kenpat/kitestacks-homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
kitestacks-homelab/apps/authentik/AUTHENTIK.md
Kenpat7177 34ae9423ef docs: complete Authentik SSO setup for all kitestacks.com services (v1.3.898) 
- All OAuth2/OIDC providers created in Authentik; secrets filled for Kavita and OpenProject
- Proxy Providers created for Shaarli, Uptime Kuma, LiteLLM; assigned to Embedded Outpost
- OpenProject upgraded v13→v15 with data preserved; compose volume path fixed
- Cloudflare tunnel updates for proxy services still pending

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-08 20:32:51 -05:00

78 lines
3.1 KiB
Markdown
Raw Blame History

# Authentik SSO — Setup & Status
## Server
- **Host:** `100.90.13.55` (Assassin, Debian 6.12.90 amd64)
- **Authentik version:** 2025.2.4 (Enterprise)
- **Stack location:** `/home/kenpat/docker/authentik/docker-compose.yml`
- **Web UI:** `http://100.90.13.55:9001` / `http://100.90.13.55:9001/if/admin/`
- **API base:** `http://100.90.13.55:9001/api/v3/`
## Architecture
Authentik runs as a 4-container stack:
| Container | Role |
|-----------|------|
| `authentik` | Web server (port 9001) |
| `authentik-worker` | Background task worker |
| `authentik-postgres` | PostgreSQL 16 database |
| `authentik-redis` | Redis cache |
Both server and worker are on the `kitestacks` external Docker network.
## Configured Applications
| App | Provider Type | Client ID | Status |
|-----|--------------|-----------|--------|
| Grafana | OAuth2/OIDC | `grafana` | ✅ Configured |
| Kavita | OAuth2/OIDC | `kavita` | ✅ Configured, secret filled |
| Open WebUI | OAuth2/OIDC | `open-webui` | ✅ Configured |
| Forgejo | OAuth2/OIDC | `forgejo` | ✅ Configured, OAuth2 source in Forgejo admin |
| OpenProject | OAuth2/OIDC | `openproject` | ✅ Configured, secret filled, upgraded to v15 |
| Shaarli | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
| Uptime Kuma | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
| LiteLLM | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
> Cloudflare tunnel routes for Shaarli, Uptime Kuma, LiteLLM still point to service containers directly — update to `http://authentik:9000` in the Cloudflare dashboard to activate proxy protection.
## All Services Running on Server
| Service | Image | External Port |
|---------|-------|---------------|
| forgejo | forgejo:11 | 3006 (HTTP), 2222 (SSH) |
| kite-openwebui | open-webui | 3100 |
| grafana | grafana-oss | 3150 |
| cloudflared | cloudflared | — (tunnel) |
| shaarli | shaarli | 8085 |
| homepage | nginx | 3005 |
| homepage-test | gethomepage | 3007 |
| kitestacks-portal | nginx | 3008 |
| openproject | openproject:15 | 80 |
| kite-litellm | litellm | 4000 |
| bookstack | bookstack | 6875 |
| authentik | server:latest | 9001 |
| kavita | kavita | 5000 |
| portainer | portainer-ce | 9443 |
| prometheus | prometheus | 9090 |
| node-exporter | node-exporter | 9100 |
| uptime-kuma | uptime-kuma | 3001 |
## External Access (Cloudflare Tunnel)
Tunnel is token-based — ingress rules live in the Cloudflare dashboard:
**dash.cloudflare.com → Zero Trust → Networks → Tunnels**
No local `config.yml` — all routing configured via the dashboard.
## Pending
- [ ] Update Cloudflare tunnel routes: `links.kitestacks.com`, `status.kitestacks.com`, `llm.kitestacks.com``http://authentik:9000`
- [ ] Update Cloudflare tunnel route: `tasks.kitestacks.com``http://openproject:80`
- [ ] Test SSO end-to-end for all services
- [ ] Phase 2: add friend's Authentik account, verify auto-provisioning across all apps
## Excluded from SSO
- Portainer — admin tool, excluded by design
- Prometheus / Node Exporter — internal metrics, excluded by design
- Homepage — public landing page, no auth needed
Reference in a new issue View git blame Copy permalink