kitestacks-homelab/apps/authentik/AUTHENTIK.md

Authentik SSO — Setup & Status

Server

  • Host: 100.90.13.55 (Assassin, Debian 6.12.90 amd64)
  • Authentik version: 2025.2.4 (Enterprise)
  • Stack location: /home/kenpat/docker/authentik/docker-compose.yml
  • Web UI: http://100.90.13.55:9001 / http://100.90.13.55:9001/if/admin/
  • API base: http://100.90.13.55:9001/api/v3/

Architecture

Authentik runs as a 4-container stack:

| Container | Role |
|---|---|
| authentik | Web server (port 9001) |
| authentik-worker | Background task worker |
| authentik-postgres | PostgreSQL 16 database |
| authentik-redis | Redis cache |

Both server and worker are on the kitestacks external Docker network.

Configured Applications

| App | Provider ID | Status |
|---|---|---|
| Grafana | 1 | Configured |
| Kavita | 2 | Configured |
| Open WebUI | 3 | Configured |
| Forgejo | 4 | Configured |

SSO verification pending — not yet tested end-to-end.
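
A pre-check for the pending end-to-end test, as an added example that is not part of the original file: it reconciles the table above with what Authentik's `core/applications/` API endpoint reports. It assumes the application names in Authentik match the table and that the response carries `results[].name` and `results[].provider`; the `AUTHENTIK_TOKEN` variable name and the sample response are constructed for illustration.

```python
import json
import os
import urllib.request

API_BASE = "http://100.90.13.55:9001/api/v3/"  # API base from this page
# Application -> provider ID, as listed in the table above.
EXPECTED = {"Grafana": 1, "Kavita": 2, "Open WebUI": 3, "Forgejo": 4}


def fetch_applications(token, api_base=API_BASE):
    """GET core/applications/ with an API token and return the decoded JSON."""
    req = urllib.request.Request(
        api_base + "core/applications/",
        headers={"Authorization": f"Bearer {token}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def reconcile(listing, expected=EXPECTED):
    """Compare the API listing with the documented table and return findings."""
    # Assumed response shape: {"results": [{"name": ..., "provider": <id or null>}]}
    actual = {app["name"]: app.get("provider") for app in listing.get("results", [])}
    findings = []
    for name, provider_id in expected.items():
        if name not in actual:
            findings.append(f"{name}: documented but no application exists")
        elif actual[name] is None:
            findings.append(f"{name}: application has no provider bound")
        elif actual[name] != provider_id:
            findings.append(f"{name}: provider {actual[name]}, documented {provider_id}")
    for name in sorted(set(actual) - set(expected)):
        findings.append(f"{name}: exists in Authentik but is not documented")
    return findings


# Constructed sample response (not captured from the real server).
SAMPLE = {"results": [
    {"name": "Grafana", "slug": "grafana", "provider": 1},
    {"name": "Kavita", "slug": "kavita", "provider": None},
    {"name": "Open WebUI", "slug": "open-webui", "provider": 4},
    {"name": "Portainer", "slug": "portainer", "provider": 5},
]}

if __name__ == "__main__":
    token = os.environ.get("AUTHENTIK_TOKEN")  # hypothetical variable name
    data = fetch_applications(token) if token else SAMPLE
    for line in reconcile(data):
        print(line)
```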

All Services Running on Server

| Service | Image | External Port |
|---|---|---|
| forgejo | forgejo:11 | 3006 (HTTP), 2222 (SSH) |
| kite-openwebui | open-webui | 3100 |
| grafana | grafana-oss | 3150 |
| cloudflared | cloudflared | — (tunnel) |
| shaarli | shaarli | 8085 |
| homepage | nginx | 3005 |
| homepage-test | gethomepage | 3007 |
| kitestacks-portal | nginx | 3008 |
| openproject | openproject:13 | 8080 |
| kite-litellm | litellm | 4000 |
| bookstack | bookstack | 6875 |
| authentik | server:latest | 9001 |
| kavita | kavita | 5000 |
| portainer | portainer-ce | 9443 |
| prometheus | prometheus | 9090 |
| node-exporter | node-exporter | 9100 |
| uptime-kuma | uptime-kuma | 3001 |

External Access (Cloudflare Tunnel)

Tunnel is token-based — ingress rules live in the Cloudflare dashboard:
dash.cloudflare.com → Zero Trust → Networks → Tunnels

No local config.yml — all routing configured via the dashboard.

Pending Integrations

Services not yet added to Authentik SSO:

  • Bookstack
  • OpenProject
  • Portainer
  • Homepage
  • Shaarli
  • Uptime Kuma

Next Steps

  1. Confirm public domain from Cloudflare tunnel dashboard
  2. Test SSO login on Forgejo, Grafana, Kavita, Open WebUI
  3. Add remaining services (see Pending Integrations above)
  4. Set up SSH key auth on the server (currently password only)