kenpat/kitestacks-homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1

docs: complete Authentik SSO setup for all kitestacks.com services (v1.3.898)

Browse source 
- All OAuth2/OIDC providers created in Authentik; secrets filled for Kavita and OpenProject
- Proxy Providers created for Shaarli, Uptime Kuma, LiteLLM; assigned to Embedded Outpost
- OpenProject upgraded v13→v15 with data preserved; compose volume path fixed
- Cloudflare tunnel updates for proxy services still pending

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
Kenpat7177 2026-06-08 20:32:51 -05:00
parent 608f8de681
commit 34ae9423ef
5 changed files with 102 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

16
CHANGELOG.md
View file

@ -2,6 +2,22 @@
All notable changes to KiteStacks Homelab are documented here. All notable changes to KiteStacks Homelab are documented here.
## [v1.3.898] — 2026-06-08
### Changed
- Completed Authentik SSO configuration for all kitestacks.com services
- Filled OIDC client secrets for Kavita (`appsettings.json`) and OpenProject (`.env`)
- Created Authentik OAuth2/OIDC providers for OpenProject; Proxy Providers for Shaarli, Uptime Kuma, LiteLLM
- All three proxy apps assigned to Authentik Embedded Outpost
- Upgraded OpenProject from `community:13``openproject:15` (data preserved)
- Fixed `apps/openproject/docker-compose.yml` volume path to bind-mount existing data directory
- Updated `apps/authentik/AUTHENTIK.md` and `docs/authentik-sso-setup.md` to reflect current status
### Pending
- Cloudflare tunnel route updates for Shaarli, Uptime Kuma, LiteLLM, OpenProject
---
## [v1.3.897] — 2026-06-08 19:22:51 ## [v1.3.897] — 2026-06-08 19:22:51
### Changed ### Changed

2
README.md
View file

@ -1,6 +1,6 @@
# KiteStacks Homelab # KiteStacks Homelab
<!-- version: 1.3.897 --> <!-- version: 1.3.898 -->
Private GitOps repository for the KiteStacks homelab. Private GitOps repository for the KiteStacks homelab.

43
apps/authentik/AUTHENTIK.md
View file

@ -22,14 +22,18 @@ Both server and worker are on the `kitestacks` external Docker network.
## Configured Applications ## Configured Applications
| App | Provider ID | Status | | App | Provider Type | Client ID | Status |
|-----|-------------|--------| |-----|--------------|-----------|--------|
| Grafana | 1 | Configured | | Grafana | OAuth2/OIDC | `grafana` | ✅ Configured |
| Kavita | 2 | Configured | | Kavita | OAuth2/OIDC | `kavita` | ✅ Configured, secret filled |
| Open WebUI | 3 | Configured | | Open WebUI | OAuth2/OIDC | `open-webui` | ✅ Configured |
| Forgejo | 4 | Configured | | Forgejo | OAuth2/OIDC | `forgejo` | ✅ Configured, OAuth2 source in Forgejo admin |
| OpenProject | OAuth2/OIDC | `openproject` | ✅ Configured, secret filled, upgraded to v15 |
| Shaarli | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
| Uptime Kuma | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
| LiteLLM | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
> SSO verification pending — not yet tested end-to-end. > Cloudflare tunnel routes for Shaarli, Uptime Kuma, LiteLLM still point to service containers directly — update to `http://authentik:9000` in the Cloudflare dashboard to activate proxy protection.
## All Services Running on Server ## All Services Running on Server
@ -43,7 +47,7 @@ Both server and worker are on the `kitestacks` external Docker network.
| homepage | nginx | 3005 | | homepage | nginx | 3005 |
| homepage-test | gethomepage | 3007 | | homepage-test | gethomepage | 3007 |
| kitestacks-portal | nginx | 3008 | | kitestacks-portal | nginx | 3008 |
| openproject | openproject:13 | 8080 | | openproject | openproject:15 | 80 |
| kite-litellm | litellm | 4000 | | kite-litellm | litellm | 4000 |
| bookstack | bookstack | 6875 | | bookstack | bookstack | 6875 |
| authentik | server:latest | 9001 | | authentik | server:latest | 9001 |
@ -60,20 +64,15 @@ Tunnel is token-based — ingress rules live in the Cloudflare dashboard:
No local `config.yml` — all routing configured via the dashboard. No local `config.yml` — all routing configured via the dashboard.
## Pending Integrations ## Pending
Services not yet added to Authentik SSO: - [ ] Update Cloudflare tunnel routes: `links.kitestacks.com`, `status.kitestacks.com`, `llm.kitestacks.com``http://authentik:9000`
- [ ] Update Cloudflare tunnel route: `tasks.kitestacks.com``http://openproject:80`
- [ ] Test SSO end-to-end for all services
- [ ] Phase 2: add friend's Authentik account, verify auto-provisioning across all apps
- [ ] Bookstack ## Excluded from SSO
- [ ] OpenProject
- [ ] Portainer
- [ ] Homepage
- [ ] Shaarli
- [ ] Uptime Kuma
## Next Steps - Portainer — admin tool, excluded by design
- Prometheus / Node Exporter — internal metrics, excluded by design
1. Confirm public domain from Cloudflare tunnel dashboard - Homepage — public landing page, no auth needed
2. Test SSO login on Forgejo, Grafana, Kavita, Open WebUI
3. Add remaining services (see Pending Integrations above)
4. Set up SSH key auth on the server (currently password only)

