1.5 KiB
1.5 KiB
Identity & access
flowchart LR
User --> Authentik
Authentik --> Gssh
Gssh --> StepCA[step-ca]
StepCA --> Cert[SSH user cert]
Cert --> Host[Target host]
LDAP[LDAP/SSSD] --> Host
| System | Role | Current owner |
|---|---|---|
| Authentik | IdP for web apps and human auth | Charlie/authentik |
| Caddy security | Edge auth for protected routes | Charlie/caddy |
| LDAP / SSSD | Host users, groups, sudo, deploy group | Charlie/ldap |
| step-ca | SSH user certs and managed X.509 certs | Charlie/cert-issuer |
| Gssh | Web terminal + cert-backed SSH | Charlie/gssh |
| Sherlock | Operator agent/MCP credential wrapper | amacocian/sherlock |
| Principal | Used for |
|---|---|
sys-gitea-runner |
CI deploy/build SSH identity; member of charlie-deploy. |
charlie-deploy |
Docker socket, stack working trees, SOPS age key read access. |
sys-host-<host> |
Host-local root Git/registry operations. |
sys-trivy-scanner |
Read-only registry pulls for CVE scanning. |
Terminal flow: Authentik login -> Gssh -> step-ca SSH cert -> target host SSH.