KiteStacks AutoSync 4b8925ca7e security: complete IP, port, and password redaction across all docs

Redact all remaining IPv4 addresses, port numbers, and credential values
from RUNBOOK.md, AUTHENTIK.md, and authentik-sso-setup.md. Replace with
descriptive placeholders (<IP_REDACTED>, <port>, <REDACTED>, etc.).
Docker image version tags (postgres:16, forgejo:11, etc.) preserved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

2026-06-11 16:16:23 -05:00

3.2 KiB

Raw Blame History

Authentik SSO — Setup & Status

Server

Host: <IP_REDACTED> (Assassin, Debian 6.12.90 amd64)
Authentik version: 2025.2.4 (Enterprise)
Stack location: /home/kenpat/docker/authentik/docker-compose.yml
Web UI: http://<IP_REDACTED>:<port> / http://<IP_REDACTED>:<port>/if/admin/
API base: http://<IP_REDACTED>:<port>/api/v3/

Architecture

Authentik runs as a 4-container stack:

Container	Role
`authentik`	Web server (port )
`authentik-worker`	Background task worker
`authentik-postgres`	PostgreSQL 16 database
`authentik-redis`	Redis cache

Both server and worker are on the kitestacks external Docker network.

Configured Applications

App	Provider Type	Client ID	Status
Grafana	OAuth2/OIDC	`grafana`	✅ Configured
Kavita	OAuth2/OIDC	`kavita`	✅ Configured, secret filled
Open WebUI	OAuth2/OIDC	`open-webui`	✅ Configured
Forgejo	OAuth2/OIDC	`forgejo`	✅ Configured, OAuth2 source in Forgejo admin
OpenProject	OAuth2/OIDC	`openproject`	✅ Configured, secret filled, upgraded to v15
Shaarli	Proxy	—	✅ Proxy Provider + Embedded Outpost, CF tunnel pending
Uptime Kuma	Proxy	—	✅ Proxy Provider + Embedded Outpost, CF tunnel pending
LiteLLM	Proxy	—	✅ Proxy Provider + Embedded Outpost, CF tunnel pending

Cloudflare tunnel routes for Shaarli, Uptime Kuma, LiteLLM still point to service containers directly — update to http://authentik:<port> in the Cloudflare dashboard to activate proxy protection.

All Services Running on Server

Service	Image	External Port
forgejo	forgejo:	(HTTP), (SSH)
kite-openwebui	open-webui
grafana	grafana-oss
cloudflared	cloudflared	— (tunnel)
shaarli	shaarli
homepage	nginx
homepage-test	gethomepage
kitestacks-portal	nginx
openproject	openproject:
kite-litellm	litellm
bookstack	bookstack
authentik	server:latest
kavita	kavita
portainer	portainer-ce
prometheus	prometheus
node-exporter	node-exporter
uptime-kuma	uptime-kuma

External Access (Cloudflare Tunnel)

Tunnel is token-based — ingress rules live in the Cloudflare dashboard:
dash.cloudflare.com → Zero Trust → Networks → Tunnels

No local config.yml — all routing configured via the dashboard.

Pending

Update Cloudflare tunnel routes: links.kitestacks.com, status.kitestacks.com, llm.kitestacks.com → http://authentik:<port>
Update Cloudflare tunnel route: tasks.kitestacks.com → http://openproject:<port>
Test SSO end-to-end for all services
Phase 2: add friend's Authentik account, verify auto-provisioning across all apps

Excluded from SSO

Portainer — admin tool, excluded by design
Prometheus / Node Exporter — internal metrics, excluded by design
Homepage — public landing page, no auth needed

3.2 KiB Raw Blame History