kenpat/kitestacks-homelab
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions 1
kitestacks-homelab/apps/authentik/AUTHENTIK.md
KiteStacks AutoSync 4b8925ca7e security: complete IP, port, and password redaction across all docs 
Redact all remaining IPv4 addresses, port numbers, and credential values
from RUNBOOK.md, AUTHENTIK.md, and authentik-sso-setup.md. Replace with
descriptive placeholders (<IP_REDACTED>, <port>, <REDACTED>, etc.).
Docker image version tags (postgres:16, forgejo:11, etc.) preserved.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-11 16:16:23 -05:00

78 lines
3.2 KiB
Markdown
Raw Blame History

# Authentik SSO — Setup & Status
## Server
- **Host:** `<IP_REDACTED>` (Assassin, Debian 6.12.90 amd64)
- **Authentik version:** 2025.2.4 (Enterprise)
- **Stack location:** `/home/kenpat/docker/authentik/docker-compose.yml`
- **Web UI:** `http://<IP_REDACTED>:<port>` / `http://<IP_REDACTED>:<port>/if/admin/`
- **API base:** `http://<IP_REDACTED>:<port>/api/v3/`
## Architecture
Authentik runs as a 4-container stack:
| Container | Role |
|-----------|------|
| `authentik` | Web server (port <port>) |
| `authentik-worker` | Background task worker |
| `authentik-postgres` | PostgreSQL 16 database |
| `authentik-redis` | Redis cache |
Both server and worker are on the `kitestacks` external Docker network.
## Configured Applications
| App | Provider Type | Client ID | Status |
|-----|--------------|-----------|--------|
| Grafana | OAuth2/OIDC | `grafana` | ✅ Configured |
| Kavita | OAuth2/OIDC | `kavita` | ✅ Configured, secret filled |
| Open WebUI | OAuth2/OIDC | `open-webui` | ✅ Configured |
| Forgejo | OAuth2/OIDC | `forgejo` | ✅ Configured, OAuth2 source in Forgejo admin |
| OpenProject | OAuth2/OIDC | `openproject` | ✅ Configured, secret filled, upgraded to v15 |
| Shaarli | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
| Uptime Kuma | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
| LiteLLM | Proxy | — | ✅ Proxy Provider + Embedded Outpost, CF tunnel pending |
> Cloudflare tunnel routes for Shaarli, Uptime Kuma, LiteLLM still point to service containers directly — update to `http://authentik:<port>` in the Cloudflare dashboard to activate proxy protection.
## All Services Running on Server
| Service | Image | External Port |
|---------|-------|---------------|
| forgejo | forgejo:<port> | <port> (HTTP), <port> (SSH) |
| kite-openwebui | open-webui | <port> |
| grafana | grafana-oss | <port> |
| cloudflared | cloudflared | — (tunnel) |
| shaarli | shaarli | <port> |
| homepage | nginx | <port> |
| homepage-test | gethomepage | <port> |
| kitestacks-portal | nginx | <port> |
| openproject | openproject:<port> | <port> |
| kite-litellm | litellm | <port> |
| bookstack | bookstack | <port> |
| authentik | server:latest | <port> |
| kavita | kavita | <port> |
| portainer | portainer-ce | <port> |
| prometheus | prometheus | <port> |
| node-exporter | node-exporter | <port> |
| uptime-kuma | uptime-kuma | <port> |
## External Access (Cloudflare Tunnel)
Tunnel is token-based — ingress rules live in the Cloudflare dashboard:
**dash.cloudflare.com → Zero Trust → Networks → Tunnels**
No local `config.yml` — all routing configured via the dashboard.
## Pending
- [ ] Update Cloudflare tunnel routes: `links.kitestacks.com`, `status.kitestacks.com`, `llm.kitestacks.com``http://authentik:<port>`
- [ ] Update Cloudflare tunnel route: `tasks.kitestacks.com``http://openproject:<port>`
- [ ] Test SSO end-to-end for all services
- [ ] Phase 2: add friend's Authentik account, verify auto-provisioning across all apps
## Excluded from SSO
- Portainer — admin tool, excluded by design
- Prometheus / Node Exporter — internal metrics, excluded by design
- Homepage — public landing page, no auth needed
Reference in a new issue View git blame Copy permalink