Files
veola/deploy/authentik-forward-auth.md
prosolis 7c95e4fd4e Add Authentik SSO, budget visibility, Resend email, 12h item default
Opens Veola up to more users (Parodia's Authentik) and makes Apify spend
visible to everyone.

- Auth: Traefik forward-auth (trust X-Authentik-* headers only from
  trusted_proxies CIDRs, keyed by email, role synced from admin_group),
  keeping local password login as break-glass. New [auth] config,
  CaptureDirectIP + ForwardAuth middleware, deploy/authentik-forward-auth.md.
- Budget: count every Apify run (apify_api_usage table) and show
  calls + estimated cost to all users on the dashboard, with an optional
  monthly-budget bar. New [budget] config + settings.
- Email: Resend client for opt-in deal alerts and a weekly digest
  (Mon 09:00). Per-user email + toggles on Settings. New [resend] config.
- Defaults: new items default to a 12-hour poll interval to cut spend.

users table gains email/auth_source/email-pref columns (migrated in place).
go build/vet/test green; boots and migrates cleanly.
2026-06-20 11:12:11 -07:00

70 lines
2.3 KiB
Markdown

# Authentik forward-auth (via Traefik)
Veola can delegate identity to Authentik using Traefik's `forwardAuth`
middleware. Veola itself does not speak OIDC; it trusts identity headers that
Authentik's proxy outpost sets, and matches/creates a local user by **email**.
Local password login stays available as a break-glass fallback.
## 1. Veola config
```toml
[auth]
mode = "forward"
trusted_proxies = ["172.18.0.0/16"] # CIDR(s) of the Traefik container/host
admin_group = "veola-admins" # Authentik group that grants admin
```
`trusted_proxies` is mandatory in forward mode: forward-auth headers are only
honored when the **direct** connection (before `X-Forwarded-For` rewriting)
comes from one of these CIDRs. Without it the headers are spoofable. Use the
address Traefik connects from (its Docker network range, or `127.0.0.1/32` if
co-located).
Header names default to Authentik's (`X-Authentik-Username`,
`X-Authentik-Email`, `X-Authentik-Name`, `X-Authentik-Groups`); override under
`[auth]` only if your outpost differs.
## 2. Authentik
- Create a **Proxy Provider** in *forward auth (single application)* mode with
the external host (e.g. `https://veola.example.com`).
- Bind it to an Application, and bind the embedded/standalone outpost.
- Create a group (default name `veola-admins`) and add operators who should be
Veola admins. Everyone else lands as a regular user. Role is re-synced from
the group on every request.
## 3. Traefik
```yaml
http:
middlewares:
authentik:
forwardAuth:
address: "http://authentik-server:9000/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-email
- X-authentik-name
- X-authentik-groups
routers:
veola:
rule: "Host(`veola.example.com`)"
service: veola
middlewares:
- authentik
tls:
certResolver: letsencrypt
```
Traefik must strip any client-supplied `X-Authentik-*` and `X-Forwarded-*`
headers on ingress so only the outpost can set them.
## Break-glass
`/login` and `/setup` still work for local password accounts. If Authentik is
down, reach Veola directly (bypassing the proxy) from a trusted network and log
in with a local admin account. Forward-auth is a no-op for connections that do
not originate from `trusted_proxies`.