Cut Doris over to Authentik ingress
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled

This commit is contained in:
Fizzlepoof
2026-05-24 18:59:36 +00:00
parent ffc1280f7c
commit 2057c8aaa5
4 changed files with 44 additions and 10 deletions

View File

@@ -1,8 +1,9 @@
# Identity and SSO
Authelia is the staged identity provider for the homelab.
Authentik is the public identity provider for the homelab.
Authelia remains available internally on PD as legacy migration-only plumbing while older routes are retired.
## Why Authelia
## Why Authentik
- centralizes auth for the growing pile of web apps
- works with shared Postgres/Redis already in the lab
@@ -13,14 +14,15 @@ Authelia is the staged identity provider for the homelab.
- stack path: identity/
- host target: PlausibleDeniability
- public entrypoint: auth.paccoco.com
- status: Authelia is live on PD; Traefik-based protected app routing is the next cutover layer
- public entrypoint: `https://authentik.paccoco.com` (`https://auth.paccoco.com` is now just a compatibility redirect)
- status: Authentik is the public login front door; Traefik now protects `doris.paccoco.com` through the embedded outpost and Authelia is no longer intended for direct public use
## Access-control direction
Traefik is the internal router and Authelia is the policy engine.
Traefik is the internal router. Authentik is now the preferred public auth layer via native OIDC or embedded outpost forward-auth; Authelia is retained only for legacy/internal migration cases still being retired.
Current intended protected domains:
- `doris.paccoco.com`
- `gitea.paccoco.com`
- `grafana.paccoco.com`
- `traefik.paccoco.com`