Kinesin/sovereign
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Updating documentation

Browse Source
This commit is contained in:
Ian Roddis
2026-05-02 09:22:36 -03:00
parent b4b4f6e922
commit b7fe984147
2 changed files with 54 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+51 -4
View File
@@ -34,6 +34,9 @@ Sovereign is an Ansible project that deploys a complete self-hosted infrastructu
| `wazuh` | Wazuh Manager + Indexer + Dashboard | `wazuh.<domain>` |
| `vaultwarden` | Vaultwarden + PostgreSQL | `vault.<domain>` |
| `forgejo` | Forgejo + PostgreSQL | `git.<domain>` |
| `uptimekuma` | Uptime Kuma (uptime monitoring) | `status.<domain>` |
| `automatisch` | Automatisch (workflow automation) | `automate.<domain>` |
| `twenty` | Twenty CRM + PostgreSQL + Redis | `crm.<domain>` |
| `website` | Nginx (static website) | `<domain>` |
---
@@ -186,14 +189,26 @@ Stalwart generates its DKIM signing key on first start. After Stalwart is runnin
Log into Authentik at `https://auth.<domain>` and create an OAuth2/OIDC provider and application for each service that integrates with SSO. Then fill in the `changeme_*_oidc_secret` placeholders in the relevant compose templates under `roles/<service>/templates/`.
Services that require Authentik OIDC configuration:
Services that use native OIDC — create an OAuth2/OIDC provider in Authentik for each, then set the corresponding variable in `all.yml`:
| Service | Template variable |
|---------|------------------|
| Service | `all.yml` variable |
|---------|-------------------|
| MinIO | `changeme_minio_oidc_secret` |
| Headscale | `changeme_headscale_oidc_secret` |
| Vaultwarden | `changeme_vaultwarden_oidc_secret` |
| Forgejo | `changeme_forgejo_oidc_secret` |
| Twenty CRM | `twenty_oidc_client_secret` |
For Twenty CRM, after setting the variable and redeploying the role, also configure the provider inside the app: **Settings → Security → SSO → Add provider**, using the discovery URL `https://auth.<domain>/application/o/twenty/.well-known/openid-configuration`.
Services that use Authentik **forward auth** (no native OIDC) — create a **Proxy Provider** in Forward Auth mode for each, create an Application bound to it, and add it to the embedded outpost:
| Service | External host |
|---------|--------------|
| Uptime Kuma | `https://status.<domain>` |
| Automatisch | `https://automate.<domain>` |
With the embedded outpost running, Traefik will redirect unauthenticated requests to the Authentik login page automatically — no further role changes are needed.
#### Wazuh TLS certificates
@@ -404,6 +419,38 @@ The DNS role publishes the following records for `<domain>`:
| `forgejo_admin_email` | `admin@<domain>` | Initial admin email. |
| `forgejo_ssh_port` | `2222` | Host port for Forgejo SSH access. Must be open in the firewall. |
### Uptime Kuma
| Variable | Default | Description |
|----------|---------|-------------|
| `uptimekuma_domain` | `status.<domain>` | Uptime Kuma dashboard URL. |
| `uptimekuma_version` | `1` | Uptime Kuma image tag (`1` tracks the latest v1 release). |
Access is controlled entirely by Authentik forward auth — Uptime Kuma's own account system is not used. After deployment, add monitors for each service subdomain via the web UI.
### Automatisch
| Variable | Default | Description |
|----------|---------|-------------|
| `automatisch_domain` | `automate.<domain>` | Automatisch URL. |
| `automatisch_version` | `latest` | Automatisch image tag. |
| `automatisch_db_password` | — | PostgreSQL password for Automatisch's database. |
| `automatisch_encryption_key` | — | Encrypts stored integration credentials. Generate with `openssl rand -base64 36`. **Never rotate after first deployment** — doing so breaks all existing connections. |
| `automatisch_webhook_secret_key` | — | Verifies incoming webhook requests. Same rotation warning applies. |
| `automatisch_app_secret_key` | — | Used for user session signing. Same rotation warning applies. |
Access is controlled by Authentik forward auth.
### Twenty CRM
| Variable | Default | Description |
|----------|---------|-------------|
| `twenty_domain` | `crm.<domain>` | Twenty CRM URL. |
| `twenty_version` | `latest` | Twenty image tag. |
| `twenty_app_secret` | — | Random secret for JWT signing. Generate with `openssl rand -base64 36`. |
| `twenty_db_password` | — | PostgreSQL password for Twenty's database. |
| `twenty_oidc_client_secret` | — | OIDC client secret from the Authentik OAuth2 application. |
### Website
| Variable | Default | Description |
@@ -456,7 +503,7 @@ ansible-playbook playbooks/site.yml --tags nextcloud
ansible-playbook playbooks/site.yml --tags website
```
Available tags: `common`, `dns`, `graylog`, `authentik`, `minio`, `nextcloud`, `stalwart`, `roundcube`, `matrix`, `jitsi`, `headscale`, `wazuh`, `vaultwarden`, `forgejo`, `website`.
Available tags: `common`, `dns`, `graylog`, `authentik`, `minio`, `nextcloud`, `stalwart`, `roundcube`, `matrix`, `jitsi`, `headscale`, `wazuh`, `vaultwarden`, `forgejo`, `uptimekuma`, `automatisch`, `twenty`, `website`.
### Dry run