# Installing Authentik on CasaOS (Big Bear Template)

## Overview

This article outlines the successful installation of **Authentik** on an Ubuntu server running **CasaOS** (192.168.0.152). Authentik is a complex application consisting of four separate containers that must communicate over a shared internal network.

---

## 1. Pre-Installation Cleanup

To prevent database corruption or "ghost" network conflicts, start with a clean environment.

- **Remove Existing Apps:** Uninstall any previous Authentik or Postgres attempts via the CasaOS dashboard.
- **Clear AppData:** Use the Files app to delete the `AppData/big-bear-authentik` folder.
- **Prune Ghost Networks:** If an installation fails with a "Label" or "Network" error, use a terminal to run:

```
docker network prune
```

*(Enter 'y' when prompted to remove unused custom networks.)*

---

## 2. Installation via Big Bear App Store

Navigate to the App Store in CasaOS and select **Authentik** from the Big Bear repository. Before clicking "Install," you must adjust the settings for all four components.

### A. Component: big-bear-authentik (Server)

- **Network:** Select `big-bear-authentik` (or the longest available big-bear network name).
- **Ports:** Add a new port mapping: 
    - **Host:** 9000
    - **Container:** 9000
    - **Protocol:** TCP
- **Web UI:** Ensure the URL is set to `http://[IP]:9000`.

### B. Components: DB, Redis, and Worker

Navigate to the tabs for `big-bear-authentik-db`, `big-bear-authentik-redis`, and `big-bear-authentik-worker`.

- **Crucial Step:** Change the **Network** on every single tab to match the one selected for the Server (`big-bear-authentik`).
- **Internal Communication:** Do **not** map host ports for the DB or Redis; they communicate internally over the shared bridge network.

---

## 3. Post-Installation & Troubleshooting

### The "Authentik Starting" Screen

Upon first boot, the server will display a black screen stating "authentik starting."

- **Cause:** The server is running initial database migrations and building internal tables.
- **Action:** Wait **3–5 minutes**. Do not restart the containers during this phase.

### Database "Unhealthy" Status

If the DB is marked unhealthy, it is usually due to a password mismatch in the environment variables.

- **Fix:** Ensure `POSTGRES_PASSWORD` in the DB tab matches the `AUTHENTIK_POSTGRESQL__PASSWORD` in both the Server and Worker tabs.

---

## 4. Initial Admin Account Setup

Authentik does not ship with a default password for the `akadmin` user. You must trigger the initial setup flow.

1. Navigate to: `http://192.168.0.152:9000/if/flow/initial-setup/`
2. Set a strong master password for the **akadmin** account.
3. Log in at the standard portal using: 
    - **Username:** akadmin
    - **Password:** (The one you just created)

---

## Summary of "What Worked"

<table id="bkmrk-requirement-value-%2F-" style="width: 100%; border-collapse: collapse; margin-top: 10px;"><thead><tr style="background-color: #f4f4f4;"><th style="border: 1px solid #ddd; padding: 10px; text-align: left;">Requirement</th><th style="border: 1px solid #ddd; padding: 10px; text-align: left;">Value / Selection</th></tr></thead><tbody><tr><td style="border: 1px solid #ddd; padding: 10px;">**Shared Network**</td><td style="border: 1px solid #ddd; padding: 10px;">big-bear-authentik (Set on all 4 tabs)</td></tr><tr><td style="border: 1px solid #ddd; padding: 10px;">**Primary Port**</td><td style="border: 1px solid #ddd; padding: 10px;">9000 (Mapped for HTTP access)</td></tr><tr><td style="border: 1px solid #ddd; padding: 10px;">**Worker Command**</td><td style="border: 1px solid #ddd; padding: 10px;">worker</td></tr><tr><td style="border: 1px solid #ddd; padding: 10px;">**Setup URL**</td><td style="border: 1px solid #ddd; padding: 10px;">/if/flow/initial-setup/</td></tr></tbody></table>