Switch profile, twelve services come up. Authentik holds identity, n8n connects them in dataflows, Superset aggregates BI. One YAML change activates the whole suite.
Level: 3 · Reading time: 20 min
Already know this rung? Level 4 — SSO everywhere (planned) — will walk through the Authentik integration in depth.
PMA defines profiles in services.yaml — named subsets of
services. You start in minimal (Authentik + one service). To get
the full enterprise suite, switch to the enterprise profile:
Redmine, Mattermost, n8n, ERPNext, Superset, Wiki.js, Zammad,
Grafana, Prometheus, Loki, Postal, Authentik.
Same codebase. Same framework. Different services.yaml declaration.
The framework reads the profile, brings the listed services up.
1. Switch profile:
just profile set enterprise
# Updates services.yaml's active profile to "enterprise"
# Re-generates docker-compose.yml to include only enterprise services
2. Bring it up:
just up
# Or for a fresh bootstrap including all the SSO + backup setup:
just bootstrap-local enterprise
First-time bootstrap: 30-45 minutes (image pulls + per-service
initialisation + SSO wiring + n8n workflow import).
Subsequent just up: 1-2 minutes.
3. Get the URLs:
just tunnel-status
# Lists all services' public URLs + status
You'll see ~12 lines, one per service, each with its own
<svc>-<your-id>.<tunnel-host> URL.
4. Verify SSO works across services:
Open Redmine URL → log in via Authentik → close tab. Open
Mattermost URL → click "Sign in with OIDC" → you're already
authenticated (Authentik session is shared). Same for ERPNext,
Wiki.js, Superset, Zammad, Grafana.
5. Verify n8n integration is live:
just n8n-list-workflows
# Lists the n8n workflows imported during bootstrap
You'll see workflows like "Redmine → ERPNext customer sync",
"Zammad → Mattermost notification", etc. These were declared in
PMA's standard n8n workflow set and imported during bootstrap.
$ just status | grep healthy | wc -l
12 # or thereabouts, depending on profile
$ just urls | head
🔗 Active workspace URLs:
authentik https://authentik-xyz1.eu2.tn.example.com
redmine https://redmine-xyz1.eu2.tn.example.com
mattermost https://mattermost-xyz1.eu2.tn.example.com
n8n https://n8n-xyz1.eu2.tn.example.com
erpnext https://erpnext-xyz1.eu2.tn.example.com
...
You have a working enterprise stack. SSO is unified. n8n connects
services. Caddy fronts everything. The docker-compose.yml was
generated from the active profile — only enterprise services are
in it, no overhead from disabled ones.
To swap profile later:
just profile set development # subset (n8n, mattermost, redmine, wikijs)
just profile set support # different subset (n8n, mattermost, zammad, espocrm)
just profile set data # BI-focused (n8n, redash, superset)
just profile set full # everything
just compose-generate # regenerates docker-compose.yml for new profile
just up # brings the new set up
Three things to internalise:
1. services.yaml declares profiles. It's the project-wide
service registry — every service's manifest.yaml is the
service-level spec; services.yaml is the cross-service spec
(port allocation, profile membership, command structure).
Switching profile changes which services activate; framework
re-reads everything next bootstrap.
2. docker-compose.yml is generated, not hand-written.
just compose-generate reads the active profile + each
package's docker-compose.yaml fragment + merges into one
top-level compose file. Editing docker/docker-compose.yml
directly is blocked by a hook; you change a package
declaration or a profile, then regenerate.
3. SSO works across services because every service's manifest
declared sso.type. The bootstrap configured each one with
Authentik. There's no extra step for "wire Mattermost into the
same Authentik" — it happened automatically because the
manifest said so.
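The two guarantees above (only the active profile's services are in the generated compose file, and every one of them declares sso.type) can be checked after a profile switch. The audit below is an added example, not PMA's own code: the key names active_profile, profiles and services, and the dicts standing in for parsed YAML, are assumptions, since the page does not show the real schema.

```python
# Added example: audit the active profile against the generated compose
# file and the per-service manifests. Dict layouts are assumed stand-ins
# for parsed services.yaml, manifest.yaml and docker-compose.yml.

def audit_profile(services_yaml, manifests, compose):
    """Return drift and SSO-coverage findings for the active profile."""
    active = services_yaml["active_profile"]
    profiles = services_yaml["profiles"]
    if active not in profiles:
        raise KeyError(f"active profile {active!r} is not declared")
    wanted = set(profiles[active])
    running = set(compose.get("services", {}))
    # A service with no manifest, no sso block, or an empty sso.type
    # would come up without going through the identity provider.
    no_sso = sorted(
        s for s in wanted
        if not (manifests.get(s, {}).get("sso") or {}).get("type")
    )
    return {
        # Left over from a previous profile: exposed but not declared.
        "extra_in_compose": sorted(running - wanted),
        # Declared but not generated: compose file is stale.
        "missing_from_compose": sorted(wanted - running),
        "no_sso": no_sso,
    }

# Constructed sample data: the "development" profile as listed on this
# page, with a stale compose file and one manifest missing sso.type.
SERVICES_YAML = {
    "active_profile": "development",
    "profiles": {"development": ["n8n", "mattermost", "redmine", "wikijs"]},
}
MANIFESTS = {
    "n8n": {"sso": {"type": "oidc"}},
    "mattermost": {"sso": {"type": "oidc"}},
    "redmine": {"sso": {}},  # constructed gap
    "wikijs": {"sso": {"type": "oidc"}},
}
COMPOSE = {"services": {"n8n": {}, "mattermost": {}, "redmine": {}, "zammad": {}}}

if __name__ == "__main__":
    for finding, names in audit_profile(SERVICES_YAML, MANIFESTS, COMPOSE).items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Any non-empty finding after just compose-generate means the running set and the declared set have diverged, or a service in the profile would start outside SSO.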
The framework treats "12 services running together" as the same
problem as "1 service running alone" — just bigger. Adding service
#13 (per Level 2) inherits all the
multi-service magic for free.
Reference: /pma/internals/package-system (planned).
services.yaml, list the services it includes, switch.
packages/n8n/workflows/, framework imports it.