Cut Doris over to Authentik ingress
This commit is contained in:
@@ -25,8 +25,8 @@ All homelab services, their hosts, ports, and current status.
|
|||||||
| Shlink | 8087 | http://pd:8087 | ✅ Active |
|
| Shlink | 8087 | http://pd:8087 | ✅ Active |
|
||||||
| Shlink Web Client | 8088 | http://pd:8088 | ✅ Active |
|
| Shlink Web Client | 8088 | http://pd:8088 | ✅ Active |
|
||||||
| RackPeek | 8283 | http://pd:8283 | ✅ Active |
|
| RackPeek | 8283 | http://pd:8283 | ✅ Active |
|
||||||
| Authelia | 9091 | http://pd:9091 / https://auth.paccoco.com | ✅ Active internally on PD; currently fronts the Traefik-protected app layer |
|
| Authelia | 9091 | http://pd:9091 | ✅ Active internally on PD as legacy migration-only auth plumbing; public `auth.paccoco.com` now redirects to Authentik |
|
||||||
| Authentik | 9000 | http://pd:9000 / https://authentik.paccoco.com | ✅ Active; public Pangolin hostname live for OIDC/SAML migration work |
|
| Authentik | 9000 | http://pd:9000 / https://authentik.paccoco.com | ✅ Active; public identity front door for OIDC/SAML and forward-auth flows |
|
||||||
|
|
||||||
## AI Stack
|
## AI Stack
|
||||||
|
|
||||||
@@ -62,6 +62,7 @@ OpenClaw is no longer treated as an active PD service in the operator inventory.
|
|||||||
| Paperless-NGX | 8083 | ✅ Active; DOCX/Office ingestion via internal Tika + Gotenberg sidecars |
|
| Paperless-NGX | 8083 | ✅ Active; DOCX/Office ingestion via internal Tika + Gotenberg sidecars |
|
||||||
| Karakeep | 3100 | ✅ Active |
|
| Karakeep | 3100 | ✅ Active |
|
||||||
| n8n | 5678 | ✅ Active |
|
| n8n | 5678 | ✅ Active |
|
||||||
|
| Doris Dashboard | 8787 | ✅ Active on N.O.M.A.D. behind Pangolin -> Traefik -> Authentik at `https://doris.paccoco.com` |
|
||||||
| KitchenOwl | 8086 | ✅ Active |
|
| KitchenOwl | 8086 | ✅ Active |
|
||||||
| DoneTick | 2021 | ✅ Active |
|
| DoneTick | 2021 | ✅ Active |
|
||||||
| Dakboard Bridge | 5087 | ✅ Active |
|
| Dakboard Bridge | 5087 | ✅ Active |
|
||||||
|
|||||||
@@ -1,8 +1,9 @@
|
|||||||
# Identity and SSO
|
# Identity and SSO
|
||||||
|
|
||||||
Authelia is the staged identity provider for the homelab.
|
Authentik is the public identity provider for the homelab.
|
||||||
|
Authelia remains available internally on PD as legacy migration-only plumbing while older routes are retired.
|
||||||
|
|
||||||
## Why Authelia
|
## Why Authentik
|
||||||
|
|
||||||
- centralizes auth for the growing pile of web apps
|
- centralizes auth for the growing pile of web apps
|
||||||
- works with shared Postgres/Redis already in the lab
|
- works with shared Postgres/Redis already in the lab
|
||||||
@@ -13,14 +14,15 @@ Authelia is the staged identity provider for the homelab.
|
|||||||
|
|
||||||
- stack path: identity/
|
- stack path: identity/
|
||||||
- host target: PlausibleDeniability
|
- host target: PlausibleDeniability
|
||||||
- public entrypoint: auth.paccoco.com
|
- public entrypoint: `https://authentik.paccoco.com` (`https://auth.paccoco.com` is now just a compatibility redirect)
|
||||||
- status: Authelia is live on PD; Traefik-based protected app routing is the next cutover layer
|
- status: Authentik is the public login front door; Traefik now protects `doris.paccoco.com` through the embedded outpost and Authelia is no longer intended for direct public use
|
||||||
|
|
||||||
## Access-control direction
|
## Access-control direction
|
||||||
|
|
||||||
Traefik is the internal router and Authelia is the policy engine.
|
Traefik is the internal router. Authentik is now the preferred public auth layer via native OIDC or embedded outpost forward-auth; Authelia is retained only for legacy/internal migration cases still being retired.
