docs: complete Authentik SSO setup for all kitestacks.com services (v1.3.898)

- All OAuth2/OIDC providers created in Authentik; secrets filled for Kavita and OpenProject - Proxy Providers created for Shaarli, Uptime Kuma, LiteLLM; assigned to Embedded Outpost - OpenProject upgraded v13→v15 with data preserved; compose volume path fixed - Cloudflare tunnel updates for proxy services still pending Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-08 20:32:51 -05:00 · 2026-06-08 20:32:51 -05:00 · 34ae9423ef
commit 34ae9423ef
parent 608f8de681
5 changed files with 102 additions and 32 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -2,6 +2,22 @@

 All notable changes to KiteStacks Homelab are documented here.

+## [v1.3.898] — 2026-06-08
+
+### Changed
+- Completed Authentik SSO configuration for all kitestacks.com services
+- Filled OIDC client secrets for Kavita (`appsettings.json`) and OpenProject (`.env`)
+- Created Authentik OAuth2/OIDC providers for OpenProject; Proxy Providers for Shaarli, Uptime Kuma, LiteLLM
+- All three proxy apps assigned to Authentik Embedded Outpost
+- Upgraded OpenProject from `community:13` → `openproject:15` (data preserved)
+- Fixed `apps/openproject/docker-compose.yml` volume path to bind-mount existing data directory
+- Updated `apps/authentik/AUTHENTIK.md` and `docs/authentik-sso-setup.md` to reflect current status
+
+### Pending
+- Cloudflare tunnel route updates for Shaarli, Uptime Kuma, LiteLLM, OpenProject
+
+---
+
 ## [v1.3.897] — 2026-06-08 19:22:51

 ### Changed
--- a/README.md
+++ b/README.md
@ -1,6 +1,6 @@
 # KiteStacks Homelab

-<!-- version: 1.3.897 -->
+<!-- version: 1.3.898 -->

 Private GitOps repository for the KiteStacks homelab.

--- a/apps/authentik/AUTHENTIK.md
+++ b/apps/authentik/AUTHENTIK.md
@ -22,14 +22,18 @@ Both server and worker are on the `kitestacks` external Docker network.

 ## Configured Applications

-| App | Provider ID | Status |
-|-----|-------------|--------|
-| Grafana | 1 | Configured |
-| Kavita | 2 | Configured |
-| Open WebUI | 3 | Configured |
-| Forgejo | 4 | Configured |
+| App | Provider Type | Client ID | Status |
+|-----|--------------|-----------|--------|
+| Grafana | OAuth2/OIDC | `grafana` | ✅ Configured |
+| Kavita | OAuth2/OIDC | `kavita` | ✅ Configured, secret filled |
+| Open WebUI | OAuth2/OIDC | `open-webui` | ✅ Configured |
+| Forgejo | OAuth2/OIDC | `forgejo` | ✅ Configured, OAuth2 source in Forgejo admin |
+| OpenProject | OAuth2/OIDC | `openproject` | ✅ Configured, secret filled, upgraded to v15 |
+| Shaarli | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
+| Uptime Kuma | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
+| LiteLLM | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |

-> SSO verification pending — not yet tested end-to-end.
+> Cloudflare tunnel routes for Shaarli, Uptime Kuma, LiteLLM still point to service containers directly — update to `http://authentik:9000` in the Cloudflare dashboard to activate proxy protection.

 ## All Services Running on Server

@ -43,7 +47,7 @@ Both server and worker are on the `kitestacks` external Docker network.
 | homepage | nginx | 3005 |
 | homepage-test | gethomepage | 3007 |
 | kitestacks-portal | nginx | 3008 |
-| openproject | openproject:13 | 8080 |
+| openproject | openproject:15 | 80 |
 | kite-litellm | litellm | 4000 |
 | bookstack | bookstack | 6875 |
 | authentik | server:latest | 9001 |
@ -60,20 +64,15 @@ Tunnel is token-based — ingress rules live in the Cloudflare dashboard:

 No local `config.yml` — all routing configured via the dashboard.

-## Pending Integrations
+## Pending

-Services not yet added to Authentik SSO:
+- [ ] Update Cloudflare tunnel routes: `links.kitestacks.com`, `status.kitestacks.com`, `llm.kitestacks.com` → `http://authentik:9000`
+- [ ] Update Cloudflare tunnel route: `tasks.kitestacks.com` → `http://openproject:80`
+- [ ] Test SSO end-to-end for all services
+- [ ] Phase 2: add friend's Authentik account, verify auto-provisioning across all apps

- [ ] Bookstack
- [ ] OpenProject
- [ ] Portainer
- [ ] Homepage
- [ ] Shaarli
- [ ] Uptime Kuma
+## Excluded from SSO

