Add internal Traefik ingress for Pangolin and Authelia
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled

This commit is contained in:
Fizzlepoof
2026-05-23 10:59:20 +00:00
parent 889783e621
commit 5c6b3cab4d
14 changed files with 499 additions and 6 deletions

View File

@@ -64,6 +64,14 @@ networks:
external: true
```
### Internal Ingress Pattern
- Pangolin remains the public edge on the VPS.
- PD now runs an internal-only Traefik container on the `pangolin` network.
- Secure routed apps should move toward: `Pangolin -> Traefik -> app`.
- Traefik does not mount `docker.sock`; routes are explicit file-provider config.
- Authelia is the policy decision point for per-domain and per-group access.
- Internal services can stay HTTP-only behind Traefik unless a backend specifically needs HTTPS.
### Internal Service Model
Internal services run HTTP only behind the reverse proxy. Compose service names used for internal DNS between services in the same stack/network.

View File

@@ -19,12 +19,13 @@ All homelab services, their hosts, ports, and current status.
| Homepage | 3300 | http://pd:3300 | ✅ Active |
| Dockhand | 3230 | http://pd:3230 | ✅ Active |
| Uptime Kuma | 3001 | http://pd:3001 | ✅ Active |
| Traefik | internal only | Pangolin-targeted internal ingress on `pangolin` network | ✅ Active |
| Gotify | 8443 | https://gotify.paccoco.com | ✅ Active |
| Gitea | 3002 / 2222 | http://pd:3002 / http://10.5.30.6:3002 (SSH: `ssh://git@10.5.30.6:2222/<owner>/<repo>.git`) | ✅ Active |
| Shlink | 8087 | http://pd:8087 | ✅ Active |
| Shlink Web Client | 8088 | http://pd:8088 | ✅ Active |
| RackPeek | 8283 | http://pd:8283 | ✅ Active |
| Authelia | 9091 | http://pd:9091 / https://auth.paccoco.com | ✅ Active internally on PD; public Pangolin route still pending |
| Authelia | 9091 | http://pd:9091 / https://auth.paccoco.com | ✅ Active internally on PD; Traefik is ready to enforce app auth once Pangolin targets are cut over |
## AI Stack

View File

@@ -14,7 +14,25 @@ Authelia is the staged identity provider for the homelab.
- stack path: identity/
- host target: PlausibleDeniability
- public entrypoint: auth.paccoco.com
- status: repo-staged, not assumed live until deployed on PD
- status: Authelia is live on PD; Traefik-based protected app routing is the next cutover layer
## Access-control direction
Traefik is the internal router and Authelia is the policy engine.
Current intended protected domains:
- `gitea.paccoco.com`
- `grafana.paccoco.com`
- `dns.paccoco.com`
- `traefik.paccoco.com`
Current baseline group policy:
- `admins` -> full access to the domains above
Planned expansion pattern:
- create additional Authelia groups per audience or app class
- grant access in `access_control.rules` by domain + `group:<name>` subject
- keep Pangolin SSO disabled for routes that Traefik/Authelia protect, to avoid double auth
## Initial bootstrap flow