mirror of
https://github.com/RWejlgaard/pez-docs.git
synced 2026-05-06 03:34:44 +00:00
- Add Hetzner Cloud location (helsinki-a, nuremberg-a) - Update london-a to FreeBSD, london-b ZFS layout to 3x raidz1 - Note offline servers (london-c, copenhagen-b) - Update Plex docs with accurate ZFS and exporter behaviour - Add workload docs: Nextcloud AIO, Navidrome, slskd, Monitoring, Auth (Authelia/LLDAP/Bitwarden), Mail (poste.io), Gaming (Minecraft/MaNGOS) - Update README/intro with current service and location index
34 lines
1.3 KiB
Markdown
# Authentication

## Overview

All web-facing services are protected by a unified auth stack running on `helsinki-a`. This gives SSO across everything without having to configure per-service authentication.
## Stack

### Authelia

Authelia is the authentication and authorization gateway. It sits in front of services proxied by Caddy and handles:

- Username/password login
- Two-factor authentication (TOTP)
- Per-service access control rules
### LLDAP

LLDAP (Lightweight LDAP) is the user directory Authelia uses for authentication. It's simpler and easier to manage than a full OpenLDAP install, while still being compatible with anything that speaks LDAP.

All user management goes through LLDAP's web interface.
### Bitwarden (Vaultwarden)

Self-hosted Bitwarden server (Vaultwarden) running on `helsinki-a`. It stores all passwords and is used with the official Bitwarden clients across devices.
## Flow

1. User hits a subdomain (e.g. `grafana.pez.sh`)
2. Cloudflare routes traffic to `helsinki-a`
3. Caddy receives the request and forwards it to the Authelia middleware
4. Authelia checks whether the user has a valid session
5. If not, it redirects to the Authelia login portal (which authenticates against LLDAP)
6. Once authenticated, Caddy proxies the request to the actual backend service (which may be on any server in the homelab)
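The flow above is driven entirely by Authelia's configuration: the LDAP backend points at LLDAP, the access-control rules decide per service who gets through and whether TOTP is required, and the session cookie scope is what makes the SSO span every subdomain. The following `configuration.yml` is an added example written to illustrate that wiring; it is not the repository's own configuration. It assumes Authelia 4.38-style keys, an LLDAP container reachable as `lldap` on its default port 3890, a base DN of `dc=pez,dc=sh`, a portal at `auth.pez.sh`, an `admins` group, and placeholder secrets; only `pez.sh` and `grafana.pez.sh` come from the page.

```yaml
# Added example (not the pez-docs configuration). Hostnames other than
# pez.sh / grafana.pez.sh, the group name and every secret are placeholders.
theme: auto

server:
  address: 'tcp://0.0.0.0:9091'

log:
  level: info

# Second factor: TOTP codes, issuer shown in the authenticator app (assumed).
totp:
  issuer: pez.sh

# Users and groups are read from LLDAP. Container name and base DN are
# assumptions; 3890 is LLDAP's default LDAP port. The bind user only needs
# read access to the directory.
authentication_backend:
  password_reset:
    disable: true
  ldap:
    implementation: lldap
    address: 'ldap://lldap:3890'
    base_dn: 'dc=pez,dc=sh'
    user: 'uid=authelia,ou=people,dc=pez,dc=sh'
    password: 'REPLACE_WITH_BIND_PASSWORD'

# Per-service rules. Rules are evaluated top to bottom and the first match
# wins, so the narrower Grafana rule sits above the wildcard. Anything that
# matches no rule falls through to default_policy and is denied.
access_control:
  default_policy: deny
  rules:
    - domain: 'grafana.pez.sh'
      policy: two_factor
      subject: 'group:admins'      # only members of the assumed admins group
    - domain: '*.pez.sh'
      policy: two_factor           # every other service: password + TOTP

# One session cookie scoped to the parent domain is what gives SSO across
# all subdomains. The portal hostname is an assumption.
session:
  secret: 'REPLACE_WITH_SESSION_SECRET'
  cookies:
    - domain: 'pez.sh'
      authelia_url: 'https://auth.pez.sh'
      default_redirection_url: 'https://grafana.pez.sh'

# Brute-force regulation: three failed logins in two minutes bans the
# account for ten minutes.
regulation:
  max_retries: 3
  find_time: '2m'
  ban_time: '10m'

# Sessions, TOTP secrets and bans live in a local SQLite file (single host).
storage:
  encryption_key: 'REPLACE_WITH_STORAGE_KEY'
  local:
    path: /config/db.sqlite3

# Identity-verification mails are written to a file instead of sent via SMTP.
notifier:
  filesystem:
    filename: /config/notification.txt
```

On the Caddy side, each protected site block hands the request to Authelia with a `forward_auth` directive before its `reverse_proxy`; Authelia answers 200 (plus `Remote-User` / `Remote-Groups` headers) for a valid session or a redirect to the portal otherwise, which is steps 3 to 6 of the flow. The exact forward-auth endpoint path depends on the Authelia version, so check the release's documentation rather than copying one from memory. Authelia validates this file on startup and refuses to run on unknown keys, which is a useful check that a rule was not silently ignored.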