habsi/authentik
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

website: Flesh out docs split.

Browse Source 
website: Copy files during build.

website: Allow for mixed env builds.

website: Reduce build size.

website: Expose build.

website: Add build memory debugging.

WIP: Disable broken links check to compare memory usage.

website: Update deps.

website: Clean up API paths.

website: Flesh out 3.8 fixes.

Format.

website: Update ignore paths.

Website: Clean up integrations build.

website: Fix paths.

website: Optimize remark.

website: Update deps.

website: Format.

website: Remove linking.

website: Fix paths.

wip: Attempt API only build.

Prep.

Migrate render to runtime. Tidy sidebar.

Clean up templates.

docs: Move directory. WIP

docs: Flesh out split.

website: Fix issue where routes have collisions.
This commit is contained in:
Teffen Ellis
2025-06-17 21:02:38 +02:00
parent b10c795a26
commit 582812b3ec
704 changed files with 5179 additions and 4670 deletions
Download Patch File Download Diff File Expand all files Collapse all files

94
docs/integrations/media/calibre-web/index.md Normal file
View File

@ -0,0 +1,94 @@
---
title: Integrate with Calibre-Web
sidebar_label: Calibre-Web
support_level: community
---
## What is Calibre-Web
> Calibre-Web is a web app that offers an interface for browsing, reading, and downloading eBooks using a valid Calibre database.
>
> -- https://github.com/janeczku/calibre-web
## Preparation
The following placeholders are used in this guide:
- `calibreweb.company` is the FQDN of the Calibre-Web installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Calibre-Web with authentik, you need to create an application/provider pair and a correspdonding group in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select LDAP Provider as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name) and set the authorization flow to use for this provider.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
### Create a group in authentik
Create a group that will grant access to Calibre-Web.
1. Navigate to **Directory** > **Groups** and click **Create**.
- **Name**: provide a name (e.g. `Calibre-Web`).
2. Click **Create**.
### Add users to the group
Add the user that require access to the newly created group.
1. Navigate to **Directory** > **Groups** and click on the name of the group (e.g. `Calibre-Web`) that was just created.
2. Navigate to the **Users** tab and click **Add existing user**.
3. Click **+**.
4. Select the user that requires access and click **Add**.
5. Click **Add**.
## Calibre-Web configuration
1. Navigate to **Admin** > **Edit Basic Configuration** and click on **Feature Configuration** and set the following options:
- Login Type: `Use LDAP Authentication`
- LDAP Server: `authentik.company`
- LDAP Server Port: `389`
- LDAP Encryption: `None`
- LDAP Authentication: `Simple`
- LDAP Administrator Username: `cn=<authentik_administrator_username>,ou=users,dc=goauthentik,dc=io` (e.g. `cn=akadmin,ou=users,dc=goauthentik,dc=io`)
- LDAP Administrator Password: `<authentik_administrator_password>`
- LDAP Distinguished Name (DN): `dc=ldap,dc=goauthentik,dc=io`
- LDAP User Object Filter: `(&(objectclass=user)(cn=%s))`
- LDAP Server is OpenLDAP?: `true`
- LDAP Group Object Filter: `(&(objectclass=group)(cn=%s))`
- LDAP Group Name: `<group_name>` (e.g. `Calibre-Web`)
- LDAP Group Members Field: `member`
- LDAP Member User Filter Detection: `Autodetect`
2. Click **Save**.
3. Navigate to **Admin** and click **Import LDAP Users**
4. Once the user is imported from authentik, click **Edit Users** and give the user the desired permissions by checking the relevant checkboxes.
## Configuration verification
To confirm that authentik is properly configured with _Calibre-Web_, log out and log back in using the credentials of a user that is a member of the LDAP group (e.g. `Calibre-Web`).

