Files
2026-06-13 17:26:49 +02:00

30 lines
1.5 KiB
Markdown

# Identity & access
```mermaid
flowchart LR
User --> Authentik
Authentik --> Gssh
Gssh --> StepCA[step-ca]
StepCA --> Cert[SSH user cert]
Cert --> Host[Target host]
LDAP[LDAP/SSSD] --> Host
```
| System | Role | Current owner |
| -------------- | -------------------------------------- | --------------------- |
| Authentik | IdP for web apps and human auth | `Charlie/authentik` |
| Caddy security | Edge auth for protected routes | `Charlie/caddy` |
| LDAP / SSSD | Host users, groups, sudo, deploy group | `Charlie/ldap` |
| step-ca | SSH user certs and managed X.509 certs | `Charlie/cert-issuer` |
| Gssh | Web terminal + cert-backed SSH | `Charlie/gssh` |
| Sherlock | Operator agent/MCP credential wrapper | `amacocian/sherlock` |
| Principal | Used for |
| ------------------- | ------------------------------------------------------------- |
| `sys-gitea-runner` | CI deploy/build SSH identity; member of `charlie-deploy`. |
| `charlie-deploy` | Docker socket, stack working trees, SOPS age key read access. |
| `sys-host-<host>` | Host-local root Git/registry operations. |
| `sys-trivy-scanner` | Read-only registry pulls for CVE scanning. |
Terminal flow: Authentik login -> Gssh -> step-ca SSH cert -> target host SSH.