ingress: switch dns hostname to technitium native oidc
This commit is contained in:
@@ -23,9 +23,11 @@ Traefik is the internal router and Authelia is the policy engine.
|
||||
Current intended protected domains:
|
||||
- `gitea.paccoco.com`
|
||||
- `grafana.paccoco.com`
|
||||
- `dns.paccoco.com`
|
||||
- `traefik.paccoco.com`
|
||||
|
||||
App-native SSO exception:
|
||||
- `dns.paccoco.com` now uses Technitium's own OIDC flow with Authentik instead of Traefik forward-auth, so the app owns `/sso/login` and `/sso/callback` directly.
|
||||
|
||||
Current baseline group policy:
|
||||
- `admins` -> full access to the domains above
|
||||
|
||||
|
||||
@@ -5,7 +5,7 @@ This stack adds an internal Traefik layer on PD.
|
||||
Why this exists:
|
||||
- keep Pangolin as the public tunnel/edge from the VPS
|
||||
- centralize app routing behind one internal reverse proxy
|
||||
- put Authelia in front of selected apps with domain-based policy
|
||||
- put centralized auth in front of selected apps with domain-based policy when needed
|
||||
- fix browser cert pain for apps like Technitium by terminating the public HTTPS edge before the self-signed backend
|
||||
- avoid giving Traefik Docker socket access; routes are explicit file-provider config
|
||||
|
||||
@@ -15,14 +15,14 @@ Design choices:
|
||||
- no ACME on PD
|
||||
- no Docker provider / no docker.sock mount
|
||||
- Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer
|
||||
- Authelia remains the identity decision point for domain/group access
|
||||
- Authelia remains the identity decision point for `auth.paccoco.com` while migrated apps can use either Traefik forward-auth or app-native OIDC depending on the service.
|
||||
|
||||
Current routed hostnames in dynamic config:
|
||||
- `auth.paccoco.com` -> Authelia
|
||||
- `gitea.paccoco.com` -> Gitea (Authelia-protected)
|
||||
- `grafana.paccoco.com` -> Grafana (Authelia-protected)
|
||||
- `dns.paccoco.com` -> Technitium (Authelia-protected)
|
||||
- `traefik.paccoco.com` -> Traefik dashboard (Authelia-protected)
|
||||
- `gitea.paccoco.com` -> Gitea
|
||||
- `grafana.paccoco.com` -> Grafana
|
||||
- `dns.paccoco.com` -> Technitium (native OIDC inside the app)
|
||||
- `traefik.paccoco.com` -> Traefik dashboard
|
||||
|
||||
Cutover note:
|
||||
- Deploying this stack does not automatically rewrite Pangolin resources.
|
||||
|
||||
@@ -7,13 +7,20 @@ http:
|
||||
middlewares:
|
||||
- security-headers
|
||||
|
||||
gitea-authentik-outpost:
|
||||
rule: Host(`gitea.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`)
|
||||
priority: 15
|
||||
entryPoints: [web]
|
||||
service: authentik-outpost
|
||||
middlewares:
|
||||
- security-headers
|
||||
|
||||
gitea:
|
||||
rule: Host(`gitea.paccoco.com`)
|
||||
entryPoints: [web]
|
||||
service: gitea
|
||||
middlewares:
|
||||
- security-headers
|
||||
- authelia-forwardauth
|
||||
|
||||
grafana:
|
||||
rule: Host(`grafana.paccoco.com`)
|
||||
@@ -28,15 +35,32 @@ http:
|
||||
service: technitium
|
||||
middlewares:
|
||||
- security-headers
|
||||
- authelia-forwardauth
|
||||
|
||||
traefik-dashboard:
|
||||
rule: Host(`traefik.paccoco.com`)
|
||||
traefik-dashboard-authentik-outpost:
|
||||
rule: Host(`traefik.paccoco.com`) && PathPrefix(`/outpost.goauthentik.io/`)
|
||||
priority: 20
|
||||
entryPoints: [web]
|
||||
service: authentik-outpost
|
||||
middlewares:
|
||||
- security-headers
|
||||
|
||||
traefik-dashboard-root:
|
||||
rule: Host(`traefik.paccoco.com`) && Path(`/`)
|
||||
priority: 15
|
||||
entryPoints: [web]
|
||||
service: api@internal
|
||||
middlewares:
|
||||
- security-headers
|
||||
- authelia-forwardauth
|
||||
- traefik-dashboard-root-redirect
|
||||
|
||||
traefik-dashboard:
|
||||
rule: Host(`traefik.paccoco.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
|
||||
priority: 10
|
||||
entryPoints: [web]
|
||||
service: api@internal
|
||||
middlewares:
|
||||
- security-headers
|
||||
- authentik-forwardauth
|
||||
|
||||
services:
|
||||
authelia:
|
||||
@@ -44,6 +68,11 @@ http:
|
||||
servers:
|
||||
- url: http://authelia:9091
|
||||
|
||||
authentik-outpost:
|
||||
loadBalancer:
|
||||
servers:
|
||||
- url: http://authentik-server:9000
|
||||
|
||||
gitea:
|
||||
loadBalancer:
|
||||
servers:
|
||||
@@ -72,6 +101,29 @@ http:
|
||||
- Remote-Name
|
||||
- Remote-Email
|
||||
|
||||
authentik-forwardauth:
|
||||
forwardAuth:
|
||||
address: http://authentik-server:9000/outpost.goauthentik.io/auth/traefik
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- X-authentik-username
|
||||
- X-authentik-groups
|
||||
- X-authentik-email
|
||||
- X-authentik-name
|
||||
- X-authentik-uid
|
||||
- X-authentik-jwt
|
||||
- X-authentik-meta-jwks
|
||||
- X-authentik-meta-outpost
|
||||
- X-authentik-meta-provider
|
||||
- X-authentik-meta-app
|
||||
- X-authentik-entitlements
|
||||
|
||||
traefik-dashboard-root-redirect:
|
||||
redirectRegex:
|
||||
regex: ^https?://([^/]+)/?$
|
||||
replacement: https://${1}/dashboard/
|
||||
permanent: false
|
||||
|
||||
security-headers:
|
||||
headers:
|
||||
frameDeny: true
|
||||
|
||||
Reference in New Issue
Block a user