# Authentik SSO — Setup & Status

## Server

- **Host:** `` (Assassin, Debian 6.12.90 amd64)
- **Authentik version:** 2025.2.4 (Enterprise)
- **Stack location:** `/home/kenpat/docker/authentik/docker-compose.yml`
- **Web UI:** `http://:` / `http://:/if/admin/`
- **API base:** `http://:/api/v3/`

## Architecture

Authentik runs as a 4-container stack:

| Container | Role |
|-----------|------|
| `authentik` | Web server (port ) |
| `authentik-worker` | Background task worker |
| `authentik-postgres` | PostgreSQL 16 database |
| `authentik-redis` | Redis cache |

Both server and worker are on the `kitestacks` external Docker network.

## Configured Applications

| App | Provider Type | Client ID | Status |
|-----|--------------|-----------|--------|
| Grafana | OAuth2/OIDC | `grafana` | ✅ Configured |
| Kavita | OAuth2/OIDC | `kavita` | ✅ Configured, secret filled |
| Open WebUI | OAuth2/OIDC | `open-webui` | ✅ Configured |
| Forgejo | OAuth2/OIDC | `forgejo` | ✅ Configured, OAuth2 source in Forgejo admin |
| OpenProject | OAuth2/OIDC | `openproject` | ✅ Configured, secret filled, upgraded to v15 |
| Shaarli | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
| Uptime Kuma | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
| LiteLLM | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |

> Cloudflare tunnel routes for Shaarli, Uptime Kuma, LiteLLM still point to service containers directly — until they are updated to `http://authentik:` in the Cloudflare dashboard, requests reach those services without passing through the proxy provider, so the outpost offers no protection yet.
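The note above describes the one mistake that silently defeats a proxy provider: a tunnel route that still targets the service container instead of the Authentik outpost. The following is an added example, not part of these notes or of Authentik or Cloudflare tooling. It assumes the dashboard's ingress rules have been exported as a list of `{hostname, service}` entries (a constructed sample is embedded) and that proxied apps must reach the Authentik server container by its `kitestacks` network name `authentik`; the outpost port is not on this page, so the sample uses a placeholder value.

```python
"""Audit Cloudflare tunnel ingress rules against the SSO design.

Added example (hypothetical helper, not project code). It assumes the
ingress rules are available as a list of dicts with "hostname" and
"service" keys, as a practitioner might export them from the dashboard.
"""
from urllib.parse import urlparse

# Hostnames that must be fronted by the Authentik proxy provider
# (from the "Pending" list on this page), mapped to the app each serves.
PROXY_PROTECTED = {
    "links.kitestacks.com": "shaarli",
    "status.kitestacks.com": "uptime-kuma",
    "llm.kitestacks.com": "litellm",
}

# The Authentik server container on the kitestacks Docker network.
OUTPOST_HOST = "authentik"

# Constructed sample ingress rules; the ports are placeholders, not real values.
SAMPLE_INGRESS = [
    {"hostname": "links.kitestacks.com", "service": "http://shaarli:80"},
    {"hostname": "status.kitestacks.com", "service": "http://authentik:9000"},
    {"hostname": "llm.kitestacks.com", "service": "http://kite-litellm:4000"},
    {"hostname": "tasks.kitestacks.com", "service": "http://openproject:8080"},
]


def audit_ingress(rules, protected=PROXY_PROTECTED, outpost_host=OUTPOST_HOST):
    """Return (hostname, service, problem) tuples for rules that undermine SSO.

    Three conditions are flagged: a protected hostname whose route does not
    terminate at the Authentik outpost, a route with a non-HTTP(S) scheme,
    and a protected hostname with no ingress rule at all.
    """
    findings = []
    seen = set()
    for rule in rules:
        host = rule.get("hostname")
        service = rule.get("service", "")
        if host not in protected:
            continue  # not in scope for the proxy provider
        seen.add(host)
        target = urlparse(service)
        if target.scheme not in ("http", "https"):
            findings.append((host, service, "unsupported scheme"))
        elif target.hostname != outpost_host:
            # Traffic reaches the app container directly; the outpost never
            # sees the request, so no authentication is enforced.
            findings.append((host, service, "bypasses Authentik outpost"))
    for host in protected:
        if host not in seen:
            findings.append((host, None, "no ingress rule"))
    return findings


if __name__ == "__main__":
    for host, service, problem in audit_ingress(SAMPLE_INGRESS):
        print(f"{host}: {problem} (service={service}, app={PROXY_PROTECTED[host]})")
```

Run against the constructed sample, the audit reports `links.kitestacks.com` and `llm.kitestacks.com` as bypassing the outpost while `status.kitestacks.com` passes; `tasks.kitestacks.com` is ignored because OpenProject uses an OIDC provider rather than the proxy provider, so its route is expected to target the app directly. Re-running the check after each dashboard change is a cheap way to confirm the "Pending" items are actually closed.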
## All Services Running on Server

| Service | Image | External Port |
|---------|-------|---------------|
| forgejo | forgejo: | (HTTP), (SSH) |
| kite-openwebui | open-webui | |
| grafana | grafana-oss | |
| cloudflared | cloudflared | — (tunnel) |
| shaarli | shaarli | |
| homepage | nginx | |
| homepage-test | gethomepage | |
| kitestacks-portal | nginx | |
| openproject | openproject: | |
| kite-litellm | litellm | |
| bookstack | bookstack | |
| authentik | server:latest | |
| kavita | kavita | |
| portainer | portainer-ce | |
| prometheus | prometheus | |
| node-exporter | node-exporter | |
| uptime-kuma | uptime-kuma | |

## External Access (Cloudflare Tunnel)

Tunnel is token-based — ingress rules live in the Cloudflare dashboard: **dash.cloudflare.com → Zero Trust → Networks → Tunnels**

No local `config.yml` — all routing is configured via the dashboard.

## Pending

- [ ] Update Cloudflare tunnel routes: `links.kitestacks.com`, `status.kitestacks.com`, `llm.kitestacks.com` → `http://authentik:`
- [ ] Update Cloudflare tunnel route: `tasks.kitestacks.com` → `http://openproject:`
- [ ] Test SSO end-to-end for all services
- [ ] Phase 2: add friend's Authentik account, verify auto-provisioning across all apps

## Excluded from SSO

- Portainer — admin tool, excluded by design
- Prometheus / Node Exporter — internal metrics, excluded by design
- Homepage — public landing page, no auth needed