admin/homelab-manifests
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity

workout-system: SparkyFitness OIDC-only auth (email login+signup off, OIDC signup on)

Browse Source 
Admin bootstrapped via Authentik OIDC. Finalize the intended auth posture:
- Remove SPARKY_FITNESS_FORCE_EMAIL_LOGIN fail-safe (OIDC confirmed working).
- Add SPARKY_FITNESS_DISABLE_EMAIL_LOGIN=true -> email/password login + registration off.
- Keep SPARKY_FITNESS_DISABLE_SIGNUP=false so OIDC auto-register keeps working
  (the global signup gate would otherwise block OIDC self-registration too).
Net: Authentik OIDC is the only login + signup path; emergency recovery documented
inline (set FORCE_EMAIL_LOGIN=true to re-enable email login).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
authentik Default Admin
2026-05-27 16:00:27 +02:00
parent a1e73466a6
commit 6d21576e00
1 changed files with 14 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
workout-system/sparkyfitness.yaml
+14 -9
View File
@@ -208,10 +208,13 @@ spec:
value: "INFO" value: "INFO"
- name: SPARKY_FITNESS_FRONTEND_URL - name: SPARKY_FITNESS_FRONTEND_URL
value: "https://workout.dooplex.hu" value: "https://workout.dooplex.hu"
# TEMPORARILY "false" to bootstrap the first admin account. With signup # MUST stay "false": this is the GLOBAL signup gate, and "true" blocks
# disabled, even OIDC auto-register is blocked ("Signups are currently # OIDC auto-register too ("Signups are currently disabled by the
# disabled by the administrator"). Flip back to "true" immediately after # administrator"). We want OIDC self-registration to work, so it stays
# the admin (SPARKY_FITNESS_ADMIN_EMAIL) has logged in via Authentik once. # false; email/password registration is instead blocked by disabling
# email login entirely (SPARKY_FITNESS_DISABLE_EMAIL_LOGIN below).
# Who may actually register is then governed by Authentik (only users
# authorized for the SparkyFitness application can complete OIDC).
- name: SPARKY_FITNESS_DISABLE_SIGNUP - name: SPARKY_FITNESS_DISABLE_SIGNUP
value: "false" value: "false"
- name: SPARKY_FITNESS_ADMIN_EMAIL - name: SPARKY_FITNESS_ADMIN_EMAIL
@@ -220,11 +223,13 @@ spec:
value: "true" value: "true"
- name: SPARKY_FITNESS_EXTRA_TRUSTED_ORIGINS - name: SPARKY_FITNESS_EXTRA_TRUSTED_ORIGINS
value: "https://workout.home" value: "https://workout.home"
# ---- Fail-safe: keep email/password login working during bring-up # OIDC login confirmed working (admin bootstrapped via Authentik 2026-05-27),
# so a misconfigured OIDC can't lock you out. REMOVE this (and # so the email-login fail-safe is removed and email/password login +
# optionally set SPARKY_FITNESS_DISABLE_EMAIL_LOGIN=true) once the # registration are disabled — Authentik (OIDC) is the only auth/signup path.
# Authentik OIDC login is confirmed working end-to-end. # EMERGENCY RECOVERY if ever locked out of OIDC: set
- name: SPARKY_FITNESS_FORCE_EMAIL_LOGIN # SPARKY_FITNESS_FORCE_EMAIL_LOGIN=true on the deployment and restart to
# re-enable email/password login (it overrides DISABLE_EMAIL_LOGIN).
- name: SPARKY_FITNESS_DISABLE_EMAIL_LOGIN
value: "true" value: "true"
# ---- OIDC (Authentik) — env-based provider upsert ---- # ---- OIDC (Authentik) — env-based provider upsert ----
- name: SPARKY_FITNESS_OIDC_AUTH_ENABLED - name: SPARKY_FITNESS_OIDC_AUTH_ENABLED