Add internal Traefik ingress for Pangolin and Authelia
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled

This commit is contained in:
Fizzlepoof
2026-05-23 10:59:20 +00:00
parent 889783e621
commit 5c6b3cab4d
14 changed files with 499 additions and 6 deletions

View File

@@ -14,7 +14,25 @@ Authelia is the staged identity provider for the homelab.
- stack path: identity/
- host target: PlausibleDeniability
- public entrypoint: auth.paccoco.com
- status: repo-staged, not assumed live until deployed on PD
- status: Authelia is live on PD; Traefik-based protected app routing is the next cutover layer
## Access-control direction
Traefik is the internal router and Authelia is the policy engine.
Current intended protected domains:
- `gitea.paccoco.com`
- `grafana.paccoco.com`
- `dns.paccoco.com`
- `traefik.paccoco.com`
Current baseline group policy:
- `admins` -> full access to the domains above
Planned expansion pattern:
- create additional Authelia groups per audience or app class
- grant access in `access_control.rules` by domain + `group:<name>` subject
- keep Pangolin SSO disabled for routes that Traefik/Authelia protect, to avoid double auth
## Initial bootstrap flow