# Authentik Local Bootstrap

This directory stores local Authentik bootstrap assets for NODE.DC.

## Current scope

The first infra pass runs Authentik from the official Docker Compose shape for the 2026.2 release line:

- PostgreSQL 16;
- authentik server;
- authentik worker;
- no Redis service in the current official compose template;
- Caddy reverse proxy in front of Authentik and current local apps.

## Bootstrap variables

For a first local install, put these variables in `infra/.env`:

```bash
AUTHENTIK_BOOTSTRAP_EMAIL=admin@nodedc.local
AUTHENTIK_BOOTSTRAP_PASSWORD=
AUTHENTIK_BOOTSTRAP_TOKEN=
```

These are read only on the first startup. Do not commit `infra/.env`.

## Future blueprint work

Later phases should add reproducible configuration for:

- NODE.DC Launcher Application/Provider;
- NODE.DC Task Manager Application/Provider;
- groups and policies;
- admin service token scope;
- exports or blueprints for repeatable setup.

## NODE.DC branded login

`custom-templates/branding/nodedc-login.css` is mounted into Authentik at `/templates/branding/nodedc-login.css` and applied by `bootstrap-dev.py` through the native Authentik Brand `branding_custom_css` field.

`custom-templates/base/header_js.html` keeps Authentik's native config script and adds a minimal NODE.DC field enhancement for the email clear control and password placeholder only.

OAuth2 providers are assigned Authentik's `default-invalidation-flow` so application logout completes the IdP session and returns through the NODE.DC launcher route instead of showing the default Authentik application logout screen.

This is intentionally not an HTML-rewriting proxy. Passwords, MFA, recovery, sessions and audit remain inside Authentik; Launcher and Task Manager stay OIDC clients.
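Because the bootstrap variables are consumed only once, an empty or weak `AUTHENTIK_BOOTSTRAP_PASSWORD` or `AUTHENTIK_BOOTSTRAP_TOKEN` on first start is hard to undo. The following pre-flight check is an added example, not part of this repository's tooling or of Authentik; it assumes the variable names from this README, and the minimum lengths are a local policy choice, not an Authentik requirement.

```shell
#!/bin/sh
# Pre-flight check for infra/.env before the first `docker compose up`.
# Added example; the length thresholds below are an assumed local policy.

# Read one KEY=value line from an env file without sourcing it.
env_value() {
  # $1 = env file, $2 = key name
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# Return 0 if all three bootstrap values are present and long enough,
# 1 otherwise, printing each problem to stderr.
check_bootstrap_env() {
  file="$1"
  [ -f "$file" ] || { echo "missing $file" >&2; return 1; }
  ok=0
  email=$(env_value "$file" AUTHENTIK_BOOTSTRAP_EMAIL)
  password=$(env_value "$file" AUTHENTIK_BOOTSTRAP_PASSWORD)
  token=$(env_value "$file" AUTHENTIK_BOOTSTRAP_TOKEN)
  case "$email" in
    *@*) ;;
    *) echo "AUTHENTIK_BOOTSTRAP_EMAIL is not an email address" >&2; ok=1 ;;
  esac
  if [ "${#password}" -lt 16 ]; then
    echo "AUTHENTIK_BOOTSTRAP_PASSWORD is empty or shorter than 16 chars" >&2; ok=1
  fi
  if [ "${#token}" -lt 32 ]; then
    echo "AUTHENTIK_BOOTSTRAP_TOKEN is empty or shorter than 32 chars" >&2; ok=1
  fi
  return $ok
}

# Return 0 if git ignores the file, so it cannot be committed by accident.
env_file_ignored() {
  git check-ignore -q "$1"
}

# Write a constructed sample env file (not real credentials) to $1.
write_sample_env() {
  printf '%s\n' \
    'AUTHENTIK_BOOTSTRAP_EMAIL=admin@nodedc.local' \
    'AUTHENTIK_BOOTSTRAP_PASSWORD=constructed-sample-pass-0123' \
    'AUTHENTIK_BOOTSTRAP_TOKEN=constructed-sample-token-0123456789abcdef' \
    > "$1"
}
```

Run it as `check_bootstrap_env infra/.env && env_file_ignored infra/.env` from the repository root before the first compose start.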