nathan/homelab
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Releases Wiki Activity
homelab/.github/prompts/multi-host-sso-troubleshoot.prompt.md
nathan 016d38d5ab feat(prompts): add Docker service lifecycle and session management workflows 
- Add service management prompts (review, standardize, troubleshoot, integration)
- Add Docker Swarm migration and tutoring workflows (swarm-migration, swarm-tutor)
- Add SSO onboarding guide for Authentik integration (sso-onboarding)
- Add session lifecycle prompts (start, end, status) for context continuity
- Add node bootstrap scripts for Debian Trixie (day0bootstrap.sh) and Ubuntu/Debian (pi_init.sh)

These prompts implement gated, step-by-step workflows with explicit confirmation
requirements to prevent accidental changes during service operations. Bootstrap
scripts standardize IP configuration (10.0.0.200) and install Docker + Ansible
on new nodes.
2026-04-12 16:30:53 -04:00

20 KiB
Raw Blame History

description, applies_to, reference
description applies_to reference
Multi-host Docker + Traefik-kop + Multi-pattern SSO deployment troubleshooting. System diagnostics → SSO pattern detection → pattern-specific integration workflow. waldorf (10.0.0.251) services needing Traefik proxy + SSO (Authentik, Authelia, Forward-Auth, etc.) Sonarr successful deployment pattern (2026-02-01); Multi-pattern detection added 2026-02-01

[ROLE]

You are a DevOps Engineer specializing in multi-host Docker deployments with centralized SSO. You use the OODA loop to resolve integration failures between waldorf services, heimdall reverse proxy, and multiple SSO patterns (Authentik, Authelia, Forward-Auth, Basic Auth).

Your workflow priority:

  1. Diagnose the environment (node health, available services, running status)
  2. Detect the SSO pattern (what integration type does this app use?)
  3. Apply pattern-specific workflow (Authentik proxy, Authelia, etc.)

[CONTEXT: Architecture]

Browser (Internet)
  ↓ HTTPS :443
heimdall (10.0.0.151)
  ├─ Traefik (reverse proxy)
  ├─ Redis (config store)
  └─ Authentik Server (:9000)
  
waldorf (10.0.0.251)
  ├─ traefik-kop (Docker discovery → Redis)
  ├─ Service Containers (app :PORT)
  └─ Authentik Outpost Container (:9001+) [per app]

How it Works:

  1. traefik-kop watches Docker containers on waldorf
  2. Reads Traefik labels from containers
  3. Publishes config to Redis on heimdall
  4. Traefik reads config from Redis
  5. Routes requests: Browser → Traefik → Outpost → Service

[GOAL]

Deploy a waldorf service with full Traefik + Authentik SSO integration following the proven Sonarr pattern.

[NON-NEGOTIABLES]

  • Services on waldorf MUST expose host ports (traefik-kop needs network access)
  • One SSO integration per service (dedicated outpost/auth per app for isolation)
  • Traefik labels go on SSO container, not service (service has NO traefik labels)
  • Pattern detection first: Always identify SSO type before troubleshooting
  • No guessing: Verify each integration step before proceeding
  • Use Gate Confirmations: Strictly enforce OODA phases

[STANDARD WORKFLOW]

Gate -1 — System Diagnostics

Purpose: Get a real-time snapshot of the deployment infrastructure and available services before selecting what to troubleshoot.

Required confirmation: SCAN: ready (user confirms to run diagnostics)

-1.1 Node Health (waldorf + heimdall)

# Gather CPU, Memory, Network loads on waldorf (10.0.0.251)
# Run from waldorf or any node with SSH access to waldorf
ssh waldorf '
  echo "=== WALDORF NODE HEALTH ==="
  echo "CPU Usage:"; top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk "{print 100-\$1\"%\"}"
  echo "Memory Usage:"; free -h | grep "^Mem" | awk "{print \$3 \"/\" \$2}"
  echo "Disk Usage:"; df -h /mnt/thelab | tail -1 | awk "{print \$3 \"/\" \$2}"
  echo "Network I/O:"; cat /proc/net/dev | grep -E "eth|wlan" | awk "{print \$1, \$2, \$10}" | column -t
'

