3.8 KiB
3.8 KiB
Identity and SSO
Authentik is the public identity provider for the homelab. Authelia remains available internally on PD as legacy migration-only plumbing while older routes are retired.
Why Authentik
- centralizes auth for the growing pile of web apps
- works with shared Postgres/Redis already in the lab
- supports OIDC for apps that speak it properly
- avoids inventing separate local auth for every exposed service
Current scope
- stack path: identity/
- host target: PlausibleDeniability
- public entrypoint:
https://authentik.paccoco.com(https://auth.paccoco.comis now just a compatibility redirect) - status: Authentik is the public login front door; Traefik now protects
doris.paccoco.comthrough the embedded outpost and Authelia is no longer intended for direct public use
Access-control direction
Traefik is the internal router. Authentik is now the preferred public auth layer via native OIDC or embedded outpost forward-auth; Authelia is retained only for legacy/internal migration cases still being retired.
Current intended protected domains:
doris.paccoco.comgitea.paccoco.comgrafana.paccoco.comtraefik.paccoco.com
App-native SSO exception:
dns.paccoco.comnow uses Technitium's own OIDC flow with Authentik instead of Traefik forward-auth, so the app owns/sso/loginand/sso/callbackdirectly.
Current baseline group policy:
admins-> full access to the domains above
Planned expansion pattern:
- create additional Authelia groups per audience or app class
- grant access in
access_control.rulesby domain +group:<name>subject - keep Pangolin SSO disabled for routes that Traefik/Authelia protect, to avoid double auth
Initial bootstrap flow
- Copy identity/.env.example to identity/.env and generate fresh secrets.
- Copy identity/authelia/configuration.yml.example to identity/authelia/configuration.yml.
- Render concrete secrets and passwords into identity/authelia/configuration.yml on PD; do not rely on runtime env interpolation inside the YAML.
- Copy identity/authelia/users_database.example.yml to identity/authelia/users_database.yml.
- Generate an Argon2 password hash with the Authelia image and replace the sample hash.
- Create the authelia Postgres database and user in the shared database stack.
- Set
AUTHELIA_SESSION_REDIS_PASSWORDfrom the live shared Redis stack on PD. - Add a Pangolin resource for auth.paccoco.com pointing at container authelia:9091.
- Validate with docker compose --env-file .env config and docker exec authelia authelia config validate --config /config/configuration.yml.
Rollout order
This repo stage is the control-plane bootstrap, not the full client cutover.
After Authelia is healthy on PD, wire OIDC or forward-auth clients one at a time.
Recommended first targets:
- Grafana
- Gitea
- any new public app before it gains yet another standalone login
Grafana first-cutover notes
- Use Authelia OIDC as a Generic OAuth provider in Grafana.
- Keep Grafana's local admin login enabled for the first rollout.
- After OIDC is verified, disable Pangolin auth in front of Grafana to avoid double-auth.
Gitea prep notes
- The live Gitea stack is the
dev/compose on PD. - Disable public self-registration before or during the SSO prep pass.
- Keep local admin login working for the first OIDC test.
- Stage the exact Gitea auth-source values in
docs/operations/GITEA_SSO_PREP.mdbefore creating the live source.
Notes
- File-backed users are intentional for the initial rollout; this is enough for the current household scale.
- If identity sprawl grows later, migrate the authentication backend to LDAP instead of bolting extra auth stores onto apps ad hoc.
- OIDC signing keys and per-app client secrets should be generated during deployment on PD, not committed to the repo.