# Authentik Local Bootstrap

This directory stores local Authentik bootstrap assets for NODE.DC.

## Current scope

The first infra pass runs Authentik from the official Docker Compose shape for the 2026.2 release line:
- PostgreSQL 16;
- authentik server;
- authentik worker;
- no Redis service in the current official compose template;
- Caddy reverse proxy in front of Authentik and current local apps.
## Bootstrap variables

For a first local install, put these variables in `infra/.env`:

```bash
AUTHENTIK_BOOTSTRAP_EMAIL=admin@nodedc.local
AUTHENTIK_BOOTSTRAP_PASSWORD=<local generated password>
AUTHENTIK_BOOTSTRAP_TOKEN=<local generated token>
```

Authentik reads these only on first startup. Do not commit `infra/.env`.
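One way to produce that file without ever typing or pasting a secret, as an added example that is not part of the NODE.DC repository or its `bootstrap-dev.py`: generate the two secrets from `/dev/urandom`, write `infra/.env` with `0600` permissions, refuse to overwrite an existing file (Authentik only reads these values on first startup, so a regenerated password would no longer match the one stored in the database), and check that git ignores the file. The function names, the default path `infra/.env` and the email `admin@nodedc.local` from the snippet above are the only assumptions.

```shell
#!/usr/bin/env sh
# Added example for this README, not project code. Assumes POSIX sh, coreutils
# (head, base64, sed) and optionally git; paths and function names are ours.
set -eu

# Print a URL-safe random secret built from N bytes of entropy (default 32).
random_secret() {
  n="${1:-32}"
  head -c "$n" /dev/urandom | base64 | tr -d '\n=' | tr '+/' '-_'
}

# Write the three Authentik bootstrap variables to $1 (default infra/.env).
# Refuses to overwrite: Authentik reads these once, on first startup only.
write_bootstrap_env() {
  target="${1:-infra/.env}"
  email="${2:-admin@nodedc.local}"
  if [ -e "$target" ]; then
    echo "refusing to overwrite existing $target" >&2
    return 1
  fi
  mkdir -p "$(dirname "$target")"
  # Subshell so the restrictive umask does not leak into the caller's shell.
  (
    umask 077
    {
      echo "AUTHENTIK_BOOTSTRAP_EMAIL=$email"
      echo "AUTHENTIK_BOOTSTRAP_PASSWORD=$(random_secret 32)"
      echo "AUTHENTIK_BOOTSTRAP_TOKEN=$(random_secret 48)"
    } > "$target"
  )
  echo "wrote $target"
}

# Return 0 when $1 defines all three keys with real values, 1 when a key is
# missing or still holds a "<placeholder>" copied from the README.
check_bootstrap_env() {
  target="${1:-infra/.env}"
  for key in AUTHENTIK_BOOTSTRAP_EMAIL AUTHENTIK_BOOTSTRAP_PASSWORD AUTHENTIK_BOOTSTRAP_TOKEN; do
    value="$(sed -n "s/^$key=//p" "$target")"
    case "$value" in
      ''|*'<'*)
        echo "$key is missing or still a placeholder in $target" >&2
        return 1
        ;;
    esac
  done
}

# Return 0 when git ignores $1 (or no repository is present), 1 when git would
# track it. Enforces "Do not commit infra/.env" before the first commit.
env_is_ignored() {
  target="${1:-infra/.env}"
  if ! git rev-parse --is-inside-work-tree >/dev/null 2>&1; then
    return 0
  fi
  git check-ignore -q "$target"
}

# Usage from the repository root:
#   . ./bootstrap-env.sh
#   write_bootstrap_env infra/.env && check_bootstrap_env infra/.env && env_is_ignored infra/.env
```

Sourcing the script instead of executing it keeps the functions available in the shell; `env_is_ignored` returning 1 means `infra/.env` needs a `.gitignore` entry before anything else happens in that checkout.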
## Future blueprint work

Later phases should add reproducible configuration for:

- NODE.DC Launcher Application/Provider;
- NODE.DC Task Manager Application/Provider;
- groups and policies;
- admin service token scope;
- exports or blueprints for repeatable setup.
## NODE.DC branded login

`custom-templates/branding/nodedc-login.css` is mounted into Authentik at `/templates/branding/nodedc-login.css` and applied by `bootstrap-dev.py` through the native Authentik Brand `branding_custom_css` field.

`custom-templates/base/header_js.html` keeps Authentik's native config script and adds a minimal NODE.DC field enhancement for the email clear control and password placeholder only.

OAuth2 providers are assigned Authentik's `default-invalidation-flow` so application logout completes the IdP session and returns through the NODE.DC launcher route instead of showing the default Authentik application logout screen.

This is intentionally not an HTML-rewriting proxy. Passwords, MFA, recovery, sessions and audit remain inside Authentik; Launcher and Task Manager stay OIDC clients.