ingress: switch dns hostname to technitium native oidc
This commit is contained in:
@@ -23,9 +23,11 @@ Traefik is the internal router and Authelia is the policy engine.
|
|||||||
Current intended protected domains:
|
Current intended protected domains:
|
||||||
- `gitea.paccoco.com`
|
- `gitea.paccoco.com`
|
||||||
- `grafana.paccoco.com`
|
- `grafana.paccoco.com`
|
||||||
- `dns.paccoco.com`
|
|
||||||
- `traefik.paccoco.com`
|
- `traefik.paccoco.com`
|
||||||
|
|
||||||
|
App-native SSO exception:
|
||||||
|
- `dns.paccoco.com` now uses Technitium's own OIDC flow with Authentik instead of Traefik forward-auth, so the app owns `/sso/login` and `/sso/callback` directly.
|
||||||
|
|
||||||
Current baseline group policy:
|
Current baseline group policy:
|
||||||
- `admins` -> full access to the domains above
|
- `admins` -> full access to the domains above
|
||||||
|
|
||||||
|
|||||||
@@ -5,7 +5,7 @@ This stack adds an internal Traefik layer on PD.
|
|||||||
Why this exists:
|
Why this exists:
|
||||||
- keep Pangolin as the public tunnel/edge from the VPS
|
- keep Pangolin as the public tunnel/edge from the VPS
|
||||||
- centralize app routing behind one internal reverse proxy
|
- centralize app routing behind one internal reverse proxy
|
||||||
- put Authelia in front of selected apps with domain-based policy
|
- put centralized auth in front of selected apps with domain-based policy when needed
|
||||||
- fix browser cert pain for apps like Technitium by terminating the public HTTPS edge before the self-signed backend
|
- fix browser cert pain for apps like Technitium by terminating the public HTTPS edge before the self-signed backend
|
||||||
- avoid giving Traefik Docker socket access; routes are explicit file-provider config
|
- avoid giving Traefik Docker socket access; routes are explicit file-provider config
|
||||||
|
|
||||||
@@ -15,14 +15,14 @@ Design choices:
|
|||||||
- no ACME on PD
|
- no ACME on PD
|
||||||
- no Docker provider / no docker.sock mount
|
- no Docker provider / no docker.sock mount
|
||||||
- Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer
|
- Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer
|
||||||
- Authelia remains the identity decision point for domain/group access
|
- Authelia remains the identity decision point for `auth.paccoco.com` while migrated apps can use either Traefik forward-auth or app-native OIDC depending on the service.
|
||||||
|
|
||||||
Current routed hostnames in dynamic config:
|
Current routed hostnames in dynamic config:
|
||||||
- `auth.paccoco.com` -> Authelia
|
- `auth.paccoco.com` -> Authelia
|
||||||
- `gitea.paccoco.com` -> Gitea (Authelia-protected)
|
- `gitea.paccoco.com` -> Gitea
|
||||||
- `grafana.paccoco.com` -> Grafana (Authelia-protected)
|
- `grafana.paccoco.com` -> Grafana
|
||||||
- `dns.paccoco.com` -> Technitium (Authelia-protected)
|
- `dns.paccoco.com` -> Technitium (native OIDC inside the app)
|
||||||
- `traefik.paccoco.com` -> Traefik dashboard (Authelia-protected)
|
- `traefik.paccoco.com` -> Traefik dashboard
|
||||||
|
|
||||||
Cutover note:
|
Cutover note:
|
||||||
- Deploying this stack does not automatically rewrite Pangolin resources.
|
- Deploying this stack does not automatically rewrite Pangolin resources.
