| Property | Value |
|---|---|
| Host VM | VM-RZ-SVC-PROD-01 |
| Compose path | /opt/authentik/ |
| Image | ghcr.io/goauthentik/server:2025.8.4 |
| Container name(s) | authentik-server, authentik-worker-1, Postgres on vm-rz-db-01 (DB authentik), authentik-redis-1 |
| External URL | https://auth.blackreset.com |
| Networks | traefik_backend (server) + private internal for DB + redis |
| DB / state | Dedicated authentik-postgresql-1 (PG 16) — separate from postgres_production |
| Auth | Local + (TBD federation sources) |
| Backup | PBS image-level + per-app pg_dump |
Single sign-on across blackreset apps via OIDC (and SAML where appropriate). Group membership in Authentik drives role assignment in downstream apps via the groups claim, matched by exact name.
Standard Authentik 4-container layout: server (HTTP/UI), worker (background tasks), Postgres (state), Redis (cache + tasks queue). A dedicated Postgres separate from the shared postgres_production is intentional — Authentik's schema is opinionated and lifecycle-coupled to the application.
Traefik exposes auth.blackreset.com on websecure. HTTP -> HTTPS redirect, security-headers middleware analogous to the wiki.
Self-hosted IDP. Property mapping OAuth Mapping: groups (per-app group names) emits the user's group names as a top-level groups claim on every OAuth2 provider attached to it. See Access / Authentik for the configured providers and Access / Groups for the role-mapping convention.
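The downstream side of that convention, as an added example (not code from this page or from Authentik): a small resolver that takes the claims of an already-verified ID token and grants app roles only on an exact match of the `groups` claim against a per-app table. The role table, app names and sample claims are constructed for illustration; signature, audience and expiry checks are assumed to happen in the OIDC client library before these functions are called.

```python
"""Map the top-level `groups` claim from an Authentik-issued ID token to
application roles by exact group name (added example; the role table,
app names and sample claims below are constructed, not taken from the page)."""
from __future__ import annotations

# Hypothetical per-app role table. Keys are the exact Authentik group names;
# matching is case- and whitespace-sensitive, as the role-mapping convention requires.
ROLE_MAP: dict[str, dict[str, str]] = {
    "wiki": {"wiki-admins": "admin", "wiki-editors": "editor", "wiki-readers": "reader"},
    "grafana": {"grafana-admins": "Admin", "grafana-viewers": "Viewer"},
}

# Constructed ID-token claims, as they would look after the OIDC library has
# verified signature, issuer, audience and expiry.
SAMPLE_CLAIMS: dict = {
    "sub": "constructed-subject-id",
    "preferred_username": "jdoe",
    "groups": ["wiki-admins", "wiki-readers", "grafana-viewers"],
}


class ClaimError(ValueError):
    """The groups claim is missing or malformed; treat as no roles, and log it."""


def groups_from_claims(claims: dict) -> list[str]:
    """Return the `groups` claim, rejecting anything that is not a list of strings."""
    groups = claims.get("groups")
    if groups is None:
        # Typical cause: the groups scope mapping is not attached to this provider.
        raise ClaimError("token carries no groups claim")
    if not isinstance(groups, list) or not all(isinstance(g, str) for g in groups):
        raise ClaimError("groups claim must be a JSON array of strings")
    return groups


def has_valid_groups(claims: dict) -> bool:
    """True if the claim is present and well-formed (convenience for callers)."""
    try:
        groups_from_claims(claims)
        return True
    except ClaimError:
        return False


def roles_for(app: str, claims: dict) -> set[str]:
    """Roles granted to the user in `app` by exact-name matches.
    Unknown or near-miss group names (e.g. different case) grant nothing."""
    table = ROLE_MAP[app]
    return {table[g] for g in groups_from_claims(claims) if g in table}


def unmatched_groups(app: str, claims: dict) -> list[str]:
    """Groups in the token that the app's table does not know; worth logging so
    that a renamed or mis-cased group shows up as an unmatched name, not as a
    silent loss of access."""
    table = ROLE_MAP[app]
    return [g for g in groups_from_claims(claims) if g not in table]


if __name__ == "__main__":
    for app in ROLE_MAP:
        print(app, "roles:", sorted(roles_for(app, SAMPLE_CLAIMS)),
              "unmatched:", unmatched_groups(app, SAMPLE_CLAIMS))
```

Because the match is exact, a group renamed in Authentik (or created as `Wiki-Admins` instead of `wiki-admins`) drops to zero roles rather than mapping to a wrong one; `unmatched_groups` is what to log at login so that outcome is visible.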
authentik-postgresql-1 Docker volume (PG 16 datadir).
PBS image-level via VM-SL-00 + pg_dump of the authentik database on a regular schedule (TBD verified). Authentik state is small but rebuilding flows / providers / property mappings by hand is painful — the dump is the fast recovery path.
AUTHENTIK__API_TOKEN in .secrets/credentials.env (write-by-explicit-approval)
letsencrypt resolver
Authentik has been running on vm-rz-svc-prod-01 (10.200.0.101) since 2026-05-01. The DB is hosted centrally on vm-rz-db-01 (PG 17.6, DB authentik). The LDAP outpost was migrated from vm-sl-00:389 to vm-rz-svc-prod-01:389/636 (same outpost UUID + token).