Files
project-charlie/docs/identity.md
T
2026-05-04 18:14:42 +02:00

841 B

Identity & access

Service URL Purpose
Authentik https://id.alexandru.macocian.me/ IdP (OIDC / OAuth2 / SAML)
Caddy auth https://auth.alexandru.macocian.me/ caddy-security, fronts protected apps
Web terminal https://terminal.alexandru.macocian.me/ Browser SSH via ephemeral signed certs

Terminal flow

OAuth → Authentik → backend mints ephemeral SSH cert (signed by CA trusted on every host) → SSH proxied over WebSocket to JS frontend.

CA material lives under /mnt/nas/ca/ and is synced to hosts by sync-ca.sh. Extracting cert issuance into a standalone service (so the CA key stops living on every host that needs to mint) is captured in cert-issuer.md.

Host logins / sudo are SSSD-backed against open-ldap; LDAP groups drive permissions.