Move all Authentik troubleshooting guides into dedicated subdirectory:
- DIAGNOSTIK-AUTHENTIK-FLOW.md
- AUTHENTIK-FIX-TEMPLATE.md
- AUTHENTIK-INVITATION-FLOW-FIX.md
- AUTHENTIK-CREATE-INVITATION-FLOW.md
Add README.md with:
- Quick reference guide for each document
- Scenario-based navigation
- Known issues tracking
- Tips and best practices
This keeps the root directory clean and organizes related guides together.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

Root cause analysis:
- Only one matrix-enrollment flow exists
- Used for both standard signup AND invitations
- Causes flow conflicts: 'Found existing plan for other flow'
- Error when Klaus's enrollment was attempted: 'kein ausstehender benutzer Anfrage wurde verweigert' ('no pending user, request was denied')
Solution:
- Create separate matrix-invitation flow
- Use for invitation links only
- Prevents conflicts and allows proper field capture (email is mandatory)
This guide provides:
1. Step-by-step flow creation (5 stages)
2. Field configuration for Prompt Stage
3. Binding setup for each stage
4. Testing procedure with invitation link
5. Troubleshooting checklist
Related issues: Klaus enrollment failure, Boje enrollment failure
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

The Invitation Flow is not properly configured:
- Only username is captured during invitations
- Email field is missing (required for OIDC token generation)
- 'Fehler fehlende Rechte' ('error: missing permissions') error indicates incomplete user data
This guide walks through:
1. Diagnosing the current Invitation Flow configuration
2. Creating/repairing the Prompt Stage with email field
3. Adding the Prompt Stage to the Invitation Flow
4. Testing the complete enrollment process
Related to: User Boje enrollment failure via invitation link
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

- DIAGNOSTIK-AUTHENTIK-FLOW.md: Comprehensive troubleshooting guide
- AUTHENTIK-FIX-TEMPLATE.md: Repair instructions for common issues
These guides help debug why the Boje user was created in Authentik but not synchronized to Matrix.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

- Add upstream_oauth2_config with Authentik provider credentials
- Configure OIDC with client_id and client_secret from Authentik
- Disable local password authentication (OIDC-only login)
- Set claims mapping: subject, localpart, displayname, email
This enables users to log in via the Authentik OIDC provider with email
and username claims properly mapped for Matrix user provisioning.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

- deploy-on-push.yml: Verify YAML, check SOPS encryption, notify on deployments
- milestone-release.yml: Auto-create releases on milestone tags
Triggers:
- deploy-on-push: On any push to main (apps/clusters changes)
- milestone-release: On git tag m*-*-complete
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

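The "check SOPS encryption" step of the deploy-on-push workflow is the gate that keeps plaintext Secrets out of the cluster repo. The following is an added example of such a gate, not the repository's own workflow code: it relies on the shape SOPS leaves behind (a top-level `sops:` block carrying a MAC, and every leaf value rewritten as `ENC[AES256_GCM,data:...,type:str]`). The directory layout it is pointed at, the sample file names and the constructed `ENC[...]` values in the comments are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the repository's deploy-on-push.yml step. Fails the run
# when a Kubernetes Secret manifest is committed in plaintext. SOPS writes a
# top-level "sops:" block with a MAC and rewrites every leaf value as
# ENC[AES256_GCM,data:...,type:str]; anything else under data:/stringData:
# is a secret in clear. Directory layout and file names are assumptions.
set -eu

# 0 when the file carries SOPS metadata (including the MAC that detects
# tampering) and no plaintext value survives under data:/stringData:.
check_sops_encrypted() {
  file="$1"
  if ! grep -Eq '^sops:' "$file"; then
    echo "$file: no sops metadata block; file is not encrypted" >&2
    return 1
  fi
  if ! grep -Eq '^[[:space:]]+mac:[[:space:]]*ENC\[' "$file"; then
    echo "$file: sops block carries no MAC (hand-written or tampered?)" >&2
    return 1
  fi
  # Walk top-level keys; inside data:/stringData: every "key: value" line
  # must have a value starting with ENC[ or the secret was committed in clear.
  leaks="$(awk '
    /^[^ \t]/ { in_secret = ($0 ~ /^(data|stringData):/); next }
    in_secret && /^[ \t]+[^ \t#][^:]*:[ \t]*[^ \t]/ {
      val = $0
      sub(/^[^:]*:[ \t]*/, "", val)
      if (val !~ /^ENC\[/) print FILENAME ": plaintext value under " $1
    }' "$file")"
  if [ -n "$leaks" ]; then
    echo "$leaks" >&2
    return 1
  fi
  return 0
}

# Check every Secret manifest directly inside a directory. ConfigMaps and
# other kinds are skipped. A non-zero exit status is what fails the CI job.
check_secrets_dir() {
  dir="$1"
  rc=0
  for f in "$dir"/*.yaml; do
    [ -f "$f" ] || continue
    grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$f" || continue
    check_sops_encrypted "$f" || rc=1
  done
  return "$rc"
}
```

In the workflow step this is called as `check_secrets_dir <path-to-secrets>` (the path is whatever the repo uses); because the function returns non-zero on the first plaintext value, the job fails before anything reaches Flux. The MAC check matters as much as the ENC[ check: a file someone assembled by hand to look encrypted has no MAC that SOPS could verify on decrypt.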
Add at the top of TASKS.md:
- Status Summary table (quick view of progress)
- Priority distribution (CRITICAL/HIGH/MEDIUM/LOW)
- Next Steps section (this week, 1-2 weeks)
- Each task includes: description, effort estimate, blocking factors
Makes task list immediately actionable and progress trackable.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

Create docs/deployment-guides/ directory with comprehensive README covering:
- Deployment order for all 5 major features
- Architecture overview
- Critical values & configuration
- Links to detailed guides
Full documentation files:
- 01-turn-server-setup.md
- 02-authentik-identity-provider.md
- 03-monitoring-integration.md
- 04-element-customization.md
- 05-room-policies.md
To be added in follow-up commits.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

- Dockerfile with all required tools (kubectl, flux, helm, sops, age, etc.)
- devcontainer.json with VSCode config and extensions
- postCreateCommand.sh for setup verification
- Comprehensive README with setup instructions for macOS, Windows/WSL2, Linux
- Automatic mounts for kubeconfig, SSH keys, age encryption keys
- SOPS_AGE_KEY_FILE and KUBECONFIG pre-configured
Enables development on Windows, macOS, and Linux with a consistent environment.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

The config.json was truncated and had unclosed brackets. This prevented
Helm from properly merging the ElementWeb configuration, so the custom themes
were never loaded into the cluster.
This fix:
- Closes the unclosed JSON brackets
- Validates the full JSON structure
- Removes duplicate/extra closing brackets
- Ensures all 6 custom themes are properly included
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

- Add pre-commit hook (scripts/hooks/pre-commit) that automatically calculates
MD5 checksums of ConfigMaps (element-values.yaml, synapse-values.yaml)
- Update annotations in kustomization.yaml to trigger Flux CD HelmRelease syncs
- Add install script (scripts/install-hooks.sh) for easy hook setup
- Add comprehensive documentation (docs/ops-configmap-sync.md) explaining:
* Why Flux doesn't auto-detect ConfigMap changes
* How the checksum-based workaround works
* How to install and use the hook
* Troubleshooting and manual sync procedures
- Update README.md with post-clone hook installation step
This solves the issue where Flux CD doesn't automatically re-deploy when external
ConfigMaps are modified. Users no longer need manual checksum updates.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

- Reduce HelmRelease interval from 1h to 5m for faster sync
- Add checksum annotation to trigger reconciliation when element-values.yaml changes
- This ensures Flux CD re-deploys the chart when themes/config updates are made
To update the checksum after editing element-values.yaml:
md5sum apps/production/custom-configs/element-values.yaml
# Update the value in apps/production/kustomization.yaml patches[0].patch
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

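The pre-commit hook commit and this checksum-annotation commit rely on the same mechanism: Flux only reconciles a HelmRelease when its manifest changes, so a checksum of the values file is written into an annotation on the HelmRelease patch, and any edit to the values file changes the annotation and therefore the manifest. The following is an added example of such a hook, not the repository's scripts/hooks/pre-commit (which is not shown on this page). The annotation key `values-checksum`, the exact layout of the inline patch and the sample file contents are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not the repository's own scripts/hooks/pre-commit.
# Writes the checksum of a values file into an annotation inside the
# kustomization patch so the HelmRelease manifest changes whenever the values
# file does. Annotation key "values-checksum" and file layout are assumptions.
set -eu

ANNOTATION_KEY="${ANNOTATION_KEY:-values-checksum}"

# Checksum of a file. MD5 matches the project's hook; it is only a change
# detector here, not an integrity control, so collision resistance is moot.
file_checksum() {
  md5sum "$1" | awk '{print $1}'
}

# Rewrite the annotation value in kustomization_file with the checksum of
# values_file and print the new checksum. Exit 1 when the annotation is
# missing, so a misconfigured hook is noticed instead of silently doing nothing.
update_checksum() {
  values_file="$1"
  kustomization_file="$2"
  sum="$(file_checksum "$values_file")"
  if ! grep -Eq "^[[:space:]]*${ANNOTATION_KEY}:[[:space:]]*\"?[0-9a-fA-F]*\"?[[:space:]]*$" "$kustomization_file"; then
    echo "annotation '${ANNOTATION_KEY}' not found in ${kustomization_file}" >&2
    return 1
  fi
  # Keep indentation and quoting, replace only the hex value (idempotent).
  sed -i.bak -E "s|^([[:space:]]*${ANNOTATION_KEY}:[[:space:]]*\"?)[0-9a-fA-F]*(\"?[[:space:]]*)$|\1${sum}\2|" "$kustomization_file"
  rm -f "${kustomization_file}.bak"
  echo "$sum"
}

# Hook entry point: each argument is VALUES_FILE:KUSTOMIZATION_FILE. Only
# values files staged in this commit are processed, and the rewritten
# kustomization is staged too so the new checksum lands in the same commit.
hook_main() {
  for pair in "$@"; do
    values="${pair%%:*}"
    kust="${pair##*:}"
    git diff --cached --quiet -- "$values" && continue
    update_checksum "$values" "$kust" >/dev/null
    git add "$kust"
  done
}
```

From .git/hooks/pre-commit this would be invoked as `hook_main apps/production/custom-configs/element-values.yaml:apps/production/kustomization.yaml` (one pair per ConfigMap). Because the value is replaced in place, running the hook twice leaves the file unchanged, and a kustomization that has lost its annotation line fails the commit rather than quietly producing a HelmRelease Flux will never re-sync.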
Add Authentik v2026.x with embedded PostgreSQL in new namespace. Includes HelmRelease with valuesFrom injection for encrypted credentials, cert-manager Certificate for auth.axion1337.chat, and Traefik IngressRoute. Authentik serves as OIDC provider for MAS; registration via invitation links only.
DNS A-record setup and Authentik UI configuration (OIDC provider creation) are manual post-deployment steps.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

Add coturn Deployment with hostNetwork mode and init container for secret substitution. Include SOPS-encrypted shared secret, TLS certificate for turn.axion1337.chat, and Synapse TURN configuration with proper relay URIs and credentials.
Resolves DTLS timeout issues in RTC video calls by providing a media relay for clients behind NAT/firewall.
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

- Change from v1beta2 to v1 (v1beta2 is deprecated)
- Resolves the dry-run failure in the monitoring Kustomization
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

- Allow all users to publish public rooms in room list
- Fixes 403 'Not allowed to publish room' error
- Applies to rooms with join_rule: public
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

- Rename property from auto-join-rooms to auto_join (underscore instead of dash)
- Keep YAML structure with embedded config
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>

- Use simpler property name 'retention' instead of 'retention-config'
- The Helm chart schema may not allow the 'retention-config' naming convention
Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>