841 B
841 B
Identity & access
| Service | URL | Purpose |
|---|---|---|
| Authentik | https://id.alexandru.macocian.me/ | IdP (OIDC / OAuth2 / SAML) |
| Caddy auth | https://auth.alexandru.macocian.me/ | caddy-security, fronts protected apps |
| Web terminal | https://terminal.alexandru.macocian.me/ | Browser SSH via ephemeral signed certs |
Terminal flow
OAuth → Authentik → backend mints ephemeral SSH cert (signed by CA trusted on every host) → SSH proxied over WebSocket to JS frontend.
CA material lives under /mnt/nas/ca/ and is synced to hosts by sync-ca.sh. Extracting cert issuance into a standalone service (so the CA key stops living on every host that needs to mint) is captured in cert-issuer.md.
Host logins / sudo are SSSD-backed against open-ldap; LDAP groups drive permissions.