kitestacks-homelab/apps/authentik/AUTHENTIK.md
Kenpat7177 34ae9423ef docs: complete Authentik SSO setup for all kitestacks.com services (v1.3.898)
- All OAuth2/OIDC providers created in Authentik; secrets filled for Kavita and OpenProject
- Proxy Providers created for Shaarli, Uptime Kuma, LiteLLM; assigned to Embedded Outpost
- OpenProject upgraded v13→v15 with data preserved; compose volume path fixed
- Cloudflare tunnel updates for proxy services still pending

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-08 20:32:51 -05:00


Authentik SSO — Setup & Status

Server

  • Host: 100.90.13.55 (Assassin, Debian 6.12.90 amd64)
  • Authentik version: 2025.2.4 (Enterprise)
  • Stack location: /home/kenpat/docker/authentik/docker-compose.yml
  • Web UI: http://100.90.13.55:9001 / http://100.90.13.55:9001/if/admin/
  • API base: http://100.90.13.55:9001/api/v3/

Architecture

Authentik runs as a 4-container stack:

| Container | Role |
|---|---|
| authentik | Web server (port 9001) |
| authentik-worker | Background task worker |
| authentik-postgres | PostgreSQL 16 database |
| authentik-redis | Redis cache |

Both server and worker are on the kitestacks external Docker network.

Configured Applications

| App | Provider Type | Client ID | Status |
|---|---|---|---|
| Grafana | OAuth2/OIDC | grafana | Configured |
| Kavita | OAuth2/OIDC | kavita | Configured, secret filled |
| Open WebUI | OAuth2/OIDC | open-webui | Configured |
| Forgejo | OAuth2/OIDC | forgejo | Configured, OAuth2 source in Forgejo admin |
| OpenProject | OAuth2/OIDC | openproject | Configured, secret filled, upgraded to v15 |
| Shaarli | Proxy | — | Proxy Provider + Embedded Outpost, CF tunnel pending |
| Uptime Kuma | Proxy | — | Proxy Provider + Embedded Outpost, CF tunnel pending |
| LiteLLM | Proxy | — | Proxy Provider + Embedded Outpost, CF tunnel pending |

Cloudflare tunnel routes for Shaarli, Uptime Kuma and LiteLLM still point to the service containers directly, so the tunnel bypasses their Proxy Providers for now. Update each route to http://authentik:9000 in the Cloudflare dashboard to activate proxy protection.

All Services Running on Server

| Service | Image | External Port |
|---|---|---|
| forgejo | forgejo:11 | 3006 (HTTP), 2222 (SSH) |
| kite-openwebui | open-webui | 3100 |
| grafana | grafana-oss | 3150 |
| cloudflared | cloudflared | — (tunnel) |
| shaarli | shaarli | 8085 |
| homepage | nginx | 3005 |
| homepage-test | gethomepage | 3007 |
| kitestacks-portal | nginx | 3008 |
| openproject | openproject:15 | 80 |
| kite-litellm | litellm | 4000 |
| bookstack | bookstack | 6875 |
| authentik | server:latest | 9001 |
| kavita | kavita | 5000 |
| portainer | portainer-ce | 9443 |
| prometheus | prometheus | 9090 |
| node-exporter | node-exporter | 9100 |
| uptime-kuma | uptime-kuma | 3001 |

External Access (Cloudflare Tunnel)

Tunnel is token-based — ingress rules live in the Cloudflare dashboard:
dash.cloudflare.com → Zero Trust → Networks → Tunnels

No local config.yml — all routing configured via the dashboard.

Pending

  • Update Cloudflare tunnel routes: links.kitestacks.com, status.kitestacks.com, llm.kitestacks.com → http://authentik:9000
  • Update Cloudflare tunnel route: tasks.kitestacks.com → http://openproject:80
  • Test SSO end-to-end for all services
  • Phase 2: add friend's Authentik account, verify auto-provisioning across all apps
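A cutover check for the three proxy-protected hostnames, written as an added example for this doc (it is not part of the kitestacks-homelab repo). It assumes the hostnames from the Pending list are reachable over HTTPS from outside the tunnel, and that an Authentik Proxy Provider answers an unauthenticated request by redirecting into its outpost path (/outpost.goauthentik.io/), whereas a route that still points at the service container returns the app itself. Running it before and after the dashboard change shows which routes still bypass the outpost.

```python
"""Check whether each tunnel route is fronted by the Authentik outpost.

Added example, not the project's own tooling. Assumptions (not in the doc):
hosts are probed as https://<host>/ without credentials; a protected route
redirects into /outpost.goauthentik.io/ (Authentik's proxy outpost path);
an unprotected route answers directly with the application (2xx).
"""
import urllib.error
import urllib.request
from typing import Optional

# Hostnames from the Pending list; all should route to http://authentik:9000 after cutover.
PROXY_HOSTS = ["links.kitestacks.com", "status.kitestacks.com", "llm.kitestacks.com"]

# Substrings in a redirect target that indicate the Authentik outpost took the request.
AUTHENTIK_MARKERS = ("/outpost.goauthentik.io/", "goauthentik")


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so the first hop can be inspected."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def classify(status: int, location: Optional[str]) -> str:
    """Classify one unauthenticated response.

    'protected'   : redirected into Authentik, or refused outright (401/403)
    'unprotected' : the backing app answered directly -> route still bypasses the outpost
    'unknown'     : anything else (5xx, redirect to an unrelated place); inspect by hand
    """
    if status in (401, 403):
        return "protected"
    if status in (301, 302, 303, 307, 308):
        target = (location or "").lower()
        return "protected" if any(m in target for m in AUTHENTIK_MARKERS) else "unknown"
    if 200 <= status < 300:
        return "unprotected"
    return "unknown"


def probe(host: str, timeout: float = 5.0) -> tuple[int, Optional[str]]:
    """Fetch https://host/ once, without following redirects; return (status, Location)."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(f"https://{host}/", headers={"User-Agent": "sso-cutover-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:
        # With redirects suppressed, every 3xx (and 4xx/5xx) arrives here.
        return err.code, err.headers.get("Location")


def report(hosts: list[str]) -> dict[str, str]:
    """Probe each host and return {host: classification}."""
    results = {}
    for host in hosts:
        try:
            status, location = probe(host)
            results[host] = classify(status, location)
        except (urllib.error.URLError, OSError) as err:
            results[host] = f"error: {err}"
    return results


if __name__ == "__main__":
    for host, verdict in report(PROXY_HOSTS).items():
        print(f"{host:28} {verdict}")
```

Any host reported as "unprotected" is still served straight from its container through the tunnel; "unknown" usually means the app's own login page or a non-Authentik redirect, which is also worth a look before ticking off the end-to-end SSO test.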

Excluded from SSO

  • Portainer — admin tool, excluded by design
  • Prometheus / Node Exporter — internal metrics, excluded by design
  • Homepage — public landing page, no auth needed