Authentik
We use Authentik as our primary Identity Provider (IdP). This means that our Authentik instance is the source of truth for all of dma.space's internal user logins and, in some cases, profile information.
Deployment
Authentik currently sits on one of the NixOS boxes. This is bound to be changed in the future.
Configuration
Most of Authentik's applications and providers are configured in OpenTofu (a Terraform fork) as part of dma/infra. Specifically, see https://codeberg.org/dma/infra/src/branch/main/tf/authentik for the code.
Occasionally, some manual configuration on the portal side is allowed, but keep in mind that manual configurations are prone to being overwritten the next time OpenTofu applies its state. For this reason, you must port your manual configurations to the OpenTofu files as soon as you can.
App-specific Notes
This section covers some particularly naughty services (i.e. ones that need special treatment).
Zulip
All of dma.space's internal users have their Zulip accounts automatically created. This is done thanks to Zulip's SCIM synchronization with Authentik.
Note that Zulip does not support Authentik as a SCIM provider; we are running this off our own set of patches to make it work. These patches may be quite fragile; they may even break on the next Zulip update.
Monolith
The Monolith is our in-house member integration software. It needs a special, non-OpenID-compliant user claims format, which the OpenTofu file already declares.
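As an added illustration (not code from dma/infra) of how an application, its OAuth2 provider and a custom claim mapping are declared in OpenTofu, as the Configuration and Monolith sections describe: the service name, slug, redirect URI and the "member_groups" claim are placeholders, and the resource and attribute names follow the goauthentik/authentik provider as remembered here, so check them against the docs for the provider version pinned in the repo.

```hcl
terraform {
  required_providers {
    authentik = {
      source = "goauthentik/authentik"
    }
  }
}

# Flows ship with authentik; look them up by slug instead of hard-coding UUIDs.
data "authentik_flow" "authorization" {
  slug = "default-provider-authorization-implicit-consent"
}

data "authentik_flow" "invalidation" {
  slug = "default-provider-invalidation-flow"
}

# Hypothetical custom claim: expose the user's groups under a service-specific
# key. The expression runs inside authentik and must return a dict that is
# merged into the token claims.
resource "authentik_property_mapping_provider_scope" "member_groups" {
  name       = "example-member-groups"
  scope_name = "member_groups"
  expression = <<-EOT
    return {
      "member_groups": [g.name for g in user.ak_groups.all()],
    }
  EOT
}

resource "authentik_provider_oauth2" "example" {
  name               = "example-service"
  client_id          = "example-service"
  client_type        = "confidential" # client secret is generated by authentik
  authorization_flow = data.authentik_flow.authorization.uuid
  invalidation_flow  = data.authentik_flow.invalidation.uuid
  redirect_uris      = ["https://example-service.example/oauth/callback"] # placeholder
  property_mappings  = [authentik_property_mapping_provider_scope.member_groups.id]
}

resource "authentik_application" "example" {
  name              = "Example Service"
  slug              = "example-service"
  protocol_provider = authentik_provider_oauth2.example.id
}
```

Running `tofu plan` against the live instance shows any portal-side edits as drift; whatever appears there is exactly what the next apply would revert, so port it into the files first.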