From 34ae9423efa65fe67295b13132501591b3492899 Mon Sep 17 00:00:00 2001 From: Kenpat7177 Date: Mon, 8 Jun 2026 20:32:51 -0500 Subject: [PATCH 1/2] docs: complete Authentik SSO setup for all kitestacks.com services (v1.3.898) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - All OAuth2/OIDC providers created in Authentik; secrets filled for Kavita and OpenProject - Proxy Providers created for Shaarli, Uptime Kuma, LiteLLM; assigned to Embedded Outpost - OpenProject upgraded v13→v15 with data preserved; compose volume path fixed - Cloudflare tunnel updates for proxy services still pending Co-Authored-By: Claude Sonnet 4.6 --- CHANGELOG.md | 16 ++++++ README.md | 2 +- apps/authentik/AUTHENTIK.md | 43 +++++++-------- ...teStacks-Homelab-Documentation-v1.3.898.md | 55 +++++++++++++++++++ docs/authentik-sso-setup.md | 18 +++--- 5 files changed, 102 insertions(+), 32 deletions(-) create mode 100644 docs/KiteStacks-Homelab-Documentation-v1.3.898.md diff --git a/CHANGELOG.md b/CHANGELOG.md index fec2e83..b8d804c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,22 @@ All notable changes to KiteStacks Homelab are documented here. +## [v1.3.898] — 2026-06-08 + +### Changed +- Completed Authentik SSO configuration for all kitestacks.com services +- Filled OIDC client secrets for Kavita (`appsettings.json`) and OpenProject (`.env`) +- Created Authentik OAuth2/OIDC providers for OpenProject; Proxy Providers for Shaarli, Uptime Kuma, LiteLLM +- All three proxy apps assigned to Authentik Embedded Outpost +- Upgraded OpenProject from `community:13` → `openproject:15` (data preserved) +- Fixed `apps/openproject/docker-compose.yml` volume path to bind-mount existing data directory +- Updated `apps/authentik/AUTHENTIK.md` and `docs/authentik-sso-setup.md` to reflect current status + +### Pending +- Cloudflare tunnel route updates for Shaarli, Uptime Kuma, LiteLLM, OpenProject + +--- + ## [v1.3.897] — 2026-06-08 19:22:51 ### Changed 
diff --git a/README.md b/README.md index 73ee37c..4359baf 100644 --- a/README.md +++ b/README.md @@ -1,6 +1,6 @@ # KiteStacks Homelab - + Private GitOps repository for the KiteStacks homelab. diff --git a/apps/authentik/AUTHENTIK.md b/apps/authentik/AUTHENTIK.md index e40f2d2..05bc73f 100644 --- a/apps/authentik/AUTHENTIK.md +++ b/apps/authentik/AUTHENTIK.md @@ -22,14 +22,18 @@ Both server and worker are on the `kitestacks` external Docker network. ## Configured Applications -| App | Provider ID | Status | -|-----|-------------|--------| -| Grafana | 1 | Configured | -| Kavita | 2 | Configured | -| Open WebUI | 3 | Configured | -| Forgejo | 4 | Configured | +| App | Provider Type | Client ID | Status | +|-----|--------------|-----------|--------| +| Grafana | OAuth2/OIDC | `grafana` | ✅ Configured | +| Kavita | OAuth2/OIDC | `kavita` | ✅ Configured, secret filled | +| Open WebUI | OAuth2/OIDC | `open-webui` | ✅ Configured | +| Forgejo | OAuth2/OIDC | `forgejo` | ✅ Configured, OAuth2 source in Forgejo admin | +| OpenProject | OAuth2/OIDC | `openproject` | ✅ Configured, secret filled, upgraded to v15 | +| Shaarli | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending | +| Uptime Kuma | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending | +| LiteLLM | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending | -> SSO verification pending — not yet tested end-to-end. +> Cloudflare tunnel routes for Shaarli, Uptime Kuma, LiteLLM still point to service containers directly — update to `http://authentik:9000` in the Cloudflare dashboard to activate proxy protection. ## All Services Running on Server 
@@ -43,7 +47,7 @@ Both server and worker are on the `kitestacks` external Docker network. | homepage | nginx | 3005 | | homepage-test | gethomepage | 3007 | | kitestacks-portal | nginx | 3008 | -| openproject | openproject:13 | 8080 | +| openproject | openproject:15 | 80 | | kite-litellm | litellm | 4000 | | bookstack | bookstack | 6875 | | authentik | server:latest | 9001 | @@ -60,20 +64,15 @@ Tunnel is token-based — ingress rules live in the Cloudflare dashboard: No local `config.yml` — all routing configured via the dashboard. -## Pending Integrations +## Pending -Services not yet added to Authentik SSO: +- [ ] Update Cloudflare tunnel routes: `links.kitestacks.com`, `status.kitestacks.com`, `llm.kitestacks.com` → `http://authentik:9000` +- [ ] Update Cloudflare tunnel route: `tasks.kitestacks.com` → `http://openproject:80` +- [ ] Test SSO end-to-end for all services +- [ ] Phase 2: add friend's Authentik account, verify auto-provisioning across all apps -- [ ] Bookstack -- [ ] OpenProject -- [ ] Portainer -- [ ] Homepage -- [ ] Shaarli -- [ ] Uptime Kuma +## Excluded from SSO -## Next Steps - -1. Confirm public domain from Cloudflare tunnel dashboard -2. Test SSO login on Forgejo, Grafana, Kavita, Open WebUI -3. Add remaining services (see Pending Integrations above) -4. Set up SSH key auth on the server (currently password only) +- Portainer — admin tool, excluded by design +- Prometheus / Node Exporter — internal metrics, excluded by design +- Homepage — public landing page, no auth needed diff --git a/docs/KiteStacks-Homelab-Documentation-v1.3.898.md b/docs/KiteStacks-Homelab-Documentation-v1.3.898.md new file mode 100644 index 0000000..a0a3de0 --- /dev/null +++ b/docs/KiteStacks-Homelab-Documentation-v1.3.898.md 
@@ -0,0 +1,55 @@ +# KiteStacks Homelab Documentation v1.3.898 + +**Version:** 1.3.898 +**Updated:** 2026-06-08 +**Previous:** [v1.3.897 docs](KiteStacks-Homelab-Documentation-v1.3.897.md) + +--- + +## Change Summary + +- Completed Authentik SSO provider/application setup for all kitestacks.com services +- Filled OIDC client secrets for Kavita and OpenProject +- Upgraded OpenProject from v13 → v15 (data preserved via bind mount migration) +- Created Authentik Proxy Providers for Shaarli, Uptime Kuma, LiteLLM; assigned to Embedded Outpost +- Fixed OpenProject docker-compose.yml volume path to preserve existing data +- Updated `apps/authentik/AUTHENTIK.md` and `docs/authentik-sso-setup.md` to reflect current status + +--- + +## SSO Status (as of 2026-06-08) + +| Service | Method | Status | +|---------|--------|--------| +| Grafana | OAuth2 | ✅ Configured | +| Kite AI (OpenWebUI) | OIDC | ✅ Configured | +| Forgejo | OAuth2 | ✅ Configured | +| Kavita | OIDC | ✅ Configured, secret filled | +| OpenProject | OIDC | ✅ Configured, upgraded to v15 | +| Shaarli | Proxy | ⚠️ Provider ready, CF tunnel update pending | +| Uptime Kuma | Proxy | ⚠️ Provider ready, CF tunnel update pending | +| LiteLLM | Proxy | ⚠️ Provider ready, CF tunnel update pending | + +--- + +## Pending + +1. Update Cloudflare tunnel routes: + - `links.kitestacks.com` → `http://authentik:9000` + - `status.kitestacks.com` → `http://authentik:9000` + - `llm.kitestacks.com` → `http://authentik:9000` (new) + - `tasks.kitestacks.com` → `http://openproject:80` +2. Test SSO end-to-end for all services +3. 
Phase 2: add guest Authentik account with auto-provisioning across all apps + +--- + +## Files Changed This Session + +| File | Change | +|------|--------| +| `apps/kavita/config/appsettings.json` | Filled OIDC client secret | +| `apps/openproject/.env` | Filled OIDC client secret | +| `apps/openproject/docker-compose.yml` | Fixed volume path to preserve data; image already at v15 | +| `apps/authentik/AUTHENTIK.md` | Updated configured apps, pending steps, excluded services | +| `docs/authentik-sso-setup.md` | Updated SSO status table to reflect completed steps | diff --git a/docs/authentik-sso-setup.md b/docs/authentik-sso-setup.md index 2c88aee..56b3e9d 100644 --- a/docs/authentik-sso-setup.md +++ b/docs/authentik-sso-setup.md @@ -2,7 +2,7 @@ **Established:** 2026-06-08 **Author:** kenpat -**Status:** In Progress — config files deployed, manual Authentik UI steps pending +**Status:** In Progress — all providers/apps configured, Cloudflare tunnel updates pending --- 
@@ -32,15 +32,15 @@ Internet → Cloudflare → cloudflared → [service container] | Service | Subdomain | Port | Method | Status | |---------|-----------|------|--------|--------| | Authentik | auth.kitestacks.com | 9000 | (is the IdP) | ✅ Running | -| Grafana | grafana.kitestacks.com | 3000 | OAuth2 | ⚠️ env set, Authentik app needed | -| Kite AI (OpenWebUI) | ai.kitestacks.com | 8080 | OIDC | ⚠️ env set, Authentik app needed | -| Forgejo | gitforge.kitestacks.com | 3000 | OAuth2 | ⚠️ Forgejo admin UI config needed | +| Grafana | grafana.kitestacks.com | 3000 | OAuth2 | ✅ Configured | +| Kite AI (OpenWebUI) | ai.kitestacks.com | 8080 | OIDC | ✅ Configured | +| Forgejo | gitforge.kitestacks.com | 3000 | OAuth2 | ✅ Configured | | BookStack | — | — | — | 🚫 Retired — books hosted on Kavita | -| OpenProject | tasks.kitestacks.com | 80 | OIDC | ⚠️ env set, Authentik app needed | -| Kavita | kavita.kitestacks.com | 5000 | OIDC | ⚠️ appsettings.json updated, Authentik app needed | -| Shaarli | links.kitestacks.com | 80 | Proxy | ⚠️ Authentik Proxy Provider needed + CF tunnel update | -| Uptime Kuma | status.kitestacks.com | 3001 | Proxy | ⚠️ Authentik Proxy Provider needed + CF tunnel update | -| LiteLLM | llm.kitestacks.com | 4000 | Proxy | ⚠️ Authentik Proxy Provider needed + CF tunnel update | +| OpenProject | tasks.kitestacks.com | 80 | OIDC | ✅ Configured, upgraded v13→v15 | +| Kavita | kavita.kitestacks.com | 5000 | OIDC | ✅ Configured, secret filled | +| Shaarli | links.kitestacks.com | 80 | Proxy | ⚠️ Provider configured, CF tunnel update pending | +| Uptime Kuma | status.kitestacks.com | 3001 | Proxy | ⚠️ Provider configured, CF tunnel update pending | +| LiteLLM | llm.kitestacks.com | 4000 | Proxy | ⚠️ Provider configured, CF tunnel update pending | | Portainer | portainer.kitestacks.com | 9000 | — | 🚫 SSO excluded | | Prometheus | prometheus.kitestacks.com | 9090 | — | 🚫 SSO excluded | | Node Exporter | node-exporter.kitestacks.com | 9100 | — | 🚫 SSO excluded | 
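Review bot: the `### Changed` entries in the CHANGELOG hunk claim edits to `apps/kavita/config/appsettings.json`, `apps/openproject/.env` and `apps/openproject/docker-compose.yml`, but none of those paths appear in the patch's diffstat (5 files, all Markdown). If they are deliberately untracked because they now hold live OIDC client secrets, say so in the entry ("secrets filled locally, files not tracked") so a reader does not go looking for them in git; if they are tracked, a GitOps repo should not carry the secret values themselves, so commit a template and reference the secret from an env file or secret store instead.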
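Review bot: in the `AUTHENTIK.md` @@ -22 hunk the Configured Applications table marks Shaarli, Uptime Kuma and LiteLLM as ✅ while the note directly below says the tunnel routes still point at the service containers, so the ✅ overstates the state: until `links`, `status` and `llm.kitestacks.com` are repointed at `http://authentik:9000`, those three services are reachable through the tunnel with no Authentik check at all. Use the ⚠️ marker the docs file already uses ("Provider ready, CF tunnel update pending") and treat the unchanged routes as an open exposure to close, not a cosmetic follow-up. Replacing `> SSO verification pending — not yet tested end-to-end.` also removes the only reminder that none of the OIDC logins have been exercised; keep that sentence until the "Test SSO end-to-end" item is done.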
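Review bot: the `AUTHENTIK.md` @@ -60 hunk silently drops `-4. Set up SSH key auth on the server (currently password only)` from Next Steps with no CHANGELOG entry saying it was completed. Either carry it into the new `## Pending` checklist or record its completion; a password-only SSH host outranks every tunnel route update on that list. The new `## Excluded from SSO` section also needs one more column of information: Portainer, Prometheus and Node Exporter are listed as "excluded by design", yet `docs/authentik-sso-setup.md` gives each a public `*.kitestacks.com` subdomain on the tunnel, so state what protects them instead (Cloudflare Access policy, local network only, or route removed); as written, "admin tool, excluded by design" reads as "exposed with no auth".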
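Review bot: the "Files Changed This Session" table in the new `docs/KiteStacks-Homelab-Documentation-v1.3.898.md` lists `apps/kavita/config/appsettings.json`, `apps/openproject/.env` and `apps/openproject/docker-compose.yml`, none of which are in this patch; resolve this together with the CHANGELOG entry so both say the same thing about where those edits live. Minor: Pending item 3 says "guest Authentik account" where `AUTHENTIK.md` says "friend's Authentik account"; pick one wording, and the `(new)` tag on the `llm.kitestacks.com` route would be clearer as "route does not exist yet, create it".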
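Review bot: the hunk's context heading `Internet → Cloudflare → cloudflared → [service container]` no longer describes the proxy-mode rows in this table: once Shaarli, Uptime Kuma and LiteLLM sit behind a Proxy Provider the intended path is cloudflared → Authentik embedded outpost (`http://authentik:9000`) → service container, and the table should make clear that the three ⚠️ rows still follow the old path today. Also the Port column lists Authentik on 9000 while the services table in `apps/authentik/AUTHENTIK.md` has `| authentik | server:latest | 9001 |`; if one is the host port and the other the container port, label the column accordingly, otherwise one of the two numbers is wrong.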
From d6c4812b7345619c6085144d2753f45793d7c23f Mon Sep 17 00:00:00 2001 From: Kenpat7177 Date: Tue, 9 Jun 2026 10:40:46 -0500 Subject: [PATCH 2/2] Remove Shaarli; switch to Raindrop.io cloud for bookmark management Co-Authored-By: Claude Sonnet 4.6 --- CHANGELOG.md | 10 ++++++++++ ...iteStacks-Homelab-Documentation-v1.3.899.md | 18 ++++++++++++++++++ 2 files changed, 28 insertions(+) create mode 100644 docs/KiteStacks-Homelab-Documentation-v1.3.899.md diff --git a/CHANGELOG.md b/CHANGELOG.md index b8d804c..8ecd23c 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -2,6 +2,16 @@ All notable changes to KiteStacks Homelab are documented here. +## [v1.3.899] — 2026-06-09 + +### Removed +- Shaarli bookmark manager decommissioned; replaced with Raindrop.io (cloud service) +- Docker stack and container removed; data directory was empty +- **Pending:** Remove `links.kitestacks.com` from Cloudflare Zero Trust tunnel routes +- **Pending:** Remove Shaarli entries from Authentik if configured + +--- + ## [v1.3.898] — 2026-06-08 ### Changed diff --git a/docs/KiteStacks-Homelab-Documentation-v1.3.899.md b/docs/KiteStacks-Homelab-Documentation-v1.3.899.md new file mode 100644 index 0000000..c84ea91 --- /dev/null +++ b/docs/KiteStacks-Homelab-Documentation-v1.3.899.md 
@@ -0,0 +1,18 @@ +# KiteStacks Homelab Documentation v1.3.899 + +**Date:** 2026-06-09 + +## Change Summary + +### Removed: Shaarli + +- Shaarli bookmark manager has been decommissioned and replaced with Raindrop.io (cloud service). +- Docker stack at `/home/kenpat/docker/shaarli/` removed (data directory was empty — no bookmarks lost). +- Container `shaarli` stopped and removed. +- **Manual action required:** Remove the `links.kitestacks.com` tunnel route from the Cloudflare Zero Trust dashboard. +- **Manual action required:** Remove the Shaarli Proxy Provider and application from Authentik if previously configured. + +### Bookmark Manager + +- Bookmarks are now managed via **Raindrop.io** (https://raindrop.io) — cloud-hosted, no local container. +- Chrome bookmarks can be imported via Raindrop.io's import tool: Settings → Import → Chrome/HTML file.
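Review bot: `+- **Pending:** Remove Shaarli entries from Authentik if configured` misstates the current state: PATCH 1/2 of this series records a Shaarli Proxy Provider created and assigned to the Embedded Outpost, so the cleanup is required, not conditional. Drop "if configured" and name the two objects to delete (the Shaarli application and its Proxy Provider) so the outpost is not left serving an orphaned app. This patch also leaves the Shaarli rows in `apps/authentik/AUTHENTIK.md` and `docs/authentik-sso-setup.md` and the `links.kitestacks.com` target in the v1.3.898 pending list untouched; those should be removed in the same commit rather than left contradicting the changelog.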
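Review bot: `Docker stack at /home/kenpat/docker/shaarli/ removed` points outside the repo, while every other app here is documented under `apps/<name>/`; if the Shaarli stack never had an `apps/shaarli` counterpart, say so, otherwise the tracked copy needs deleting too. The `links.kitestacks.com` tunnel route is left pointing at a container that no longer exists; until the manual action is done the hostname resolves through Cloudflare to a dead origin, and if that container name is ever reused the stale route would publish the new service with no Authentik step in front of it. Remove the route as part of decommissioning, not as a later follow-up, and record the removal in the CHANGELOG when done.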