ansible/docs/guides/mailcow-authentik-oidc.md
ilia 0f34c51fc8
Complete homelab post-sprint: SSO docs, monitoring scripts, phase 0/1 closure.
Consolidate sprint status into handoff docs, add Listmonk/Mattermost/Mailcow
and Vikunja SSO guides, Beszel alerts script, mattermost inventory, and
mark phases 0–1 complete with phase 2 backlog for edge Caddy and security.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-24 12:13:55 -04:00


Mailcow ↔ Authentik OIDC

Status: Configured 2026-05-24 (Generic-OIDC in DB + Authentik app mailcow)

Requires: mailcow 2025-03+ (this host: 2025-10a)

URL: https://mail.levkine.ca


What OIDC means

OIDC (OpenID Connect) means logging in through an identity provider (Authentik) instead of keeping a separate password per app: you sign in once at auth.levkin.ca and each app trusts that login.


Authentik

| Item | Value |
| --- | --- |
| Application slug | mailcow |
| Provider | mailcow-oidc |
| Client ID | mailcow |
| Redirect URI | https://mail.levkine.ca |
| Scope mapping | mailcow_template (default mailbox template) |
| Access | homelab-users |

Secret: vault_mailcow_oidc_client_secret in Ansible vault.


Mailcow (applied via MySQL identity_provider)

  • Identity Provider: Generic-OIDC
  • Authorize / token / userinfo: https://auth.levkin.ca/application/o/{authorize,token,userinfo}/
  • Redirect URL: https://mail.levkine.ca
  • Scopes: openid profile email mailcow_template

Mailbox users who sign in via SSO need a matching email address in Authentik. The admin UI can still use the local admin account for break-glass access.
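To catch drift between the two sides (a trailing slash, a plain-http URL, a missing scope) before testing by hand, here is an added consistency check that is not part of this guide or of mailcow/Authentik. The discovery JSON and the mailcow dict are constructed from the values in this guide; the dict keys are illustrative, not mailcow's identity_provider column names.

```python
import json
from urllib.parse import urlparse
# Constructed sample of the Authentik discovery document (only the fields this check reads).
DISCOVERY_JSON = """{
  "authorization_endpoint": "https://auth.levkin.ca/application/o/authorize/",
  "token_endpoint": "https://auth.levkin.ca/application/o/token/",
  "userinfo_endpoint": "https://auth.levkin.ca/application/o/userinfo/",
  "scopes_supported": ["openid", "profile", "email", "mailcow_template"]
}"""

# Constructed: the Generic-OIDC values this guide applies to mailcow
# (dict keys are illustrative, not mailcow's identity_provider column names).
MAILCOW_OIDC = {
    "authorize_url": "https://auth.levkin.ca/application/o/authorize/",
    "token_url": "https://auth.levkin.ca/application/o/token/",
    "userinfo_url": "https://auth.levkin.ca/application/o/userinfo/",
    "redirect_url": "https://mail.levkine.ca",
    "scopes": "openid profile email mailcow_template",
}

# Redirect URI registered on the Authentik provider, as listed in this guide.
AUTHENTIK_REDIRECT_URI = "https://mail.levkine.ca"

ENDPOINTS = {"authorize_url": "authorization_endpoint", "token_url": "token_endpoint",
             "userinfo_url": "userinfo_endpoint"}

def check_oidc_config(discovery_json, mailcow, registered_redirect):
    """Return a list of findings; an empty list means mailcow and the IdP agree."""
    disc = json.loads(discovery_json)
    findings = []
    # Each mailcow endpoint must be HTTPS and identical to what the IdP advertises.
    for key, disc_key in ENDPOINTS.items():
        url = mailcow[key]
        if urlparse(url).scheme != "https":
            findings.append(f"{key} is not https: {url}")
        if url != disc.get(disc_key):
            findings.append(f"{key} differs from discovery {disc_key}: {url}")
    # The redirect URL must be HTTPS and match the registered URI exactly.
    redirect = mailcow["redirect_url"]
    if urlparse(redirect).scheme != "https":
        findings.append(f"redirect_url is not https: {redirect}")
    if redirect != registered_redirect:
        findings.append(f"redirect_url {redirect} != registered {registered_redirect}")
    # openid is mandatory; mailcow_template carries the mailbox template mapping.
    scopes = mailcow["scopes"].split()
    findings += [f"required scope missing: {s}" for s in ("openid", "mailcow_template") if s not in scopes]
    unsupported = sorted(set(scopes) - set(disc.get("scopes_supported", [])))
    if unsupported:
        findings.append(f"scopes not advertised by the IdP: {unsupported}")
    return findings
```

In practice, replace DISCOVERY_JSON with the live response from the provider's .well-known/openid-configuration URL and MAILCOW_OIDC with the values read back from the database.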


Verify

Log out of Mailcow; the login page should now offer the external IdP. Test with user ilia, who is a member of homelab-users.