2206b809e7
Storage Traefik calling the public auth.gymb.* FQDN hit Authentik's ASGI handler, which 404s the /outpost.goauthentik.io/auth/traefik path. Add a dedicated outpost.auth.int.gymb.* FQDN outside authentik_domains so the request falls through to the embedded outpost, pinned to the application host via traefik_extra_hosts to stay on the LAN. - authentik: add authentik_outpost_domains; allow users group on drawio proxy so the Nextcloud drawio iframe works for non-admins - garage: point webui ForwardAuth at the new outpost FQDN - homarr: use public OIDC issuer to match the iss claim, enable auto-login, pin auth FQDN to LAN via extra_hosts - opnform: intercept / and /login for SSO, keep break-glass bypass - drawio: align comments with admins+users allow-list
20 lines
1 KiB
YAML
20 lines
1 KiB
YAML
---
|
|
drawio_domain: "draw.gymb.souveredu.ch"
|
|
|
|
# Internal FQDN the DMZ reverseproxy uses as backend host so its TLS
|
|
# verify matches a cert SAN (the canonical IP-only route has no SAN
|
|
# and breaks with "cannot validate certificate ... no IP SANs"). Same
|
|
# split-horizon pattern as cloud.int.* / auth.int.* / office.int.*.
|
|
drawio_extra_domains:
|
|
- "draw.int.gymb.souveredu.ch"
|
|
|
|
# Gate drawio behind the authentik embedded outpost. The allow-list is
|
|
# managed on the authentik proxy application (admins + users) so the
|
|
# Nextcloud drawio iframe works for every authenticated user.
|
|
# ForwardAuth talks to the embedded outpost on the authentik server's
|
|
# in-network address. Going via the public FQDN routes through a second
|
|
# traefik hop that strips/rewrites X-Forwarded-Host, which breaks
|
|
# authentik's provider matching (it returns 404). Plain HTTP to the
|
|
# container is the path docs recommend for the embedded outpost.
|
|
drawio_authentik_forward_auth: true
|
|
drawio_authentik_forward_auth_url: "http://authentik-server-1:9000/outpost.goauthentik.io/auth/traefik"
|