Cut Doris over to Authentik ingress
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled

This commit is contained in:
Fizzlepoof
2026-05-24 18:59:36 +00:00
parent ffc1280f7c
commit 2057c8aaa5
4 changed files with 44 additions and 10 deletions

View File

@@ -25,8 +25,8 @@ All homelab services, their hosts, ports, and current status.
| Shlink | 8087 | http://pd:8087 | ✅ Active | | Shlink | 8087 | http://pd:8087 | ✅ Active |
| Shlink Web Client | 8088 | http://pd:8088 | ✅ Active | | Shlink Web Client | 8088 | http://pd:8088 | ✅ Active |
| RackPeek | 8283 | http://pd:8283 | ✅ Active | | RackPeek | 8283 | http://pd:8283 | ✅ Active |
| Authelia | 9091 | http://pd:9091 / https://auth.paccoco.com | ✅ Active internally on PD; currently fronts the Traefik-protected app layer | | Authelia | 9091 | http://pd:9091 | ✅ Active internally on PD as legacy migration-only auth plumbing; public `auth.paccoco.com` now redirects to Authentik |
| Authentik | 9000 | http://pd:9000 / https://authentik.paccoco.com | ✅ Active; public Pangolin hostname live for OIDC/SAML migration work | | Authentik | 9000 | http://pd:9000 / https://authentik.paccoco.com | ✅ Active; public identity front door for OIDC/SAML and forward-auth flows |
## AI Stack ## AI Stack
@@ -62,6 +62,7 @@ OpenClaw is no longer treated as an active PD service in the operator inventory.
| Paperless-NGX | 8083 | ✅ Active; DOCX/Office ingestion via internal Tika + Gotenberg sidecars | | Paperless-NGX | 8083 | ✅ Active; DOCX/Office ingestion via internal Tika + Gotenberg sidecars |
| Karakeep | 3100 | ✅ Active | | Karakeep | 3100 | ✅ Active |
| n8n | 5678 | ✅ Active | | n8n | 5678 | ✅ Active |
| Doris Dashboard | 8787 | ✅ Active on N.O.M.A.D. behind Pangolin -> Traefik -> Authentik at `https://doris.paccoco.com` |
| KitchenOwl | 8086 | ✅ Active | | KitchenOwl | 8086 | ✅ Active |
| DoneTick | 2021 | ✅ Active | | DoneTick | 2021 | ✅ Active |
| Dakboard Bridge | 5087 | ✅ Active | | Dakboard Bridge | 5087 | ✅ Active |

View File

@@ -1,8 +1,9 @@
# Identity and SSO # Identity and SSO
Authelia is the staged identity provider for the homelab. Authentik is the public identity provider for the homelab.
Authelia remains available internally on PD as legacy migration-only plumbing while older routes are retired.
## Why Authelia ## Why Authentik
- centralizes auth for the growing pile of web apps - centralizes auth for the growing pile of web apps
- works with shared Postgres/Redis already in the lab - works with shared Postgres/Redis already in the lab
@@ -13,14 +14,15 @@ Authelia is the staged identity provider for the homelab.
- stack path: identity/ - stack path: identity/
- host target: PlausibleDeniability - host target: PlausibleDeniability
- public entrypoint: auth.paccoco.com - public entrypoint: `https://authentik.paccoco.com` (`https://auth.paccoco.com` is now just a compatibility redirect)
- status: Authelia is live on PD; Traefik-based protected app routing is the next cutover layer - status: Authentik is the public login front door; Traefik now protects `doris.paccoco.com` through the embedded outpost and Authelia is no longer intended for direct public use
## Access-control direction ## Access-control direction
Traefik is the internal router and Authelia is the policy engine. Traefik is the internal router. Authentik is now the preferred public auth layer via native OIDC or embedded outpost forward-auth; Authelia is retained only for legacy/internal migration cases still being retired.
Current intended protected domains: Current intended protected domains:
- `doris.paccoco.com`
- `gitea.paccoco.com` - `gitea.paccoco.com`
- `grafana.paccoco.com` - `grafana.paccoco.com`
- `traefik.paccoco.com` - `traefik.paccoco.com`

View File

@@ -15,10 +15,12 @@ Design choices:
- no ACME on PD - no ACME on PD
- no Docker provider / no docker.sock mount - no Docker provider / no docker.sock mount
- Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer - Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer
- Authelia remains the identity decision point for `auth.paccoco.com` while migrated apps can use either Traefik forward-auth or app-native OIDC depending on the service. - Authentik is the public identity front door; `auth.paccoco.com` is now a compatibility redirect to `authentik.paccoco.com`.
- Authelia remains available internally on PD as a legacy component during migration work, but it is no longer the intended public login endpoint.
Current routed hostnames in dynamic config: Current routed hostnames in dynamic config:
- `auth.paccoco.com` -> Authelia - `auth.paccoco.com` -> redirect to `https://authentik.paccoco.com/`
- `doris.paccoco.com` -> Doris Dashboard behind Authentik forward-auth
- `gitea.paccoco.com` -> Gitea - `gitea.paccoco.com` -> Gitea
- `grafana.paccoco.com` -> Grafana - `grafana.paccoco.com` -> Grafana
- `dns.paccoco.com` -> Technitium (native OIDC inside the app) - `dns.paccoco.com` -> Technitium (native OIDC inside the app)

View File

@@ -3,9 +3,26 @@ http:
auth: auth:
rule: Host(`auth.paccoco.com`) rule: Host(`auth.paccoco.com`)
entryPoints: [web] entryPoints: [web]
service: authelia service: authentik-outpost
middlewares: middlewares:
- security-headers - security-headers
- auth-host-redirect
doris-authentik-outpost:
rule: Host(`doris.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`)
priority: 15
entryPoints: [web]
service: authentik-outpost
middlewares:
- security-headers
doris:
rule: Host(`doris.paccoco.com`)
entryPoints: [web]
service: doris-dashboard
middlewares:
- security-headers
- authentik-forwardauth
gitea-authentik-outpost: gitea-authentik-outpost:
rule: Host(`gitea.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`) rule: Host(`gitea.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`)
@@ -90,6 +107,12 @@ http:
servers: servers:
- url: https://technitium-dns-pilot:443 - url: https://technitium-dns-pilot:443
doris-dashboard:
loadBalancer:
passHostHeader: true
servers:
- url: http://10.5.30.7:8787
middlewares: middlewares:
authelia-forwardauth: authelia-forwardauth:
forwardAuth: forwardAuth:
@@ -124,6 +147,12 @@ http:
replacement: https://${1}/dashboard/ replacement: https://${1}/dashboard/
permanent: false permanent: false
auth-host-redirect:
redirectRegex:
regex: ^https?://auth\.paccoco\.com(?:/(.*))?$
replacement: https://authentik.paccoco.com/${1}
permanent: true
security-headers: security-headers:
headers: headers:
frameDeny: true frameDeny: true