Summary
- add a Kanboard stack at kanban.ai.dephekt.net with LAN fallback on containers.home.arpa:8097
- add a small /i/<TASK_REF> redirector for stable references such as HGC-001
- bake the Kanboard OAuth2 plugin into the local Kanboard image and bootstrap Keycloak OAuth settings
- configure the Keycloak home realm with a kanboard client, one kanboard access group, one kanboard client role, and a client-specific browser flow gate
- keep Kanboard application roles local to Kanboard; Keycloak only gates login eligibility
- disable Pangolin SSO for the Kanban route; Pangolin/Newt now only routes traffic
- render Kanboard admin/API/OIDC secrets from the Agents 1Password vault through make inject-agent-secrets
- wire the stack into media-stack Makefile targets and docs
Validation
- git diff --check
- bash -n kanban/keycloak/configure-kanboard-client.sh
- php -l kanban/kanboard/configure-oauth.php
- DOMAIN=dephekt.net DOCKER_CONTEXT=media-server docker --context media-server compose -p kanban -f kanban/docker-compose.yml config --no-env-resolution --quiet
- kanban/keycloak/configure-kanboard-client.sh, including a second idempotence run
- make kanban-up
- curl http://containers.home.arpa:8097/healthcheck.php
- curl https://kanban.ai.dephekt.net/healthcheck.php
- curl https://kanban.ai.dephekt.net/oauth/callback follows one redirect to Keycloak and returns HTTP 200
- verified live Keycloak state: only kanboard group, only kanboard client role, no kanboard_roles mapper, active gate requires kanboard.kanboard
- verified Kanboard OAuth group settings are blank and legacy imported groups were removed
- KANBOARD_URL=http://containers.home.arpa:8097 tools/kb task get HGC-001
Notes
- Deployed on the media-server Docker context.
- Public route now goes directly to Kanboard login and the OAuth2 login redirects to Keycloak.
- Kanboard stores a single application URL, so the OIDC callback is the public kanban.ai.dephekt.net URL; the LAN route remains available for direct access and local admin fallback.
- Kanboard app roles remain manually assigned inside Kanboard. The dan@dephekt.net OAuth user currently remains app-user until promoted locally.
- The local Kanboard admin password, JSON-RPC token, and Keycloak client secret were rotated after command output exposed old rendered values during validation.
Summary
- add a Kanboard stack at kanban.ai.dephekt.net with LAN fallback on containers.home.arpa:8097
- add a small /i/<TASK_REF> redirector for stable references such as HGC-001
- bake the Kanboard OAuth2 plugin into the local Kanboard image and bootstrap Keycloak OAuth settings
- configure the Keycloak home realm with a kanboard client, one kanboard access group, one kanboard client role, and a client-specific browser flow gate
- keep Kanboard application roles local to Kanboard; Keycloak only gates login eligibility
- disable Pangolin SSO for the Kanban route; Pangolin/Newt now only routes traffic
- render Kanboard admin/API/OIDC secrets from the Agents 1Password vault through make inject-agent-secrets
- wire the stack into media-stack Makefile targets and docs
Validation
- git diff --check
- bash -n kanban/keycloak/configure-kanboard-client.sh
- php -l kanban/kanboard/configure-oauth.php
- DOMAIN=dephekt.net DOCKER_CONTEXT=media-server docker --context media-server compose -p kanban -f kanban/docker-compose.yml config --no-env-resolution --quiet
- kanban/keycloak/configure-kanboard-client.sh, including a second idempotence run
- make kanban-up
- curl http://containers.home.arpa:8097/healthcheck.php
- curl https://kanban.ai.dephekt.net/healthcheck.php
- curl https://kanban.ai.dephekt.net/oauth/callback follows one redirect to Keycloak and returns HTTP 200
- verified live Keycloak state: only kanboard group, only kanboard client role, no kanboard_roles mapper, active gate requires kanboard.kanboard
- verified Kanboard OAuth group settings are blank and legacy imported groups were removed
- KANBOARD_URL=http://containers.home.arpa:8097 tools/kb task get HGC-001
Notes
- Deployed on the media-server Docker context.
- Public route now goes directly to Kanboard login and the OAuth2 login redirects to Keycloak.
- Kanboard stores a single application URL, so the OIDC callback is the public kanban.ai.dephekt.net URL; the LAN route remains available for direct access and local admin fallback.
- Kanboard app roles remain manually assigned inside Kanboard. The dan@dephekt.net OAuth user currently remains app-user until promoted locally.
- The local Kanboard admin password, JSON-RPC token, and Keycloak client secret were rotated after command output exposed old rendered values during validation.