# Authentik

We use Authentik as our primary Identity Provider (IdP). This means that our Authentik instance holds the source of truth for all dma.space's internal user logins and, sometimes, profile information.

## Deployment

Authentik currently sits on one of the NixOS boxes. This is bound to be changed in the future.

## Configuration

Most of Authentik's applications and providers are configured in OpenTofu (a Terraform fork) as part of [dma/infra](https://codeberg.org/dma/infra). Specifically, refer to [dma/infra/tf/authentik](https://codeberg.org/dma/infra/src/branch/main/tf/authentik) for its code.

Occasionally, some manual configuration on the portal side is allowed, but keep in mind that **manual configurations are prone to being overwritten by OpenTofu**. For this reason, you must port your manual configurations to the OpenTofu files as soon as you can.

## App-specific Notes

This section contains some particularly naughty services (i.e. ones that need special treatment).

### Zulip

All of dma.space's internal users have their Zulip accounts created automatically. This is done thanks to Zulip's SCIM synchronization with Authentik. Note that **Zulip does not support Authentik as a SCIM provider; we're running this off [our own set of patches](https://codeberg.org/dma/infra/src/commit/660a2dcf0d7eb10326f0e52727e8f8d0ad1cc1eb/nixos/machines/nixos-zulip-box/zulip.nix#L81-L112) to make this work**. These patches may be quite fragile; they may even break on the next Zulip update.

### Monolith

The Monolith is our in-house member integration software. It needs a special, non-OpenID-compliant user claims format. The OpenTofu file already declares this.