diff --git a/docs/architecture/SERVICES_DIRECTORY.md b/docs/architecture/SERVICES_DIRECTORY.md index d120167..8b5946d 100644 --- a/docs/architecture/SERVICES_DIRECTORY.md +++ b/docs/architecture/SERVICES_DIRECTORY.md @@ -25,8 +25,8 @@ All homelab services, their hosts, ports, and current status. | Shlink | 8087 | http://pd:8087 | ✅ Active | | Shlink Web Client | 8088 | http://pd:8088 | ✅ Active | | RackPeek | 8283 | http://pd:8283 | ✅ Active | -| Authelia | 9091 | http://pd:9091 / https://auth.paccoco.com | ✅ Active internally on PD; currently fronts the Traefik-protected app layer | -| Authentik | 9000 | http://pd:9000 / https://authentik.paccoco.com | ✅ Active; public Pangolin hostname live for OIDC/SAML migration work | +| Authelia | 9091 | http://pd:9091 | ✅ Active internally on PD as legacy migration-only auth plumbing; public `auth.paccoco.com` now redirects to Authentik | +| Authentik | 9000 | http://pd:9000 / https://authentik.paccoco.com | ✅ Active; public identity front door for OIDC/SAML and forward-auth flows | ## AI Stack @@ -62,6 +62,7 @@ OpenClaw is no longer treated as an active PD service in the operator inventory. | Paperless-NGX | 8083 | ✅ Active; DOCX/Office ingestion via internal Tika + Gotenberg sidecars | | Karakeep | 3100 | ✅ Active | | n8n | 5678 | ✅ Active | +| Doris Dashboard | 8787 | ✅ Active on N.O.M.A.D. behind Pangolin -> Traefik -> Authentik at `https://doris.paccoco.com` | | KitchenOwl | 8086 | ✅ Active | | DoneTick | 2021 | ✅ Active | | Dakboard Bridge | 5087 | ✅ Active | diff --git a/docs/operations/IDENTITY_AND_SSO.md b/docs/operations/IDENTITY_AND_SSO.md index 0373ffb..56d8633 100644 --- a/docs/operations/IDENTITY_AND_SSO.md +++ b/docs/operations/IDENTITY_AND_SSO.md @@ -1,8 +1,9 @@ # Identity and SSO -Authelia is the staged identity provider for the homelab. +Authentik is the public identity provider for the homelab. +Authelia remains available internally on PD as legacy migration-only plumbing while older routes are retired. -## Why Authelia +## Why Authentik - centralizes auth for the growing pile of web apps - works with shared Postgres/Redis already in the lab @@ -13,14 +14,15 @@ Authelia is the staged identity provider for the homelab. - stack path: identity/ - host target: PlausibleDeniability -- public entrypoint: auth.paccoco.com -- status: Authelia is live on PD; Traefik-based protected app routing is the next cutover layer +- public entrypoint: `https://authentik.paccoco.com` (`https://auth.paccoco.com` is now just a compatibility redirect) +- status: Authentik is the public login front door; Traefik now protects `doris.paccoco.com` through the embedded outpost and Authelia is no longer intended for direct public use ## Access-control direction -Traefik is the internal router and Authelia is the policy engine. +Traefik is the internal router. Authentik is now the preferred public auth layer via native OIDC or embedded outpost forward-auth; Authelia is retained only for legacy/internal migration cases still being retired. Current intended protected domains: +- `doris.paccoco.com` - `gitea.paccoco.com` - `grafana.paccoco.com` - `traefik.paccoco.com` diff --git a/ingress/README.md b/ingress/README.md index cc2653e..907b96d 100644 --- a/ingress/README.md +++ b/ingress/README.md @@ -15,10 +15,12 @@ Design choices: - no ACME on PD - no Docker provider / no docker.sock mount - Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer -- Authelia remains the identity decision point for `auth.paccoco.com` while migrated apps can use either Traefik forward-auth or app-native OIDC depending on the service. +- Authentik is the public identity front door; `auth.paccoco.com` is now a compatibility redirect to `authentik.paccoco.com`. +- Authelia remains available internally on PD as a legacy component during migration work, but it is no longer the intended public login endpoint. Current routed hostnames in dynamic config: -- `auth.paccoco.com` -> Authelia +- `auth.paccoco.com` -> redirect to `https://authentik.paccoco.com/` +- `doris.paccoco.com` -> Doris Dashboard behind Authentik forward-auth - `gitea.paccoco.com` -> Gitea - `grafana.paccoco.com` -> Grafana - `dns.paccoco.com` -> Technitium (native OIDC inside the app) diff --git a/ingress/traefik/dynamic/routes.yml b/ingress/traefik/dynamic/routes.yml index 077964b..869fc45 100644 --- a/ingress/traefik/dynamic/routes.yml +++ b/ingress/traefik/dynamic/routes.yml @@ -3,9 +3,26 @@ http: auth: rule: Host(`auth.paccoco.com`) entryPoints: [web] - service: authelia + service: authentik-outpost middlewares: - security-headers + - auth-host-redirect + + doris-authentik-outpost: + rule: Host(`doris.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`) + priority: 15 + entryPoints: [web] + service: authentik-outpost + middlewares: + - security-headers + + doris: + rule: Host(`doris.paccoco.com`) + entryPoints: [web] + service: doris-dashboard + middlewares: + - security-headers + - authentik-forwardauth gitea-authentik-outpost: rule: Host(`gitea.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`) @@ -90,6 +107,12 @@ http: servers: - url: https://technitium-dns-pilot:443 + doris-dashboard: + loadBalancer: + passHostHeader: true + servers: + - url: http://10.5.30.7:8787 + middlewares: authelia-forwardauth: forwardAuth: @@ -124,6 +147,12 @@ http: replacement: https://${1}/dashboard/ permanent: false + auth-host-redirect: + redirectRegex: + regex: ^https?://auth\.paccoco\.com(?:/(.*))?$ + replacement: https://authentik.paccoco.com/${1} + permanent: true + security-headers: headers: frameDeny: true