Enable Authentik installation and add support for extra public hostnames in the configuration. Updated README and values files to reflect changes for improved deployment flexibility and documentation clarity.

This commit is contained in:
Nikholas Pcenicni
2026-05-14 19:58:56 -04:00
parent b90ee2d531
commit 032ffee866
6 changed files with 84 additions and 2 deletions


@@ -3,12 +3,38 @@
# Secrets (secret_key, postgres password, bootstrap) are supplied at install time by Ansible
# (-f authentik-extra-values.yaml from noble_authentik role). Do not commit real secrets here.
#
# DNS: auth.apps.noble.lab.pcenicni.dev → Traefik LB (see traefik/values.yaml).
# DNS: auth.apps.noble.lab.pcenicni.dev → Traefik LB (see traefik/values.yaml). Optional **extra** Ingress hostnames
# (e.g. a public Pangolin FQDN) are merged by Ansible — **`noble_authentik_ingress_extra_hosts`** in **group_vars** (see **noble_authentik** README).
#
# helm repo add goauthentik https://charts.goauthentik.io && helm repo update
# kubectl apply -f clusters/noble/bootstrap/authentik/namespace.yaml
# helm upgrade --install authentik goauthentik/authentik -n authentik --create-namespace \
# --version 2026.2.3 -f clusters/noble/bootstrap/authentik/values.yaml -f /path/to/extra.yaml --wait
#
# **Media / uploads:** server + worker mount **PVC `authentik-data`** at **`/data`** (Authentik stores media under **`/data/media`**). Chart **`additionalObjects`** creates the PVC (**Longhorn**, RWO). Increase **storage** or use another **storageClassName** if needed.
global:
volumes:
- name: authentik-data
persistentVolumeClaim:
claimName: authentik-data
volumeMounts:
- name: authentik-data
mountPath: /data
additionalObjects:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: authentik-data
namespace: "{{ .Release.Namespace }}"
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 10Gi
postgresql:
enabled: true
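Review bot: the PVC created under `additionalObjects` is `ReadWriteOnce` on `longhorn`, but the comment above it says both the server and the worker mount `authentik-data` at `/data`, and `global.volumes` / `global.volumeMounts` apply to every pod the chart renders. An RWO Longhorn volume attaches to one node at a time, so whichever of the two Deployments lands on a different node will sit in ContainerCreating with a multi-attach error; either use `ReadWriteMany` (Longhorn serves RWX through its share-manager) or document that server and worker must be co-scheduled. Two smaller points: the header comments use Markdown emphasis (`**extra**`, `**`/data/media`**`) that a YAML file renders as literal asterisks, so plain text reads better here; and the old `# DNS:` line appears to be replaced by the new two-line version, so check that the removed line is not still present after the merge.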


@@ -88,6 +88,24 @@ curl -sS -X PUT -H "Authorization: Bearer ${TOKEN}" -H 'Content-Type: applicatio
Exact JSON fields and IDs differ by domain type (**ns** vs **cname** vs **wildcard**); see [Common API routes](https://docs.pangolin.net/manage/common-api-routes) and Swagger.
### Authentik on a public name
Use **`noble_authentik_ingress_extra_hosts`** (see **`ansible/roles/noble_authentik/README.md`**) so the Authentik Ingress (and **cert-manager** SANs) include your public FQDN, then create the Pangolin **HTTP** resource + **target** to the same Traefik **:443** endpoint as other apps. One Newt site can carry many hostnames.
### What to put in Pangolin (resource + target)
1. **Public hostname** — the FQDN users type in the browser (must match **`noble_authentik_ingress_extra_hosts`** and your **CNAME** at the DNS host Pangolin documents for that domain).
2. **Site** — the Pangolin **site** that owns your **Newt** pair (same **`NEWT_ID`** / **`NEWT_SECRET`** as the cluster Secret). In the UI: **Sites** → pick the site connected to this cluster.
3. **Target `ip`** — an address **reachable from inside the tunnel** to **Traefik HTTPS**. On noble this is usually the Traefik **LoadBalancer** IP (repo pins **`192.168.50.211`** in **`clusters/noble/bootstrap/traefik/values.yaml`**). Confirm live:
`kubectl -n traefik get svc -l app.kubernetes.io/name=traefik -o wide`
Use **`EXTERNAL-IP`** (or **`LOAD_BALANCER_IP`** from the Service status) as **`ip`**. If Newt runs **in** the cluster, that MetalLB/LAN VIP is correct; if you run Newt elsewhere, use whatever L3 path reaches Traefik from that host.
4. **Target `port`****`443`** (TLS to Traefik; SNI carries the public hostname).
5. **Target `method`****`http`** in the Integration API examples above (TLS is still terminated at Traefik; Pangolins field names follow their docs).
Discovery in Pangolins UI: **Domains** (see required CNAME) → **Resources****Add** HTTP resource for the subdomain/FQDN → **Targets** / **Backends** → attach **site** + **ip:port**. Official flow: [Domains](https://docs.pangolin.net/manage/common-api-routes#list-domains), [Integration API](https://docs.pangolin.net/manage/integration-api), and your deployments **Swagger** at **`https://<integration-api-host>/v1/docs`** when enabled.
## LAN vs internet
- **LAN / VPN:** point **`*.apps.noble.lab.pcenicni.dev`** at the Traefik **LoadBalancer** (**`192.168.50.211`**) with local or split-horizon DNS if you want direct in-lab access.
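Review bot: step 3 tells the reader to use `LOAD_BALANCER_IP` "from the Service status", but that is not a field on a Service; the assigned address lives at `status.loadBalancer.ingress[].ip`, so `kubectl -n traefik get svc traefik -o jsonpath='{.status.loadBalancer.ingress[0].ip}'` would be the exact command to pair with the `EXTERNAL-IP` column. Steps 4 and 5 together are also ambiguous: a target on port `443` that "terminates TLS at Traefik" with SNI only works if Pangolin actually speaks TLS to the target, so please state which `method` value selects that (and confirm it against the Pangolin docs linked on the next line), otherwise a plaintext request to :443 just yields an error from Traefik. Formatting: the separators between `**Target \`port\`**` and `**\`443\`**`, between `**Target \`method\`**` and `**\`http\`**`, and between `**Resources**` and `**Add**` were lost, and "Pangolins" / "deployments" are missing their apostrophes.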