homelab-optimized/docs/services/individual/authentik.md

# Authentik - SSO / Identity Provider

**Host**: Calypso (DS723+)  
**Domain**: `sso.vish.gg`  
**Ports**: 9000 (HTTP), 9443 (HTTPS)  
**Compose File**: `Calypso/authentik/docker-compose.yaml`

## Overview

Authentik provides Single Sign-On (SSO) and identity management for homelab services. It supports:
- OAuth2 / OpenID Connect
- SAML 2.0
- LDAP
- Proxy authentication (forward auth)
- SCIM provisioning

## Architecture

```
┌─────────────────────────────────────────────────────────────────┐
│                        Cloudflare DNS                            │
│                      (sso.vish.gg → Calypso)                    │
└─────────────────────┬───────────────────────────────────────────┘
                      │
                      ▼
┌─────────────────────────────────────────────────────────────────┐
│                   Synology Reverse Proxy                         │
│              (sso.vish.gg → localhost:9000)                     │
└─────────────────────┬───────────────────────────────────────────┘
                      │
                      ▼
┌─────────────────────────────────────────────────────────────────┐
│                     Authentik Stack                              │
│  ┌──────────────┐  ┌──────────────┐  ┌──────────────┐          │
│  │ authentik-   │  │ authentik-   │  │ authentik-   │          │
│  │   server     │◄─┤   worker     │  │    redis     │          │
│  │  (9000)      │  │              │  │              │          │
│  └──────┬───────┘  └──────┬───────┘  └──────────────┘          │
│         │                 │                                      │
│         ▼                 ▼                                      │
│  ┌────────────────────────────────┐                             │
│  │        authentik-db            │                             │
│  │       (PostgreSQL 16)          │                             │
│  └────────────────────────────────┘                             │
└─────────────────────────────────────────────────────────────────┘
```

## Initial Setup

### 1. Deploy the Stack

Deploy via Portainer GitOps - the stack will auto-pull from the repository.

### 2. Configure DNS

Add DNS record in Cloudflare:
- **Type**: A or CNAME
- **Name**: sso
- **Target**: Your Calypso IP or DDNS hostname
- **Proxy**: Orange cloud ON (recommended for DDoS protection)

### 3. Configure Synology Reverse Proxy

In DSM → Control Panel → Login Portal → Advanced → Reverse Proxy:

| Setting | Value |
|---------|-------|
| Description | Authentik SSO |
| Source Protocol | HTTPS |
| Source Hostname | sso.vish.gg |
| Source Port | 443 |
| Enable HSTS | Yes |
| Destination Protocol | HTTP |
| Destination Hostname | localhost |
| Destination Port | 9000 |

**Custom Headers** (Add these):
| Header | Value |
|--------|-------|
| X-Forwarded-Proto | $scheme |
| X-Forwarded-For | $proxy_add_x_forwarded_for |
| Host | $host |

**WebSocket** (Enable):
- Check "Enable WebSocket"

### 4. Initial Admin Setup

1. Navigate to `https://sso.vish.gg/if/flow/initial-setup/`
2. Create your admin account (default username: akadmin)
3. Set a strong password
4. Complete the setup wizard

## Integrating Services

### Grafana (gf.vish.gg)

1. **In Authentik**: Create OAuth2/OIDC Provider
   - Name: Grafana
   - Client ID: (copy this)
   - Client Secret: (generate and copy)
   - Redirect URIs: `https://gf.vish.gg/login/generic_oauth`

2. **In Grafana** (grafana.ini or environment):
   ```ini
   [auth.generic_oauth]
   enabled = true
   name = Authentik
   allow_sign_up = true
   client_id = YOUR_CLIENT_ID
   client_secret = YOUR_CLIENT_SECRET
   scopes = openid profile email
   auth_url = https://sso.vish.gg/application/o/authorize/
   token_url = https://sso.vish.gg/application/o/token/
   api_url = https://sso.vish.gg/application/o/userinfo/
   role_attribute_path = contains(groups[*], 'Grafana Admins') && 'Admin' || 'Viewer'
   ```

