website: Flesh out docs split.

website: Copy files during build.

website: Allow for mixed env builds.

website: Reduce build size.

website: Expose build.

website: Add build memory debugging.

WIP: Disable broken links check to compare memory usage.

website: Update deps.

website: Clean up API paths.

website: Flesh out 3.8 fixes.

Format.

website: Update ignore paths.

Website: Clean up integrations build.

website: Fix paths.

website: Optimize remark.

website: Update deps.

website: Format.

website: Remove linking.

website: Fix paths.

wip: Attempt API only build.

Prep.

Migrate render to runtime. Tidy sidebar.

Clean up templates.

docs: Move directory. WIP

docs: Flesh out split.

website: Fix issue where routes have collisions.

docs/topics/users-sources/sources/directory-sync/active-directory/index.md

@@ -0,0 +1,81 @@
+---
+title: Active Directory
+support_level: community
+---
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `ad.company` is the name of the Active Directory domain.
+- `authentik.company` is the FQDN of the authentik install.
+
+## Active Directory configuration
+
+To support the integration of Active Directory with authentik, you need to create a service account in Active Directory.
+
+1. Open **Active Directory Users and Computers** on a domain controller or computer with **Active Directory Remote Server Administration Tools** installed.
+2. Navigate to an Organizational Unit, right click on it, and select **New** > **User**.
+3. Create a service account, matching your naming scheme, for example:
+
+    ![](./01_user_create.png)
+
+4. Set the password for the service account. Ensure that the **Reset user password and force password change at next logon** option is not checked.
+
+    Either one of the following commands can be used to generate the password:
+
+    ```sh
+    pwgen 64 1
+    ```
+
+    ```sh
+    openssl rand 36 | base64 -w 0
+    ```
+
+5. Open the **Delegation of Control Wizard** by right-clicking the domain Active Directory Users and Computers, and selecting **All Tasks**.
+6. Select the authentik service account that you've just created.
+7. Grant these additional permissions (only required when _User password writeback_ is enabled on the LDAP source in authentik, and dependent on your AD Domain)
+
+    ![](./02_delegate.png)
+
+## authentik Setup
+
+To support the integration of authentik with Active Directory, you will need to create a new LDAP Source in authentik.
+
+1. Log in to authentik as an administrator and open the authentik Admin interface.
+2. Navigate to **Directory** > **Federation & Social login**.
+3. Click **Create** and select **LDAP Source** as the type.
+4. Provide a name, slug, and the following required configurations:
+
+    Under **Connection Settings**:
+    - **Server URI**: `ldap://ad.company`
+
+    :::note
+    For authentik to be able to write passwords back to Active Directory, make sure to use `ldaps://` as a prefix. You can verify that LDAPS is working by opening the `ldp.exe` tool on a domain controller and attempting a connection to the server via port 636. If a connection can be established, LDAPS is functioning as expected. More information can be found in the [Microsoft LDAPS documentation](https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/ldap-over-ssl-connection-issues).
+
+    Multiple servers can be specified by separating URIs with a comma (e.g. `ldap://dc1.ad.company,ldap://dc2.ad.company`). If a DNS entry with multiple records is used, authentik will select a random entry when first connecting.
+    :::
+    - **Bind CN**: `<service account>@ad.company`
+    - **Bind Password**: the password of the service account created in the previous section.
+    - **Base DN**: the base DN which you want authentik to sync.
+
+    Under **LDAP Attribute Mapping**:
+    - **User Property Mappings**: select all Mappings which start with "authentik default LDAP" and "authentik default Active Directory"
+    - **Group Property Mappings**: select "authentik default LDAP Mapping: Name"
+
+    Under **Additional Settings** _(optional)_ configurations that may need to be adjusted based on the setup of your domain:
+    - **Group**: if enabled, all synchronized groups will be given this group as a parent.
+    - **Addition User/Group DN**: additional DN which is _prepended_ to your Base DN configured above, to limit the scope of synchronization for Users and Groups.
+    - **User object filter**: which objects should be considered users (e.g. `(objectClass=user)`). For Active Directory set it to `(&(objectClass=user)(!(objectClass=computer)))` to exclude Computer accounts.
+    - **Group object filter**: which objects should be considered groups (e.g `(objectClass=group)`).
+    - **Lookup using a user attribute**: acquire group membership from a User object attribute (`memberOf`) instead of a Group attribute (`member`). This works with directories and nested groups memberships (Active Directory, RedHat IDM/FreeIPA), using `memberOf:1.2.840.113556.1.4.1941:` as the group membership field.
+    - **Group membership field**: the user object attribute or the group object attribute that determines the group membership of a user (e.g. `member`). If **Lookup using a user attribute** is set, this should be a user object attribute, otherwise a group object attribute.
+    - **Object uniqueness field**: a user attribute that contains a unique identifier (e.g. `objectSid`).
+
+5. Click **Finish** to save the LDAP Source. An LDAP synchronization will begin in the background. Once completed, you can view the summary by navigating to **Dashboards** > **System Tasks**:
+
+    ![](./03_additional_perms.png)
+
+6. To finalise the Active Directory setup, you need to enable the backend "authentik LDAP" in the Password Stage.
+
+    ![](./11_ak_stage.png)