|
||||||
|
|
||||||
Current intended protected domains:
|
Current intended protected domains:
|
||||||
|
- `doris.paccoco.com`
|
||||||
- `gitea.paccoco.com`
|
- `gitea.paccoco.com`
|
||||||
- `grafana.paccoco.com`
|
- `grafana.paccoco.com`
|
||||||
- `traefik.paccoco.com`
|
- `traefik.paccoco.com`
|
||||||
|
|||||||
@@ -15,10 +15,12 @@ Design choices:
|
|||||||
- no ACME on PD
|
- no ACME on PD
|
||||||
- no Docker provider / no docker.sock mount
|
- no Docker provider / no docker.sock mount
|
||||||
- Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer
|
- Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer
|
||||||
- Authelia remains the identity decision point for `auth.paccoco.com` while migrated apps can use either Traefik forward-auth or app-native OIDC depending on the service.
|
- Authentik is the public identity front door; `auth.paccoco.com` is now a compatibility redirect to `authentik.paccoco.com`.
|
||||||
|
- Authelia remains available internally on PD as a legacy component during migration work, but it is no longer the intended public login endpoint.
|
||||||
|
|
||||||
Current routed hostnames in dynamic config:
|
Current routed hostnames in dynamic config:
|
||||||
- `auth.paccoco.com` -> Authelia
|
- `auth.paccoco.com` -> redirect to `https://authentik.paccoco.com/`
|
||||||
|
- `doris.paccoco.com` -> Doris Dashboard behind Authentik forward-auth
|
||||||
- `gitea.paccoco.com` -> Gitea
|
- `gitea.paccoco.com` -> Gitea
|
||||||
- `grafana.paccoco.com` -> Grafana
|
- `grafana.paccoco.com` -> Grafana
|
||||||
- `dns.paccoco.com` -> Technitium (native OIDC inside the app)
|
- `dns.paccoco.com` -> Technitium (native OIDC inside the app)
|
||||||
|
|||||||
@@ -3,9 +3,26 @@ http:
|
|||||||
auth:
|
auth:
|
||||||
rule: Host(`auth.paccoco.com`)
|
rule: Host(`auth.paccoco.com`)
|
||||||
entryPoints: [web]
|
entryPoints: [web]
|
||||||
service: authelia
|
service: authentik-outpost
|
||||||
middlewares:
|
middlewares:
|
||||||
- security-headers
|
- security-headers
|
||||||
|
- auth-host-redirect
|
||||||
|
|
||||||
|
doris-authentik-outpost:
|
||||||
|
rule: Host(`doris.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`)
|
||||||
|
priority: 15
|
||||||
|
entryPoints: [web]
|
||||||
|
service: authentik-outpost
|
||||||
|
middlewares:
|
||||||
|
- security-headers
|
||||||
|
|
||||||
|
doris:
|
||||||
|
rule: Host(`doris.paccoco.com`)
|
||||||
|
entryPoints: [web]
|
||||||
|
service: doris-dashboard
|
||||||
|
middlewares:
|
||||||
|
- security-headers
|
||||||
|
- authentik-forwardauth
|
||||||
|
|
||||||
gitea-authentik-outpost:
|
gitea-authentik-outpost:
|
||||||
rule: Host(`gitea.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`)
|
rule: Host(`gitea.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`)
|
||||||
@@ -90,6 +107,12 @@ http:
|
|||||||
servers:
|
servers:
|
||||||
- url: https://technitium-dns-pilot:443
|
- url: https://technitium-dns-pilot:443
|
||||||
|
|
||||||
|
doris-dashboard:
|
||||||
|
loadBalancer:
|
||||||
|
passHostHeader: true
|
||||||
|
servers:
|
||||||
|
- url: http://10.5.30.7:8787
|
||||||
|
|
||||||
middlewares:
|
middlewares:
|
||||||
authelia-forwardauth:
|
authelia-forwardauth:
|
||||||
forwardAuth:
|
forwardAuth:
|
||||||
@@ -124,6 +147,12 @@ http:
|
|||||||
replacement: https://${1}/dashboard/
|
replacement: https://${1}/dashboard/
|
||||||
permanent: false
|
permanent: false
|
||||||
|
|
||||||
|
auth-host-redirect:
|
||||||
|
redirectRegex:
|
||||||
|
regex: ^https?://auth\.paccoco\.com(?:/(.*))?$
|
||||||
|
replacement: https://authentik.paccoco.com/${1}
|
||||||
|
permanent: true
|
||||||
|
|
||||||
security-headers:
|
security-headers:
|
||||||
headers:
|
headers:
|
||||||
frameDeny: true
|
frameDeny: true
|
||||||
|
|||||||
Reference in New Issue
Block a user