73
docs/integrations/media/freshrss/index.mdx Normal file
View File

@ -0,0 +1,73 @@
---
title: Integrate with FreshRSS
sidebar_label: FreshRSS
support_level: community
---
## What is FreshRSS
> FreshRSS is a self-hosted RSS feed aggregator.
>
> -- https://github.com/FreshRSS/FreshRSS
## Preparation
The following placeholders are used in this guide:
- `freshrss.company` is the FQDN of the FreshRSS installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation only lists the settings that have been changed from their default values. Please verify your changes carefully to avoid any issues accessing your application.
:::
## authentik configuration
To support the integration of FreshRss with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add two `Strict` redirect URI and set them to `https://freshrss.company/i/oidc/` and `https://freshrss.company:443/i/oidc/`. If FreshRSS is exposed on a port other than `443`, update the second redirect URI accordingly.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## FreshRSS configuration
:::info
This integration is compatible only with Docker or Kubernetes installations of FreshRSS that use the [FreshRSS Docker image](https://hub.docker.com/r/freshrss/freshrss/) on x86_64 systems. Note that the Alpine version of the image is not supported. For more details, see [this issue on the FreshRSS GitHub repository](https://github.com/FreshRSS/FreshRSS/issues/5722).
:::
:::warning
Before restarting your Docker container, ensure that at least one Admin user in your FreshRSS instance has a username that matches an authentik user.
:::
To enable OIDC login with FreshRSS, update your `.env` file to include the following variables:
```yaml showLineNumbers
OIDC_ENABLED=1
OIDC_PROVIDER_METADATA_URL=https://authentik.company/application/o/<application_slug>/.well-known/openid-configuration
OIDC_CLIENT_ID=<Your Client ID from authentik<>
OIDC_CLIENT_SECRET=<Your Client Secret from authentik>
OIDC_X_FORWARDED_HEADERS=X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host
OIDC_SCOPES=openid email profile
```
Once your container or pod is restarted, attempt to login as a user that exists in both FreshRSS and authentik. Go to **Settings** -> **Authentication** and set the authentication method to **HTTP**.
## Configuration verification
To verify that authentik is correctly set up with FreshRSS, log out of FreshRSS and try logging back in using authentik. You should see a new button on the login page for OIDC authentication.
## Resources
- [FreshRSS documentation for OpenID Connect](https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect.html).
- [FreshRSS documentation for OIDC with authentik](https://freshrss.github.io/FreshRSS/en/admins/16_OpenID-Connect-Authentik.html)

51
docs/integrations/media/immich/index.md Normal file
View File

@ -0,0 +1,51 @@
---
title: Integrate with Immich
sidebar_label: Immich
support_level: community
---
## What is Immich
> Immich is a self-hosted backup solution for photos and videos on mobile devices.
>
> -- https://immich.app/
## Preparation
The following placeholders are used in this guide:
- `https://immich.company` is the URL used to access the Immich instance.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Immich with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Add three `Strict` redirect URIs and set them to `app.immich:///oauth-callback`, `https://immich.company/auth/login`, and `https://immich.company/user-settings`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Immich configuration
Immich documentation can be found here: https://immich.app/docs/administration/oauth
1. In Immich, navigate to **Administration** > **Settings** > **OAuth Authentication**
2. Configure Immich as follows:
- **Issuer URL**: `https://authentik.company/application/o/<application_slug>/`
- **Client ID**: Enter your Client ID from authentik
- **Client Secret**: Enter your Client Secret from authentik
- **Scope**: `openid email profile`

