gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Enable Authentik installation and add support for extra public hostnames in the configuration. Updated README and values files to reflect changes for improved deployment flexibility and documentation clarity.

Browse Source
This commit is contained in:
Nikholas Pcenicni
2026-05-14 19:58:56 -04:00
parent b90ee2d531
commit 032ffee866
6 changed files with 84 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
clusters/noble/bootstrap/newt/README.md
View File

@@ -88,6 +88,24 @@ curl -sS -X PUT -H "Authorization: Bearer ${TOKEN}" -H 'Content-Type: applicatio
Exact JSON fields and IDs differ by domain type (**ns** vs **cname** vs **wildcard**); see [Common API routes](https://docs.pangolin.net/manage/common-api-routes) and Swagger.
### Authentik on a public name
Use **`noble_authentik_ingress_extra_hosts`** (see **`ansible/roles/noble_authentik/README.md`**) so the Authentik Ingress (and **cert-manager** SANs) include your public FQDN, then create the Pangolin **HTTP** resource + **target** to the same Traefik **:443** endpoint as other apps. One Newt site can carry many hostnames.
### What to put in Pangolin (resource + target)
1. **Public hostname** — the FQDN users type in the browser (must match **`noble_authentik_ingress_extra_hosts`** and your **CNAME** at the DNS host Pangolin documents for that domain).
2. **Site** — the Pangolin **site** that owns your **Newt** pair (same **`NEWT_ID`** / **`NEWT_SECRET`** as the cluster Secret). In the UI: **Sites** → pick the site connected to this cluster.
3. **Target `ip`** — an address **reachable from inside the tunnel** to **Traefik HTTPS**. On noble this is usually the Traefik **LoadBalancer** IP (repo pins **`192.168.50.211`** in **`clusters/noble/bootstrap/traefik/values.yaml`**). Confirm live:
`kubectl -n traefik get svc -l app.kubernetes.io/name=traefik -o wide`
Use **`EXTERNAL-IP`** (or **`LOAD_BALANCER_IP`** from the Service status) as **`ip`**. If Newt runs **in** the cluster, that MetalLB/LAN VIP is correct; if you run Newt elsewhere, use whatever L3 path reaches Traefik from that host.
4. **Target `port`****`443`** (TLS to Traefik; SNI carries the public hostname).
5. **Target `method`****`http`** in the Integration API examples above (TLS is still terminated at Traefik; Pangolins field names follow their docs).
Discovery in Pangolins UI: **Domains** (see required CNAME) → **Resources****Add** HTTP resource for the subdomain/FQDN → **Targets** / **Backends** → attach **site** + **ip:port**. Official flow: [Domains](https://docs.pangolin.net/manage/common-api-routes#list-domains), [Integration API](https://docs.pangolin.net/manage/integration-api), and your deployments **Swagger** at **`https://<integration-api-host>/v1/docs`** when enabled.
## LAN vs internet
- **LAN / VPN:** point **`*.apps.noble.lab.pcenicni.dev`** at the Traefik **LoadBalancer** (**`192.168.50.211`**) with local or split-horizon DNS if you want direct in-lab access.