Files
truenas-stacks/ingress/README.md
Fizzlepoof 2057c8aaa5
Some checks failed
secret-guardrails / artifact-secret-scan (push) Has been cancelled
secret-guardrails / gitleaks (push) Has been cancelled
Cut Doris over to Authentik ingress
2026-05-24 18:59:36 +00:00

1.6 KiB

Ingress / Traefik

This stack adds an internal Traefik layer on PD.

Why this exists:

  • keep Pangolin as the public tunnel/edge from the VPS
  • centralize app routing behind one internal reverse proxy
  • put centralized auth in front of selected apps with domain-based policy when needed
  • fix browser cert pain for apps like Technitium by terminating the public HTTPS edge before the self-signed backend
  • avoid giving Traefik Docker socket access; routes are explicit file-provider config

Design choices:

  • Traefik is internal-only on the pangolin Docker network
  • no host port publishing
  • no ACME on PD
  • no Docker provider / no docker.sock mount
  • Pangolin resources should target traefik:80 on site 4 when an app is cut over to this layer
  • Authentik is the public identity front door; auth.paccoco.com is now a compatibility redirect to authentik.paccoco.com.
  • Authelia remains available internally on PD as a legacy component during migration work, but it is no longer the intended public login endpoint.

Current routed hostnames in dynamic config:

  • auth.paccoco.com -> redirect to https://authentik.paccoco.com/
  • doris.paccoco.com -> Doris Dashboard behind Authentik forward-auth
  • gitea.paccoco.com -> Gitea
  • grafana.paccoco.com -> Grafana
  • dns.paccoco.com -> Technitium (native OIDC inside the app)
  • traefik.paccoco.com -> Traefik dashboard

Cutover note:

  • Deploying this stack does not automatically rewrite Pangolin resources.
  • The secure end state is: Pangolin tunnel -> Traefik -> app.
  • If an existing Pangolin resource still points directly at an app, that app will keep behaving the old way until its target is changed.