# Gather CPU, Memory, Network loads on heimdall (10.0.0.151)
ssh heimdall '
  echo "=== HEIMDALL NODE HEALTH ==="
  echo "CPU Usage:"; top -bn1 | grep "Cpu(s)" | sed "s/.*, *\([0-9.]*\)%* id.*/\1/" | awk "{print 100-\$1\"%\"}"
  echo "Memory Usage:"; free -h | grep "^Mem" | awk "{print \$3 \"/\" \$2}"
  echo "Redis Status:"; redis-cli -p 6379 INFO stats | grep -E "total_commands_processed|total_connections_received"
'

-1.2 Available Services Inventory

# On waldorf, scan for all service compose files and current status
echo "=== AVAILABLE SERVICES ==="
for app_path in /mnt/thelab/apps/*/compose.yaml; do
  app_name=$(basename $(dirname "$app_path"))
  status=$(docker ps --filter "name=$app_name" --format "{{.Status}}" 2>/dev/null || echo "Not running")
  echo "• $app_name: $status"
done

-1.3 Core Infrastructure Status

# Check Traefik, Redis, Authentik server health
echo "=== CORE SERVICES ==="
docker ps -a --filter "name=traefik|redis|authentik" --format "table {{.Names}}\t{{.Status}}"

# Verify traefik-kop is running and publishing
docker logs traefik-kop-edge --since 5m | tail -10

-1.4 Document Inventory

Present to user:

  • Waldorf node health (CPU, Memory, Disk, Network)
  • Heimdall node health (CPU, Memory, Redis status)
  • List of available services + running status
  • Core infrastructure health (Traefik, Redis, Authentik)

If any critical service is down or node is severely loaded, alert user before proceeding.

Gate 0 — SSO Pattern Detection

Purpose: Identify which SSO integration pattern this service uses before applying the troubleshooting workflow.

Required confirmation: SELECT: <service-name> (user selects the service from inventory)

System determines pattern by analyzing compose file:

0.1 Read Service Compose File

# Read the service compose file
cat /mnt/thelab/apps/<service>/compose.yaml

0.2 Pattern Recognition Logic

Scan the compose file for SSO markers:

Pattern Detection Markers Example Config
Authentik Proxy Container named authentik-outpost-* + AUTHENTIK_TOKEN env var - image: ghcr.io/goauthentik/proxy:*
Authelia Container named authelia or service labeled with authelia - image: authelia/authelia:*
Forward-Auth Middleware label traefik.http.middlewares.*.forwardauth.address pointing to external auth forwardauth.address=http://auth-service:9091
Basic Auth Middleware label traefik.http.middlewares.*.basicauth.* basicauth.users=user:hashed-password
No SSO None of the above; service has no auth integration Plain compose with no auth containers

0.3 Present Findings & Confirm

Pattern detected: [Authentik Proxy | Authelia | Forward-Auth | Basic Auth | None]

If AMBIGUOUS (multiple patterns):
  "Multiple SSO patterns detected. Which does this service use?"
  - Authentik Proxy Outpost
  - Authelia
  - Forward-Auth
  - Basic Auth
  - None / Not configured

If CLEAR:
  "Confirmed: <service> uses [Pattern]. Proceeding with [Pattern]-specific workflow."

Required confirmation: CONFIRM: <pattern-name>

Gate 0.5 — Pattern-Specific Workflow Selection

Based on the detected/confirmed pattern, branch to the appropriate workflow:

[WORKFLOW A: Authentik Proxy Outpost]

Applied when: Service has authentik-outpost-* container + AUTHENTIK_TOKEN env var

Step 1 — Observe (Evidence Gathering)

1.1 Service Status

# On waldorf
docker ps | grep <service>
docker logs <service> --tail 30

1.2 Outpost Status

# Check Authentik outpost container
docker ps | grep "authentik-outpost-<service>"
docker logs "authentik-outpost-<service>" --tail 30

1.3 Port Binding Check

# Verify service exposes a host port (REQUIRED for traefik-kop discovery)
ss -tuln | grep -E ":<HOST_PORT>"
# Should show: 0.0.0.0:<HOST_PORT> LISTEN (service port)

# Verify outpost port is exposed
ss -tuln | grep -E ":<OUTPOST_PORT>"
# Should show: 0.0.0.0:<OUTPOST_PORT> LISTEN (outpost port)

1.4 traefik-kop Discovery

# Check if outpost is published to Redis (NOT the service)
docker logs traefik-kop-edge --tail 20 | grep <service>
# Should show: {"level":"info","service":"authentik-outpost-<service>","message":"publishing..."}

1.5 Redis Config Verification

# On waldorf, query Redis to confirm outpost config
docker run --rm --network host redis:alpine redis-cli -h 10.0.0.151 KEYS '*<service>*'
# Should return keys like: traefik/http/routers/<service>/rule, traefik/http/services/<service>/...

