ff66adbe9e
CLAUDE.md changes: - Extract service catalog + Cloudflare domains → .claude/reference/service-catalog.md - Extract Proxmox VMs, hardware, network → .claude/reference/proxmox-inventory.md - Extract GitHub/Drone API patterns → .claude/reference/github-drone-api.md - Extract Authentik state snapshot → .claude/reference/authentik-state.md - Remove Init Container pattern (duplicates setup-project skill) - Remove Poison Fountain service notes (duplicates Anti-AI section) - Consolidate Authentik section (link to skills + reference) - Remove resource limit tables (kept tier definitions inline) Skill merges (37→32): - helm-release-force-rerender + helm-stuck-release-recovery → helm-release-troubleshooting - containerd-multi-registry-pull-through-cache + k8s-docker-registry-cache-bypass → k8s-container-image-caching - (traefik merges in previous commits)
50 lines
2.5 KiB
Markdown
50 lines
2.5 KiB
Markdown
# Authentik Current State
|
|
|
|
> Snapshot of applications, groups, users, and flows. Use `authentik` skill for management tasks.
|
|
|
|
## Applications (9)
|
|
| Application | Provider Type | Auth Flow |
|
|
|-------------|--------------|-----------|
|
|
| Cloudflare Access | OAuth2/OIDC | explicit consent |
|
|
| Domain wide catch all | Proxy (forward auth) | implicit consent |
|
|
| Grafana | OAuth2/OIDC | implicit consent |
|
|
| Headscale | OAuth2/OIDC | explicit consent |
|
|
| Immich | OAuth2/OIDC | explicit consent |
|
|
| Kubernetes | OAuth2/OIDC (public) | implicit consent |
|
|
| linkwarden | OAuth2/OIDC | explicit consent |
|
|
| Matrix | OAuth2/OIDC | implicit consent |
|
|
| wrongmove | OAuth2/OIDC | implicit consent |
|
|
|
|
## Groups (9)
|
|
| Group | Parent | Superuser | Purpose |
|
|
|-------|--------|-----------|---------|
|
|
| Allow Login Users | — | No | Parent group for login-permitted users |
|
|
| authentik Admins | — | Yes | Full admin access |
|
|
| authentik Read-only | — | No | Read-only access (has role) |
|
|
| Headscale Users | Allow Login Users | No | VPN access |
|
|
| Home Server Admins | Allow Login Users | No | Server admin access |
|
|
| Wrongmove Users | Allow Login Users | No | Real-estate app access |
|
|
| kubernetes-admins | — | No | K8s cluster-admin RBAC |
|
|
| kubernetes-power-users | — | No | K8s power-user RBAC |
|
|
| kubernetes-namespace-owners | — | No | K8s namespace-owner RBAC |
|
|
|
|
## Users (7 real)
|
|
| Username | Name | Type | Groups |
|
|
|----------|------|------|--------|
|
|
| akadmin | authentik Default Admin | internal | authentik Admins, Home Server Admins, Headscale Users |
|
|
| vbarzin@gmail.com | Viktor Barzin | internal | authentik Admins, Home Server Admins, Wrongmove Users, Headscale Users |
|
|
| emil.barzin@gmail.com | Emil Barzin | internal | Home Server Admins, Headscale Users |
|
|
| ancaelena98@gmail.com | Anca Milea | external | Wrongmove Users, Headscale Users |
|
|
| vabbit81@gmail.com | GHEORGHE Milea | external | Headscale Users |
|
|
| valentinakolevabarzina@gmail.com | Валентина Колева-Барзина | internal | Headscale Users |
|
|
| anca.r.cristian10@gmail.com | — | internal | Wrongmove Users |
|
|
| kadir.tugan@gmail.com | Kadir | internal | Wrongmove Users |
|
|
|
|
## Login Sources
|
|
- **Google** (OAuth) — user matching by identifier
|
|
- **GitHub** (OAuth) — user matching by email_link
|
|
- **Facebook** (OAuth) — user matching by email_link
|
|
|
|
## Authorization Flows
|
|
- **Explicit consent** (`default-provider-authorization-explicit-consent`): Shows consent screen
|
|
- **Implicit consent** (`default-provider-authorization-implicit-consent`): Auto-redirects
|