled: true
  login_attempts_threshold: 20
In Traefik:
external.yml:
http:
  # Routers must sit under http.routers; a router placed directly under http is ignored by the file provider.
  routers:
    hass:
      rule: "Host(`hass.mydomain`)"
      service: hass
      entryPoints:
        - websecure
      tls:
        certResolver: cloudflare
  services:
    hass:
      loadBalancer:
        # serversTransport: insecureTransport
        servers:
          - url: "http://192.168.1.112:8123"
The authentik.yml:
http:
  middlewares:
    authentik-middleware:
      forwardAuth:
        address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
        trustForwardHeader: true
        authResponseHeaders:
          - X-authentik-username
          - X-authentik-groups
          - X-authentik-email
          - X-authentik-name
          - X-authentik-uid
          - X-authentik-jwt
          - X-authentik-meta-jwks
          - X-authentik-meta-outpost
          - X-authentik-meta-provider
          - X-authentik-meta-app
          - X-authentik-meta-version
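One way to exempt a single path from the forwardAuth middleware in the Traefik file provider, as an added example that is not part of the original post or of the authentik guide: the main router keeps the middleware, and a second router on the same host matches only the OAuth callback path, wins by priority, and carries no middleware. The host name, backend address, certificate resolver and middleware name are taken from the post above; the router name hass-oauth-callback and the priority value 100 are assumptions.

```yaml
http:
  routers:
    hass:
      rule: "Host(`hass.mydomain`)"
      entryPoints:
        - websecure
      service: hass
      # Fully-qualified name of the middleware defined in authentik.yml (same file provider).
      middlewares:
        - authentik-middleware@file
      tls:
        certResolver: cloudflare

    hass-oauth-callback:
      # Assumed router name. Matches exactly the OAuth return path and nothing else.
      rule: "Host(`hass.mydomain`) && Path(`/auth/external/callback`)"
      # Assumed value; any number above the default (rule length) of the "hass" router works.
      priority: 100
      entryPoints:
        - websecure
      service: hass
      # Deliberately no middlewares: requests to this path reach Home Assistant without
      # passing through authentik. Home Assistant's own handling of the callback is then
      # the only protection, so keep the rule to one exact Path, not a PathPrefix.
      tls:
        certResolver: cloudflare

  services:
    hass:
      loadBalancer:
        servers:
          - url: "http://192.168.1.112:8123"
```

This only works when the forwardAuth middleware is attached per router, as above. If the "domain-wide" forward auth was configured on the websecure entryPoint (entryPoints.websecure.http.middlewares), Traefik applies it to every router on that entryPoint and the exemption has no effect; the middleware then has to be moved from the entryPoint onto the individual routers.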