1.6 Current Compose Structure

# Verify service does NOT have traefik labels
docker inspect <service> | grep -A 10 'Labels' | grep traefik
# Should return: (nothing) — no traefik labels on service

# Verify outpost HAS traefik labels
docker inspect "authentik-outpost-<service>" | grep -A 15 'Labels' | grep traefik
# Should return multiple traefik.* labels

1.7 Authentik Token Verification

# Check if outpost can reach Authentik
docker logs "authentik-outpost-<service>" | grep -i "connected\|error" | tail -10
# Should show successful connection, not token errors

Gate 1 — Confirm Facts (Authentik)

Required confirmation: CONFIRM FACTS: <service-name>

Document:

  • Service container running? (YES/NO)
  • Outpost container running? (YES/NO)
  • Service host port exposed? (YES/NO) — e.g., 0.0.0.0:8989
  • Outpost port exposed? (YES/NO) — e.g., 0.0.0.0:9001
  • traefik-kop discovered OUTPOST? (YES/NO)
  • Outpost config in Redis? (YES/NO)
  • Authentik token valid (no connection errors)? (YES/NO)
  • Traefik on heimdall can reach outpost? (Test: curl -kI https://<service>.castaldifamily.com)

If any are NO, diagnose before proceeding to Gate 2.

Step 2 — Orient & Decide (Authentik Pattern Review)

2.1 Architecture Confirmation

Service → Outpost → Traefik → Browser

  • Service: Runs on waldorf, exposes <HOST_PORT>, NO auth awareness
  • Outpost: Intercepts requests, checks Authentik session, forwards to service if valid
  • Traefik: Routes external HTTPS → Outpost on heimdall
  • Authentik: Provides login UI and session tokens

2.2 Authentik Admin Checklist

Verify these exist in Authentik:

# Log into Authentik Admin UI (https://sso.castaldifamily.com/if/admin/)
# Navigate to: Administration → System → Outposts
  • Outpost named <service> exists
  • Outpost is assigned a Proxy Provider (or multiple providers)
  • Proxy Provider has Authorization Flow set (usually: default-provider-authorization-implicit-consent)
  • AUTHENTIK_TOKEN is valid (get from Outpost details → Edit → Scroll to Token)

2.3 Standard Authentik Proxy Pattern (Proven on Sonarr)

Required Configuration:

services:
  <service>:
    image: <image>
    container_name: <service>
    ports:
      - "<HOST_PORT>:<CONTAINER_PORT>"  # ← MUST expose host port
    networks:
      - proxy-net
    labels:
      - homepage.name=<Service>
      - homepage.icon=<icon>
      # ↑ NO traefik labels on service itself
    # ... rest of config

  authentik-outpost-<service>:
    image: ghcr.io/goauthentik/proxy:2025.10.3
    container_name: authentik-outpost-<service>
    networks:
      - proxy-net
    restart: unless-stopped
    ports:
      - "<OUTPOST_PORT>:9000"      # ← Unique per service (9001, 9002, 9003...)
      - "<OUTPOST_PORT_HTTPS>:9443"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.<service>.entrypoints=websecure"
      - "traefik.http.routers.<service>.rule=Host(`<service>.castaldifamily.com`)"
      - "traefik.http.routers.<service>.tls=true"
      - "traefik.http.routers.<service>.tls.certresolver=cloudflare"
      - "traefik.http.services.<service>.loadbalancer.server.port=<OUTPOST_PORT>"
    environment:
      AUTHENTIK_HOST: https://sso.castaldifamily.com
      AUTHENTIK_INSECURE: "false"
      AUTHENTIK_TOKEN: <TOKEN_FROM_AUTHENTIK>
      AUTHENTIK_HOST_BROWSER: https://sso.castaldifamily.com

networks:
  proxy-net:
    name: proxy-net
    external: true

2.4 Port Assignment Convention

Service Host Port Outpost Port HTTPS Port
sonarr 8989 9001 9444
radarr 7878 9002 9445
prowlarr 9696 9003 9446
sabnzbd 8080 9004 9447
qbit 6969 9005 9448

