Identity Management¶
This guide covers deploying identity management (SSO and user management) using Authentik. Secrets management is part of the same plan but, as noted below, is not implemented yet.
TODO: Not tested
Components¶
| Service | Purpose |
|---|---|
| Authentik | Identity provider, SSO, user management |
TODO: central management of API keys are not implemented yet
Prerequisites¶
- CICD Mothership operational
- Firewall and reverse proxy (Caddy) operational
DNS Configuration¶
Register the service with your DNS provider (this is DNS-provider specific; you are on your own for the details). Use the same hostname consistently: the record below and every Authentik URL later in this guide must resolve to the reverse proxy, and Authentik's OAuth2 endpoints are tied to that hostname.
| Record | Type | Value |
|---|---|---|
| identity.yourdomain.com | A | Your public IP |
Installation¶
Deploy Identity VM¶
From the tappaas-cicd VM:
This creates a VM with Authentik configured.
Authentik Configuration¶
(To be automated)
Initial Setup¶
Access Authentik at https://authentik.yourdomain.com/if/flow/initial-setup/
- Create the admin account
- Set a strong password
- Complete the setup wizard
Until this flow has been completed, anyone who can reach that URL can claim the admin account, so complete it immediately after the VM comes up and before the hostname is reachable from outside the firewall.
Configure Applications¶
For each TAPPaaS service requiring authentication:
- Navigate to Applications → Applications
- Click Create
- Configure the application settings
- Set up the appropriate provider (OAuth2, SAML, etc.)
User Management¶
Create users and groups:
- Navigate to Directory → Users
- Create users as needed
- Assign to appropriate groups
Integration¶
(To be automated as an identity:auth service)
Service Integration¶
Connect other TAPPaaS services to Authentik. Each service gets its own provider and application in Authentik, and therefore its own client ID and client secret; never reuse one client across services. The environment-variable names below are illustrative and must be checked against the service's own SSO documentation. The authorize and token endpoints are shared by all of Authentik's OAuth2 providers; the per-application OpenID discovery document is served at https://authentik.yourdomain.com/application/o/<slug>/.well-known/openid-configuration. Inject the client secret at deploy time rather than committing it to the repository.
```yaml
# Example: n8n OAuth configuration
N8N_AUTH_OAUTH2_CLIENT_ID: "your-client-id"
N8N_AUTH_OAUTH2_CLIENT_SECRET: "your-client-secret"
N8N_AUTH_OAUTH2_AUTHORIZE_URL: "https://authentik.yourdomain.com/application/o/authorize/"
N8N_AUTH_OAUTH2_ACCESS_TOKEN_URL: "https://authentik.yourdomain.com/application/o/token/"
```
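Rather than hand-typing endpoints into each service's configuration, derive them from Authentik's discovery document and validate them first: every endpoint must be HTTPS and on the expected host, and the provider must advertise PKCE (S256) so public or CLI clients can use it. The script below is an added example, not TAPPaaS or Authentik code. The discovery document it parses is a constructed sample that mirrors the shape Authentik serves; the application slug `n8n`, the host `authentik.yourdomain.com`, the `N8N_AUTH_OAUTH2_*` variable names from the guide, and the `${N8N_OAUTH_CLIENT_SECRET}` placeholder are assumptions.

```python
"""Validate an OIDC discovery document and render a service's OAuth2 client
configuration from it, plus an RFC 7636 PKCE code_verifier/code_challenge pair.

Added example, not part of the TAPPaaS project. The discovery document below
is a constructed sample shaped like the one Authentik serves at
https://<host>/application/o/<slug>/.well-known/openid-configuration.
"""
import base64
import hashlib
import json
import secrets
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed sample (abridged); in practice fetch this over HTTPS from Authentik.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://authentik.yourdomain.com/application/o/n8n/",
    "authorization_endpoint": "https://authentik.yourdomain.com/application/o/authorize/",
    "token_endpoint": "https://authentik.yourdomain.com/application/o/token/",
    "userinfo_endpoint": "https://authentik.yourdomain.com/application/o/userinfo/",
    "jwks_uri": "https://authentik.yourdomain.com/application/o/n8n/jwks/",
    "code_challenge_methods_supported": ["plain", "S256"],
    "response_types_supported": ["code", "id_token", "id_token token", "code token"],
})

REQUIRED_ENDPOINTS = (
    "issuer", "authorization_endpoint", "token_endpoint",
    "userinfo_endpoint", "jwks_uri",
)


def validate_discovery(doc_json: str, expected_host: str) -> dict:
    """Parse the discovery document and refuse it unless every endpoint is
    HTTPS on expected_host and PKCE S256 is supported. A document that points
    at another host is how a misconfigured or hijacked DNS name would show up."""
    doc = json.loads(doc_json)
    missing = [k for k in REQUIRED_ENDPOINTS if k not in doc]
    if missing:
        raise ValueError(f"discovery document missing {missing}")
    for key in REQUIRED_ENDPOINTS:
        parts = urlparse(doc[key])
        if parts.scheme != "https":
            raise ValueError(f"{key} is not https: {doc[key]}")
        if parts.hostname != expected_host:
            raise ValueError(f"{key} host {parts.hostname!r} != {expected_host!r}")
    if "S256" not in doc.get("code_challenge_methods_supported", []):
        raise ValueError("provider does not advertise PKCE S256")
    return doc


def render_env(doc: dict, client_id: str,
               secret_ref: str = "${N8N_OAUTH_CLIENT_SECRET}") -> dict:
    """Map validated endpoints onto the variable names used in the guide
    (assumed names). The secret is a reference to be expanded at deploy time,
    so the rendered mapping contains nothing sensitive."""
    return {
        "N8N_AUTH_OAUTH2_CLIENT_ID": client_id,
        "N8N_AUTH_OAUTH2_CLIENT_SECRET": secret_ref,
        "N8N_AUTH_OAUTH2_AUTHORIZE_URL": doc["authorization_endpoint"],
        "N8N_AUTH_OAUTH2_ACCESS_TOKEN_URL": doc["token_endpoint"],
    }


def pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """RFC 7636 S256: challenge = base64url(sha256(verifier)) without '=' padding.
    A fresh random verifier (43..128 chars) is generated when none is given."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def main() -> None:
    doc = validate_discovery(SAMPLE_DISCOVERY, "authentik.yourdomain.com")
    for key, value in render_env(doc, "n8n").items():
        print(f"{key}={value}")
    verifier, challenge = pkce_pair()
    print("code_verifier =", verifier)
    print("code_challenge =", challenge)


if __name__ == "__main__":
    main()
```

Run it after creating the provider in Authentik, replacing the sample with the fetched discovery document; a host or scheme mismatch fails loudly instead of silently producing a config that sends users (and tokens) somewhere else.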
Verification¶
Test the identity system:
```bash
# Check Authentik health; curl -f exits non-zero on any non-2xx response
curl -f https://authentik.yourdomain.com/-/health/live/
curl -f https://authentik.yourdomain.com/-/health/ready/
```
Next Steps¶
Complete the foundation with Security hardening.