technitium-pilot: document and wire native oidc sso
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled

This commit is contained in:
Fizzlepoof
2026-05-23 22:17:35 +00:00
parent c1f6dce227
commit 26d5407b86
3 changed files with 20 additions and 0 deletions

View File

@@ -6,4 +6,13 @@ TECHNITIUM_BIND_IP=10.5.30.8
APPDATA_TECHNITIUM_ROOT=/mnt/tank/docker/appdata/technitium-pilot APPDATA_TECHNITIUM_ROOT=/mnt/tank/docker/appdata/technitium-pilot
DNS_SERVER_DOMAIN=dns.home.paccoco.com DNS_SERVER_DOMAIN=dns.home.paccoco.com
DNS_SERVER_ADMIN_PASSWORD=CHANGE_ME DNS_SERVER_ADMIN_PASSWORD=CHANGE_ME
DNS_SERVER_SSO_ENABLED=false
DNS_SERVER_SSO_AUTHORITY=
DNS_SERVER_SSO_CLIENT_ID=
DNS_SERVER_SSO_CLIENT_SECRET=
DNS_SERVER_SSO_METADATA_ADDRESS=
DNS_SERVER_SSO_SCOPES=openid profile email groups
DNS_SERVER_SSO_ALLOW_SIGNUP=false
DNS_SERVER_SSO_ALLOW_SIGNUP_ONLY_FOR_MAPPED_USERS=true
DNS_SERVER_SSO_GROUP_MAP=authentik Admins=Administrators
DNS_SERVER_BLOCK_LIST_URLS=https://big.oisd.nl/ DNS_SERVER_BLOCK_LIST_URLS=https://big.oisd.nl/

View File

@@ -28,5 +28,7 @@ Notes:
- The stack binds only to `TECHNITIUM_BIND_IP`, so PD must have that secondary address present on `LAN_INTERFACE` before `docker compose up`. - The stack binds only to `TECHNITIUM_BIND_IP`, so PD must have that secondary address present on `LAN_INTERFACE` before `docker compose up`.
- The helper script adds the pilot IP alias read/write on the live host for the current boot only. That is deliberate for pilot safety. - The helper script adds the pilot IP alias read/write on the live host for the current boot only. That is deliberate for pilot safety.
- Technitium reads the environment initialization only on first boot when `/etc/dns` is empty. If you need to re-seed initial settings, stop the container and clear the config directory first. - Technitium reads the environment initialization only on first boot when `/etc/dns` is empty. If you need to re-seed initial settings, stop the container and clear the config directory first.
- SSO-capable deployments should set the `DNS_SERVER_SSO_*` variables. Keep a known local admin account as rollback because Technitium may only apply initial auth/env seeding cleanly on first boot or with an empty `/etc/dns` config dir.
- Authentik native OIDC callback for Technitium is `https://dns.paccoco.com/sso/callback`.
- The authoritative zone `home.paccoco.com` is now hosted in Technitium with `dns.home.paccoco.com -> 10.5.30.8`. - The authoritative zone `home.paccoco.com` is now hosted in Technitium with `dns.home.paccoco.com -> 10.5.30.8`.
- Clients will resolve `dns.home.paccoco.com` only when they query Technitium directly, or after DHCP/cutover points them at Technitium. - Clients will resolve `dns.home.paccoco.com` only when they query Technitium directly, or after DHCP/cutover points them at Technitium.

View File

@@ -11,6 +11,15 @@ services:
environment: environment:
DNS_SERVER_DOMAIN: ${DNS_SERVER_DOMAIN} DNS_SERVER_DOMAIN: ${DNS_SERVER_DOMAIN}
DNS_SERVER_ADMIN_PASSWORD: ${DNS_SERVER_ADMIN_PASSWORD} DNS_SERVER_ADMIN_PASSWORD: ${DNS_SERVER_ADMIN_PASSWORD}
DNS_SERVER_SSO_ENABLED: ${DNS_SERVER_SSO_ENABLED:-false}
DNS_SERVER_SSO_AUTHORITY: ${DNS_SERVER_SSO_AUTHORITY:-}
DNS_SERVER_SSO_CLIENT_ID: ${DNS_SERVER_SSO_CLIENT_ID:-}
DNS_SERVER_SSO_CLIENT_SECRET: ${DNS_SERVER_SSO_CLIENT_SECRET:-}
DNS_SERVER_SSO_METADATA_ADDRESS: ${DNS_SERVER_SSO_METADATA_ADDRESS:-}
DNS_SERVER_SSO_SCOPES: ${DNS_SERVER_SSO_SCOPES:-openid profile email groups}
DNS_SERVER_SSO_ALLOW_SIGNUP: ${DNS_SERVER_SSO_ALLOW_SIGNUP:-false}
DNS_SERVER_SSO_ALLOW_SIGNUP_ONLY_FOR_MAPPED_USERS: ${DNS_SERVER_SSO_ALLOW_SIGNUP_ONLY_FOR_MAPPED_USERS:-true}
DNS_SERVER_SSO_GROUP_MAP: ${DNS_SERVER_SSO_GROUP_MAP:-authentik Admins=Administrators}
DNS_SERVER_WEB_SERVICE_HTTP_PORT: "80" DNS_SERVER_WEB_SERVICE_HTTP_PORT: "80"
DNS_SERVER_WEB_SERVICE_HTTPS_PORT: "443" DNS_SERVER_WEB_SERVICE_HTTPS_PORT: "443"
DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS: "true" DNS_SERVER_WEB_SERVICE_ENABLE_HTTPS: "true"