Add staged Authentik stack and Grafana OIDC wiring
This commit is contained in:
64
identity-authentik/README.md
Normal file
64
identity-authentik/README.md
Normal file
@@ -0,0 +1,64 @@
|
||||
# Identity / SSO - Authentik
|
||||
|
||||
This stack stages an Authentik migration in parallel with the current Authelia deployment so cutover can happen app-by-app with easy rollback.
|
||||
|
||||
Current design choices:
|
||||
|
||||
- Authentik server + worker only
|
||||
- shared Postgres for durable storage
|
||||
- embedded outpost for Traefik forward-auth
|
||||
- no Redis dependency
|
||||
- no Docker socket mount
|
||||
- keep Authelia alive until all apps validate cleanly
|
||||
|
||||
Why this shape:
|
||||
|
||||
- it future-proofs the identity plane without turning migration into a flag day
|
||||
- it preserves easy rollback while Authentik is proven per app
|
||||
- it matches the homelab preference for shared database infra over one-off local state
|
||||
- embedded outpost is enough for this size and avoids extra moving parts
|
||||
|
||||
Files:
|
||||
|
||||
- docker-compose.yaml
|
||||
- .env.example
|
||||
- custom-templates/.gitkeep
|
||||
|
||||
Bootstrap:
|
||||
|
||||
1. Copy this directory to PD at /mnt/docker-ssd/docker/compose/identity-authentik
|
||||
2. Copy .env.example to .env and replace every CHANGE_ME
|
||||
3. Create the Authentik database/user in shared Postgres
|
||||
4. Validate and start:
|
||||
|
||||
cd /mnt/docker-ssd/docker/compose/identity-authentik
|
||||
docker compose --env-file .env config
|
||||
docker compose --env-file .env up -d
|
||||
|
||||
5. Verify readiness:
|
||||
|
||||
docker compose ps
|
||||
docker logs authentik-server --tail=50
|
||||
curl -fsS http://127.0.0.1:9000/-/health/ready/
|
||||
|
||||
6. Complete initial login with the bootstrap admin on the internal URL first, then wire the public auth route.
|
||||
7. Build providers before cutover:
|
||||
|
||||
- Grafana: OAuth2/OIDC provider
|
||||
- Gitea: proxy provider, forward auth, single application
|
||||
- Technitium: proxy provider, forward auth, single application
|
||||
- Traefik dashboard: proxy provider, forward auth, single application
|
||||
|
||||
8. Bind those proxy providers to the embedded outpost.
|
||||
9. Cut apps over one at a time from Authelia forward-auth to Authentik forward-auth.
|
||||
10. Only remove Authelia after every migrated app and logout flow is verified.
|
||||
|
||||
Notes:
|
||||
|
||||
- Authentik listens internally on port 9000 for HTTP and serves the embedded outpost paths there too.
|
||||
- The Traefik middleware should call:
|
||||
http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
|
||||
- Each forward-auth protected app also needs a higher-priority router for:
|
||||
PathPrefix(`/outpost.goauthentik.io/`)
|
||||
routed to Authentik, or the login flow will break.
|
||||
- Grafana should end on native OIDC instead of remaining behind forward-auth long-term.
|
||||
Reference in New Issue
Block a user