forked from Nixius/authelia
# Authentik Cutover

This cutover moves ATLAS customer identity from `LLDAP + Authelia` to `authentik + Postgres` while preserving Stripe billing and Swarm stacks.

## Existing Customer Import

Before retiring LLDAP, export each customer with:

- current LDAP username
- email
- Stripe customer ID
- customer phone
- customer domain
- current stack name, usually `customer-<slug>`

Insert those records into the new `ss-atlas` Postgres tables:

- `accounts.primary_email`
- `accounts.stripe_customer_id`
- `accounts.phone`
- `accounts.subscription_status = 'active'`
- `instances.slug`
- `instances.stack_name`
- `instances.customer_domain`

Use the existing stack slug when possible so `/i/<slug>` URLs continue to work.

## First Social Login

On first Authentik login, `ss-atlas` links the Authentik identity to an account by email when no exact provider subject is known yet. After that, the stable `provider + subject` tuple in `account_identities` owns the login mapping.
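The linking rule above, as an added example that is not `ss-atlas` code: an in-memory SQLite model of `accounts` and `account_identities` in which the `(provider, subject)` tuple is checked first and the email fallback is used only once, to create that tuple. Column names other than `accounts.primary_email`, the `id`/`account_id` keys, and the case-insensitive email comparison are assumptions, not the real schema.

```python
import sqlite3

# Assumed schema: only `accounts.primary_email` and `account_identities`
# are named in the cutover notes; everything else is illustrative.
SCHEMA = """
CREATE TABLE accounts (id INTEGER PRIMARY KEY, primary_email TEXT NOT NULL UNIQUE);
CREATE TABLE account_identities (
    provider TEXT NOT NULL,
    subject  TEXT NOT NULL,
    account_id INTEGER NOT NULL REFERENCES accounts(id),
    PRIMARY KEY (provider, subject)
);
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample: one imported customer, no Authentik identity linked yet.
    db.execute("INSERT INTO accounts (id, primary_email) VALUES (1, 'owner@example.com')")
    return db

def resolve_account(db, provider, subject, email):
    """Return the account id for a login, linking the identity on first sight.

    1. An existing (provider, subject) row wins; the email claim is ignored.
    2. Otherwise match accounts.primary_email (assumed case-insensitive) and
       record the (provider, subject) tuple so rule 1 applies on later logins.
    3. Unknown email: return None; nothing is created or linked.
    """
    row = db.execute(
        "SELECT account_id FROM account_identities WHERE provider = ? AND subject = ?",
        (provider, subject)).fetchone()
    if row:
        return row[0]
    row = db.execute(
        "SELECT id FROM accounts WHERE lower(primary_email) = lower(?)", (email,)).fetchone()
    if row is None:
        return None
    db.execute(
        "INSERT INTO account_identities (provider, subject, account_id) VALUES (?, ?, ?)",
        (provider, subject, row[0]))
    db.commit()
    return row[0]

if __name__ == "__main__":
    db = open_db()
    print(resolve_account(db, "authentik", "sub-1", "Owner@Example.com"))  # links by email
    print(resolve_account(db, "authentik", "sub-1", "changed@example.com"))  # tuple owns mapping
```

The second call resolves to the same account even though the email claim changed, which is the point of letting the tuple own the mapping after first login.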

## Stripe Reconciliation

Stripe remains the billing source of truth. Webhooks and `/success` both upsert the same account rows using `stripe_customer_id`, and `billing_events` prevents reprocessing the same Stripe event.

## Retiring Old Services

Only retire Authelia and LLDAP after:

- all active Stripe customers exist in Postgres
- at least one Authentik identity is linked for each active customer
- `/dashboard`, `/stack-manage`, and `/i/<slug>` work through Authentik
- subscription cancellation archives/removes the correct stack

Keep a database snapshot and Swarm volume backup before deleting old identity volumes.