|
||||||
|
|||||||
@@ -7,13 +7,20 @@ http:
|
|||||||
middlewares:
|
middlewares:
|
||||||
- security-headers
|
- security-headers
|
||||||
|
|
||||||
|
gitea-authentik-outpost:
|
||||||
|
rule: Host(`gitea.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`)
|
||||||
|
priority: 15
|
||||||
|
entryPoints: [web]
|
||||||
|
service: authentik-outpost
|
||||||
|
middlewares:
|
||||||
|
- security-headers
|
||||||
|
|
||||||
gitea:
|
gitea:
|
||||||
rule: Host(`gitea.paccoco.com`)
|
rule: Host(`gitea.paccoco.com`)
|
||||||
entryPoints: [web]
|
entryPoints: [web]
|
||||||
service: gitea
|
service: gitea
|
||||||
middlewares:
|
middlewares:
|
||||||
- security-headers
|
- security-headers
|
||||||
- authelia-forwardauth
|
|
||||||
|
|
||||||
grafana:
|
grafana:
|
||||||
rule: Host(`grafana.paccoco.com`)
|
rule: Host(`grafana.paccoco.com`)
|
||||||
@@ -28,15 +35,32 @@ http:
|
|||||||
service: technitium
|
service: technitium
|
||||||
middlewares:
|
middlewares:
|
||||||
- security-headers
|
- security-headers
|
||||||
- authelia-forwardauth
|
|
||||||
|
|
||||||
traefik-dashboard:
|
traefik-dashboard-authentik-outpost:
|
||||||
rule: Host(`traefik.paccoco.com`)
|
rule: Host(`traefik.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`)
|
||||||
|
priority: 20
|
||||||
|
entryPoints: [web]
|
||||||
|
service: authentik-outpost
|
||||||
|
middlewares:
|
||||||
|
- security-headers
|
||||||
|
|
||||||
|
traefik-dashboard-root:
|
||||||
|
rule: Host(`traefik.paccoco.com`) && Path(`/`)
|
||||||
|
priority: 15
|
||||||
entryPoints: [web]
|
entryPoints: [web]
|
||||||
service: api@internal
|
service: api@internal
|
||||||
middlewares:
|
middlewares:
|
||||||
- security-headers
|
- security-headers
|
||||||
- authelia-forwardauth
|
- traefik-dashboard-root-redirect
|
||||||
|
|
||||||
|
traefik-dashboard:
|
||||||
|
rule: Host(`traefik.paccoco.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
|
||||||
|
priority: 10
|
||||||
|
entryPoints: [web]
|
||||||
|
service: api@internal
|
||||||
|
middlewares:
|
||||||
|
- security-headers
|
||||||
|
- authentik-forwardauth
|
||||||
|
|
||||||
services:
|
services:
|
||||||
authelia:
|
authelia:
|
||||||
@@ -44,6 +68,11 @@ http:
|
|||||||
servers:
|
servers:
|
||||||
- url: http://authelia:9091
|
- url: http://authelia:9091
|
||||||
|
|
||||||
|
authentik-outpost:
|
||||||
|
loadBalancer:
|
||||||
|
servers:
|
||||||
|
- url: http://authentik-server:9000
|
||||||
|
|
||||||
gitea:
|
gitea:
|
||||||
loadBalancer:
|
loadBalancer:
|
||||||
servers:
|
servers:
|
||||||
@@ -72,6 +101,29 @@ http:
|
|||||||
- Remote-Name
|
- Remote-Name
|
||||||
- Remote-Email
|
- Remote-Email
|
||||||
|
|
||||||
|
authentik-forwardauth:
|
||||||
|
forwardAuth:
|
||||||
|
address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
|
||||||
|
trustForwardHeader: true
|
||||||
|
authResponseHeaders:
|
||||||
|
- X-authentik-username
|
||||||
|
- X-authentik-groups
|
||||||
|
- X-authentik-email
|
||||||
|
- X-authentik-name
|
||||||
|
- X-authentik-uid
|
||||||
|
- X-authentik-jwt
|
||||||
|
- X-authentik-meta-jwks
|
||||||
|
- X-authentik-meta-outpost
|
||||||
|
- X-authentik-meta-provider
|
||||||
|
- X-authentik-meta-app
|
||||||
|
- X-authentik-entitlements
|
||||||
|
|
||||||
|
traefik-dashboard-root-redirect:
|
||||||
|
redirectRegex:
|
||||||
|
regex: ^https?://([^/]+)/?$
|
||||||
|
replacement: https://${1}/dashboard/
|
||||||
|
permanent: false
|
||||||
|
|
||||||
security-headers:
|
security-headers:
|
||||||
headers:
|
headers:
|
||||||
frameDeny: true
|
frameDeny: true
|
||||||
|
|||||||
Reference in New Issue
Block a user