Initial commit: homelab infrastructure wiki

- Full Obsidian vault content
- Host configs (ice, grizzley, ubuntu, proxmox, truenas, panda, hyte)
- Media stack documentation
- Traefik HA setup
- Automation scripts
- Bachelor party planning

homelab/concepts/sso-authentik.md

@@ -0,0 +1,62 @@
+---
+title: SSO with Authentik
+created: 2026-04-28
+updated: 2026-04-28
+type: concept
+tags: [concept, sso, services]
+sources: [../../homelab/architecture.md, ../../platform-config/overview.md]
+---
+
+# SSO with Authentik
+
+Authentik provides SSO identity provider for the homelab via OAuth2/OIDC. Traefik middleware enforces authentication on internal services.
+
+## Architecture
+
+```
+User → Service (protected by authentik-auth middleware)
+              ↓
+       Traefik middleware
+              ↓
+       Authentik Server (ubuntu)
+       auth.tophermayor.com
+              ↓
+       OAuth2/OIDC flow
+              ↓
+       Redirect with token
+```
+
+## Services Using SSO
+
+| Service | URL | SSO Method |
+|---------|-----|-----------|
+| Authentik | auth.tophermayor.com | Direct |
+| Jellyfin | jellyfin.tophermayor.com | Authentik OAuth2 |
+| Immich | immich.tophermayor.com | Authentik OAuth2 |
+| Traefik Dashboard | traefik.local.tophermayor.com | local-only middleware |
+
+## Authentik Components
+
+| Component | Description |
+|-----------|-------------|
+| Authentik Server | Main SSO application (ubuntu) |
+| Authentik Worker | Background task processing |
+| Authentik Redis | Session caching |
+
+## Database
+
+Authentik uses the `postgres-shared` PostgreSQL instance on ubuntu (`authentik` database).
+
+## Traefik Middleware
+
+```
+authentik-auth@file
+```
+
+Applied to services that need SSO. Users are redirected to Authentik login, then back with a valid session cookie.
+
+## Related
+
+- [[authentik]] — Authentik entity page
+- [[ubuntu]] — Hosts Authentik server
+- [[docker-traefik-stack]] — Docker, Traefik, and container orchestration