Add internal Traefik ingress for Pangolin and Authelia
This commit is contained in:
@@ -64,6 +64,14 @@ networks:
|
||||
external: true
|
||||
```
|
||||
|
||||
### Internal Ingress Pattern
|
||||
- Pangolin remains the public edge on the VPS.
|
||||
- PD now runs an internal-only Traefik container on the `pangolin` network.
|
||||
- Secure routed apps should move toward: `Pangolin -> Traefik -> app`.
|
||||
- Traefik does not mount `docker.sock`; routes are explicit file-provider config.
|
||||
- Authelia is the policy decision point for per-domain and per-group access.
|
||||
- Internal services can stay HTTP-only behind Traefik unless a backend specifically needs HTTPS.
|
||||
|
||||
### Internal Service Model
|
||||
Internal services run HTTP only behind the reverse proxy. Compose service names used for internal DNS between services in the same stack/network.
|
||||
|
||||
|
||||
@@ -19,12 +19,13 @@ All homelab services, their hosts, ports, and current status.
|
||||
| Homepage | 3300 | http://pd:3300 | ✅ Active |
|
||||
| Dockhand | 3230 | http://pd:3230 | ✅ Active |
|
||||
| Uptime Kuma | 3001 | http://pd:3001 | ✅ Active |
|
||||
| Traefik | internal only | Pangolin-targeted internal ingress on `pangolin` network | ✅ Active |
|
||||
| Gotify | 8443 | https://gotify.paccoco.com | ✅ Active |
|
||||
| Gitea | 3002 / 2222 | http://pd:3002 / http://10.5.30.6:3002 (SSH: `ssh://git@10.5.30.6:2222/<owner>/<repo>.git`) | ✅ Active |
|
||||
| Shlink | 8087 | http://pd:8087 | ✅ Active |
|
||||
| Shlink Web Client | 8088 | http://pd:8088 | ✅ Active |
|
||||
| RackPeek | 8283 | http://pd:8283 | ✅ Active |
|
||||
| Authelia | 9091 | http://pd:9091 / https://auth.paccoco.com | ✅ Active internally on PD; public Pangolin route still pending |
|
||||
| Authelia | 9091 | http://pd:9091 / https://auth.paccoco.com | ✅ Active internally on PD; Traefik is ready to enforce app auth once Pangolin targets are cut over |
|
||||
|
||||
## AI Stack
|
||||
|
||||
|
||||
@@ -14,7 +14,25 @@ Authelia is the staged identity provider for the homelab.
|
||||
- stack path: identity/
|
||||
- host target: PlausibleDeniability
|
||||
- public entrypoint: auth.paccoco.com
|
||||
- status: repo-staged, not assumed live until deployed on PD
|
||||
- status: Authelia is live on PD; Traefik-based protected app routing is the next cutover layer
|
||||
|
||||
## Access-control direction
|
||||
|
||||
Traefik is the internal router and Authelia is the policy engine.
|
||||
|
||||
Current intended protected domains:
|
||||
- `gitea.paccoco.com`
|
||||
- `grafana.paccoco.com`
|
||||
- `dns.paccoco.com`
|
||||
- `traefik.paccoco.com`
|
||||
|
||||
Current baseline group policy:
|
||||
- `admins` -> full access to the domains above
|
||||
|
||||
Planned expansion pattern:
|
||||
- create additional Authelia groups per audience or app class
|
||||
- grant access in `access_control.rules` by domain + `group:<name>` subject
|
||||
- keep Pangolin SSO disabled for routes that Traefik/Authelia protect, to avoid double auth
|
||||
|
||||
## Initial bootstrap flow
|
||||
|
||||
|
||||
Reference in New Issue
Block a user