176
docs/integrations/media/jellyfin/index.md Normal file
View File

@ -0,0 +1,176 @@
---
title: Integrate with Jellyfin
sidebar_label: Jellyfin
support_level: community
---
## What is Jellyfin
> Jellyfin is a free and open source media management and streaming platform for movies, TV shows, and music.
>
> -- https://jellyfin.org
:::note
Jellyfin does not have any native external authentication support as of the writing of this page. Currently, there are two plugins for Jellyfin that provide external authentication, an OIDC plugin and an LDAP plugin.
:::
:::caution
An LDAP outpost must be deployed to use the Jellyfin LDAP plugin
:::
## Preparation
The following placeholders are used in this guide:
- `jellyfin.company` is the FQDN of the Jellyfin installation.
- `authentik.company` is the FQDN of the authentik installation.
- `ldap.company` the FQDN of the LDAP outpost.
- `dc=company,dc=com` the Base DN of the LDAP outpost.
- `ldap_bind_user` the username of the desired LDAP Bind User
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## LDAP Configuration
### authentik Configuration
No additional authentik configuration needs to be configured. Follow the LDAP outpost instructions to create an LDAP outpost and configure access via the outpost
### Jellyfin configuration
1. If you don't have one already, create an LDAP bind user before starting these steps.
- Ideally, this user doesn't have any permissions other than the ability to view other users. However, some functions do require an account with permissions.
- This user must be part of the group that is specified in the "Search group" in the LDAP outpost.
2. Navigate to your Jellyfin installation and log in with the administrator account or currently configured local admin.
3. Open the **Administrator dashboard** and go to the **Plugins** section.
4. Click **Catalog** at the top of the page, and locate the "LDAP Authentication Plugin"
5. Install the plugin. You may need to restart Jellyfin to finish installation.
6. Once finished, navigate back to the plugins section of the admin dashboard, click the 3 dots on the "LDAP-Auth Plugin" card, and click settings.
7. Configure the LDAP Settings as follows:
- `LDAP Server`: `ldap.company`
- `LDAP Port`: 636
- `Secure LDAP`: **Checked**
- `StartTLS`: Unchecked
- `Skip SSL/TLS Verification`:
- If using a certificate issued by a certificate authority, Jellyfin trusts, leave this unchecked.
- If you're using a self-signed certificate, check this box.
- `Allow password change`: Unchecked
- Since authentik already has a frontend for password resets, it's not necessary to include this in Jellyfin, especially since it requires bind user to have privileges.
- `Password Reset URL`: Empty
- `LDAP Bind User`: Set this to a user you want to bind to in authentik. By default, the path will be `ou=users,dc=company,dc=com` so the LDAP Bind user will be `cn=ldap_bind_user,ou=users,dc=company,dc=com`.
- `LDAP Bind User Password`: The Password of the user. If using a Service account, this is the token.
- `LDAP Base DN for Searches`: the base DN for LDAP queries. To query all users, set this to `dc=company,dc=com`.
- You can specify an OU if you divide your users up into different OUs and only want to query a specific OU.
At this point, click **Save and Test LDAP Server Settings**. If the settings are correct, you will see:
`Connect(Success); Bind(Success); Base Search (Found XY Entities)`
- `LDAP User Filter`: This is used to a user filter on what users are allowed to login. **This must be set**
- To allow all users: `(objectClass=user)`
- To only allow users in a specific group: `(memberOf=cn=jellyfin_users,ou=groups,dc=company,dc=com)`
- Good Docs on LDAP Filters: [atlassian.com](https://confluence.atlassian.com/kb/how-to-write-ldap-search-filters-792496933.html)
- `LDAP Admin Base DN`: All the users in this DN are automatically set as admins.
- This can be left blank. Admins can be set manually outside this filter
- `LDAP Admin Filter`: Similar to the user filter, but every matched user is set as admin.
- This can be left blank. Admins can be set manually outside this filter
At this point, click **Save and Test LDAP Filter Settings**. If the settings are correct, you will see:
`Found X user(s), Y admin(s)`
- `LDAP Attributes`: `uid, cn, mail, displayName`
- `Enable case Insensitive Username`: **Checked**
At this point, enter a username and click **Save Search Attribute Settings and Query User**. If the settings are correct, you will see:
`Found User: cn=test,ou=users,dc=company,dc=com`
- `Enabled User Creation`: **Checked**
- `LDAP Name Attribute`: `cn`
- `LDAP Password Attribute`: `userPassword`
- `Library Access`: Set this according to desired library access
1. Click "Save"
2. Logout, and login with a LDAP user. Username **must** be used, logging in with email will not work.
## OIDC Configuration
### authentik Configuration
**Provider Settings**
In authentik under **Providers**, create an OAuth2/OpenID Provider with these settings:
- Name: `jellyfin`
- Redirect URI: `https://jellyfin.company/sso/OID/redirect/authentik`
Everything else is up to you, just make sure to grab the client ID and the client secret!
:::note
The last part of the URI is the name you use when making the provider in Jellyfin so make sure they are the same.
:::
**Application Settings**
Create an application that uses `jellyfin` provider. Optionally apply access restrictions to the application.
Set the launch URL to `https://jellyfin.company/sso/OID/start/authentik`
### Jellyfin Configuration
1. Log in to Jellyfin with an administrator account and navigate to the **Admin Dashboard** by selecting your profile icon in the top right, then clicking **Dashboard**.
2. Go to **Dashboard > Plugins > Repositories**.
3. Click the **+** in the top left to add a new repository. Use the following URL and name it "SSO-Auth":
```
https://raw.githubusercontent.com/9p4/jellyfin-plugin-sso/manifest-release/manifest.json
```
4. Click the **Catalog** tab on top and install the SSO-Auth with the most recent version.
5. Restart the Jellyfin server.
6. Go back to the plugin tab.
7. Click the SSO-Auth plugin.
8. Fill out the Add / Update Provider Configuration:
- Name of OID Provider: `authentik`
- OID Endpoint: `https://authentik.company/application/o/jellyfin/.well-known/openid-configuration`
- OpenID Client ID: ClientID from provider
- OID Secret: Client Secret from provider
- Enabled: **CHECKED**
- Enable Authorization by Plugin: **CHECKED**
9. If you want to use the role claim then also fill out these:
- Roles: roles to look for when authorizing access (should be done through authentik instead)
- Admin Roles: roles to look for when giving administrator privilege
- Role Claim: `groups`
10. Hit **Save** at the bottom.
11. On the left side now click the **General** under dashboard and go to **Branding**.
12. In the login disclaimer put this code and making sure to change the url at the top:
```
<form action="https://jellyfin.company/sso/OID/start/authentik">
<button class="raised block emby-button button-submit">
Sign in with SSO
</button>
</form>
```
13. In the Custom CSS code also add this:
```
a.raised.emby-button {
padding:0.9em 1em;
color: inherit !important;
}
.disclaimerContainer{
display: block;
}
```
14. Click **Save** at the bottom & restart the server.
15. When you are signed out you should now see a **Sign in with SSO** button.
:::note
If you have problems check your logs which are under the **Administration** -> **Dashboard** then "logs" and will be near the bottom (most likely) with `Jellyfin.Plugin.SSO_Auth.` as the start of the lines you are looking for.
:::

