# Identity & access | Service | URL | Purpose | |---------|-----|---------| | Authentik | https://id.alexandru.macocian.me/ | IdP (OIDC / OAuth2 / SAML) | | Caddy auth | https://auth.alexandru.macocian.me/ | `caddy-security`, fronts protected apps | | Web terminal | https://terminal.alexandru.macocian.me/ | Browser SSH via ephemeral signed certs | ## Terminal flow OAuth → Authentik → backend mints ephemeral SSH cert (signed by CA trusted on every host) → SSH proxied over WebSocket to JS frontend. CA material lives under `/mnt/nas/ca/` and is synced to hosts by `sync-ca.sh`. Host logins / sudo are SSSD-backed against `open-ldap`; LDAP groups drive permissions.