33 lines
1.6 KiB
Markdown
33 lines
1.6 KiB
Markdown
# Ingress / Traefik
|
|
|
|
This stack adds an internal Traefik layer on PD.
|
|
|
|
Why this exists:
|
|
- keep Pangolin as the public tunnel/edge from the VPS
|
|
- centralize app routing behind one internal reverse proxy
|
|
- put centralized auth in front of selected apps with domain-based policy when needed
|
|
- fix browser cert pain for apps like Technitium by terminating the public HTTPS edge before the self-signed backend
|
|
- avoid giving Traefik Docker socket access; routes are explicit file-provider config
|
|
|
|
Design choices:
|
|
- Traefik is internal-only on the `pangolin` Docker network
|
|
- no host port publishing
|
|
- no ACME on PD
|
|
- no Docker provider / no docker.sock mount
|
|
- Pangolin resources should target `traefik:80` on site 4 when an app is cut over to this layer
|
|
- Authentik is the public identity front door; `auth.paccoco.com` is now a compatibility redirect to `authentik.paccoco.com`.
|
|
- Authelia remains available internally on PD as a legacy component during migration work, but it is no longer the intended public login endpoint.
|
|
|
|
Current routed hostnames in dynamic config:
|
|
- `auth.paccoco.com` -> redirect to `https://authentik.paccoco.com/`
|
|
- `doris.paccoco.com` -> Doris Dashboard behind Authentik forward-auth
|
|
- `gitea.paccoco.com` -> Gitea
|
|
- `grafana.paccoco.com` -> Grafana
|
|
- `dns.paccoco.com` -> Technitium (native OIDC inside the app)
|
|
- `traefik.paccoco.com` -> Traefik dashboard
|
|
|
|
Cutover note:
|
|
- Deploying this stack does not automatically rewrite Pangolin resources.
|
|
- The secure end state is: Pangolin tunnel -> Traefik -> app.
|
|
- If an existing Pangolin resource still points directly at an app, that app will keep behaving the old way until its target is changed.
|