73
docs/integrations/media/komga/index.md Normal file
View File

@ -0,0 +1,73 @@
---
title: Integrate with Komga
sidebar_label: Komga
support_level: community
---
## What is Komga
> Komga is an open-source comic and manga server that lets users organize, read, and stream their digital comic collections with ease.
>
> -- https://komga.org/
## Preparation
The following placeholders are used in this guide:
- `komga.company` is the FQDN of the Komga installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Komga with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name, an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: select **OAuth2/OpenID Connect** as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations.
- Note the **Client ID**,**Client Secret**, and **slug** values because they will be required later.
- Set a `Strict` redirect URI to `https://komga.company/login/oauth2/code/authentik`.
- Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Komga configuration
To configure Komga, update its `application.yml` file to include the following options:
:::info
All configuration options can be found in [Komga's OAuth2 Advanced configuration documentation](https://komga.org/docs/installation/oauth2/#advanced-configuration).
:::
:::warning
You can configure Komga to use either the `sub` or `preferred_username` as the UID field under `user-name-attribute`. When using `preferred_username` as the user identifier, ensure that the [**Allow users to change username** setting](https://docs.goauthentik.io/docs/sys-mgmt/settings#allow-users-to-change-username) is disabled to prevent authentication issues. The `sub` option uses a unique, stable identifier for the user, while `preferred_username` uses the username configured in authentik.
:::
```yml
spring:
security:
oauth2:
client:
registration:
authentik:
provider: authentik
client-id: <client id>
client-secret: <client secret>
client-name: authentik
scope: openid,email,profile
authorization-grant-type: authorization_code
redirect-uri: "{baseUrl}/{action}/oauth2/code/{registrationId}"
provider:
authentik:
user-name-attribute: preferred_username
issuer-uri: https://authentik.company/application/o/<application_slug>/
```