### Gitea (git.vish.gg)

1. **In Authentik**: Create OAuth2/OIDC Provider
   - Name: Gitea
   - Redirect URIs: `https://git.vish.gg/user/oauth2/authentik/callback`

2. **In Gitea**: Settings → Authentication → Add OAuth2
   - Provider: OpenID Connect
   - Client ID: (from Authentik)
   - Client Secret: (from Authentik)
   - OpenID Connect Auto Discovery URL: `https://sso.vish.gg/application/o/gitea/.well-known/openid-configuration`

### Seafile (seafile.vish.gg)

1. **In Authentik**: Create OAuth2/OIDC Provider
   - Name: Seafile
   - Redirect URIs: `https://seafile.vish.gg/oauth/callback/`

2. **In Seafile** (seahub_settings.py):
   ```python
   ENABLE_OAUTH = True
   OAUTH_ENABLE_INSECURE_TRANSPORT = False
   OAUTH_CLIENT_ID = 'YOUR_CLIENT_ID'
   OAUTH_CLIENT_SECRET = 'YOUR_CLIENT_SECRET'
   OAUTH_REDIRECT_URL = 'https://seafile.vish.gg/oauth/callback/'
   OAUTH_PROVIDER_DOMAIN = 'sso.vish.gg'
   OAUTH_AUTHORIZATION_URL = 'https://sso.vish.gg/application/o/authorize/'
   OAUTH_TOKEN_URL = 'https://sso.vish.gg/application/o/token/'
   OAUTH_USER_INFO_URL = 'https://sso.vish.gg/application/o/userinfo/'
   OAUTH_SCOPE = ['openid', 'profile', 'email']
   OAUTH_ATTRIBUTE_MAP = {
       'id': (True, 'email'),
       'email': (True, 'email'),
       'name': (False, 'name'),
   }
   ```

### Forward Auth (Proxy Provider)

For services that don't support OAuth natively, use Authentik's proxy provider:

1. **In Authentik**: Create Proxy Provider
   - Name: Protected Service
   - External Host: https://service.vish.gg
   - Mode: Forward auth (single application)

2. **In Synology Reverse Proxy**: Add auth headers
   - Forward requests to Authentik's outpost first

## Backup & Recovery

### Data Locations
| Data | Path | Backup Priority |
|------|------|-----------------|
| Database | `/volume1/docker/authentik/database` | Critical |
| Media | `/volume1/docker/authentik/media` | High |
| Templates | `/volume1/docker/authentik/templates` | Medium |

### Backup Command
```bash
# On Calypso via SSH
docker exec Authentik-DB pg_dump -U authentik authentik > /volume1/backups/authentik_$(date +%Y%m%d).sql
```

### Restore
```bash
docker exec -i Authentik-DB psql -U authentik authentik < backup.sql
```

## Troubleshooting

### Check Logs
```bash
docker logs Authentik-SERVER
docker logs Authentik-WORKER
```

### Database Connection Issues
```bash
docker exec Authentik-DB pg_isready -U authentik
```

### Reset Admin Password
```bash
docker exec -it Authentik-SERVER ak create_recovery_key 10 akadmin
```
This creates a recovery link valid for 10 minutes.

## Security Considerations

- Authentik is the gateway to all services - protect it well
- Use a strong admin password
- Enable 2FA for admin accounts
- Regularly rotate the AUTHENTIK_SECRET_KEY (requires re-authentication)
- Keep the PostgreSQL password secure
- Consider IP restrictions in Cloudflare for admin paths

## Related Documentation

- [Official Docs](https://docs.goauthentik.io/)
- [OAuth2 Provider Setup](https://docs.goauthentik.io/docs/providers/oauth2/)
- [Proxy Provider Setup](https://docs.goauthentik.io/docs/providers/proxy/)