
Authentik Level-Based Access & User Management Tutorial

This guide explains how to configure your H5H Homelab with a 4-tier access system, how to set up auto-enrollment for new users, and how to manage those users.

The 4-Tier Access Model

Source of truth is code/docker/scripts/setup_rbac.py (APPS = [...]). The table below reflects what the script actually binds.

| Level | Name | Access | Services (bound by setup_rbac.py) |
|---|---|---|---|
| Level 1 | Public | No login required. | h5h.me (portfolio, hosted on Vercel — outside this stack) |
| Level 2 | Friends / Basic | Any signed-in user. Auto-assigned on sign-up via the default user-write stage. | plex.h5h.me, torrent.h5h.me |
| Level 3 | Family | Manual promotion. Inherits Level 2. | drive.h5h.me, photos.h5h.me, notes.h5h.me |
| Admin | Superuser | Full access. Inherits all lower tiers. | traefik.h5h.me, prometheus.h5h.me, sh.h5h.me (Dashboard) |

Grafana (grafana.h5h.me) is not behind forward-auth. It uses Authentik as an OIDC provider instead: anyone can view as anonymous Viewer; signing in through the OIDC flow maps Authentik groups → Grafana roles (Admin if the user is in a group named admins, otherwise Viewer). Configured in docker-compose.yml under the grafana service.


Part 1: Automated Configuration

You no longer need to configure Groups, Applications, Providers, or Policies manually. The entire setup is automated via a backend script that interacts with the Authentik Database.

Step 1: Run the Setup Script

From the code/ directory, simply run:

```bash
make setup-authentik
```

This single command accomplishes the following:

  1. Creates Groups: Creates the Level 2 and Level 3 groups and verifies that the authentik Admins group exists.
  2. Assigns Admin: Adds 54321hemanth@gmail.com to the Admins group.
  3. Auto-Enrollment: Updates the default enrollment flow so any new user is instantly dropped into Level 2.
  4. Creates Policies: Creates the "Require Level X" policies that gate each tier.
  5. Provisions Services: Creates a separate ProxyProvider and Application for every service (qBittorrent, Plex, Nextcloud, Immich, Notes, etc.) and binds them to the Embedded Outpost.
  6. Enforces Access: Binds the correct policy (Level 2, Level 3, or Admin) to each application.

Once the command finishes, your 4-Tier access system is fully active and protecting your entire domain (*.h5h.me) automatically.
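To make the tier rules in the table and the "Require Level X" policies from Step 1 concrete, here is an added example that is not part of this repository and not the code of setup_rbac.py. It models the access decision the forward-auth policies make for each host, generates the wording such a policy would have as an authentik expression policy (this wording is an assumption; authentik's `ak_is_group_member()` helper is real), and reproduces the Grafana OIDC group-to-role mapping described above. The `APPS` mapping here mirrors only what the table lists; its shape is mine, not the script's.

```python
"""Added example (not the repo's setup_rbac.py): models the access decision
the 4-tier forward-auth policies make, and the Grafana OIDC group-to-role
mapping, so the inheritance rules in the table can be checked offline."""

# Tier rank; a higher tier inherits everything below it. "authentik Admins"
# is the superuser group the setup script verifies (name taken from the page).
TIER_RANK = {"Level 2": 2, "Level 3": 3, "authentik Admins": 99}

# Assumed mirror of the script's APPS list: hosts and tiers come from the
# page's table; the dict shape is mine, not the script's.
APPS = {
    "plex.h5h.me": "Level 2",
    "torrent.h5h.me": "Level 2",
    "drive.h5h.me": "Level 3",
    "photos.h5h.me": "Level 3",
    "notes.h5h.me": "Level 3",
    "traefik.h5h.me": "authentik Admins",
    "prometheus.h5h.me": "authentik Admins",
    "sh.h5h.me": "authentik Admins",
}

# Level 1: served outside this stack, never passes through forward-auth.
PUBLIC_HOSTS = {"h5h.me"}


def user_rank(groups, is_superuser=False):
    """Effective tier of a user from group membership; the superuser flag trumps all."""
    if is_superuser:
        return TIER_RANK["authentik Admins"]
    return max((TIER_RANK.get(g, 0) for g in groups), default=0)


def can_access(host, groups=(), is_superuser=False, authenticated=True):
    """Mimics the 'Require Level X' policy bound to the application for `host`.
    Hosts not in APPS are denied (fail closed), even for admins."""
    if host in PUBLIC_HOSTS:
        return True
    if not authenticated or host not in APPS:
        return False
    return user_rank(groups, is_superuser) >= TIER_RANK[APPS[host]]


def require_level_expression(level):
    """Assumed wording of a 'Require <level>' expression policy: it accepts the
    level itself and every tier above it, so Level 3 inherits Level 2 apps."""
    accepted = [g for g, r in TIER_RANK.items() if r >= TIER_RANK[level]]
    checks = " or ".join(
        f'ak_is_group_member(request.user, name="{g}")' for g in accepted
    )
    return f"return request.user.is_superuser or {checks}"


def grafana_role(groups=(), signed_in=True):
    """Grafana's OIDC mapping from the page: the 'admins' group becomes Admin,
    everyone else (including anonymous visitors) is a Viewer."""
    if signed_in and "admins" in groups:
        return "Admin"
    return "Viewer"


if __name__ == "__main__":
    # Quick walk-through of the tiers (constructed users, not real accounts).
    for label, kwargs in [
        ("anonymous", {"authenticated": False}),
        ("friend (Level 2)", {"groups": ["Level 2"]}),
        ("family (Level 3)", {"groups": ["Level 3"]}),
        ("admin", {"is_superuser": True}),
    ]:
        allowed = [h for h in ["h5h.me", *APPS] if can_access(h, **kwargs)]
        print(f"{label:18} -> {allowed}")
    print(require_level_expression("Level 3"))
```

The point worth checking in this model is the inheritance direction: a Level 3 member reaches Level 2 apps, but a Level 2 member never reaches Level 3 or admin apps, and any host the script did not bind is denied rather than silently allowed.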


Part 2: User Management Tutorial

As an admin (54321hemanth@gmail.com), here is how you manage your homelab users.

How to See Who is Registered

  1. Log in to auth.h5h.me and click the grid icon in the top right to enter the Admin Interface.
  2. Navigate to Directory -> Users.
  3. Here you will see a list of everyone who has signed up or been created.

How to Promote a Friend (Level 2) to Family (Level 3)

When someone signs up, they get Level 2 automatically. If you want to give them access to Nextcloud/Immich:

  1. Go to Directory -> Users.
  2. Click on the user's name.
  3. Go to the Groups tab for that user.
  4. Click Add to group and select Level 3.
  5. You can safely remove them from Level 2 to keep their group list clean; Level 3 automatically inherits access to all Level 2 apps.

How to Disable or Ban a User

If someone is abusing your Plex or you want to revoke their access:

  1. Go to Directory -> Users.
  2. Click on the user's name.
  3. Click the Edit button.
  4. Uncheck the Is active box.
    • Result: They are immediately logged out and cannot log back in.

How to Manually Create a User (No Sign-Up Required)

If you just want to hand a friend a username and password instead of them using Google SSO:

  1. Go to Directory -> Users.
  2. Click Create User.
  3. Fill in their Username and Name.
  4. Click Create.
  5. Click on the new user, go to the Pass/App passwords tab.
  6. Click Set Password and type a temporary password for them.
  7. Go to their Groups tab and add them to Level 2 or Level 3.
  8. Hand them the credentials.
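The three procedures above (promote, disable, create) can also be scripted against the authentik REST API, which is useful when onboarding several friends at once or when you want the steps recorded in code. The following is an added example, not code from this repository. The endpoint paths are my reading of the authentik v3 API (`/api/v3/core/users/`, `/set_password/`, `/add_user/`, `/remove_user/`) and should be checked against your instance's API schema before use; `AUTHENTIK_URL` and `AUTHENTIK_TOKEN` are assumed environment variables, and the functions take a `session` object so they can be exercised without a live server.

```python
"""Added example (not from the repo): the Part 2 user-management steps done
through the authentik REST API instead of the admin UI. Endpoint paths are
assumptions based on the authentik v3 API; verify them against your instance."""
import os
import secrets

BASE = os.environ.get("AUTHENTIK_URL", "https://auth.h5h.me")  # assumed env var
API = f"{BASE}/api/v3"


def _check(resp, url):
    """Raise on any non-2xx response so a failed step never silently continues."""
    if not 200 <= resp.status_code < 300:
        raise RuntimeError(f"HTTP {resp.status_code} from {url}: {resp.text}")
    return resp.json() if resp.text else {}


def group_id(session, name):
    """Look up a group by exact name (e.g. 'Level 3') and return its uuid."""
    url = f"{API}/core/groups/"
    data = _check(session.get(url, params={"name": name}), url)
    matches = [g for g in data["results"] if g["name"] == name]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one group named {name!r}, got {len(matches)}")
    return matches[0]["pk"]


def create_local_user(session, username, name, tier="Level 2"):
    """'Manually Create a User': create the account, set a random temporary
    password, and add the user to the chosen tier group. Returns (pk, password)."""
    url = f"{API}/core/users/"
    user = _check(session.post(url, json={"username": username, "name": name, "is_active": True}), url)
    temp_password = secrets.token_urlsafe(16)  # hand this over out of band
    url = f"{API}/core/users/{user['pk']}/set_password/"
    _check(session.post(url, json={"password": temp_password}), url)
    url = f"{API}/core/groups/{group_id(session, tier)}/add_user/"
    _check(session.post(url, json={"pk": user["pk"]}), url)
    return user["pk"], temp_password


def promote_to_family(session, user_pk):
    """'Promote a Friend': add to Level 3, then drop Level 2 (Level 3 inherits it)."""
    url = f"{API}/core/groups/{group_id(session, 'Level 3')}/add_user/"
    _check(session.post(url, json={"pk": user_pk}), url)
    url = f"{API}/core/groups/{group_id(session, 'Level 2')}/remove_user/"
    _check(session.post(url, json={"pk": user_pk}), url)


def disable_user(session, user_pk):
    """'Disable or Ban': is_active=False is the same switch as the UI checkbox."""
    url = f"{API}/core/users/{user_pk}/"
    return _check(session.patch(url, json={"is_active": False}), url)


if __name__ == "__main__":
    import requests  # assumption: requests is installed and a bearer API token is set

    s = requests.Session()
    s.headers["Authorization"] = f"Bearer {os.environ['AUTHENTIK_TOKEN']}"
    pk, password = create_local_user(s, "friend1", "Friend One")
    print(f"created user {pk}; temporary password: {password}")
```

Because every call goes through `_check`, a typo in a group name or a missing permission on the API token stops the script at that step instead of leaving a half-configured account (for example, created and given a password but never placed in a tier group).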

MIT License