Ingress
External access, authentication, and network security layer.
Authentik
Identity provider (IdP). Handles SSO, OAuth2/OIDC, SAML, and LDAP for all protected services. The primary auth system going forward.
Documentation · values.sops.yaml
Authelia
SSO and 2FA authentication proxy. Currently being decommissioned in favour of Authentik.
Documentation · values.sops.yaml
LLDAP
Lightweight LDAP server. Provides a simple user directory consumed by Authentik and other LDAP-aware services.
Documentation · values.sops.yaml
ingress-nginx
Kubernetes ingress controller. Routes external HTTP/HTTPS traffic to the appropriate services based on hostname and path rules.
Documentation · values.sops.yaml
Cloudflared
Cloudflare Tunnel daemon. Establishes an outbound-only connection from the cluster to the Cloudflare edge, exposing services publicly without opening inbound firewall ports.
Documentation · values.sops.yaml
WireGuard
VPN server. Provides direct, encrypted network-level access to the cluster for trusted devices.