pez-docs/workloads/auth/README.md
Pez 8e7269611d Update docs to reflect current setup (March 2026)
- Add Hetzner Cloud location (helsinki-a, nuremberg-a)
- Update london-a to FreeBSD, london-b ZFS layout to 3x raidz1
- Note offline servers (london-c, copenhagen-b)
- Update Plex docs with accurate ZFS and exporter behaviour
- Add workload docs: Nextcloud AIO, Navidrome, slskd, Monitoring,
  Auth (Authelia/LLDAP/Bitwarden), Mail (poste.io), Gaming (Minecraft/MaNGOS)
- Update README/intro with current service and location index
2026-03-04 09:09:08 +00:00


Authentication

Overview

All web-facing services are protected by a unified auth stack running on helsinki-a. This gives SSO across everything without having to configure per-service authentication.

Stack

Authelia

Authelia is the authentication and authorization gateway. It sits in front of services proxied by Caddy and handles:

  • Username/password login
  • Two-factor authentication (TOTP)
  • Per-service access control rules

LLDAP

LLDAP (Lightweight LDAP) is the user directory Authelia uses for authentication. It's simpler and easier to manage than a full OpenLDAP install, while still being compatible with anything that speaks LDAP.

All user management goes through LLDAP's web interface.

Bitwarden (Vaultwarden)

Vaultwarden, a self-hosted Bitwarden-compatible server, runs on helsinki-a. It stores all passwords and is accessed with the official Bitwarden clients across devices.

Flow

  1. User hits a subdomain (e.g. grafana.pez.sh)
  2. Cloudflare routes traffic to helsinki-a
  3. Caddy receives the request and forwards it to Authelia middleware
  4. Authelia checks whether the user has a valid session
  5. If not, the user is redirected to the Authelia login portal, which authenticates against LLDAP
  6. Once authenticated, Caddy proxies the request to the actual backend service (which may be on any server in the homelab)
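Steps 3 to 6 above, as an added Caddyfile example that is not from the pez-docs repo: the Authelia portal hostname (auth.pez.sh), the container names and ports (authelia:9091, grafana:3000) are assumptions, and grafana.pez.sh is the subdomain from the flow above.

```caddyfile
# Authelia login portal (hostname assumed). Caddy proxies it straight through;
# Authelia itself authenticates the user against LLDAP.
auth.pez.sh {
    reverse_proxy authelia:9091
}

# A protected service. Every request is first sent to Authelia's forward-auth
# endpoint; only a 2xx answer from Authelia lets the request reach the backend.
grafana.pez.sh {
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth

        # Pass Authelia's identity headers to the backend so the service can
        # trust the authenticated user instead of running its own login.
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }

    # Backend may live on any server in the homelab (container name assumed).
    reverse_proxy grafana:3000
}
```

When Authelia finds no valid session it answers the forward-auth call with a redirect to the portal, which Caddy relays to the browser; after login the session cookie is set for the shared cookie domain and the original request is retried and proxied.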