Vish/homelab-optimized

Files

Gitea Mirror Bot 1f453f302a

Documentation / Deploy to GitHub Pages (push) Has been cancelled

Details

Documentation / Build Docusaurus (push) Has been cancelled

Details

Sanitized mirror from private repository - 2026-04-05 10:10:45 UTC

2026-04-05 10:10:45 +00:00

5.0 KiB

Raw Blame History

SSO / OIDC Status

Identity Provider: Authentik at https://sso.vish.gg (runs on Calypso) Last updated: 2026-03-21

Configured Services

Service	URL	Authentik App Slug	Method	Notes
Grafana (Atlantis)	`gf.vish.gg`	—	OAuth2 generic	Pre-existing
Grafana (homelab-vm)	monitoring stack	—	OAuth2 generic	Pre-existing
Mattermost (matrix-ubuntu)	`mm.crista.love`	—	OpenID Connect	Pre-existing
Mattermost (homelab-vm)	—	—	GitLab-compat OAuth2	Pre-existing
Reactive Resume	`rx.vish.gg`	—	OAuth2	Pre-existing
Homarr	`dash.vish.gg`	—	OIDC	Pre-existing
Headscale	`headscale.vish.gg`	—	OIDC	Pre-existing
Headplane	—	—	OIDC	Pre-existing
Paperless-NGX	`docs.vish.gg`	`paperless`	django-allauth OIDC	Added 2026-03-16. Forward Auth removed from NPM 2026-03-21 (was causing redirect loop)
Hoarder	`hoarder.thevish.io`	`hoarder`	NextAuth OIDC	Added 2026-03-16
Portainer	`pt.vish.gg`	`portainer`	OAuth2	Migrated to pt.vish.gg 2026-03-16
Immich (Calypso)	`192.168.0.250:8212`	`immich`	immich-config.json OAuth2	Renamed to "Immich (Calypso)" 2026-03-16
Immich (Atlantis)	`atlantis.tail.vish.gg:8212`	`immich-atlantis`	immich-config.json OAuth2	Added 2026-03-16
Gitea	`git.vish.gg`	`gitea`	OpenID Connect	Added 2026-03-16
Actual Budget	`actual.vish.gg`	`actual-budget`	OIDC env vars	Added 2026-03-16. Forward Auth removed from NPM 2026-03-21 (was causing redirect loop)
Vaultwarden	`pw.vish.gg`	`vaultwarden`	SSO_ENABLED (testing image)	Added 2026-03-16, SSO works but local login preferred due to 2FA/security key

Authentik Provider Reference

Provider PK	Name	Client ID	Used By
2	Gitea OAuth2	`7KamS51a0H7V8HyIsfMKNJ8COstZEFh4Z8Em6ZhO`	Gitea
3	Portainer OAuth2	`fLLnVh8iUyJYdw5HKdt1Q7LHKJLLB8tLZwxmVhNs`	Portainer
4	Paperless (legacy Forward Auth)	—	Superseded by pk=18
11	Immich (Calypso)	`XSHhp1Hys1ZyRpbpGUv4iqu1y1kJXX7WIIFETqcL`	Immich Calypso
18	Paperless-NGX OIDC	`paperless`	Paperless docs.vish.gg
19	Hoarder	`hoarder`	Hoarder
20	Vaultwarden	`vaultwarden`	Vaultwarden
21	Actual Budget	`actual-budget`	Actual Budget
22	Immich (Atlantis)	`immich-atlantis`	Immich Atlantis

User Account Reference

Service	Login email/username	Notes
Authentik (`vish`)	`admin@thevish.io`	Primary SSO identity
Gitea	`admin@thevish.io`	Updated 2026-03-16
Paperless	`vish` / `admin@thevish.io`	OAuth linked to `vish` username
Hoarder	`admin@thevish.io`
Portainer	`vish` (username match)
Immich (both)	`admin@thevish.io`	oauthId=`vish`
Vaultwarden	`your-email@example.com`	Left as-is to preserve 2FA/security key
Actual Budget	auto-created on first login	`ACTUAL_USER_CREATION_MODE=login`

Known Issues / Quirks

Vaultwarden SSO

Requires vaultwarden/server:testing image (SSO not compiled into :latest)
SSO_AUTHORITY must include trailing slash to match Authentik's issuer URI
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION=true required (Authentik sends email_verified: False by default)
A custom email scope mapping email_verified true (pk=51d15142) returns True for Authentik
SSO login works but local login kept as primary due to security key/2FA dependency

Authentik email scope

Default Authentik email mapping hardcodes email_verified: False
Custom mapping email_verified true (pk=51d15142) created and applied to Vaultwarden provider
All other providers use the default mapping (most apps don't check this field)

Gitea OAuth2 source name case

Gitea sends Authentik (capital A) as the callback path
Both authentik and Authentik redirect URIs registered in Authentik provider pk=2

Portainer

Migrated from http://vishinator.synology.me:10000 to https://pt.vish.gg on 2026-03-16
Client secret was stale — resynced from Authentik provider

Immich (Atlantis) network issues

Container must be on immich-stack_default network (not immich_default or atlantis_default)
When recreating container manually, always reconnect to immich-stack_default before starting

Services Without SSO (candidates)

Service	OIDC Support	Effort	Notes
Paperless (Atlantis)	✅ same as Calypso	Low	Separate older instance
Audiobookshelf	✅ `AUTH_OPENID_*` env vars	Low
BookStack (Seattle)	✅ `AUTH_METHOD=oidc`	Low
Seafile	✅ `seahub_settings.py`	Medium	WebDAV at `dav.vish.gg`
NetBox	✅ `SOCIAL_AUTH_OIDC_*`	Medium
PhotoPrism	✅ `PHOTOPRISM_AUTH_MODE=oidc`	Medium
Firefly III	✅ via `stack.env`	Medium
Mastodon	✅ `.env.production`	Medium