From db418619355a5aafa20e26339c39f0029a79a0ba Mon Sep 17 00:00:00 2001 From: Fizzlepoof Date: Sat, 23 May 2026 22:24:33 +0000 Subject: [PATCH] ingress: switch dns hostname to technitium native oidc --- docs/operations/IDENTITY_AND_SSO.md | 4 +- ingress/README.md | 12 +++--- ingress/traefik/dynamic/routes.yml | 62 ++++++++++++++++++++++++++--- 3 files changed, 66 insertions(+), 12 deletions(-) diff --git a/docs/operations/IDENTITY_AND_SSO.md b/docs/operations/IDENTITY_AND_SSO.md index 45b54ea..0373ffb 100644 --- a/docs/operations/IDENTITY_AND_SSO.md +++ b/docs/operations/IDENTITY_AND_SSO.md @@ -23,9 +23,11 @@ Traefik is the internal router and Authelia is the policy engine. Current intended protected domains: - `gitea.paccoco.com` - `grafana.paccoco.com` -- `dns.paccoco.com` - `traefik.paccoco.com` +App-native SSO exception: +- `dns.paccoco.com` now uses Technitium's own OIDC flow with Authentik instead of Traefik forward-auth, so the app owns `/sso/login` and `/sso/callback` directly. + Current baseline group policy: - `admins` -> full access to the domains above diff --git a/ingress/README.md b/ingress/README.md index ed5a8e2..cc2653e 100644 --- a/ingress/README.md +++ b/ingress/README.md @@ -5,7 +5,7 @@ This stack adds an internal Traefik layer on PD. Why this exists: - keep Pangolin as the public tunnel/edge from the VPS - centralize app routing behind one internal reverse proxy -- put Authelia in front of selected apps with domain-based policy +- put centralized auth in front of selected apps with domain-based policy when needed - fix browser cert pain for apps like Technitium by terminating the public HTTPS edge before the self-signed backend - avoid giving Traefik Docker socket access; routes are explicit file-provider config @@ -15,14 +15,14 @@ Design choices: - no ACME on PD - no Docker provider / no docker.sock mount - Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer -- Authelia remains the identity decision point for domain/group access +- Authelia remains the identity decision point for `auth.paccoco.com` while migrated apps can use either Traefik forward-auth or app-native OIDC depending on the service. Current routed hostnames in dynamic config: - `auth.paccoco.com` -> Authelia -- `gitea.paccoco.com` -> Gitea (Authelia-protected) -- `grafana.paccoco.com` -> Grafana (Authelia-protected) -- `dns.paccoco.com` -> Technitium (Authelia-protected) -- `traefik.paccoco.com` -> Traefik dashboard (Authelia-protected) +- `gitea.paccoco.com` -> Gitea +- `grafana.paccoco.com` -> Grafana +- `dns.paccoco.com` -> Technitium (native OIDC inside the app) +- `traefik.paccoco.com` -> Traefik dashboard Cutover note: - Deploying this stack does not automatically rewrite Pangolin resources. diff --git a/ingress/traefik/dynamic/routes.yml b/ingress/traefik/dynamic/routes.yml index c4195ce..077964b 100644 --- a/ingress/traefik/dynamic/routes.yml +++ b/ingress/traefik/dynamic/routes.yml @@ -7,13 +7,20 @@ http: middlewares: - security-headers + gitea-authentik-outpost: + rule: Host(`gitea.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`) + priority: 15 + entryPoints: [web] + service: authentik-outpost + middlewares: + - security-headers + gitea: rule: Host(`gitea.paccoco.com`) entryPoints: [web] service: gitea middlewares: - security-headers - - authelia-forwardauth grafana: rule: Host(`grafana.paccoco.com`) @@ -28,15 +35,32 @@ http: service: technitium middlewares: - security-headers - - authelia-forwardauth - traefik-dashboard: - rule: Host(`traefik.paccoco.com`) + traefik-dashboard-authentik-outpost: + rule: Host(`traefik.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`) + priority: 20 + entryPoints: [web] + service: authentik-outpost + middlewares: + - security-headers + + traefik-dashboard-root: + rule: Host(`traefik.paccoco.com`) && Path(`/`) + priority: 15 entryPoints: [web] service: api@internal middlewares: - security-headers - - authelia-forwardauth + - traefik-dashboard-root-redirect + + traefik-dashboard: + rule: Host(`traefik.paccoco.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`)) + priority: 10 + entryPoints: [web] + service: api@internal + middlewares: + - security-headers + - authentik-forwardauth services: authelia: @@ -44,6 +68,11 @@ http: servers: - url: http://authelia:9091 + authentik-outpost: + loadBalancer: + servers: + - url: http://authentik-server:9000 + gitea: loadBalancer: servers: @@ -72,6 +101,29 @@ http: - Remote-Name - Remote-Email + authentik-forwardauth: + forwardAuth: + address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-entitlements + + traefik-dashboard-root-redirect: + redirectRegex: + regex: ^https?://([^/]+)/?$ + replacement: https://${1}/dashboard/ + permanent: false + security-headers: headers: frameDeny: true