{"id":34745996,"url":"https://github.com/dfpc-coe/auth-infra","last_synced_at":"2026-05-26T15:03:16.484Z","repository":{"id":173118663,"uuid":"649894015","full_name":"dfpc-coe/auth-infra","owner":"dfpc-coe","description":"Cloud Infrastructure for Hosting \u0026 Managing TAK Authentication Infrastructure (LDAP)","archived":false,"fork":false,"pushed_at":"2026-05-22T14:14:24.000Z","size":434,"stargazers_count":0,"open_issues_count":0,"forks_count":1,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-05-22T19:44:31.838Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"","language":"JavaScript","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/dfpc-coe.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null},"funding":{"github":"ingalls"}},"created_at":"2023-06-05T21:53:22.000Z","updated_at":"2026-05-22T14:14:28.000Z","dependencies_parsed_at":null,"dependency_job_id":"8a4d385e-da40-405e-9709-ba505013e341","html_url":"https://github.com/dfpc-coe/auth-infra","commit_stats":null,"previous_names":["tak-ps/auth-infra","dfpc-coe/auth-infra"],"tags_count":7,"template":false,"template_full_name":null,"purl":"pkg:github/dfpc-coe/auth-infra","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfpc-coe%2Fauth-infra","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfpc-coe%2Fauth-infra/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfpc-coe%2Fauth-infra/r
eleases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfpc-coe%2Fauth-infra/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/dfpc-coe","download_url":"https://codeload.github.com/dfpc-coe/auth-infra/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/dfpc-coe%2Fauth-infra/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33525947,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T03:12:49.672Z","status":"ssl_error","status_checked_at":"2026-05-26T03:12:47.976Z","response_time":63,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-12-25T04:38:10.220Z","updated_at":"2026-05-26T15:03:16.474Z","avatar_url":"https://github.com/dfpc-coe.png","language":"JavaScript","funding_links":["https://github.com/sponsors/ingalls"],"categories":[],"sub_categories":[],"readme":"\u003ch1 align=center\u003eTAK Auth Infra\u003c/h1\u003e\n\n\u003cp align=center\u003eInfrastructure to support LDAP based auth in TAK via \u003ca href=\"https://goauthentik.io/\"\u003eAuthentik\u003c/a\u003e\u003c/p\u003e\n\n## AWS Deployment\n\n### 1. 
Pre-Reqs\n\n\u003e [!IMPORTANT]\n\u003e The Auth-Infra service assumes some prerequisite dependencies are deployed before\n\u003e initial deployment.\n\nThe following dependencies need to be created:\n\n| Name                  | Notes |\n| --------------------- | ----- |\n| `tak-vpc-\u003cname\u003e`      | VPC \u0026 networking to place tasks in - [repo](https://github.com/dfpc-coe/vpc)      |\n\nAn AWS ACM certificate must also be generated that covers the subdomain that the Auth-Infra is deployed to.\n\n### 2. Installing Dependencies\n\nFrom the root directory, install the deploy dependencies:\n\n```sh\nnpm install\n```\n\n### 3. Authentik Server Deployment\n\nDeployment to AWS is handled via AWS CloudFormation. The template can be found in the `./cloudformation`\ndirectory. The deployment itself is performed by [Deploy](https://github.com/openaddresses/deploy) which\nwas installed in the previous step.\n\n\u003e [!NOTE]\n\u003e The deploy tool can be run via the following:\n\u003e\n\u003e ```sh\n\u003e npx deploy\n\u003e ```\n\u003e\n\u003e To install it globally, view the deploy [README](https://github.com/openaddresses/deploy)\n\u003e\n\u003e Deploy uses your existing AWS credentials. Ensure that your `~/.aws/credentials` has an entry like:\n\u003e\n\u003e ```\n\u003e [coe]\n\u003e aws_access_key_id = \u003credacted\u003e\n\u003e aws_secret_access_key = \u003credacted\u003e\n\u003e ```\n\nDeployment can then be performed via the following:\n\n```\nnpx deploy create \u003cstack\u003e\nnpx deploy update \u003cstack\u003e\nnpx deploy info \u003cstack\u003e --outputs\nnpx deploy info \u003cstack\u003e --parameters\n```\n\nStacks can be created, deleted, cancelled, etc. all via the deploy tool. 
For further\ninformation about `deploy` functionality, run the following for help.\n\n```sh\nnpx deploy\n```\n\n#### Sub-Stack Deployment\n\nThe CloudFormation is split into two stacks to ensure consistent deploy results.\n\nThe first portion deploys the Authentik Server itself. The second portion deploys the Authentik LDAP Outpost.\n\nStep 1: Create the Authentik Server Portion\n\n```\nnpx deploy create \u003cstack\u003e\n```\n\nThe custom Authentik server image in this repository bakes in\n[docker/authentik-server/user_settings.py](docker/authentik-server/user_settings.py), which is copied to\n`/data/user_settings.py` inside the container. Authentik loads that file automatically on startup for both the\nserver and worker processes. It is currently used to enable Django BCrypt password hashers for imported legacy\npasswords.\n\nThe Authentik server ECS service now always uses target-tracking autoscaling. CPU utilization is hardcoded to a\n60% target and memory utilization is hardcoded to a 75% target. 
The CloudFormation parameters\n`ServerAutoScalingMinCapacity` and `ServerAutoScalingMaxCapacity` can be used to bound cost.\n\nStep 2: Configure the Authentik LDAP Provider\n\nFollow the Authentik documentation to [create an LDAP provider](https://docs.goauthentik.io/docs/add-secure-apps/providers/ldap/generic_setup).\n\n* **LDAP Service Account:** The username and password have been created by the above CloudFormation template as a Secrets Manager secret in `coe-auth-\u003cstack\u003e\u003e/svc`.\n* **LDAP Outpost AUTHENTIK_TOKEN:** The Authentik server will create an AUTHENTIK_TOKEN for the LDAP Outpost, which needs to be saved in Secrets Manager as the secret for `coe-auth-\u003cstack\u003e\u003e/authentik-ldap-token`.\n\nStep 3: Create the Authentik LDAP Outpost\n\n```\nnpx deploy create \u003cstack\u003e --template ./cloudformation/ldap.template.js\n```\n\nStep 4: Verify the LDAP DNS record\n\nThe LDAP stack now creates an `ldap.\u003chosted-zone-name\u003e` Route53 alias automatically and points it at the internal NLB. For example, if the hosted zone is `epatak.org`, the stack will create `ldap.epatak.org`.\n\nThe LDAP outpost is exposed as LDAPS only on port `636`. 
The LDAP CloudFormation template automatically associates the VPC ACM certificate with the secure listener.\n\nTLS terminates on the NLB at port `636` and the decrypted LDAP traffic is forwarded internally to the outpost on port `3389`.\n\n```\nldapsearch -x -H ldaps://ldap.\u003cdomain\u003e:636 -D \"cn=akadmin,ou=users,dc=ldap,dc=goauthentik,dc=io\" -W -b \"ou=users,dc=ldap,dc=goauthentik,dc=io\" -s sub \"(objectClass=person)\" dn cn uid mail\n```\n\nBind Example:\n```\nldapsearch -x -H ldaps://ldap.\u003cdomain\u003e:636 -D \"cn=\u003cusername\u003e,ou=users,dc=ldap,dc=goauthentik,dc=io\" -W -b \"ou=users,dc=ldap,dc=goauthentik,dc=io\" -s sub \"(objectClass=person)\" dn cn uid mail\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdfpc-coe%2Fauth-infra","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fdfpc-coe%2Fauth-infra","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fdfpc-coe%2Fauth-infra/lists"}