Cut Doris over to Authentik ingress
This commit is contained in:
@@ -1,8 +1,9 @@
|
||||
# Identity and SSO
|
||||
|
||||
Authelia is the staged identity provider for the homelab.
|
||||
Authentik is the public identity provider for the homelab.
|
||||
Authelia remains available internally on PD as legacy migration-only plumbing while older routes are retired.
|
||||
|
||||
## Why Authelia
|
||||
## Why Authentik
|
||||
|
||||
- centralizes auth for the growing pile of web apps
|
||||
- works with shared Postgres/Redis already in the lab
|
||||
@@ -13,14 +14,15 @@ Authelia is the staged identity provider for the homelab.
|
||||
|
||||
- stack path: identity/
|
||||
- host target: PlausibleDeniability
|
||||
- public entrypoint: auth.paccoco.com
|
||||
- status: Authelia is live on PD; Traefik-based protected app routing is the next cutover layer
|
||||
- public entrypoint: `https://authentik.paccoco.com` (`https://auth.paccoco.com` is now just a compatibility redirect)
|
||||
- status: Authentik is the public login front door; Traefik now protects `doris.paccoco.com` through the embedded outpost and Authelia is no longer intended for direct public use
|
||||
|
||||
## Access-control direction
|
||||
|
||||
Traefik is the internal router and Authelia is the policy engine.
|
||||
Traefik is the internal router. Authentik is now the preferred public auth layer via native OIDC or embedded outpost forward-auth; Authelia is retained only for legacy/internal migration cases still being retired.
|
||||
|
||||
Current intended protected domains:
|
||||
- `doris.paccoco.com`
|
||||
- `gitea.paccoco.com`
|
||||
- `grafana.paccoco.com`
|
||||
- `traefik.paccoco.com`
|
||||
|
||||
Reference in New Issue
Block a user