Files
truenas-stacks/identity/README.md

66 lines
2.3 KiB
Markdown

# Identity / SSO
This stack introduces Authelia as the homelab identity plane.
Current design choices:
- Authelia only, no LDAP yet
- shared Postgres for durable storage
- shared Redis for session storage
- file-backed users database for initial bootstrap
- Pangolin/Newt exposure at auth.paccoco.com
Why this shape:
- it gets a real SSO control plane online without dragging in extra moving parts
- it matches the homelab preference for shared DB infrastructure over SQLite
- file users are fine at this size and can be migrated to LDAP later if needed
Files:
- docker-compose.yaml
- .env.example
- authelia/configuration.yml.example
- authelia/users_database.example.yml
Bootstrap:
1. Copy this directory to PD at /mnt/docker-ssd/docker/compose/identity
2. Copy .env.example to .env and replace every CHANGE_ME
3. Copy authelia/configuration.yml.example to authelia/configuration.yml
4. Render concrete secrets into `authelia/configuration.yml`; do not leave template placeholders or `${...}` references in the live file.
5. Copy authelia/users_database.example.yml to authelia/users_database.yml
6. Create an Authelia password hash:
docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'CHANGE_ME'
7. Replace the sample hash in users_database.yml
8. Create the authelia database/user in shared Postgres
9. Set `AUTHELIA_SESSION_REDIS_PASSWORD` from the live shared Redis stack on PD.
10. Create a Pangolin resource:
Domain: auth.paccoco.com
Scheme: http
Host: authelia
Port: 9091
11. Validate and start:
cd /mnt/docker-ssd/docker/compose/identity
docker compose --env-file .env config
docker compose --env-file .env up -d
docker exec authelia authelia config validate --config /config/configuration.yml
This repo stage gives you the identity control plane itself.
OIDC client rollout is intentionally a second pass because it needs:
- a real signing-key strategy
- per-app client IDs and secrets
- app-specific callback URLs verified against live domains
First client recommendation:
- Grafana via Generic OAuth against Authelia OIDC
- Keep Grafana local-admin login enabled for the first cutover so recovery is easy if the public auth route or claims mapping is wrong
Do not try to wire every app at once. Get Authelia healthy first, then cut services over one at a time.