Add internal Traefik ingress for Pangolin and Authelia
This commit is contained in:
@@ -14,7 +14,25 @@ Authelia is the staged identity provider for the homelab.
|
||||
- stack path: identity/
|
||||
- host target: PlausibleDeniability
|
||||
- public entrypoint: auth.paccoco.com
|
||||
- status: repo-staged, not assumed live until deployed on PD
|
||||
- status: Authelia is live on PD; Traefik-based protected app routing is the next cutover layer
|
||||
|
||||
## Access-control direction
|
||||
|
||||
Traefik is the internal router and Authelia is the policy engine.
|
||||
|
||||
Current intended protected domains:
|
||||
- `gitea.paccoco.com`
|
||||
- `grafana.paccoco.com`
|
||||
- `dns.paccoco.com`
|
||||
- `traefik.paccoco.com`
|
||||
|
||||
Current baseline group policy:
|
||||
- `admins` -> full access to the domains above
|
||||
|
||||
Planned expansion pattern:
|
||||
- create additional Authelia groups per audience or app class
|
||||
- grant access in `access_control.rules` by domain + `group:<name>` subject
|
||||
- keep Pangolin SSO disabled for routes that Traefik/Authelia protect, to avoid double auth
|
||||
|
||||
## Initial bootstrap flow
|
||||
|
||||
|
||||
Reference in New Issue
Block a user