-## Next Steps
-
-1. Confirm public domain from Cloudflare tunnel dashboard
-2. Test SSO login on Forgejo, Grafana, Kavita, Open WebUI
-3. Add remaining services (see Pending Integrations above)
-4. Set up SSH key auth on the server (currently password only)
+- Portainer — admin tool, excluded by design
+- Prometheus / Node Exporter — internal metrics, excluded by design
+- Homepage — public landing page, no auth needed
--- a/docs/KiteStacks-Homelab-Documentation-v1.3.898.md
+++ b/docs/KiteStacks-Homelab-Documentation-v1.3.898.md
@ -0,0 +1,55 @@
+# KiteStacks Homelab Documentation v1.3.898
+
+**Version:** 1.3.898
+**Updated:** 2026-06-08
+**Previous:** [v1.3.897 docs](KiteStacks-Homelab-Documentation-v1.3.897.md)
+
+---
+
+## Change Summary
+
+- Completed Authentik SSO provider/application setup for all kitestacks.com services
+- Filled OIDC client secrets for Kavita and OpenProject
+- Upgraded OpenProject from v13 → v15 (data preserved via bind mount migration)
+- Created Authentik Proxy Providers for Shaarli, Uptime Kuma, LiteLLM; assigned to Embedded Outpost
+- Fixed OpenProject docker-compose.yml volume path to preserve existing data
+- Updated `apps/authentik/AUTHENTIK.md` and `docs/authentik-sso-setup.md` to reflect current status
+
+---
+
+## SSO Status (as of 2026-06-08)
+
+| Service | Method | Status |
+|---------|--------|--------|
+| Grafana | OAuth2 | ✅ Configured |
+| Kite AI (OpenWebUI) | OIDC | ✅ Configured |
+| Forgejo | OAuth2 | ✅ Configured |
+| Kavita | OIDC | ✅ Configured, secret filled |
+| OpenProject | OIDC | ✅ Configured, upgraded to v15 |
+| Shaarli | Proxy | ⚠️ Provider ready, CF tunnel update pending |
+| Uptime Kuma | Proxy | ⚠️ Provider ready, CF tunnel update pending |
+| LiteLLM | Proxy | ⚠️ Provider ready, CF tunnel update pending |
+
+---
+
+## Pending
+
+1. Update Cloudflare tunnel routes:
+   - `links.kitestacks.com` → `http://authentik:9000`
+   - `status.kitestacks.com` → `http://authentik:9000`
+   - `llm.kitestacks.com` → `http://authentik:9000` (new)
+   - `tasks.kitestacks.com` → `http://openproject:80`
+2. Test SSO end-to-end for all services
+3. Phase 2: add guest Authentik account with auto-provisioning across all apps
+
+---
+
+## Files Changed This Session
+
+| File | Change |
+|------|--------|
+| `apps/kavita/config/appsettings.json` | Filled OIDC client secret |
+| `apps/openproject/.env` | Filled OIDC client secret |
+| `apps/openproject/docker-compose.yml` | Fixed volume path to preserve data; image already at v15 |
+| `apps/authentik/AUTHENTIK.md` | Updated configured apps, pending steps, excluded services |
+| `docs/authentik-sso-setup.md` | Updated SSO status table to reflect completed steps |
--- a/docs/authentik-sso-setup.md
+++ b/docs/authentik-sso-setup.md
@ -2,7 +2,7 @@

 **Established:** 2026-06-08  
 **Author:** kenpat  
-**Status:** In Progress — config files deployed, manual Authentik UI steps pending
+**Status:** In Progress — all providers/apps configured, Cloudflare tunnel updates pending

 ---

@ -32,15 +32,15 @@ Internet → Cloudflare → cloudflared → [service container]
 | Service | Subdomain | Port | Method | Status |
 |---------|-----------|------|--------|--------|
 | Authentik | auth.kitestacks.com | 9000 | (is the IdP) | ✅ Running |
-| Grafana | grafana.kitestacks.com | 3000 | OAuth2 | ⚠️ env set, Authentik app needed |
-| Kite AI (OpenWebUI) | ai.kitestacks.com | 8080 | OIDC | ⚠️ env set, Authentik app needed |
-| Forgejo | gitforge.kitestacks.com | 3000 | OAuth2 | ⚠️ Forgejo admin UI config needed |
+| Grafana | grafana.kitestacks.com | 3000 | OAuth2 | ✅ Configured |
+| Kite AI (OpenWebUI) | ai.kitestacks.com | 8080 | OIDC | ✅ Configured |
+| Forgejo | gitforge.kitestacks.com | 3000 | OAuth2 | ✅ Configured |
 | BookStack | — | — | — | 🚫 Retired — books hosted on Kavita |
-| OpenProject | tasks.kitestacks.com | 80 | OIDC | ⚠️ env set, Authentik app needed |
-| Kavita | kavita.kitestacks.com | 5000 | OIDC | ⚠️ appsettings.json updated, Authentik app needed |
-| Shaarli | links.kitestacks.com | 80 | Proxy | ⚠️ Authentik Proxy Provider needed + CF tunnel update |
-| Uptime Kuma | status.kitestacks.com | 3001 | Proxy | ⚠️ Authentik Proxy Provider needed + CF tunnel update |
-| LiteLLM | llm.kitestacks.com | 4000 | Proxy | ⚠️ Authentik Proxy Provider needed + CF tunnel update |
+| OpenProject | tasks.kitestacks.com | 80 | OIDC | ✅ Configured, upgraded v13→v15 |
+| Kavita | kavita.kitestacks.com | 5000 | OIDC | ✅ Configured, secret filled |
+| Shaarli | links.kitestacks.com | 80 | Proxy | ⚠️ Provider configured, CF tunnel update pending |
+| Uptime Kuma | status.kitestacks.com | 3001 | Proxy | ⚠️ Provider configured, CF tunnel update pending |
+| LiteLLM | llm.kitestacks.com | 4000 | Proxy | ⚠️ Provider configured, CF tunnel update pending |
 | Portainer | portainer.kitestacks.com | 9000 | — | 🚫 SSO excluded |
 | Prometheus | prometheus.kitestacks.com | 9090 | — | 🚫 SSO excluded |
 | Node Exporter | node-exporter.kitestacks.com | 9100 | — | 🚫 SSO excluded |