Mirror of https://github.com/RWejlgaard/pez-docs.git (synced 2026-05-06 03:34:44 +00:00)
Latest commit:
- Add Hetzner Cloud location (helsinki-a, nuremberg-a)
- Update london-a to FreeBSD, london-b ZFS layout to 3x raidz1
- Note offline servers (london-c, copenhagen-b)
- Update Plex docs with accurate ZFS and exporter behaviour
- Add workload docs: Nextcloud AIO, Navidrome, slskd, Monitoring, Auth (Authelia/LLDAP/Bitwarden), Mail (poste.io), Gaming (Minecraft/MaNGOS)
- Update README/intro with current service and location index
Authentication
Overview
All web-facing services are protected by a unified auth stack running on helsinki-a. Authentication happens once, at the reverse proxy, so there is single sign-on (SSO) across every service and no per-service login to configure. The protection only applies to traffic that actually passes through the proxy, so backend ports must not be reachable from the internet directly.
Stack
Authelia
Authelia is the authentication and authorization gateway. It sits in front of the services Caddy proxies (Caddy asks Authelia to authorize each request before forwarding it, so-called forward auth) and handles:
- Username/password login
- Two-factor authentication (TOTP)
- Per-service access control rules (which users or groups may reach which subdomain, and whether second-factor login is required for it)
LLDAP
LLDAP (Lightweight LDAP) is the user directory Authelia authenticates against. It is far simpler to run and manage than a full OpenLDAP install, while still serving the subset of LDAP (bind and search) that applications need for authentication.
All user management (accounts, passwords, group membership) goes through LLDAP's web interface.
Bitwarden (Vaultwarden)
Vaultwarden, an unofficial, lightweight reimplementation of the Bitwarden server API, running on helsinki-a. It stores all passwords and works with the official Bitwarden clients on every device. It is a password store only; the login flow below authenticates against LLDAP, not Vaultwarden.
Flow
- User hits a subdomain (e.g. grafana.pez.sh)
- Cloudflare routes traffic to helsinki-a
- Caddy receives the request and, before proxying it, asks Authelia (forward auth) whether the request is allowed
- Authelia checks whether the request carries a valid session cookie and whether the access control rules permit that user on that subdomain
- If not, the user is redirected to the Authelia login portal, which authenticates against LLDAP (and prompts for TOTP where the rules require it)
- Once authenticated, Caddy proxies the request to the actual backend service (which may be on any server in the homelab)
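How the stack and flow above map onto Caddy's `forward_auth` directive, as an added example (this is not the Caddyfile from pez-docs). The portal hostname `auth.pez.sh`, the Authelia address `authelia:9091`, the backend address `10.0.0.20:3000` and the Grafana vhost are assumptions; the `forward_auth` syntax and the Authelia forward-auth endpoint are as documented by the two projects.

```caddyfile
# Added example, not the pez-docs Caddyfile. Hostnames, ports and the backend
# address below are assumptions.

# Reusable snippet: ask Authelia whether the request is allowed before proxying.
(authelia) {
	forward_auth authelia:9091 {
		# Authelia 4.38+ forward-auth endpoint; older releases use
		# /api/verify?rd=https://auth.pez.sh/ instead.
		uri /api/authz/forward-auth
		# Copy only the identity headers Authelia sets onto the proxied request,
		# so the backend can trust them (and nothing else from Authelia's reply).
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}

# The login portal itself must be reachable without forward auth,
# otherwise the redirect in the flow above loops forever.
auth.pez.sh {
	reverse_proxy authelia:9091
}

# A protected service. Authelia decides per host/user/group whether the request
# passes, whether TOTP is required, or whether to redirect to the portal.
grafana.pez.sh {
	import authelia
	# Backend on another homelab host (assumed address); it only sees requests
	# that Authelia has already authorized, with Remote-User attached.
	reverse_proxy 10.0.0.20:3000
}
```

Two checks worth doing after deploying this: request the backend port (here 10.0.0.20:3000) from outside the homelab network and confirm it is unreachable, since `forward_auth` protects only traffic that passes through Caddy; and confirm that the backend either ignores the `Remote-*` headers or trusts them only from Caddy's address, because a client that can reach the backend directly can set them itself.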