60
docs/integrations/media/miniflux/index.md Normal file
View File

@ -0,0 +1,60 @@
---
title: Integrate with Miniflux
sidebar_label: Miniflux
support_level: community
---
## What is Miniflux
> Miniflux is a minimalist and opinionated RSS feed reader.
>
> -- https://github.com/miniflux/v2
## Preparation
The following placeholders are used in this guide:
- `miniflux.company` is the FQDN of the Miniflux installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik configuration
To support the integration of Miniflux with authentik, you need to create an application/provider pair in authentik.
### Create an application and provider in authentik
1. Log in to authentik as an administrator and open the authentik Admin interface.
2. Navigate to **Applications** > **Applications** and click **Create with Provider** to create an application and provider pair. (Alternatively you can first create a provider separately, then create the application and connect it with the provider.)
- **Application**: provide a descriptive name (e.g., `Miniflux`), an optional group for the type of application, the policy engine mode, and optional UI settings.
- **Choose a Provider type**: Select OAuth2/OpenID Provider as the provider type.
- **Configure the Provider**: provide a name (or accept the auto-provided name), the authorization flow to use for this provider, and the following required configurations. - Note the **Client ID**, **Client Secret**, and **slug** values because they will be required later. - Set a `Strict` redirect URI to `https://miniflux.company/oauth2/oidc/callback` - Select any available signing key.
- **Configure Bindings** _(optional)_: you can create a [binding](/docs/add-secure-apps/flows-stages/bindings/) (policy, group, or user) to manage the listing and access to applications on a user's **My applications** page.
3. Click **Submit** to save the new application and provider.
## Miniflux configuration
Add the following environment variables to your Miniflux configuration. Make sure to fill in the client ID, client secret, and OpenID Connect well-known URL from your authentik instance.
```sh
OAUTH2_PROVIDER=oidc
OAUTH2_CLIENT_ID=<Client ID from authentik>
OAUTH2_CLIENT_SECRET=<Client Secret from authentik>
OAUTH2_REDIRECT_URL=https://miniflux.company/oauth2/oidc/callback
OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.company/application/o/<application_slug>/
OAUTH2_USER_CREATION=1
```
:::note
The trailing `.well-known/openid-configuration` is not required for `OAUTH2_OIDC_DISCOVERY_ENDPOINT`
:::
Restart the Miniflux service for the changes to take effect.
## Configuration verification
To confirm that authentik is properly configured with Miniflux, log out of Miniflux, locate the "Sign in with OpenID Connect" button on the login page, click on it, and ensure you can successfully log in using Single Sign-On.