55
docs/KiteStacks-Homelab-Documentation-v1.3.898.md Normal file
View file

@ -0,0 +1,55 @@
# KiteStacks Homelab Documentation v1.3.898
**Version:** 1.3.898
**Updated:** 2026-06-08
**Previous:** [v1.3.897 docs](KiteStacks-Homelab-Documentation-v1.3.897.md)
---
## Change Summary
- Completed Authentik SSO provider/application setup for all kitestacks.com services
- Filled OIDC client secrets for Kavita and OpenProject
- Upgraded OpenProject from v13 → v15 (data preserved via bind mount migration)
- Created Authentik Proxy Providers for Shaarli, Uptime Kuma, LiteLLM; assigned to Embedded Outpost
- Fixed OpenProject docker-compose.yml volume path to preserve existing data
- Updated `apps/authentik/AUTHENTIK.md` and `docs/authentik-sso-setup.md` to reflect current status
---
## SSO Status (as of 2026-06-08)
| Service | Method | Status |
|---------|--------|--------|
| Grafana | OAuth2 | ✅ Configured |
| Kite AI (OpenWebUI) | OIDC | ✅ Configured |
| Forgejo | OAuth2 | ✅ Configured |
| Kavita | OIDC | ✅ Configured, secret filled |
| OpenProject | OIDC | ✅ Configured, upgraded to v15 |
| Shaarli | Proxy | ⚠️ Provider ready, CF tunnel update pending |
| Uptime Kuma | Proxy | ⚠️ Provider ready, CF tunnel update pending |
| LiteLLM | Proxy | ⚠️ Provider ready, CF tunnel update pending |
---
## Pending
1. Update Cloudflare tunnel routes:
- `links.kitestacks.com``http://authentik:9000`
- `status.kitestacks.com``http://authentik:9000`
- `llm.kitestacks.com``http://authentik:9000` (new)
- `tasks.kitestacks.com``http://openproject:80`
2. Test SSO end-to-end for all services
3. Phase 2: add guest Authentik account with auto-provisioning across all apps
---
## Files Changed This Session
| File | Change |
|------|--------|
| `apps/kavita/config/appsettings.json` | Filled OIDC client secret |
| `apps/openproject/.env` | Filled OIDC client secret |
| `apps/openproject/docker-compose.yml` | Fixed volume path to preserve data; image already at v15 |
| `apps/authentik/AUTHENTIK.md` | Updated configured apps, pending steps, excluded services |
| `docs/authentik-sso-setup.md` | Updated SSO status table to reflect completed steps |

18
docs/authentik-sso-setup.md
View file

@ -2,7 +2,7 @@
**Established:** 2026-06-08 **Established:** 2026-06-08
**Author:** kenpat **Author:** kenpat
**Status:** In Progress — config files deployed, manual Authentik UI steps pending **Status:** In Progress — all providers/apps configured, Cloudflare tunnel updates pending
--- ---
@ -32,15 +32,15 @@ Internet → Cloudflare → cloudflared → [service container]
| Service | Subdomain | Port | Method | Status | | Service | Subdomain | Port | Method | Status |
|---------|-----------|------|--------|--------| |---------|-----------|------|--------|--------|
| Authentik | auth.kitestacks.com | 9000 | (is the IdP) | ✅ Running | | Authentik | auth.kitestacks.com | 9000 | (is the IdP) | ✅ Running |
| Grafana | grafana.kitestacks.com | 3000 | OAuth2 | ⚠️ env set, Authentik app needed | | Grafana | grafana.kitestacks.com | 3000 | OAuth2 | ✅ Configured |
| Kite AI (OpenWebUI) | ai.kitestacks.com | 8080 | OIDC | ⚠️ env set, Authentik app needed | | Kite AI (OpenWebUI) | ai.kitestacks.com | 8080 | OIDC | ✅ Configured |
| Forgejo | gitforge.kitestacks.com | 3000 | OAuth2 | ⚠️ Forgejo admin UI config needed | | Forgejo | gitforge.kitestacks.com | 3000 | OAuth2 | ✅ Configured |
| BookStack | — | — | — | 🚫 Retired — books hosted on Kavita | | BookStack | — | — | — | 🚫 Retired — books hosted on Kavita |
| OpenProject | tasks.kitestacks.com | 80 | OIDC | ⚠️ env set, Authentik app needed | | OpenProject | tasks.kitestacks.com | 80 | OIDC | ✅ Configured, upgraded v13→v15 |
| Kavita | kavita.kitestacks.com | 5000 | OIDC | ⚠️ appsettings.json updated, Authentik app needed | | Kavita | kavita.kitestacks.com | 5000 | OIDC | ✅ Configured, secret filled |
| Shaarli | links.kitestacks.com | 80 | Proxy | ⚠️ Authentik Proxy Provider needed + CF tunnel update | | Shaarli | links.kitestacks.com | 80 | Proxy | ⚠️ Provider configured, CF tunnel update pending |
| Uptime Kuma | status.kitestacks.com | 3001 | Proxy | ⚠️ Authentik Proxy Provider needed + CF tunnel update | | Uptime Kuma | status.kitestacks.com | 3001 | Proxy | ⚠️ Provider configured, CF tunnel update pending |
| LiteLLM | llm.kitestacks.com | 4000 | Proxy | ⚠️ Authentik Proxy Provider needed + CF tunnel update | | LiteLLM | llm.kitestacks.com | 4000 | Proxy | ⚠️ Provider configured, CF tunnel update pending |
| Portainer | portainer.kitestacks.com | 9000 | — | 🚫 SSO excluded | | Portainer | portainer.kitestacks.com | 9000 | — | 🚫 SSO excluded |
| Prometheus | prometheus.kitestacks.com | 9090 | — | 🚫 SSO excluded | | Prometheus | prometheus.kitestacks.com | 9090 | — | 🚫 SSO excluded |
| Node Exporter | node-exporter.kitestacks.com | 9100 | — | 🚫 SSO excluded | | Node Exporter | node-exporter.kitestacks.com | 9100 | — | 🚫 SSO excluded |