ansible/docs/guides/mattermost-authentik-gitlab-oauth.md
ilia 0f34c51fc8
Complete homelab post-sprint: SSO docs, monitoring scripts, phase 0/1 closure.
Consolidate sprint status into handoff docs, add Listmonk/Mattermost/Mailcow
and Vikunja SSO guides, Beszel alerts script, mattermost inventory, and
mark phases 0–1 complete with phase 2 backlog for edge Caddy and security.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-24 12:13:55 -04:00


# Mattermost ↔ Authentik (GitLab OAuth workaround)

Status: Live (config.json patched 2026-05-24; VM 107 @ 10.0.10.237)

Mattermost Team Edition has no generic OIDC provider UI, so the built-in GitLab OAuth integration is pointed at Authentik's OIDC endpoints instead.

URL: https://slack.levkin.ca · Backend: 10.0.10.237:8065 (VM 107 on pve10)


## Authentik (done 2026-05-24)

| Item | Value |
|------|-------|
| Application slug | mattermost |
| Provider | mattermost-gitlab-oidc |
| Client ID | mattermost |
| Redirect URI | https://slack.levkin.ca/signup/gitlab/complete |
| Scope mappings | mattermost-username, mattermost-id + default OpenID |
| Access | homelab-users group binding |

Client secret: store in vault as `vault_mattermost_oidc_client_secret` (rotate if exposed).


## Mattermost — apply on VM

SSH as root (or bootstrap the key first: run `make bootstrap-root-ssh` once password login works):

```bash
ssh root@10.0.10.237
```

Edit `/opt/mattermost/config/config.json` (path may vary; locate it with `find / -name config.json -path '*mattermost*'`).

Set `GitLabSettings`:

```json
"GitLabSettings": {
  "Enable": true,
  "Secret": "<vault_mattermost_oidc_client_secret>",
  "Id": "mattermost",
  "Scope": "",
  "AuthEndpoint": "https://auth.levkin.ca/application/o/authorize/",
  "TokenEndpoint": "https://auth.levkin.ca/application/o/token/",
  "UserAPIEndpoint": "https://auth.levkin.ca/application/o/userinfo/",
  "DiscoveryEndpoint": "https://auth.levkin.ca/application/o/mattermost/.well-known/openid-configuration",
  "ButtonText": "Log in with Authentik",
  "ButtonColor": "#fd4b2d"
}
```

Then:

1. System Console → Authentication → Signup → Enable Account Creation = true
2. `systemctl restart mattermost` (or `docker compose restart` if containerized)
3. Log out → use the GitLab button (actually Authentik)
4. Existing users: Profile → Security → Switch to GitLab SSO (see Authentik integration)
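As an added example (not part of this guide or of the repo's Ansible code), a small Python check that derives the `GitLabSettings` block from Authentik's discovery document and flags a `config.json` whose endpoints, secret or `Id` drift from it. The discovery document embedded below is a constructed sample with the shape of Authentik's `.well-known/openid-configuration` response, not a live fetch, and `gitlab_settings_from_discovery`, `check_gitlab_settings` and `patch_config` are hypothetical helper names.

```python
"""Build and check Mattermost's GitLabSettings against Authentik's OIDC discovery document.

Added example; it assumes the config.json layout and endpoint values shown in the guide.
SAMPLE_DISCOVERY is a constructed sample, not a live response.
"""
import json
import sys

AUTHENTIK = "https://auth.levkin.ca"
APP_SLUG = "mattermost"       # Authentik application slug from the guide's table
CLIENT_ID = "mattermost"      # Authentik client ID from the guide's table

# Constructed sample of the discovery response, trimmed to the keys this check uses.
SAMPLE_DISCOVERY = {
    "issuer": f"{AUTHENTIK}/application/o/{APP_SLUG}/",
    "authorization_endpoint": f"{AUTHENTIK}/application/o/authorize/",
    "token_endpoint": f"{AUTHENTIK}/application/o/token/",
    "userinfo_endpoint": f"{AUTHENTIK}/application/o/userinfo/",
}

# Mattermost key -> discovery key it must agree with.
ENDPOINT_KEYS = {
    "AuthEndpoint": "authorization_endpoint",
    "TokenEndpoint": "token_endpoint",
    "UserAPIEndpoint": "userinfo_endpoint",
}


def gitlab_settings_from_discovery(discovery, client_id, secret):
    """Derive the GitLabSettings block from the discovery document (hypothetical helper)."""
    return {
        "Enable": True,
        "Secret": secret,
        "Id": client_id,
        "Scope": "",
        "AuthEndpoint": discovery["authorization_endpoint"],
        "TokenEndpoint": discovery["token_endpoint"],
        "UserAPIEndpoint": discovery["userinfo_endpoint"],
        "DiscoveryEndpoint": discovery["issuer"].rstrip("/") + "/.well-known/openid-configuration",
        "ButtonText": "Log in with Authentik",
        "ButtonColor": "#fd4b2d",
    }


def check_gitlab_settings(settings, discovery):
    """Return a list of problems in a GitLabSettings block; an empty list means it is consistent."""
    problems = []
    if settings.get("Enable") is not True:
        problems.append("Enable must be true")
    secret = settings.get("Secret") or ""
    # The guide writes the vault variable name in angle brackets as a placeholder;
    # a deployed config must carry the real value.
    if not secret or secret.startswith("<"):
        problems.append("Secret is empty or still a vault placeholder")
    if settings.get("Id") != CLIENT_ID:
        problems.append(f"Id should be the Authentik client ID '{CLIENT_ID}'")
    for mm_key, disc_key in ENDPOINT_KEYS.items():
        value = settings.get(mm_key, "")
        if not value.startswith("https://"):
            problems.append(f"{mm_key} must be an https URL")
        if value != discovery[disc_key]:
            problems.append(f"{mm_key} does not match discovery {disc_key}")
    if not settings.get("DiscoveryEndpoint", "").startswith(discovery["issuer"]):
        problems.append("DiscoveryEndpoint is not under the issuer")
    return problems


def patch_config(config, settings):
    """Return a copy of the parsed config.json with GitLabSettings replaced and nothing else touched."""
    patched = dict(config)
    patched["GitLabSettings"] = settings
    return patched


if __name__ == "__main__":
    # Usage: python check_gitlab_settings.py /opt/mattermost/config/config.json
    # Reads the live config and reports mismatches against the sample discovery document.
    path = sys.argv[1] if len(sys.argv) > 1 else "config.json"
    with open(path) as fh:
        cfg = json.load(fh)
    for problem in check_gitlab_settings(cfg.get("GitLabSettings", {}), SAMPLE_DISCOVERY):
        print("PROBLEM:", problem)
```

To run it against the real discovery document, replace `SAMPLE_DISCOVERY` with the parsed output of the first `curl` in the Verify section; the check then also catches a stale endpoint after an Authentik upgrade or slug rename.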

## Verify

```bash
# Discovery document must be served (endpoints above should match it)
curl -sS https://auth.levkin.ca/application/o/mattermost/.well-known/openid-configuration | head
# Login page should answer 200
curl -sS -o /dev/null -w '%{http_code}\n' https://slack.levkin.ca/login
```