20856f7f18
Added Authentik as the identity provider for SSO authentication:
Why Authentik:
- MIT license (truly open source, most permissive)
- Simple Docker Compose deployment (no manual wizards)
- Lightweight Python-based architecture
- Comprehensive protocol support (SAML, OAuth2/OIDC, LDAP, RADIUS)
- No Redis required as of v2025.10 (all caching in PostgreSQL)
- Active development and strong community
Implementation:
- Created complete Authentik Ansible role
- Docker Compose with server + worker architecture
- PostgreSQL 16 database backend
- Traefik integration with Let's Encrypt SSL
- Bootstrap tasks for initial setup guidance
- Health checks and proper service dependencies
Architecture decisions updated:
- Documented comparison: Authentik vs Zitadel vs Keycloak
- Explained Zitadel removal (FirstInstance bugs)
- Added deployment example and configuration notes
Next steps:
- Update documentation (PROJECT_REFERENCE.md, README.md)
- Create Authentik agent configuration
- Add secrets template
- Test deployment on test server
🤖 Generated with Claude Code
Co-Authored-By: Claude <noreply@anthropic.com>
48 lines
1.4 KiB
YAML
48 lines
1.4 KiB
YAML
---
|
|
# Bootstrap tasks for initial Authentik configuration
|
|
|
|
- name: Check if bootstrap already completed
|
|
stat:
|
|
path: "{{ authentik_config_dir }}/.bootstrap_complete"
|
|
register: bootstrap_flag
|
|
|
|
- name: Bootstrap Authentik instance
|
|
when: not bootstrap_flag.stat.exists
|
|
block:
|
|
- name: Wait for Authentik to be fully ready
|
|
uri:
|
|
url: "https://{{ authentik_domain }}/"
|
|
validate_certs: yes
|
|
status_code: [200, 302]
|
|
register: authentik_ready
|
|
until: authentik_ready.status in [200, 302]
|
|
retries: 30
|
|
delay: 10
|
|
|
|
- name: Display bootstrap instructions
|
|
debug:
|
|
msg: |
|
|
========================================
|
|
Authentik is running!
|
|
========================================
|
|
|
|
URL: https://{{ authentik_domain }}
|
|
|
|
Initial Setup:
|
|
1. Visit: https://{{ authentik_domain }}/if/flow/initial-setup/
|
|
2. Create admin account (username: akadmin recommended)
|
|
3. Configure email settings in Admin UI
|
|
4. Create OAuth2/OIDC provider for Nextcloud integration
|
|
|
|
Documentation: https://docs.goauthentik.io
|
|
|
|
- name: Mark bootstrap as complete
|
|
file:
|
|
path: "{{ authentik_config_dir }}/.bootstrap_complete"
|
|
state: touch
|
|
mode: '0600'
|
|
|
|
- name: Bootstrap already completed
|
|
debug:
|
|
msg: "Authentik bootstrap already completed, skipping initialization"
|
|
when: bootstrap_flag.stat.exists
|