NODEDC_PLATFORM/infra/authentik
Codex 2a9b9f2e5e UI - CROSS-PROJECT COMMUNICATION: Authentik branding for NODE.DC 2026-05-05 15:00:03 +03:00
custom-templates UI - CROSS-PROJECT COMMUNICATION: Authentik branding for NODE.DC 2026-05-05 15:00:03 +03:00
README.md FEATURES - CROSS-PROJECT COMMUNICATION: Branded Authentik login 2026-05-04 21:17:23 +03:00
bootstrap-dev.py FEATURES - NODEDC AUTH: register logout redirect uri 2026-05-04 22:36:27 +03:00

README.md

Authentik Local Bootstrap

This directory stores local Authentik bootstrap assets for NODE.DC.

Current scope

The first infra pass runs Authentik from the official Docker Compose shape for the 2026.2 release line:

  • PostgreSQL 16;
  • authentik server;
  • authentik worker;
  • no Redis service in the current official compose template;
  • Caddy reverse proxy in front of Authentik and current local apps.

Bootstrap variables

For a first local install, put these variables in infra/.env:

AUTHENTIK_BOOTSTRAP_EMAIL=admin@nodedc.local
AUTHENTIK_BOOTSTRAP_PASSWORD=<local generated password>
AUTHENTIK_BOOTSTRAP_TOKEN=<local generated token>

These are read only on first startup. Do not commit infra/.env.

Future blueprint work

Later phases should add reproducible configuration for:

  • NODE.DC Launcher Application/Provider;
  • NODE.DC Task Manager Application/Provider;
  • groups and policies;
  • admin service token scope;
  • exports or blueprints for repeatable setup.

NODE.DC branded login

custom-templates/branding/nodedc-login.css is mounted into Authentik at /templates/branding/nodedc-login.css and applied by bootstrap-dev.py through the native Authentik Brand branding_custom_css field.

custom-templates/base/header_js.html keeps Authentik's native config script and adds a minimal NODE.DC field enhancement for the email clear control and password placeholder only.

OAuth2 providers are assigned Authentik's default-invalidation-flow so application logout completes the IdP session and returns through the NODE.DC launcher route instead of showing the default Authentik application logout screen.

This is intentionally not an HTML-rewriting proxy. Passwords, MFA, recovery, sessions and audit remain inside Authentik; Launcher and Task Manager stay OIDC clients.
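As an added dry-run example (not the project's bootstrap-dev.py), the two changes described above, the brand CSS and the provider logout flow, expressed as idempotent Authentik API PATCH requests so a bootstrap script can be re-run safely. Endpoint paths and field names are assumed from the Authentik v3 REST API; the brand, flow and provider objects are constructed samples, not data from a real instance.

```python
"""Dry-run planner for the brand CSS and provider invalidation-flow changes."""
from __future__ import annotations

from dataclasses import dataclass

CSS_PATH = "/templates/branding/nodedc-login.css"  # mount path from the README
INVALIDATION_SLUG = "default-invalidation-flow"


@dataclass(frozen=True)
class Patch:
    path: str      # API path relative to /api/v3/ (assumed endpoint layout)
    payload: dict  # JSON body for the PATCH


def plan_brand_css(brands: list[dict], css: str) -> list[Patch]:
    """Set branding_custom_css on the default brand only when it differs."""
    default = next(b for b in brands if b.get("default"))  # Authentik always has one
    if default.get("branding_custom_css") == css:
        return []  # already applied: nothing to change on re-run
    return [Patch(f"core/brands/{default['brand_uuid']}/",
                  {"branding_custom_css": css})]


def plan_provider_logout(providers: list[dict], flows: list[dict]) -> list[Patch]:
    """Point every OAuth2 provider's invalidation_flow at default-invalidation-flow."""
    flow = next(f for f in flows if f["slug"] == INVALIDATION_SLUG)
    return [Patch(f"providers/oauth2/{p['pk']}/", {"invalidation_flow": flow["pk"]})
            for p in providers if p.get("invalidation_flow") != flow["pk"]]


def plan_all(brands: list[dict], flows: list[dict], providers: list[dict],
             css: str) -> list[Patch]:
    """Full idempotent plan; an empty list means the instance is already in shape."""
    return plan_brand_css(brands, css) + plan_provider_logout(providers, flows)


# Constructed sample API objects (shape assumed from the Authentik API, values invented).
SAMPLE_BRANDS = [{"brand_uuid": "00000000-0000-0000-0000-000000000001",
                  "default": True, "branding_custom_css": ""}]
SAMPLE_FLOWS = [{"pk": "flow-inv", "slug": "default-invalidation-flow"},
                {"pk": "flow-auth", "slug": "default-authentication-flow"}]
SAMPLE_PROVIDERS = [
    {"pk": 1, "name": "NODE.DC Launcher", "invalidation_flow": None},       # needs patch
    {"pk": 2, "name": "NODE.DC Task Manager", "invalidation_flow": "flow-inv"},  # done
]

if __name__ == "__main__":
    # In bootstrap-dev.py the CSS would be read from CSS_PATH; a stub string is used here.
    for p in plan_all(SAMPLE_BRANDS, SAMPLE_FLOWS, SAMPLE_PROVIDERS, "body {}"):
        print("PATCH", p.path, p.payload)
```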