docs: complete Authentik SSO setup for all kitestacks.com services (v1.3.898)

- All OAuth2/OIDC providers created in Authentik; secrets filled for Kavita and OpenProject - Proxy Providers created for Shaarli, Uptime Kuma, LiteLLM; assigned to Embedded Outpost - OpenProject upgraded v13→v15 with data preserved; compose volume path fixed - Cloudflare tunnel updates for proxy services still pending Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-08 20:32:51 -05:00 · 2026-06-08 20:32:51 -05:00 · 34ae9423ef
commit 34ae9423ef
parent 608f8de681
5 changed files with 102 additions and 32 deletions
--- a/apps/authentik/AUTHENTIK.md
+++ b/apps/authentik/AUTHENTIK.md
@ -22,14 +22,18 @@ Both server and worker are on the `kitestacks` external Docker network.

 ## Configured Applications

-| App | Provider ID | Status |
-|-----|-------------|--------|
-| Grafana | 1 | Configured |
-| Kavita | 2 | Configured |
-| Open WebUI | 3 | Configured |
-| Forgejo | 4 | Configured |
+| App | Provider Type | Client ID | Status |
+|-----|--------------|-----------|--------|
+| Grafana | OAuth2/OIDC | `grafana` | ✅ Configured |
+| Kavita | OAuth2/OIDC | `kavita` | ✅ Configured, secret filled |
+| Open WebUI | OAuth2/OIDC | `open-webui` | ✅ Configured |
+| Forgejo | OAuth2/OIDC | `forgejo` | ✅ Configured, OAuth2 source in Forgejo admin |
+| OpenProject | OAuth2/OIDC | `openproject` | ✅ Configured, secret filled, upgraded to v15 |
+| Shaarli | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
+| Uptime Kuma | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
+| LiteLLM | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |

-> SSO verification pending — not yet tested end-to-end.
+> Cloudflare tunnel routes for Shaarli, Uptime Kuma, LiteLLM still point to service containers directly — update to `http://authentik:9000` in the Cloudflare dashboard to activate proxy protection.

 ## All Services Running on Server

@ -43,7 +47,7 @@ Both server and worker are on the `kitestacks` external Docker network.
 | homepage | nginx | 3005 |
 | homepage-test | gethomepage | 3007 |
 | kitestacks-portal | nginx | 3008 |
-| openproject | openproject:13 | 8080 |
+| openproject | openproject:15 | 80 |
 | kite-litellm | litellm | 4000 |
 | bookstack | bookstack | 6875 |
 | authentik | server:latest | 9001 |
@ -60,20 +64,15 @@ Tunnel is token-based — ingress rules live in the Cloudflare dashboard:

 No local `config.yml` — all routing configured via the dashboard.

-## Pending Integrations
+## Pending

-Services not yet added to Authentik SSO:
+- [ ] Update Cloudflare tunnel routes: `links.kitestacks.com`, `status.kitestacks.com`, `llm.kitestacks.com` → `http://authentik:9000`
+- [ ] Update Cloudflare tunnel route: `tasks.kitestacks.com` → `http://openproject:80`
+- [ ] Test SSO end-to-end for all services
+- [ ] Phase 2: add friend's Authentik account, verify auto-provisioning across all apps

- [ ] Bookstack
- [ ] OpenProject
- [ ] Portainer
- [ ] Homepage
- [ ] Shaarli
- [ ] Uptime Kuma
+## Excluded from SSO

-## Next Steps
-
-1. Confirm public domain from Cloudflare tunnel dashboard
-2. Test SSO login on Forgejo, Grafana, Kavita, Open WebUI
-3. Add remaining services (see Pending Integrations above)
-4. Set up SSH key auth on the server (currently password only)
+- Portainer — admin tool, excluded by design
+- Prometheus / Node Exporter — internal metrics, excluded by design
+- Homepage — public landing page, no auth needed