# Ingress / Traefik This stack adds an internal Traefik layer on PD. Why this exists: - keep Pangolin as the public tunnel/edge from the VPS - centralize app routing behind one internal reverse proxy - put centralized auth in front of selected apps with domain-based policy when needed - fix browser cert pain for apps like Technitium by terminating the public HTTPS edge before the self-signed backend - avoid giving Traefik Docker socket access; routes are explicit file-provider config Design choices: - Traefik is internal-only on the `pangolin` Docker network - no host port publishing - no ACME on PD - no Docker provider / no docker.sock mount - Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer - Authentik is the public identity front door; `auth.paccoco.com` is now a compatibility redirect to `authentik.paccoco.com`. - Authelia remains available internally on PD as a legacy component during migration work, but it is no longer the intended public login endpoint. Current routed hostnames in dynamic config: - `auth.paccoco.com` -> redirect to `https://authentik.paccoco.com/` - `doris.paccoco.com` -> Doris Dashboard behind Authentik forward-auth - `gitea.paccoco.com` -> Gitea - `grafana.paccoco.com` -> Grafana - `dns.paccoco.com` -> Technitium (native OIDC inside the app) - `traefik.paccoco.com` -> Traefik dashboard Cutover note: - Deploying this stack does not automatically rewrite Pangolin resources. - The secure end state is: Pangolin tunnel -> Traefik -> app. - If an existing Pangolin resource still points directly at an app, that app will keep behaving the old way until its target is changed.