- 01-turn-server-setup.md: TURN Server architecture, deployment, verification
- 02-authentik-identity-provider.md: Two-stage OIDC integration (Stage 1 & Stage 2)
- 03-monitoring-integration.md: Alloy, Prometheus, Loki integration with Selendis
- 04-element-customization.md: Custom themes (7), desktop setup scripts, admin panel
- 05-room-policies.md: Message retention, room publication, auto-join policies

All guides include troubleshooting, configuration examples, and best practices.

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
1.6 KiB
# Authentik as Identity Provider for Matrix

**Status:** ✅ Stage 1 deployed (Authentik is running)
**Pending:** Stage 2 (MAS integration)
**Domain:** auth.axion1337.chat

## Overview

Authentik = OIDC provider for MAS → central login + invitation-based registration.
## Stage 1: Authentik Deployment

Files (in `apps/authentik/`):

- `namespace.yaml`, `helm-repo.yaml`
- `authentik-secret.yaml` (SOPS)
- `authentik.yaml` (HelmRelease v2026.x + embedded Postgres)
- `certificate.yaml`, `ingress.yaml`

Flux Kustomization: `clusters/matrix/flux-system/authentik-sync.yaml`
### Deployment steps

- DNS A record: `auth.axion1337.chat → 49.13.132.245`
- Wait for the pods to come up: `kubectl get pods -n authentik -w`
- Authentik UI: `https://auth.axion1337.chat/if/flow/initial-setup/` → set the admin password
- OIDC provider: Admin UI → create an OIDC provider
- Application: slug `matrix` (important, it becomes part of the issuer URL!)
- Redirect URIs: `https://account.axion1337.chat/upstream/callback/01KQDJTR1ZVTG8JQ220F5BNBFZ`
- Post-logout: `https://axion1337.chat`
- Copy the client ID + secret
## Stage 2: MAS Integration

- Decrypt: `sops --decrypt --in-place apps/production/custom-configs/mas-secret.yaml`
- Add the `upstream_oauth2_config` + `passwords-config` blocks
- Encrypt: `sops --encrypt --in-place ...`
- Commit & push
- IMPORTANT: set `passwords: enabled: false` only after the OIDC login has been tested!
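The following MAS config fragment is an added example, not a file from this project's repository. It shows the two blocks the steps above refer to in the shape MAS expects (`upstream_oauth2.providers` and `passwords`). Assumptions: the provider `id` is the ULID from the callback URI in Stage 1, the issuer uses the application slug `matrix` (Authentik publishes its OIDC discovery document at `https://<host>/application/o/<slug>/`), the client credentials are placeholders, and the claim templates map Authentik's standard `preferred_username`, `name` and `email` claims.

```yaml
# Added example, not the project's own mas-secret.yaml.
upstream_oauth2:
  providers:
    # The id must match the ULID in the redirect URI registered in Authentik:
    # https://account.axion1337.chat/upstream/callback/<id>
    - id: 01KQDJTR1ZVTG8JQ220F5BNBFZ
      human_name: Authentik
      # Issuer derived from the application slug "matrix" (assumed):
      issuer: https://auth.axion1337.chat/application/o/matrix/
      client_id: "<CLIENT_ID_FROM_AUTHENTIK>"          # placeholder
      client_secret: "<CLIENT_SECRET_FROM_AUTHENTIK>"  # placeholder, keep under SOPS
      token_endpoint_auth_method: client_secret_basic
      scope: "openid profile email"
      claims_imports:
        # Localpart is required so every OIDC login maps to exactly one Matrix user.
        localpart:
          action: require
          template: "{{ user.preferred_username }}"
        displayname:
          action: suggest
          template: "{{ user.name }}"
        email:
          action: require
          template: "{{ user.email }}"

# Leave password login enabled until an end-to-end OIDC login through
# Authentik has been verified; only then switch this to false so that
# password authentication stops being an alternative entry point.
passwords:
  enabled: true
```

After the first successful OIDC login, confirm that the issuer in the config matches the `issuer` field of `https://auth.axion1337.chat/application/o/matrix/.well-known/openid-configuration` before flipping `passwords.enabled` to `false`; MAS validates the issuer against the discovery document, and a slug mismatch is the usual reason the upstream provider fails to initialize.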
## Invitation Links

Authentik Admin → Flows & Stages → Invitations → Create

Further details: see chapter 2 of this project.