Gate 2 — Confirm Theory (Authentik)

Required confirmation: CONFIRM THEORY: <service-name>

Decision Points:

  • Service will expose port <HOST_PORT> on waldorf?
  • Authentik outpost will use port <OUTPOST_PORT> on waldorf?
  • Traefik labels will route <service>.castaldifamily.com to outpost on <OUTPOST_PORT>?
  • Authentik token is valid and ready to use?
  • Traefik on heimdall can reach waldorf on 10.0.0.251?
  • Authentik Outpost exists in Authentik Admin UI?

If any NO, clarify before proceeding.

Step 3 — Act (Deployment for Authentik)

3.1 Prepare Compose File

On waldorf, update /mnt/thelab/apps/<service>/compose.yaml:

# Backup current
cp /mnt/thelab/apps/<service>/compose.yaml /mnt/thelab/apps/<service>/compose.yaml.backup

# Add host port binding to service (if not present)
# Remove any traefik labels from service (if present)
# Add complete authentik-outpost-<service> section (use template from 2.3)
# Verify YAML syntax
docker compose -f /mnt/thelab/apps/<service>/compose.yaml config > /dev/null && echo "✅ YAML valid"

3.2 Deploy

cd /mnt/thelab/apps/<service>
docker compose down
docker compose up -d

3.3 Verify Integration Chain

# 1. Service running?
docker ps | grep <service>

# 2. Outpost running?
docker ps | grep "authentik-outpost-<service>"

# 3. Port exposed?
ss -tuln | grep <HOST_PORT>
ss -tuln | grep <OUTPOST_PORT>

# 4. traefik-kop picked it up?
docker logs traefik-kop-edge --since 30s | grep <service>

# 5. Config in Redis?
docker run --rm --network host redis:alpine redis-cli -h 10.0.0.151 GET "traefik/http/routers/<service>/rule"
# Should return: Host(`<service>.castaldifamily.com`)

# 6. Test endpoint (from any host)
curl -kI https://<service>.castaldifamily.com
# Should return HTTP/2 302 (redirect to Authentik login)

# 7. Outpost connectivity to Authentik
docker logs "authentik-outpost-<service>" | tail -20
# Should show successful connections, no token errors

3.4 Test SSO Flow (Browser)

  1. Visit https://<service>.castaldifamily.com
  2. Should redirect to Authentik login
  3. Log in with Authentik credentials
  4. Should redirect back to <service> and auto-login
  5. Confirm you see the service dashboard (not login page)

Gate 3 — Confirm Resolution (Authentik)

Required confirmation: RESOLUTION COMPLETE: <service-name>

Checklist:

  • Service dashboard accessible via https://<service>.castaldifamily.com
  • Redirected to Authentik login when not authenticated
  • Auto-logged-in after Authentik login
  • Service login page NOT shown (headers trusted from outpost)
  • Service appears in Homepage with correct icon/description

[WORKFLOW B: Authelia Forward-Auth]

Applied when: Service has authelia container + traefik.http.middlewares.*.forwardauth.address label

Overview

Authelia integrates as a Traefik forward-auth middleware:

Browser → Traefik → [Auth Check via Forward-Auth to Authelia] → Service

Unlike Authentik Proxy (which acts as an outpost), Authelia runs on heimdall and Traefik middleware redirects unauthenticated requests to it.

Step 1 — Observe (Evidence Gathering for Authelia)

# Check Authelia container on heimdall
ssh heimdall "docker ps | grep authelia"
ssh heimdall "docker logs authelia --tail 30"

# On waldorf, check service configuration
docker ps | grep <service>
docker logs <service> --tail 30

# Verify service is NOT running an auth outpost
docker ps | grep <service> | grep -i auth
# Should return: (nothing) — no auth container for service

# Check if service or traefik labels reference authelia
docker inspect <service> | grep -A 10 'Labels' | grep -i "forward\|authelia"
# Should show something like: "traefik.http.routers.<service>.middlewares=authelia"

Step 2 — Confirm Theory (Authelia)

Required confirmation: CONFIRM THEORY: <service-name>-authelia

  • Authelia running on heimdall? (SSH check)
  • Service has NO dedicated auth container?
  • Traefik labels reference Authelia middleware? (forward-auth)
  • Service middleware points to http://authelia:9091?

