New Grimoire

2026-04-12 09:53:51 -05:00 · 2026-04-12 09:53:51 -05:00 · cc574f8aed
commit cc574f8aed
parent 77d589a13d
157 changed files with 29420 additions and 0 deletions
--- a/Ward-Grimoire/Access/Auth-Overview.md
+++ b/Ward-Grimoire/Access/Auth-Overview.md
@ -0,0 +1,39 @@
+---
+title: Authentication Overview
+description: SSO, LDAP, and access control in Netgrimoire
+published: true
+date: 2026-04-12T00:00:00.000Z
+tags: ward, auth, sso
+editor: markdown
+dateCreated: 2026-04-12T00:00:00.000Z
+---
+
+# Authentication Overview
+
+## SSO Providers
+
+| Provider | Scope | URL |
+|----------|-------|-----|
+| Authentik | `*.netgrimoire.com` | Protected via `caddy.import_1: authentik` label |
+| Authelia | `*.wasted-bandwidth.net` | Green Grimoire + Shadow Grimoire services |
+
+Both providers use LLDAP as their LDAP backend.
+
+## LLDAP
+
+Lightweight LDAP directory at `ldap.netgrimoire.com`. Postgres backend. Provides the user directory for both Authentik and Authelia.
+
+See [LDAP Client Setup](/Ward-Grimoire/Access/LDAP-Client-Setup) for configuring hosts to authenticate via LLDAP.
+
+## Vaultwarden
+
+Password manager at `pass.netgrimoire.com`. Protected by Authentik.
+
+## WireGuard
+
+5 VPN peers on 192.168.32.0/24. Managed in OPNsense. See [Host Inventory](/Keystone-Grimoire/Hosts/Host-Inventory) for peer assignments.
+
+## YubiKey (Planned)
+
+- PIV SSH authentication on all hosts — highest-impact pending integration
+- Challenge-response for LUKS / Kopia key derivation on znas