63
docs/integrations/media/sonarr/index.md Normal file
View File

@ -0,0 +1,63 @@
---
title: Integrate with Sonarr
sidebar_label: Sonarr
support_level: community
---
:::note
These instructions apply to all projects in the \*arr Family. If you use multiple of these projects, you can assign them to the same Outpost.
:::
## What is Sonarr
> Sonarr is a PVR for Usenet and BitTorrent users. It can monitor multiple RSS feeds for new episodes of your favorite shows and will grab, sort and rename them. It can also be configured to automatically upgrade the quality of files already downloaded when a better quality format becomes available.
>
> -- https://github.com/Sonarr/Sonarr
## Preparation
The following placeholders are used in this guide:
- `sonarr.company` is the FQDN of the Sonarr installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
Create a Proxy Provider with the following values
- Internal host
If Sonarr is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://sonarr:8989`, where sonarr is the name of your container.
If Sonarr is running on a different server than where you are deploying the authentik proxy, set the value to `http://sonarr.company:8989`.
- External host
Set this to the external URL you will be accessing Sonarr from.
Create an application in authentik and select the provider you've created above.
## Deployment
Create an outpost deployment for the provider you've created above, as described [here](https://docs.goauthentik.io/docs/add-secure-apps/outposts/). Deploy this Outpost either on the same host or a different host that can access Sonarr.
The outpost will connect to authentik and configure itself.
## Authentication Setup
Because Sonarr can use HTTP Basic credentials, you can save your HTTP Basic Credentials in authentik. The recommended way to do this is to create a Group. Name the group "Sonarr Users", for example. For this group, add the following attributes:
```yaml
sonarr_user: username
sonarr_password: password
```
Add all Sonarr users to the Group. You should also create a Group Membership Policy to limit access to the application.
Enable the `Use Basic Authentication` option. Set and `HTTP-Basic Username` and `HTTP-Basic Password` to `sonarr_user` and `sonarr_password` respectively. These values can be chosen freely, `sonarr_` is just used as a prefix for clarity.
## Reverse Proxy Setup
Finally, in your reverse proxy setup for Sonarr, replace the current value with your Authentik Server

57
docs/integrations/media/tautulli/index.md Normal file
View File

@ -0,0 +1,57 @@
---
title: Integrate with Tautulli
sidebar_label: Tautulli
support_level: community
---
## What is Tautulli
> Tautulli is a 3rd party application that you can run alongside your Plex Media Server to monitor activity and track various statistics. Most importantly, these statistics include what has been watched, who watched it, when and where they watched it, and how it was watched. The only thing missing is "why they watched it", but who am I to question your 42 plays of Frozen. All statistics are presented in a nice and clean interface with many tables and graphs, which makes it easy to brag about your server to everyone else.
>
> -- https://tautulli.com/
## Preparation
The following placeholders are used in this guide:
- `tautulli.company` is the FQDN of the Tautulli installation.
- `authentik.company` is the FQDN of the authentik installation.
:::note
This documentation lists only the settings that you need to change from their default values. Be aware that any changes other than those explicitly mentioned in this guide could cause issues accessing your application.
:::
## authentik Setup
Because Tautulli requires valid HTTP Basic credentials, you must save your HTTP Basic Credentials in authentik. The recommended way to do this is to create a Group. Name the group "Tautulli Users", for example. For this group, add the following attributes:
```yaml
tautulli_user: username
tautulli_password: password
```
Add all Tautulli users to the Group. You should also create a Group Membership Policy to limit access to the application.
Create an application in authentik. Create a Proxy provider with the following parameters:
- Internal host
If Tautulli is running in docker, and you're deploying the authentik proxy on the same host, set the value to `http://tautulli:3579`, where tautulli is the name of your container.
If Tautulli is running on a different server to where you are deploying the authentik proxy, set the value to `http://tautulli.company:3579`.
- External host
Set this to the external URL you will be accessing Tautulli from.
Enable the `Set HTTP-Basic Authentication` option. Set and `HTTP-Basic Username` and `HTTP-Basic Password` to `tautulli_user` and `tautulli_password` respectively. These values can be chosen freely, `tautulli_` is just used as a prefix for clarity.
## Tautulli Setup
In Tautulli, navigate to Settings and enable the "Show Advanced" option. Navigate to "Web Interface" on the sidebar, and ensure the Option `Use Basic Authentication` is checked.
![](./tautulli.png)
Save the settings, and restart Tautulli if prompted.
Afterwards, you need to deploy an Outpost in front of Tautulli, as described [here](../sonarr/)

BIN
docs/integrations/media/tautulli/tautulli.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 58 KiB