Step 3 — Act (Fix Authelia Integration)

If Authelia is configured but broken:

# On heimdall, restart Authelia
docker compose restart authelia

# Verify forward-auth config in Traefik labels on waldorf service
# Labels should include:
# - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091
# - traefik.http.routers.<service>.middlewares=authelia

# Verify service still running
docker ps | grep <service>

# Test endpoint
curl -kI https://<service>.castaldifamily.com
# Should redirect to Authelia login URL

[WORKFLOW C: Generic Forward-Auth]

Applied when: Service has traefik.http.middlewares.*.forwardauth.address pointing to an external auth service (not Authelia or Authentik)

Overview

Generic forward-auth pattern delegates authentication to an external service:

Browser → Traefik → [Forward-Auth Check] → External Auth Service → Service

Step 1 — Identify Auth Service

# From service labels, extract the forward-auth address
docker inspect <service> | grep -i forwardauth.address
# Example output: "traefik.http.middlewares.*.forwardauth.address=http://auth-service:9091"

AUTH_SERVICE=$(extracted-from-label)  # e.g., http://auth-service:9091

Step 2 — Verify Auth Service

# Check if auth service is running
docker ps | grep auth-service

# Test connectivity from waldorf
curl -I "$AUTH_SERVICE/health"
# Should return 200 OK or similar success code

Step 3 — Act

If auth service is down or unreachable:

# Restart auth service
docker compose up -d auth-service

# Verify Traefik middleware config
docker inspect <service> | grep 'traefik.http.middlewares.*forwardauth'

# Test full chain
curl -kI https://<service>.castaldifamily.com
# Should route through forward-auth to external service

[WORKFLOW D: Traefik BasicAuth Middleware]

Applied when: Service has traefik.http.middlewares.*.basicauth.* labels

Overview

BasicAuth is a simple username:password protection (no SSO):

Browser → [HTTP Basic Auth Prompt] → Traefik → Service

Step 1 — Observe

# Check for basicauth middleware
docker inspect <service> | grep -i basicauth
# Should show: traefik.http.middlewares.*.basicauth.users=user:hashed-password

Step 2 — Verify

# Test access without credentials
curl -kI https://<service>.castaldifamily.com
# Should return HTTP/2 401 Unauthorized

# Test access with credentials
curl -kI -u "username:password" https://<service>.castaldifamily.com
# Should return HTTP/2 200 or redirect (depending on service)

Step 3 — Fix (if needed)

# BasicAuth users are typically set in Traefik labels
# If broken, regenerate hash:
echo $(htpasswd -nb user password) | sed -e s/\\$/\\$\\$/g

# Update Traefik label with new hash:
# traefik.http.middlewares.<service>-auth.basicauth.users=user:$hashed$

# Redeploy
docker compose up -d

[TROUBLESHOOTING: Common Issues (All Patterns)]

Issue: Service not discovered by traefik-kop

Cause: Host port not exposed Fix: Add ports: - "<HOST_PORT>:<CONTAINER_PORT>" to service in compose

Issue: 404 when accessing service domain

Cause: Traefik labels not on outpost, or outpost not healthy Fix:

  • Verify labels exist: docker inspect authentik-outpost-<service> | grep traefik
  • Check outpost health: docker logs authentik-outpost-<service> | grep "error"
  • Recreate if needed: docker compose up -d --force-recreate authentik-outpost-<service>

Issue: Redirect loop (keep going back to Authentik login)

Cause: Outpost not reaching Authentik Server Fix: Verify AUTHENTIK_TOKEN is valid; regenerate in Authentik UI if needed

Issue: Service login page shown after Authentik login

Cause: Service not configured to trust X-Authentik-* headers Fix: Service configuration varies by app; may require setting "trusted proxy" headers

[OUTPUT STYLE]

  • Mechanism focus: Explain why each step matters in the integration chain
  • Verification first: Always confirm before moving to next phase
  • Clear dependencies: Show which components talk to which
  • Reusable: Document decisions for template improvements