Updating documentation

CLAUDE.md

@@ -25,6 +25,9 @@ This file provides guidance to Claude Code (claude.ai/code) when working with co
 | wazuh | Wazuh Manager + Indexer + Dashboard | `wazuh.<domain>` |
 | vaultwarden | Vaultwarden + PostgreSQL | `vault.<domain>` |
 | forgejo | Forgejo + PostgreSQL | `git.<domain>` |
+| uptimekuma | Uptime Kuma (uptime monitoring) | `status.<domain>` |
+| automatisch | Automatisch (workflow automation) | `automate.<domain>` |
+| twenty | Twenty CRM + PostgreSQL + Redis | `crm.<domain>` |
 
 ### Design Principles
 

README.md

@@ -34,6 +34,9 @@ Sovereign is an Ansible project that deploys a complete self-hosted infrastructu
 | `wazuh` | Wazuh Manager + Indexer + Dashboard | `wazuh.<domain>` |
 | `vaultwarden` | Vaultwarden + PostgreSQL | `vault.<domain>` |
 | `forgejo` | Forgejo + PostgreSQL | `git.<domain>` |
+| `uptimekuma` | Uptime Kuma (uptime monitoring) | `status.<domain>` |
+| `automatisch` | Automatisch (workflow automation) | `automate.<domain>` |
+| `twenty` | Twenty CRM + PostgreSQL + Redis | `crm.<domain>` |
 | `website` | Nginx (static website) | `<domain>` |
 
 ---
@@ -186,14 +189,26 @@ Stalwart generates its DKIM signing key on first start. After Stalwart is runnin
 
 Log into Authentik at `https://auth.<domain>` and create an OAuth2/OIDC provider and application for each service that integrates with SSO. Then fill in the `changeme_*_oidc_secret` placeholders in the relevant compose templates under `roles/<service>/templates/`.
 
-Services that require Authentik OIDC configuration:
+Services that use native OIDC — create an OAuth2/OIDC provider in Authentik for each, then set the corresponding variable in `all.yml`:
 
-| Service | Template variable |
+| Service | `all.yml` variable |
-|---------|------------------|
+|---------|-------------------|
 | MinIO | `changeme_minio_oidc_secret` |
 | Headscale | `changeme_headscale_oidc_secret` |
 | Vaultwarden | `changeme_vaultwarden_oidc_secret` |
 | Forgejo | `changeme_forgejo_oidc_secret` |
+| Twenty CRM | `twenty_oidc_client_secret` |
+
+For Twenty CRM, after setting the variable and redeploying the role, also configure the provider inside the app: **Settings → Security → SSO → Add provider**, using the discovery URL `https://auth.<domain>/application/o/twenty/.well-known/openid-configuration`.
+
+Services that use Authentik **forward auth** (no native OIDC) — create a **Proxy Provider** in Forward Auth mode for each, create an Application bound to it, and add it to the embedded outpost:
+
+| Service | External host |
+|---------|--------------|
+| Uptime Kuma | `https://status.<domain>` |
+| Automatisch | `https://automate.<domain>` |
+
+With the embedded outpost running, Traefik will redirect unauthenticated requests to the Authentik login page automatically — no further role changes are needed.
 
 #### Wazuh TLS certificates
 
@@ -404,6 +419,38 @@ The DNS role publishes the following records for `<domain>`:
 | `forgejo_admin_email` | `admin@<domain>` | Initial admin email. |
 | `forgejo_ssh_port` | `2222` | Host port for Forgejo SSH access. Must be open in the firewall. |
 
+### Uptime Kuma
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `uptimekuma_domain` | `status.<domain>` | Uptime Kuma dashboard URL. |
+| `uptimekuma_version` | `1` | Uptime Kuma image tag (`1` tracks the latest v1 release). |
+
+Access is controlled entirely by Authentik forward auth — Uptime Kuma's own account system is not used. After deployment, add monitors for each service subdomain via the web UI.
+
+### Automatisch
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `automatisch_domain` | `automate.<domain>` | Automatisch URL. |
+| `automatisch_version` | `latest` | Automatisch image tag. |
+| `automatisch_db_password` | — | PostgreSQL password for Automatisch's database. |
+| `automatisch_encryption_key` | — | Encrypts stored integration credentials. Generate with `openssl rand -base64 36`. **Never rotate after first deployment** — doing so breaks all existing connections. |
+| `automatisch_webhook_secret_key` | — | Verifies incoming webhook requests. Same rotation warning applies. |
+| `automatisch_app_secret_key` | — | Used for user session signing. Same rotation warning applies. |
+
+Access is controlled by Authentik forward auth.
+
+### Twenty CRM
+
+| Variable | Default | Description |
+|----------|---------|-------------|
+| `twenty_domain` | `crm.<domain>` | Twenty CRM URL. |
+| `twenty_version` | `latest` | Twenty image tag. |
+| `twenty_app_secret` | — | Random secret for JWT signing. Generate with `openssl rand -base64 36`. |
+| `twenty_db_password` | — | PostgreSQL password for Twenty's database. |
+| `twenty_oidc_client_secret` | — | OIDC client secret from the Authentik OAuth2 application. |
+
 ### Website
 
 | Variable | Default | Description |
@@ -456,7 +503,7 @@ ansible-playbook playbooks/site.yml --tags nextcloud
 ansible-playbook playbooks/site.yml --tags website
 ```
 
-Available tags: `common`, `dns`, `graylog`, `authentik`, `minio`, `nextcloud`, `stalwart`, `roundcube`, `matrix`, `jitsi`, `headscale`, `wazuh`, `vaultwarden`, `forgejo`, `website`.
+Available tags: `common`, `dns`, `graylog`, `authentik`, `minio`, `nextcloud`, `stalwart`, `roundcube`, `matrix`, `jitsi`, `headscale`, `wazuh`, `vaultwarden`, `forgejo`, `uptimekuma`, `automatisch`, `twenty`, `website`.
 
 ### Dry run