reference-ansible/inventories/demo-gymburgdorf/host_vars/storage/traefik.yml
Simon Bärlocher 2206b809e7
fix(demo-gymburgdorf): route cross-host ForwardAuth via dedicated outpost FQDN
Storage Traefik calling the public auth.gymb.* FQDN hit Authentik's ASGI
handler, which 404s the /outpost.goauthentik.io/auth/traefik path. Add a
dedicated outpost.auth.int.gymb.* FQDN outside authentik_domains so the
request falls through to the embedded outpost, pinned to the application
host via traefik_extra_hosts to stay on the LAN.

- authentik: add authentik_outpost_domains; allow users group on drawio
  proxy so the Nextcloud drawio iframe works for non-admins
- garage: point webui ForwardAuth at the new outpost FQDN
- homarr: use public OIDC issuer to match the iss claim, enable
  auto-login, pin auth FQDN to LAN via extra_hosts
- opnform: intercept / and /login for SSO, keep break-glass bypass
- drawio: align comments with admins+users allow-list
2026-06-04 11:07:48 +02:00

31 lines
1.4 KiB
YAML

---
# Local traefik needs to reach authentik for the ForwardAuth subrequest
# the garage-webui router fires. The public IP is unreachable from this
# subnet (no DMZ hairpin), so pin both auth FQDNs directly at the
# application host where authentik runs. Without this the forwardauth
# middleware would time out and every garage-console request would 502.
# - auth.gymb.* covers any future server-to-server traffic on the public
#   FQDN.
# - outpost.auth.int.gymb.* is the dedicated outpost endpoint actually
#   used by the ForwardAuth middleware (see garage.yml). It exists only
#   to skip Authentik's ASGI handler, which 404s the outpost path when
#   Host is one of the configured authentik_domains.
traefik_extra_hosts:
  - "auth.gymb.souveredu.ch:172.16.19.101"
  - "outpost.auth.int.gymb.souveredu.ch:172.16.19.101"

# Services hosted on `storage` that the DMZ reverseproxy should forward
# public traffic to. See application/traefik.yml for the mechanism.
traefik_dmz_exposed_services:
  - name: garage-s3
    domain: s3.gymb.souveredu.ch
    backend_host: s3.int.gymb.souveredu.ch
    port: 443
    protocol: https
  - name: garage-webui
    domain: console.s3.gymb.souveredu.ch
    # No internal FQDN/cert SAN for console.s3 yet — would need an
    # extra_domain on garage-webui. Until then this route will 500
    # against the storage backend (cert mismatch on raw IP).
    port: 443
    protocol: https
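The two failure modes the comments describe (ForwardAuth host caught by Authentik's ASGI handler, or not pinned to the LAN) can be caught before a deploy. The following preflight lint is an added example, not part of the reference-ansible repository; the `authentik_domains` value and the garage ForwardAuth address are constructed to mirror this page, since the real values live in vars the page does not show.

```python
"""Preflight lint for the cross-host ForwardAuth wiring in this host_vars file.
Added example; authentik_domains and the ForwardAuth address are assumptions."""
from urllib.parse import urlparse

# Constructed to mirror the page. AUTHENTIK_DOMAINS is an assumption: the page
# only says the outpost FQDN must lie outside it.
AUTHENTIK_DOMAINS = ["auth.gymb.souveredu.ch"]
TRAEFIK_EXTRA_HOSTS = [
    "auth.gymb.souveredu.ch:172.16.19.101",
    "outpost.auth.int.gymb.souveredu.ch:172.16.19.101",
]
DMZ_EXPOSED_SERVICES = [
    {"name": "garage-s3", "domain": "s3.gymb.souveredu.ch",
     "backend_host": "s3.int.gymb.souveredu.ch", "port": 443, "protocol": "https"},
    # garage-webui has no backend_host yet, as the file's own comment notes.
    {"name": "garage-webui", "domain": "console.s3.gymb.souveredu.ch",
     "port": 443, "protocol": "https"},
]
# Path of Authentik's embedded outpost endpoint for Traefik (from the commit message).
OUTPOST_PATH = "/outpost.goauthentik.io/auth/traefik"


def pinned_hosts(extra_hosts):
    """Map FQDN -> IP from Traefik 'host:ip' extra_hosts entries."""
    return dict(entry.rsplit(":", 1) for entry in extra_hosts)


def check_forwardauth_address(address, authentik_domains, extra_hosts):
    """Return a list of findings for a ForwardAuth address; empty means OK."""
    url = urlparse(address)
    host = url.hostname or ""
    findings = []
    if host in authentik_domains:
        findings.append(f"{host} is in authentik_domains: the ASGI handler answers and 404s {OUTPOST_PATH}")
    if host not in pinned_hosts(extra_hosts):
        findings.append(f"{host} is not in traefik_extra_hosts: resolves to the public IP, unreachable from this subnet")
    if url.path != OUTPOST_PATH:
        findings.append(f"path {url.path!r} is not the embedded outpost's Traefik endpoint")
    return findings


def check_exposed_services(services):
    """Names of HTTPS services lacking an internal backend FQDN (cert SAN mismatch on a raw IP)."""
    return [s["name"] for s in services if s.get("protocol") == "https" and not s.get("backend_host")]


if __name__ == "__main__":
    addr = "https://outpost.auth.int.gymb.souveredu.ch" + OUTPOST_PATH  # assumed garage.yml value
    print(check_forwardauth_address(addr, AUTHENTIK_DOMAINS, TRAEFIK_EXTRA_HOSTS) or "forwardauth OK")
    print("missing backend_host:", check_exposed_services(DMZ_EXPOSED_SERVICES))
```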