Files
truenas-stacks/docs/operations/IDENTITY_AND_SSO.md
Fizzlepoof 2057c8aaa5
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled
Cut Doris over to Authentik ingress
2026-05-24 18:59:36 +00:00

3.8 KiB

Identity and SSO

Authentik is the public identity provider for the homelab. Authelia remains available internally on PD as legacy migration-only plumbing while older routes are retired.

Why Authentik

  • centralizes auth for the growing pile of web apps
  • works with shared Postgres/Redis already in the lab
  • supports OIDC for apps that speak it properly
  • avoids inventing separate local auth for every exposed service

Current scope

  • stack path: identity/
  • host target: PlausibleDeniability
  • public entrypoint: https://authentik.paccoco.com (https://auth.paccoco.com is now just a compatibility redirect)
  • status: Authentik is the public login front door; Traefik now protects doris.paccoco.com through the embedded outpost and Authelia is no longer intended for direct public use

Access-control direction

Traefik is the internal router. Authentik is now the preferred public auth layer via native OIDC or embedded outpost forward-auth; Authelia is retained only for legacy/internal migration cases still being retired.

Current intended protected domains:

  • doris.paccoco.com
  • gitea.paccoco.com
  • grafana.paccoco.com
  • traefik.paccoco.com

App-native SSO exception:

  • dns.paccoco.com now uses Technitium's own OIDC flow with Authentik instead of Traefik forward-auth, so the app owns /sso/login and /sso/callback directly.

Current baseline group policy:

  • admins -> full access to the domains above

Planned expansion pattern:

  • create additional Authelia groups per audience or app class
  • grant access in access_control.rules by domain + group:<name> subject
  • keep Pangolin SSO disabled for routes that Traefik/Authelia protect, to avoid double auth

Initial bootstrap flow

  1. Copy identity/.env.example to identity/.env and generate fresh secrets.
  2. Copy identity/authelia/configuration.yml.example to identity/authelia/configuration.yml.
  3. Render concrete secrets and passwords into identity/authelia/configuration.yml on PD; do not rely on runtime env interpolation inside the YAML.
  4. Copy identity/authelia/users_database.example.yml to identity/authelia/users_database.yml.
  5. Generate an Argon2 password hash with the Authelia image and replace the sample hash.
  6. Create the authelia Postgres database and user in the shared database stack.
  7. Set AUTHELIA_SESSION_REDIS_PASSWORD from the live shared Redis stack on PD.
  8. Add a Pangolin resource for auth.paccoco.com pointing at container authelia:9091.
  9. Validate with docker compose --env-file .env config and docker exec authelia authelia config validate --config /config/configuration.yml.

Rollout order

This repo stage is the control-plane bootstrap, not the full client cutover.

After Authelia is healthy on PD, wire OIDC or forward-auth clients one at a time.

Recommended first targets:

  • Grafana
  • Gitea
  • any new public app before it gains yet another standalone login

Grafana first-cutover notes

  • Use Authelia OIDC as a Generic OAuth provider in Grafana.
  • Keep Grafana's local admin login enabled for the first rollout.
  • After OIDC is verified, disable Pangolin auth in front of Grafana to avoid double-auth.

Gitea prep notes

  • The live Gitea stack is the dev/ compose on PD.
  • Disable public self-registration before or during the SSO prep pass.
  • Keep local admin login working for the first OIDC test.
  • Stage the exact Gitea auth-source values in docs/operations/GITEA_SSO_PREP.md before creating the live source.

Notes

  • File-backed users are intentional for the initial rollout; this is enough for the current household scale.
  • If identity sprawl grows later, migrate the authentication backend to LDAP instead of bolting extra auth stores onto apps ad hoc.
  • OIDC signing keys and per-app client secrets should be generated during deployment on PD, not committed to the repo.