1.6 KiB
1.6 KiB
Ingress / Traefik
This stack adds an internal Traefik layer on PD.
Why this exists:
- keep Pangolin as the public tunnel/edge from the VPS
- centralize app routing behind one internal reverse proxy
- put centralized auth in front of selected apps with domain-based policy when needed
- fix browser cert pain for apps like Technitium by terminating the public HTTPS edge before the self-signed backend
- avoid giving Traefik Docker socket access; routes are explicit file-provider config
Design choices:
- Traefik is internal-only on the
pangolinDocker network - no host port publishing
- no ACME on PD
- no Docker provider / no docker.sock mount
- Pangolin resources should target
traefik:80on site 4 when an app is cut over to this layer - Authentik is the public identity front door;
auth.paccoco.comis now a compatibility redirect toauthentik.paccoco.com. - Authelia remains available internally on PD as a legacy component during migration work, but it is no longer the intended public login endpoint.
Current routed hostnames in dynamic config:
auth.paccoco.com-> redirect tohttps://authentik.paccoco.com/doris.paccoco.com-> Doris Dashboard behind Authentik forward-authgitea.paccoco.com-> Giteagrafana.paccoco.com-> Grafanadns.paccoco.com-> Technitium (native OIDC inside the app)traefik.paccoco.com-> Traefik dashboard
Cutover note:
- Deploying this stack does not automatically rewrite Pangolin resources.
- The secure end state is: Pangolin tunnel -> Traefik -> app.
- If an existing Pangolin resource still points directly at an app, that app will keep behaving the old way until its target is changed.