30 lines
1.5 KiB
Markdown
30 lines
1.5 KiB
Markdown
# Identity & access
|
|
|
|
```mermaid
|
|
flowchart LR
|
|
User --> Authentik
|
|
Authentik --> Gssh
|
|
Gssh --> StepCA[step-ca]
|
|
StepCA --> Cert[SSH user cert]
|
|
Cert --> Host[Target host]
|
|
LDAP[LDAP/SSSD] --> Host
|
|
```
|
|
|
|
| System | Role | Current owner |
|
|
| -------------- | -------------------------------------- | --------------------- |
|
|
| Authentik | IdP for web apps and human auth | `Charlie/authentik` |
|
|
| Caddy security | Edge auth for protected routes | `Charlie/caddy` |
|
|
| LDAP / SSSD | Host users, groups, sudo, deploy group | `Charlie/ldap` |
|
|
| step-ca | SSH user certs and managed X.509 certs | `Charlie/cert-issuer` |
|
|
| Gssh | Web terminal + cert-backed SSH | `Charlie/gssh` |
|
|
| Sherlock | Operator agent/MCP credential wrapper | `amacocian/sherlock` |
|
|
|
|
| Principal | Used for |
|
|
| ------------------- | ------------------------------------------------------------- |
|
|
| `sys-gitea-runner` | CI deploy/build SSH identity; member of `charlie-deploy`. |
|
|
| `charlie-deploy` | Docker socket, stack working trees, SOPS age key read access. |
|
|
| `sys-host-<host>` | Host-local root Git/registry operations. |
|
|
| `sys-trivy-scanner` | Read-only registry pulls for CVE scanning. |
|
|
|
|
Terminal flow: Authentik login -> Gssh -> step-ca SSH cert -> target host SSH.
|