20856f7f18
Added Authentik as the identity provider for SSO authentication:
Why Authentik:
- MIT license (truly open source, most permissive)
- Simple Docker Compose deployment (no manual wizards)
- Lightweight Python-based architecture
- Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS)
- No Redis required as of v2025.10 (all caching in PostgreSQL)
- Active development and strong community
Implementation:
- Created complete Authentik Ansible role
- Docker Compose with server + worker architecture
- PostgreSQL 16 database backend
- Traefik integration with Let's Encrypt SSL
- Bootstrap tasks for initial setup guidance
- Health checks and proper service dependencies
Architecture decisions updated:
- Documented comparison: Authentik vs Zitadel vs Keycloak
- Explained Zitadel removal (FirstInstance bugs)
- Added deployment example and configuration notes
Next steps:
- Update documentation (PROJECT_REFERENCE.md, README.md)
- Create Authentik agent configuration
- Add secrets template
- Test deployment on test server
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
25 lines
595 B
YAML
25 lines
595 B
YAML
---
|
|
# Defaults for Authentik role
|
|
|
|
# Authentik version
|
|
authentik_version: "2025.10.3"
|
|
authentik_image: "ghcr.io/goauthentik/server"
|
|
|
|
# PostgreSQL configuration
|
|
authentik_db_user: "authentik"
|
|
authentik_db_name: "authentik"
|
|
|
|
# Ports (internal to Docker network, exposed via Traefik)
|
|
authentik_http_port: 9000
|
|
authentik_https_port: 9443
|
|
|
|
# Docker configuration
|
|
authentik_config_dir: "/opt/docker/authentik"
|
|
authentik_network: "authentik-internal"
|
|
authentik_traefik_network: "traefik"
|
|
|
|
# Domain (set per client)
|
|
# authentik_domain: "auth.example.com"
|
|
|
|
# Bootstrap settings
|
|
authentik_bootstrap: true
|