docs/topics/users-sources/sources/directory-sync/freeipa/index.md

@@ -0,0 +1,80 @@
+---
+title: FreeIPA
+support_level: community
+---
+
+## Preparation
+
+The following placeholders are used in this guide:
+
+- `svc_authentik` is the name of the bind account.
+- `freeipa.company` is the Name of the domain.
+- `ipa1.freeipa.company` is the Name of the FreeIPA server.
+
+## FreeIPA Setup
+
+1. Log in to FreeIPA.
+
+2. Create a user in FreeIPA, matching your naming scheme. Provide a strong password, example generation methods: `pwgen 64 1` or `openssl rand 36 | base64 -w 0`. After you are done click **Add and Edit**.
+
+    ![](./01_user_create.pn)
+
+3. In the user management screen, select the Roles tab.
+
+    ![](./02_user_roles.png)
+
+4. Add a role that has privileges to change user passwords, the default `User Administrators` role is sufficient. This is needed to support password resets from within authentik.
+
+    ![](./03_add_user_role.png)
+
+5. By default, if an administrator account resets a user's password in FreeIPA the user's password expires after the first use and must be reset again. This is a security feature to ensure password complexity and history policies are enforced. To bypass this feature for a more seamless experience, you can make the following modification on each of your FreeIPA servers:
+
+    ```
+    $ ldapmodify -x -D "cn=Directory Manager" -W -h ipa1.freeipa.company -p 389
+
+    dn: cn=ipa_pwd_extop,cn=plugins,cn=config
+    changetype: modify
+    add: passSyncManagersDNs
+    passSyncManagersDNs: uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company
+    ```
+
+Additional info: [22.1.2. Enabling Password Reset Without Prompting for a Password Change at the Next Login](https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/user-authentication#user-passwords-no-expiry)
+
+## authentik Setup
+
+In authentik, create a new LDAP Source in Directory -> Federation & Social login.
+
+Use these settings:
+
+- Server URI: `ldaps://ipa1.freeipa.company`
+
+    You can specify multiple servers by separating URIs with a comma, like `ldap://ipa1.freeipa.company,ldap://ipa2.freeipa.company`.
+
+    When using a DNS entry with multiple Records, authentik will select a random entry when first connecting.
+
+- Bind CN: `uid=svc_authentik,cn=users,cn=accounts,dc=freeipa,dc=company`
+- Bind Password: The password you've given the user above
+- Base DN: `dc=freeipa,dc=company`
+- Property mappings: Control/Command-select all Mappings which start with "authentik default LDAP" and "authentik default OpenLDAP"
+- Group property mappings: Select "authentik default OpenLDAP Mapping: cn"
+
+Additional settings:
+
+- Group: If selected, all synchronized groups will be given this group as a parent.
+- Addition User/Group DN: `cn=users,cn=accounts`
+- Addition Group DN: `cn=groups,cn=accounts`
+- User object filter: `(objectClass=person)`
+- Group object filter: `(objectClass=groupofnames)`
+- Group membership field: `member`
+- Object uniqueness field: `ipaUniqueID`
+
+    ![](./04_source_settings_1.png)
+    ![](./05_source_settings_2.png)
+
+After you save the source, you can kick off a synchronization by navigating to the source, clicking on the "Sync" tab, and clicking the "Run sync again" button.
+
+![](./06_sync_source.png)
+
+Lastly, verify that the "User database + LDAP password" backend is selected in the "Password Stage" under Flows -> Stages.
+
+![](./07_password_stage.png)