ilia/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ansible/docs/guides/mattermost-authentik-gitlab-oauth.md
ilia 0f34c51fc8
All checks were successful
CI / skip-ci-check (pull_request) Successful in 8s
Details
CI / lint-and-test (pull_request) Successful in 17s
Details
CI / secret-scanning (pull_request) Successful in 8s
Details
CI / dependency-scan (pull_request) Successful in 18s
Details
CI / ansible-validation (pull_request) Successful in 54s
Details
CI / sast-scan (pull_request) Successful in 29s
Details
CI / license-check (pull_request) Successful in 14s
Details
CI / vault-check (pull_request) Successful in 13s
Details
CI / container-scan (pull_request) Successful in 8s
Details
CI / sonar-analysis (pull_request) Successful in 8s
Details
CI / playbook-test (pull_request) Successful in 27s
Details
CI / workflow-summary (pull_request) Successful in 6s
Details
Complete homelab post-sprint: SSO docs, monitoring scripts, phase 0/1 closure. 
Consolidate sprint status into handoff docs, add Listmonk/Mattermost/Mailcow
and Vikunja SSO guides, Beszel alerts script, mattermost inventory, and
mark phases 0–1 complete with phase 2 backlog for edge Caddy and security.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-24 12:13:55 -04:00

75 lines
2.4 KiB
Markdown
Raw Blame History

# Mattermost ↔ Authentik (GitLab OAuth workaround)
**Status:** ✅ Live (config.json patched 2026-05-24; VM **107** @ `10.0.10.237`)
Team Edition has no generic OIDC UI — use **GitLab OAuth** endpoints pointed at Authentik.
**URL:** https://slack.levkin.ca · **Backend:** `10.0.10.237:8065` (VM **107** on pve10)
---
## Authentik (done 2026-05-24)
| Item | Value |
|------|--------|
| Application slug | `mattermost` |
| Provider | `mattermost-gitlab-oidc` |
| Client ID | `mattermost` |
| Redirect URI | `https://slack.levkin.ca/signup/gitlab/complete` |
| Scope mappings | `mattermost-username`, `mattermost-id` + default OpenID |
| Access | `homelab-users` group binding |
Client secret: store in vault as `vault_mattermost_oidc_client_secret` (rotate if exposed).
---
## Mattermost — apply on VM
SSH as root (or bootstrap key first: `make bootstrap-root-ssh` once password works):
```bash
ssh root@10.0.10.237
```
Edit `/opt/mattermost/config/config.json` (path may vary — `find / -name config.json -path '*mattermost*'`).
Set `GitLabSettings`:
```json
"GitLabSettings": {
"Enable": true,
"Secret": "<vault_mattermost_oidc_client_secret>",
"Id": "mattermost",
"Scope": "",
"AuthEndpoint": "https://auth.levkin.ca/application/o/authorize/",
"TokenEndpoint": "https://auth.levkin.ca/application/o/token/",
"UserAPIEndpoint": "https://auth.levkin.ca/application/o/userinfo/",
"DiscoveryEndpoint": "https://auth.levkin.ca/application/o/mattermost/.well-known/openid-configuration",
"ButtonText": "Log in with Authentik",
"ButtonColor": "#fd4b2d"
}
```
Then:
1. **System Console** → Authentication → Signup → **Enable Account Creation** = true
2. `systemctl restart mattermost` (or `docker compose restart` if containerized)
3. Log out → use **GitLab** button (actually Authentik)
4. Existing users: Profile → Security → **Switch to GitLab SSO** (see [Authentik integration](https://integrations.goauthentik.io/chat-communication-collaboration/mattermost-team-edition/))
---
## Verify
```bash
curl -sS https://auth.levkin.ca/application/o/mattermost/.well-known/openid-configuration | head
curl -sS -o /dev/null -w '%{http_code}\n' https://slack.levkin.ca/login
```
---
## Related
- [sso-selfhosted-matrix.md](sso-selfhosted-matrix.md)
- [cursor-mcp-homelab.md](cursor-mcp-homelab.md) — Playwright can smoke-test login after `config.json` is applied
Reference in New Issue View Git Blame Copy Permalink