Add internal Traefik ingress for Pangolin and Authelia
This commit is contained in:
30
ingress/README.md
Normal file
30
ingress/README.md
Normal file
@@ -0,0 +1,30 @@
|
||||
# Ingress / Traefik
|
||||
|
||||
This stack adds an internal Traefik layer on PD.
|
||||
|
||||
Why this exists:
|
||||
- keep Pangolin as the public tunnel/edge from the VPS
|
||||
- centralize app routing behind one internal reverse proxy
|
||||
- put Authelia in front of selected apps with domain-based policy
|
||||
- fix browser cert pain for apps like Technitium by terminating the public HTTPS edge before the self-signed backend
|
||||
- avoid giving Traefik Docker socket access; routes are explicit file-provider config
|
||||
|
||||
Design choices:
|
||||
- Traefik is internal-only on the `pangolin` Docker network
|
||||
- no host port publishing
|
||||
- no ACME on PD
|
||||
- no Docker provider / no docker.sock mount
|
||||
- Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer
|
||||
- Authelia remains the identity decision point for domain/group access
|
||||
|
||||
Current routed hostnames in dynamic config:
|
||||
- `auth.paccoco.com` -> Authelia
|
||||
- `gitea.paccoco.com` -> Gitea (Authelia-protected)
|
||||
- `grafana.paccoco.com` -> Grafana (Authelia-protected)
|
||||
- `dns.paccoco.com` -> Technitium (Authelia-protected)
|
||||
- `traefik.paccoco.com` -> Traefik dashboard (Authelia-protected)
|
||||
|
||||
Cutover note:
|
||||
- Deploying this stack does not automatically rewrite Pangolin resources.
|
||||
- The secure end state is: Pangolin tunnel -> Traefik -> app.
|
||||
- If an existing Pangolin resource still points directly at an app, that app will keep behaving the old way until its target is changed.
|
||||
Reference in New Issue
Block a user