sorb/axion1337.chat-gitops
1
0
Fork 0
Code Issues 5 Pull Requests Actions Packages Projects 1 Releases 3 Wiki Activity
Page: Authentik OIDC
Pages
00 TASKS 01 Installation Authentik Archive Authentik OIDC Element Customization Element Desktop Setup Home Invitation Registration Archive Monitoring Old Home Operations ConfigMap Sync Room Policies TURN Server
Clone
1
Authentik OIDC
Scrublord MacBad edited this page 2026-05-15 00:07:54 +02:00
Table of Contents

Authentik als Identity Provider für Matrix

Status: Stage 1 Deployed (Authentik läuft)
Pending: Stage 2 (MAS Integration)
Domain: auth.axion1337.chat

Überblick

Authentik = OIDC Provider für MAS → Zentrales Login + Einladungs-basierte Registrierung.

Stage 1: Authentik Deployment

Dateien (in apps/authentik/):

  • namespace.yaml, helm-repo.yaml, authentik-secret.yaml (SOPS)
  • authentik.yaml (HelmRelease v2026.x + embedded Postgres)
  • certificate.yaml, ingress.yaml

Flux Kustomization: clusters/matrix/flux-system/authentik-sync.yaml

Deployment-Schritte

  1. DNS A-Record: auth.axion1337.chat → 49.13.132.245
  2. Pods hochfahren: kubectl get pods -n authentik -w
  3. Authentik UI: https://auth.axion1337.chat/if/flow/initial-setup/ → Admin-Passwort setzen
  4. OIDC Provider: Admin UI → OIDC Provider erstellen
  5. Application: Slug matrix (wichtig für Issuer URL!)
  6. Redirect URIs:
    • https://account.axion1337.chat/upstream/callback/01KQDJTR1ZVTG8JQ220F5BNBFZ
    • Post-logout: https://axion1337.chat
  7. Client ID + Secret kopieren

Stage 2: MAS Integration

  1. Decrypt: sops --decrypt --in-place apps/production/custom-configs/mas-secret.yaml
  2. upstream_oauth2_config + passwords-config Blöcke hinzufügen
  3. Encrypt: sops --encrypt --in-place ...
  4. Commit & Push
  5. WICHTIG: passwords: enabled: false erst nach OIDC-Test!

Einladungs-Links

Authentik Admin → Flows & Stages → Invitations → Create

Weitere Details: Siehe Kapitel 2 in diesem Projekt.