Files
project-charlie/docs/identity.md
T

679 B

Identity & access

Service URL Purpose
Authentik https://id.alexandru.macocian.me/ IdP (OIDC / OAuth2 / SAML)
Caddy auth https://auth.alexandru.macocian.me/ caddy-security, fronts protected apps
Web terminal https://terminal.alexandru.macocian.me/ Browser SSH via ephemeral signed certs

Terminal flow

OAuth → Authentik → backend mints ephemeral SSH cert (signed by CA trusted on every host) → SSH proxied over WebSocket to JS frontend.

CA material lives under /mnt/nas/ca/ and is synced to hosts by sync-ca.sh.

Host logins / sudo are SSSD-backed against open-ldap; LDAP groups drive permissions.