# Listmonk ↔ Authentik OIDC

**Status:** Live at `https://listmonk.levkin.ca` (LXC **221**, `10.0.10.148`).

**Requires listmonk v5+** (OIDC). Upgraded from v2.4.0 → **v6.1.0** on 2026-05-24.

## Authentik

| Item | Value |
|------|--------|
| Application slug | `listmonk` |
| Provider name | `listmonk-oidc` |
| Client ID | `listmonk` |
| Redirect URI (strict) | `https://listmonk.levkin.ca/auth/oidc` |
| Subject mode | **user_username** |
| Signing key | `authentik Self-signed Certificate` |
| Access group | **`homelab-users`** (app binding) |

Client secret: `vault_listmonk_oidc_client_secret` in Ansible vault (rotate if exposed).

## Listmonk

Configured via **Settings → Security → OIDC** (stored in DB):

- **Provider URL:** `https://auth.levkin.ca/application/o/listmonk/`
- **Auto-create users:** enabled (Super Admin role id `1` for new SSO users)

Break-glass: local user `listmonk` (password login still enabled).

## Login

1. Sign out: `https://auth.levkin.ca/if/user/logout/`
2. `https://listmonk.levkin.ca/admin` → **Login with Authentik**
3. Sign in as **`ilia`** (must be in `homelab-users`)

## Upgrade (if needed)

```bash
ssh root@10.0.10.148
systemctl stop listmonk
curl -fsSL -o /tmp/lm.tgz https://github.com/knadh/listmonk/releases/download/v6.1.0/listmonk_6.1.0_linux_amd64.tar.gz
tar -xzf /tmp/lm.tgz -C /tmp && mv /tmp/listmonk /root/listmonk
/root/listmonk --config /etc/listmonk/config.toml --upgrade --yes
systemctl start listmonk
```

## Related

- [sso-selfhosted-matrix.md](sso-selfhosted-matrix.md)
- [Listmonk OIDC docs](https://listmonk.app/docs/oidc/)