1.6 KiB
Authentik Cutover
This cutover moves ATLAS customer identity from LLDAP + Authelia to
authentik + Postgres while preserving Stripe billing and Swarm stacks.
Existing Customer Import
Before retiring LLDAP, export each customer with:
- current LDAP username
- Stripe customer ID
- customer phone
- customer domain
- current stack name, usually
customer-<slug>
Insert those records into the new ss-atlas Postgres tables:
accounts.primary_emailaccounts.stripe_customer_idaccounts.phoneaccounts.subscription_status = 'active'instances.sluginstances.stack_nameinstances.customer_domain
Use the existing stack slug when possible so /i/<slug> URLs continue to work.
First Social Login
On first Authentik login, ss-atlas links the Authentik identity to an account
by email when no exact provider subject is known yet. After that, the stable
provider + subject tuple in account_identities owns the login mapping.
Stripe Reconciliation
Stripe remains the billing source of truth. Webhooks and /success both upsert
the same account rows using stripe_customer_id, and billing_events prevents
reprocessing the same Stripe event.
Retiring Old Services
Only retire Authelia and LLDAP after:
- all active Stripe customers exist in Postgres
- at least one Authentik identity is linked for each active customer
/dashboard,/stack-manage, and/i/<slug>work through Authentik- subscription cancellation archives/removes the correct stack
Keep a database snapshot and Swarm volume backup before deleting old identity volumes.