# Infra apps — single Authentik login

Status of each *.infra.realemail.app service for dropping the second login wall
after Traefik forward-auth (or native OIDC). The goal is one Authentik login at the
Traefik edge and no username/password prompt inside the app. Parent: ADR-002.

Edge auth is what Traefik enforces in front of the app; App login is what the app itself
still does behind it; Action is the status, or the runbook to follow.

| Service | URL | Edge auth | App login | Action |
|---|---|---|---|---|
| Grafana | grafana.infra… | forward-auth | auth proxy | Done |
| Komodo | komodo.infra… | native OIDC | — | Done |
| Homepage | homepage.infra… | forward-auth | none | Edge only — no change |
| ARA | ara.infra… | forward-auth | none | Edge only — no change |
| Prometheus | prometheus.infra… | forward-auth | none | Edge only — no change |
| Alertmanager | alertmanager.infra… | forward-auth | none | Edge only — no change |
| AdGuard | adguard.infra… | forward-auth | disabled | adguard-edge-sso.md |
| Wazuh | wazuh.infra… | forward-auth | proxy (when deployed) | wazuh-edge-sso.md |
| Traefik | traefik.infra… | forward-auth | none | Edge only — no change |
## Pattern summary

| Pattern | When | Examples |
|---|---|---|
| Forward-auth only | App has no login UI | Homepage, ARA, Prometheus, Alertmanager, Traefik |
| Auth proxy | App supports trusted reverse-proxy headers | Grafana |
| Native OIDC | App OIDC conflicts with forward-auth | Komodo |
| Disable app auth | App allows empty users / no local login | AdGuard |
| OpenSearch proxy auth | Dashboard + indexer security config | Wazuh |

The auth-proxy and OpenSearch proxy-auth patterns only hold if the app accepts the
identity headers solely from Traefik. An app port reachable without the proxy lets a
client set the header itself and log in as anyone.
## Host validation

Homepage requires the request hostname to be listed in HOMEPAGE_ALLOWED_HOSTS (set in
compose.yml). Use the Traefik URL only: host port :3000 is not published, so the only
path to Homepage goes through Traefik and the Authentik middleware. Publishing the port
would let any LAN client reach the app directly and skip the edge login.
## Access scope

*.infra.realemail.app names resolve to 192.168.6.17 via AdGuard DNS rewrites on the
LAN. They are not in public DNS. Off-LAN access requires Tailscale (or VPN) with split
DNS; mobile carrier data alone will not resolve or reach these URLs.
## Verify any service (incognito)

- Open the URL: one Authentik login at the edge
- Land in the app with no second username/password prompt
- If a login form appears inside the app, see the service runbook in the table above
## Troubleshooting

### No Authentik redirect (app loads open on LAN)

Traefik's Docker provider builds the router from container labels, including the
authentik@file middleware reference. Labels are fixed when a container is created, so if
compose.yml was updated (e.g. after git pull) but the containers were never recreated, the
running container still carries its old label set, no middleware is attached to the
router, and the app is wide open on its HTTPS URL.

```bash
docker inspect homepage --format '{{index .Config.Labels "traefik.http.routers.homepage.middlewares"}}'
# must print: authentik@file
```

Recreate affected stacks after git pull:

```bash
cd /opt/homelab/services/homepage && docker compose up -d --force-recreate
cd /opt/homelab/services/ara && docker compose up -d --force-recreate
cd /opt/homelab/services/adguard && docker compose up -d --no-deps adguard
cd /opt/homelab/services/monitoring && docker compose up -d --no-deps prometheus alertmanager grafana
```
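The manual verification steps above and the label check in this section can be run as one
script. The following is an added example, not code from the homelab repo, Authentik or
Traefik. It checks the chain in the order a break shows up: LAN DNS rewrite, container
label, an anonymous request at the edge, and the app port that must not be published. It
assumes (not stated on this page) that the Authentik forward-auth outpost answers an
anonymous request with a 302 to `/outpost.goauthentik.io/start`, that label keys follow
the homepage pattern `traefik.http.routers.<router>.middlewares`, and that the full
hostname of the sample is `homepage.infra.realemail.app`; the label strings and URLs in
the offline self-check are constructed, not captured from a host.

```sh
#!/bin/sh
# Added example; not code from the homelab repo, Authentik or Traefik.
# Audits the single-login chain for one *.infra.realemail.app service in the
# order a break shows up: LAN DNS rewrite, container label, anonymous request
# at the edge, and the app port that must not be published.
# Assumptions not stated on the page: the Authentik forward-auth outpost
# answers an anonymous request with a 302 to /outpost.goauthentik.io/start
# (the embedded-outpost default), and label keys follow the homepage pattern
# traefik.http.routers.<router>.middlewares.

INFRA_IP="192.168.6.17"
EDGE_MW="authentik@file"

# Exact-element match in a comma-separated Traefik middleware list, so that
# "authentik@file-old" or "authentik@docker" is not taken as a false positive.
has_edge_middleware() {
  _list=$1
  _saved_ifs=$IFS
  IFS=','
  for _mw in $_list; do
    _mw=$(printf '%s' "$_mw" | tr -d ' ')
    if [ "$_mw" = "$EDGE_MW" ]; then
      IFS=$_saved_ifs
      return 0
    fi
  done
  IFS=$_saved_ifs
  return 1
}

# Classify what an anonymous GET got back from the edge.
#   $1 = HTTP status, $2 = redirect target (may be empty)
# Prints one of: edge-login | open | other
classify_edge_response() {
  case "$1" in
    302|303|307)
      case "$2" in
        *"/outpost.goauthentik.io/start"*) echo "edge-login" ;;
        *) echo "other" ;;
      esac ;;
    200) echo "open" ;;
    *) echo "other" ;;
  esac
}

# Live audit on the Docker host; needs docker, curl and getent.
#   $1 = container name, $2 = Traefik router name, $3 = hostname, $4 = app port
live_audit() {
  _ip=$(getent hosts "$3" | awk '{print $1}')
  if [ "$_ip" = "$INFRA_IP" ]; then echo "dns    ok    $3 -> $_ip"
  else echo "dns    FAIL  $3 -> '${_ip:-unresolved}' (off-LAN needs Tailscale split DNS)"; fi

  _label=$(docker inspect "$1" --format "{{index .Config.Labels \"traefik.http.routers.$2.middlewares\"}}" || true)
  if has_edge_middleware "$_label"; then echo "label  ok    $_label"
  else echo "label  FAIL  '$_label' (recreate the stack with --force-recreate)"; fi

  # %{redirect_url} is curl's view of the Location header; the body is discarded.
  _resp=$(curl -s -o /dev/null -w '%{http_code} %{redirect_url}' "https://$3/" || true)
  _verdict=$(classify_edge_response "${_resp%% *}" "${_resp#* }")
  if [ "$_verdict" = "edge-login" ]; then echo "edge   ok    $_resp"
  else echo "edge   FAIL  $_verdict: $_resp"; fi

  # An unpublished app port prints nothing here; anything printed is a bypass path.
  _pub=$(docker port "$1" "$4" 2>/dev/null || true)
  if [ -z "$_pub" ]; then echo "port   ok    $4 not published"
  else echo "port   FAIL  $4 published as $_pub (bypasses Authentik)"; fi
}

if [ "${1:-}" = "--live" ]; then
  live_audit "$2" "$3" "$4" "$5"   # e.g. --live homepage homepage homepage.infra.realemail.app 3000
else
  # Offline self-check on constructed samples (not captured from a real host).
  for _s in "authentik@file" "compress@file, authentik@file" "authentik@file-old" ""; do
    if has_edge_middleware "$_s"; then echo "label '$_s': ok"; else echo "label '$_s': missing"; fi
  done
  classify_edge_response 302 "https://homepage.infra.realemail.app/outpost.goauthentik.io/start?rd=https%3A%2F%2Fhomepage.infra.realemail.app%2F"
  classify_edge_response 200 ""
  classify_edge_response 302 "https://homepage.infra.realemail.app/login"
fi
```

Run it with no arguments for the offline self-check, or with `--live <container> <router> <hostname> <port>` on the Docker host. An `open` verdict on the edge check together with a `label FAIL` is the exact symptom described above; an `open` verdict with the label present points at Traefik not having picked up the router rather than at the container.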
### Works on Wi‑Fi but not mobile carrier

Expected. Infra hostnames are private (192.168.6.17 via AdGuard), not on the public
internet. Use Tailscale on the phone or wait until on home LAN.
### AdGuard / ARA / Homepage “no auth” after AdGuard script

AdGuard `users: []` removes only AdGuard's own login; the one login left is Authentik at
Traefik, which must still run. With app auth disabled, a missing Traefik middleware means
the service has no authentication at all, which is why the symptom reads as “no auth”.