From fe7dccfcc0cceee72ce6ec0a8b7fafaa816e5505 Mon Sep 17 00:00:00 2001 From: kenpat Date: Mon, 15 Jun 2026 09:19:32 -0500 Subject: [PATCH] 2026-06-15: resume Uptime Kuma Authentik SSO setup --- project-kitestacks-migration.md | 33 +++++++++++++++++++++++++++++++-- 1 file changed, 31 insertions(+), 2 deletions(-) diff --git a/project-kitestacks-migration.md b/project-kitestacks-migration.md index 9dce622..795cc38 100644 --- a/project-kitestacks-migration.md +++ b/project-kitestacks-migration.md 
@@ -378,8 +378,37 @@ above. Prometheus + Uptime Kuma: DEFERRED - neither has native OAuth, need a forward-auth proxy (oauth2-proxy or Authentik embedded outpost) - deferred per user's "ok lets do smaller app level" (hold new infra until Oracle VPS decided). Cloudflare itself: no SSO concept applicable (it's Cloudflare's own dashboard -login) - was always about the portal's Cloudflare card placement, see "Portal UI -changes" note above. +managed outside the lab login) - was always about the portal's Cloudflare card +placement, see "Portal UI changes" note above. + +### Uptime Kuma + Authentik SSO resumed on monk (2026-06-15) +User confirmed the next task is setting up Uptime Kuma with Authentik SSO in +the main KiteStacks lab, and explicitly requested saving progress to +`~/claude-memory` and pushing to the Forgejo `kenpat/claude-memory` repo as we +go. + +Verified current live state on monk before making changes: +- `uptime-kuma` container is running and healthy, published on host port + `3001`, image `louislam/uptime-kuma:latest`. +- Installed Uptime Kuma version inside the container is `1.23.17`. +- Uptime Kuma compose file is + `~/kitestacks-live/docker/uptime-kuma/docker-compose.yml`, using external + Docker volume `uptime-kuma:/app/data` and networks `default` + external + `kitestacks`. +- Uptime Kuma SQLite DB path inside container is `/app/data/kuma.db`; tables + include `user`, `setting`, `monitor`, `heartbeat`, `status_page`, + `notification`, `api_key`, and related monitor/status tables. No obvious + native OAuth/OIDC tables were present in the initial schema list. +- Grafana is already configured for Authentik generic OAuth in + `~/kitestacks-live/docker/grafana/docker-compose.yml` with Authentik public + authorize URL and internal token/userinfo URLs. +- `authentik` is healthy; `authentik-worker` currently shows unhealthy in + `docker ps` even though it has been running for ~35h. Check logs/health + before relying on new Authentik-side automation. 
+ +Important security hygiene: local git remote for `~/claude-memory` contains an +HTTP token in the URL; do not print it in summaries. Prefer redacted URLs in +handoffs. ### Oracle VPS migration - PLANNED, upcoming (stated 2026-06-11) User confirmed on 2026-06-11: "we are going to switch things soon from hetzner
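Review bot: the "Important security hygiene" paragraph at the end of the hunk records that the `~/claude-memory` remote URL embeds an HTTP token but only asks that it not be printed in summaries; the token itself still sits in plain text in that repository's git config on monk, so the exposure exists regardless of what appears in handoffs. The note should also record a follow-up to take the credential out of the remote URL (a git credential helper or an SSH remote) and to rotate the token, since it has already been handled as a URL component. Two smaller points in the "Verified current live state" list: the `uptime-kuma` image is recorded as `louislam/uptime-kuma:latest` while the installed version is recorded as `1.23.17`, so pinning the compose tag to the verified version would keep the SSO work reproducible; and the `authentik-worker` unhealthy status ends with "Check logs/health before relying on new Authentik-side automation" without an outcome, so a line recording what that check found belongs here before the Authentik-side changes start.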