ingress: switch dns hostname to technitium native oidc
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled

This commit is contained in:
Fizzlepoof
2026-05-23 22:24:33 +00:00
parent 26d5407b86
commit db41861935
3 changed files with 66 additions and 12 deletions

View File

@@ -23,9 +23,11 @@ Traefik is the internal router and Authelia is the policy engine.
Current intended protected domains:
- `gitea.paccoco.com`
- `grafana.paccoco.com`
- `dns.paccoco.com`
- `traefik.paccoco.com`
App-native SSO exception:
- `dns.paccoco.com` now uses Technitium's own OIDC flow with Authentik instead of Traefik forward-auth, so the app owns `/sso/login` and `/sso/callback` directly.
Current baseline group policy:
- `admins` -> full access to the domains above

View File

@@ -5,7 +5,7 @@ This stack adds an internal Traefik layer on PD.
Why this exists:
- keep Pangolin as the public tunnel/edge from the VPS
- centralize app routing behind one internal reverse proxy
- put Authelia in front of selected apps with domain-based policy
- put centralized auth in front of selected apps with domain-based policy when needed
- fix browser cert pain for apps like Technitium by terminating the public HTTPS edge before the self-signed backend
- avoid giving Traefik Docker socket access; routes are explicit file-provider config
@@ -15,14 +15,14 @@ Design choices:
- no ACME on PD
- no Docker provider / no docker.sock mount
- Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer
- Authelia remains the identity decision point for domain/group access
- Authelia remains the identity decision point for `auth.paccoco.com` while migrated apps can use either Traefik forward-auth or app-native OIDC depending on the service.
Current routed hostnames in dynamic config:
- `auth.paccoco.com` -> Authelia
- `gitea.paccoco.com` -> Gitea (Authelia-protected)
- `grafana.paccoco.com` -> Grafana (Authelia-protected)
- `dns.paccoco.com` -> Technitium (Authelia-protected)
- `traefik.paccoco.com` -> Traefik dashboard (Authelia-protected)
- `gitea.paccoco.com` -> Gitea
- `grafana.paccoco.com` -> Grafana
- `dns.paccoco.com` -> Technitium (native OIDC inside the app)
- `traefik.paccoco.com` -> Traefik dashboard
Cutover note:
- Deploying this stack does not automatically rewrite Pangolin resources.

View File

@@ -7,13 +7,20 @@ http:
middlewares:
- security-headers
gitea-authentik-outpost:
rule: Host(`gitea.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`)
priority: 15
entryPoints: [web]
service: authentik-outpost
middlewares:
- security-headers
gitea:
rule: Host(`gitea.paccoco.com`)
entryPoints: [web]
service: gitea
middlewares:
- security-headers
- authelia-forwardauth
grafana:
rule: Host(`grafana.paccoco.com`)
@@ -28,15 +35,32 @@ http:
service: technitium
middlewares:
- security-headers
- authelia-forwardauth
traefik-dashboard:
rule: Host(`traefik.paccoco.com`)
traefik-dashboard-authentik-outpost:
rule: Host(`traefik.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`)
priority: 20
entryPoints: [web]
service: authentik-outpost
middlewares:
- security-headers
traefik-dashboard-root:
rule: Host(`traefik.paccoco.com`) && Path(`/`)
priority: 15
entryPoints: [web]
service: api@internal
middlewares:
- security-headers
- authelia-forwardauth
- traefik-dashboard-root-redirect
traefik-dashboard:
rule: Host(`traefik.paccoco.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
priority: 10
entryPoints: [web]
service: api@internal
middlewares:
- security-headers
- authentik-forwardauth
services:
authelia:
@@ -44,6 +68,11 @@ http:
servers:
- url: http://authelia:9091
authentik-outpost:
loadBalancer:
servers:
- url: http://authentik-server:9000
gitea:
loadBalancer:
servers:
@@ -72,6 +101,29 @@ http:
- Remote-Name
- Remote-Email
authentik-forwardauth:
forwardAuth:
address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-entitlements
traefik-dashboard-root-redirect:
redirectRegex:
regex: ^https?://([^/]+)/?$
replacement: https://${1}/dashboard/
permanent: false
security-headers:
headers:
frameDeny: true