Cut Doris over to Authentik ingress
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled

This commit is contained in:
Fizzlepoof
2026-05-24 18:59:36 +00:00
parent ffc1280f7c
commit 2057c8aaa5
4 changed files with 44 additions and 10 deletions

View File

@@ -25,8 +25,8 @@ All homelab services, their hosts, ports, and current status.
| Shlink | 8087 | http://pd:8087 | ✅ Active |
| Shlink Web Client | 8088 | http://pd:8088 | ✅ Active |
| RackPeek | 8283 | http://pd:8283 | ✅ Active |
| Authelia | 9091 | http://pd:9091 / https://auth.paccoco.com | ✅ Active internally on PD; currently fronts the Traefik-protected app layer |
| Authentik | 9000 | http://pd:9000 / https://authentik.paccoco.com | ✅ Active; public Pangolin hostname live for OIDC/SAML migration work |
| Authelia | 9091 | http://pd:9091 | ✅ Active internally on PD as legacy migration-only auth plumbing; public `auth.paccoco.com` now redirects to Authentik |
| Authentik | 9000 | http://pd:9000 / https://authentik.paccoco.com | ✅ Active; public identity front door for OIDC/SAML and forward-auth flows |
## AI Stack
@@ -62,6 +62,7 @@ OpenClaw is no longer treated as an active PD service in the operator inventory.
| Paperless-NGX | 8083 | ✅ Active; DOCX/Office ingestion via internal Tika + Gotenberg sidecars |
| Karakeep | 3100 | ✅ Active |
| n8n | 5678 | ✅ Active |
| Doris Dashboard | 8787 | ✅ Active on N.O.M.A.D. behind Pangolin -> Traefik -> Authentik at `https://doris.paccoco.com` |
| KitchenOwl | 8086 | ✅ Active |
| DoneTick | 2021 | ✅ Active |
| Dakboard Bridge | 5087 | ✅ Active |

View File

@@ -1,8 +1,9 @@
# Identity and SSO
Authelia is the staged identity provider for the homelab.
Authentik is the public identity provider for the homelab.
Authelia remains available internally on PD as legacy migration-only plumbing while older routes are retired.
## Why Authelia
## Why Authentik
- centralizes auth for the growing pile of web apps
- works with shared Postgres/Redis already in the lab
@@ -13,14 +14,15 @@ Authelia is the staged identity provider for the homelab.
- stack path: identity/
- host target: PlausibleDeniability
- public entrypoint: auth.paccoco.com
- status: Authelia is live on PD; Traefik-based protected app routing is the next cutover layer
- public entrypoint: `https://authentik.paccoco.com` (`https://auth.paccoco.com` is now just a compatibility redirect)
- status: Authentik is the public login front door; Traefik now protects `doris.paccoco.com` through the embedded outpost and Authelia is no longer intended for direct public use
## Access-control direction
Traefik is the internal router and Authelia is the policy engine.
Traefik is the internal router. Authentik is now the preferred public auth layer via native OIDC or embedded outpost forward-auth; Authelia is retained only for legacy/internal migration cases still being retired.
Current intended protected domains:
- `doris.paccoco.com`
- `gitea.paccoco.com`
- `grafana.paccoco.com`
- `traefik.paccoco.com`