- Create /etc/ssh/sshd_config.d/10-certs.conf containing:
PermitRootLogin prohibit-password
- Restart sshd
- Add NGINX's ssh key to /root/.ssh/authorized_keys (this key gets root, so restrict it in authorized_keys with the restrict and from= options and, ideally, a forced command that only allows the certificate sync)
- rsync the TLS certificates to /srv/authentik/authentik/certs/auth.metropolis.nexus
- Create the kcadmin user
- Password -> Set kcadmin's password
- Role mapping -> Assign role -> Realm roles -> admin
- Log out and log back in as kcadmin
- Delete the bootstrap admin user
- User-managed access -> On
- Login with email -> Off
- Manage realm -> Create realm -> metropolis.nexus
- In the new realm: User-managed access -> On
- Login with email -> Off
- User profile -> email -> Required -> On
- email -> Who can edit -> Uncheck user (the address comes from Authentik and is trusted below, so users must not be able to change it)
- firstName -> Required -> Off
- lastName -> Required -> Off
- Create the Authentik flow
- Bind the Authentik flow as the browser flow
- Create the Block Registration flow (without it, registration can still be triggered under certain conditions even though the browser flow goes to Authentik)
- Bind Block Registration as the registration flow
- Copy the Block Registration flow and make the Block Reset Credentials flow
- Bind Block Reset Credentials as the reset credentials flow
- Repeat the same for the Block Direct Grant flow and bind it as the direct grant flow
- Required actions: Update User Locale -> On
Keep the rest off
Add the Keycloak OpenID Connect identity provider
- Alias -> Authentik
- Discovery endpoint -> https://auth.metropolis.nexus/application/o/keycloak/.well-known/openid-configuration
- Remove Logout URL
- Client assertion signature algorithm -> ES256 (only matters when client authentication uses a signed JWT)
- Hit "Add"
- PKCE -> On
- PKCE Method -> S256
- Backchannel logout -> Off
- Scope -> openid profile email
- Prompt -> Consent
- Access Token is JWT -> On
- Trust Email -> On (acceptable here only because Authentik verifies the address and users cannot edit it in the user profile)
- Show in Account console -> Never
- Sync mode -> Force
- Case-sensitive username -> On
- Hit "Save" again
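The Keycloak side of the steps above (realm flow bindings and the Authentik identity provider) can be reproduced and checked through the Admin REST API instead of clicking through the console. The following is an added example and not part of the original notes: the discovery document is a constructed stand-in so the script runs offline, the Keycloak client ID `keycloak`, the `KC_BASE_URL`/`KC_ADMIN_TOKEN` environment variables and the `fetch_json` helper are my assumptions, and the identity-provider config keys follow Keycloak's OIDC provider representation as I know it, so compare them against an export from your own version before relying on them.

```python
"""Reproduce and audit the Keycloak settings from the notes over the Admin REST
API. Added example, not the original notes' procedure; assumptions are marked."""
import json
import urllib.request
from urllib.parse import urlparse

# From the notes: Authentik's discovery endpoint and the realm name.
DISCOVERY_URL = ("https://auth.metropolis.nexus/application/o/keycloak/"
                 ".well-known/openid-configuration")
REALM = "metropolis.nexus"

# Flow bindings the notes create under Authentication -> Flows.
EXPECTED_FLOWS = {
    "browserFlow": "Authentik",
    "registrationFlow": "Block Registration",
    "resetCredentialsFlow": "Block Reset Credentials",
    "directGrantFlow": "Block Direct Grant",
}

# Constructed stand-in for the live discovery document (offline use).
SAMPLE_DISCOVERY = {
    "issuer": "https://auth.metropolis.nexus/application/o/keycloak/",
    "authorization_endpoint": "https://auth.metropolis.nexus/application/o/authorize/",
    "token_endpoint": "https://auth.metropolis.nexus/application/o/token/",
    "userinfo_endpoint": "https://auth.metropolis.nexus/application/o/userinfo/",
    "jwks_uri": "https://auth.metropolis.nexus/application/o/keycloak/jwks/",
}


def fetch_json(url, token=None):
    """GET a JSON document, optionally with a Keycloak admin bearer token."""
    req = urllib.request.Request(url)
    if token:
        req.add_header("Authorization", f"Bearer {token}")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def build_idp_representation(discovery, client_id, alias="Authentik"):
    """Map a discovery document onto an identity-provider representation with
    the settings from the notes. Keycloak stores 'config' values as strings;
    key names are assumed from its OIDC provider representation."""
    config = {
        "issuer": discovery["issuer"],
        "authorizationUrl": discovery["authorization_endpoint"],
        "tokenUrl": discovery["token_endpoint"],
        "userInfoUrl": discovery.get("userinfo_endpoint", ""),
        "jwksUrl": discovery["jwks_uri"],
        "useJwksUrl": "true",
        "validateSignature": "true",
        "logoutUrl": "",                       # notes: remove Logout URL
        "clientId": client_id,                 # assumed client ID
        "clientAssertionSigningAlg": "ES256",
        "pkceEnabled": "true",
        "pkceMethod": "S256",
        "backchannelSupported": "false",
        "defaultScope": "openid profile email",
        "prompt": "consent",
        "isAccessTokenJWT": "true",
        "syncMode": "FORCE",
        "caseSensitiveOriginalUsername": "true",
    }
    return {"alias": alias, "providerId": "oidc", "enabled": True,
            "trustEmail": True, "storeToken": False, "config": config}


def audit_idp(rep):
    """Return deviations from the hardened settings (empty list = OK)."""
    cfg = rep.get("config", {})
    findings = []
    if cfg.get("pkceEnabled") != "true" or cfg.get("pkceMethod") != "S256":
        findings.append("PKCE must be enabled with method S256")
    if cfg.get("validateSignature") != "true" or cfg.get("useJwksUrl") != "true":
        findings.append("ID token signatures must be validated against the JWKS URL")
    for key in ("authorizationUrl", "tokenUrl", "jwksUrl", "issuer"):
        if urlparse(cfg.get(key, "")).scheme != "https":
            findings.append(f"{key} is not https")
    if "openid" not in cfg.get("defaultScope", "").split():
        findings.append("defaultScope must include openid")
    if not rep.get("trustEmail"):
        findings.append("trustEmail is off: users will be asked to verify email again")
    if cfg.get("syncMode") != "FORCE":
        findings.append("syncMode should be FORCE so attribute changes propagate")
    return findings


def audit_realm(realm):
    """Check the flow bindings and the self-service switches of a realm."""
    findings = [f"{binding} is bound to {realm.get(binding)!r}, expected {flow!r}"
                for binding, flow in EXPECTED_FLOWS.items()
                if realm.get(binding) != flow]
    for switch in ("registrationAllowed", "resetPasswordAllowed", "loginWithEmailAllowed"):
        if realm.get(switch):
            findings.append(f"{switch} is on; turn it off too, the Block flow only stops the flow, not the link")
    return findings


if __name__ == "__main__":
    import os
    base, token = os.environ["KC_BASE_URL"], os.environ["KC_ADMIN_TOKEN"]  # assumed
    rep = build_idp_representation(fetch_json(DISCOVERY_URL), client_id="keycloak")
    print(audit_idp(rep) or "identity provider representation: OK")
    print(audit_realm(fetch_json(f"{base}/admin/realms/{REALM}", token)) or "realm: OK")
```

To create the provider rather than just audit it, POST the representation returned by `build_idp_representation` to `{KC_BASE_URL}/admin/realms/metropolis.nexus/identity-provider/instances` with the admin token; `audit_realm` run against `GET /admin/realms/metropolis.nexus` then confirms the four flow bindings from the notes are in place.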