# Authentik SSO — Setup & Status

## Server

- **Host:** `100.90.13.55` (Assassin, Debian 6.12.90 amd64)
- **Authentik version:** 2025.2.4 (Enterprise)
- **Stack location:** `/home/kenpat/docker/authentik/docker-compose.yml`
- **Web UI:** `http://100.90.13.55:9001` / `http://100.90.13.55:9001/if/admin/`
- **API base:** `http://100.90.13.55:9001/api/v3/`

## Architecture

Authentik runs as a 4-container stack:

| Container | Role |
|-----------|------|
| `authentik` | Web server (host port 9001; `http://authentik:9000` inside the Docker network) |
| `authentik-worker` | Background task worker |
| `authentik-postgres` | PostgreSQL 16 database |
| `authentik-redis` | Redis cache |

Both server and worker are on the `kitestacks` external Docker network.

## Configured Applications

| App | Provider Type | Client ID | Status |
|-----|--------------|-----------|--------|
| Grafana | OAuth2/OIDC | `grafana` | ✅ Configured |
| Kavita | OAuth2/OIDC | `kavita` | ✅ Configured, secret filled |
| Open WebUI | OAuth2/OIDC | `open-webui` | ✅ Configured |
| Forgejo | OAuth2/OIDC | `forgejo` | ✅ Configured, OAuth2 source in Forgejo admin |
| OpenProject | OAuth2/OIDC | `openproject` | ✅ Configured, secret filled, upgraded to v15 |
| Shaarli | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
| Uptime Kuma | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
| LiteLLM | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |

> Cloudflare tunnel routes for Shaarli, Uptime Kuma and LiteLLM still point at the service containers directly, so the proxy providers are not yet enforcing anything — update the routes to `http://authentik:9000` in the Cloudflare dashboard to activate proxy protection.

## All Services Running on Server

| Service | Image | External Port |
|---------|-------|---------------|
| forgejo | forgejo:11 | 3006 (HTTP), 2222 (SSH) |
| kite-openwebui | open-webui | 3100 |
| grafana | grafana-oss | 3150 |
| cloudflared | cloudflared | — (tunnel) |
| shaarli | shaarli | 8085 |
| homepage | nginx | 3005 |
| homepage-test | gethomepage | 3007 |
| kitestacks-portal | nginx | 3008 |
| openproject | openproject:15 | 80 |
| kite-litellm | litellm | 4000 |
| bookstack | bookstack | 6875 |
| authentik | server:latest | 9001 |
| kavita | kavita | 5000 |
| portainer | portainer-ce | 9443 |
| prometheus | prometheus | 9090 |
| node-exporter | node-exporter | 9100 |
| uptime-kuma | uptime-kuma | 3001 |

## External Access (Cloudflare Tunnel)

The tunnel is token-based — ingress rules live in the Cloudflare dashboard: **dash.cloudflare.com → Zero Trust → Networks → Tunnels**

There is no local `config.yml` — all routing is configured via the dashboard.

## Pending

- [ ] Update Cloudflare tunnel routes: `links.kitestacks.com`, `status.kitestacks.com`, `llm.kitestacks.com` → `http://authentik:9000`
- [ ] Update Cloudflare tunnel route: `tasks.kitestacks.com` → `http://openproject:80`
- [ ] Test SSO end-to-end for all services
- [ ] Phase 2: add friend's Authentik account, verify auto-provisioning across all apps

## Excluded from SSO

- Portainer — admin tool, excluded by design
- Prometheus / Node Exporter — internal metrics, excluded by design
- Homepage — public landing page, no auth needed
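Two of the pending items above (re-pointing the tunnel routes, then testing SSO end-to-end) can be checked with a small read-only script rather than by clicking through each app. The following is an added example, not part of these notes or of Authentik itself. It encodes two checks: an unauthenticated request to a proxy-protected hostname should come back as a redirect into Authentik (either to the embedded outpost's own `/outpost.goauthentik.io/` path on that hostname or to the Authentik host); a `200` from the service means the tunnel still bypasses the outpost. For the OAuth2 apps it fetches each provider's OIDC discovery document and confirms the issuer and endpoints point at the Authentik base URL. Assumptions: the application slugs equal the client IDs in the table, the providers use the default per-provider issuer mode, and the public Authentik hostname in `AUTHENTIK_PUBLIC_HOSTS` is a placeholder to replace. The sample responses at the bottom are constructed, not captured from the server.

```python
"""Read-only SSO sanity checks for the Authentik setup described above (example, not project code)."""
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Values taken from the notes.
AUTHENTIK_BASE = "http://100.90.13.55:9001"
PROXY_HOSTS = ["links.kitestacks.com", "status.kitestacks.com", "llm.kitestacks.com"]
OIDC_SLUGS = ["grafana", "kavita", "open-webui", "forgejo", "openproject"]  # assumed = client IDs
# Hostnames at which Authentik itself answers; the second one is a PLACEHOLDER, not from the notes.
AUTHENTIK_PUBLIC_HOSTS = {"100.90.13.55:9001", "auth.kitestacks.example"}
# Path prefix the proxy outpost redirects unauthenticated requests through (assumed).
OUTPOST_PREFIX = "/outpost.goauthentik.io/"


def proxy_protected(status: int, headers: dict, authentik_hosts=AUTHENTIK_PUBLIC_HOSTS) -> bool:
    """True when the response to an unauthenticated GET shows Authentik intercepted it.

    Interception is a 3xx whose Location is the outpost start path on the app's own
    hostname, or any URL on an Authentik host. Anything else (typically a 200 served
    by the application) means the tunnel still hands traffic straight to the container.
    """
    if status not in (301, 302, 303, 307, 308):
        return False
    location = next((v for k, v in headers.items() if k.lower() == "location"), "")
    parts = urlsplit(location)
    if parts.path.startswith(OUTPOST_PREFIX):
        return True
    return parts.netloc in authentik_hosts


def discovery_ok(doc: dict, slug: str, base: str = AUTHENTIK_BASE) -> list:
    """Return a list of problems found in an OIDC discovery document (empty list = OK)."""
    problems = []
    expected_issuer = f"{base}/application/o/{slug}/"  # per-provider issuer mode (assumed)
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri"):
        if not doc.get(key, "").startswith(base + "/"):
            problems.append(f"{key} missing or not under {base}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    return problems


def fetch_status(url: str):
    """GET a URL without following redirects; return (status, headers)."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None  # make urllib surface the 3xx instead of following it
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


def run_live():
    """Hit the real hostnames; only meaningful from a machine that can reach them."""
    for host in PROXY_HOSTS:
        status, headers = fetch_status(f"https://{host}/")
        verdict = "protected" if proxy_protected(status, headers) else "BYPASS: tunnel still hits the service"
        print(f"{host}: {verdict} [{status}]")
    for slug in OIDC_SLUGS:
        url = f"{AUTHENTIK_BASE}/application/o/{slug}/.well-known/openid-configuration"
        with urllib.request.urlopen(url, timeout=10) as resp:
            doc = json.load(resp)
        problems = discovery_ok(doc, slug)
        print(f"{slug}: {'OK' if not problems else '; '.join(problems)}")


# Constructed sample responses for offline use (not captured from the server).
SAMPLE_BYPASS = (200, {"Content-Type": "text/html"})
SAMPLE_OUTPOST = (302, {"Location": "https://links.kitestacks.com/outpost.goauthentik.io/start?rd=%2F"})
SAMPLE_DIRECT_AUTHENTIK = (302, {"Location": f"{AUTHENTIK_BASE}/application/o/authorize/?client_id=x"})
SAMPLE_DISCOVERY = {
    "issuer": f"{AUTHENTIK_BASE}/application/o/grafana/",
    "authorization_endpoint": f"{AUTHENTIK_BASE}/application/o/authorize/",
    "token_endpoint": f"{AUTHENTIK_BASE}/application/o/token/",
    "userinfo_endpoint": f"{AUTHENTIK_BASE}/application/o/userinfo/",
    "jwks_uri": f"{AUTHENTIK_BASE}/application/o/grafana/jwks/",
    "response_types_supported": ["code", "id_token", "code id_token"],
}

if __name__ == "__main__":
    run_live()
```

Run it after changing the tunnel routes: a `BYPASS` line for any of the three proxy hosts means that route still targets the service container rather than `http://authentik:9000`, and a non-empty problem list for an OIDC slug usually means the slug does not match the client ID or the provider's issuer mode differs from the assumed default.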