====== Access Services ======

After deployment, access your homelab services through secure HTTPS URLs.

===== Service URLs =====

All services are accessible at `https://service-name.yourdomain.duckdns.org`

| Category | Service | URL | Authentication | Purpose |
|----------|---------|-----|----------------|---------|
| **Management** | Dockge | `https://dockge.yourdomain.duckdns.org` | Authelia SSO | Stack management |
| **Management** | Homepage | `https://home.yourdomain.duckdns.org` | Authelia SSO | Service dashboard |
| **Security** | Authelia | `https://auth.yourdomain.duckdns.org` | Direct login | SSO authentication |
| **Infrastructure** | Traefik | `https://traefik.yourdomain.duckdns.org` | Authelia SSO | Reverse proxy dashboard |
| **Infrastructure** | Pi-hole | `http://pihole.yourdomain.duckdns.org` | Authelia SSO | DNS & ad blocking |
| **Infrastructure** | Dozzle | `https://dozzle.yourdomain.duckdns.org` | Authelia SSO | Log viewer |
| **Infrastructure** | Glances | `https://glances.yourdomain.duckdns.org` | Authelia SSO | System monitoring |
| **Media** | Jellyfin | `https://jellyfin.yourdomain.duckdns.org` | None (app access) | Media server |
| **Media** | Plex | `https://plex.yourdomain.duckdns.org` | None (app access) | Media server |
| **Media** | qBittorrent | `https://qbit.yourdomain.duckdns.org` | Authelia SSO | Torrent client |
| **Media Mgmt** | Sonarr | `https://sonarr.yourdomain.duckdns.org` | Authelia SSO | TV automation |
| **Media Mgmt** | Radarr | `https://radarr.yourdomain.duckdns.org` | Authelia SSO | Movie automation |
| **Productivity** | Nextcloud | `https://nextcloud.yourdomain.duckdns.org` | Authelia SSO | File sync |
| **Productivity** | Gitea | `https://git.yourdomain.duckdns.org` | Authelia SSO | Git service |
| **Productivity** | BookStack | `https://docs.yourdomain.duckdns.org` | Authelia SSO | Documentation |
| **Monitoring** | Grafana | `https://grafana.yourdomain.duckdns.org` | Authelia SSO | Dashboards |
| **Monitoring** | Prometheus | `https://prometheus.yourdomain.duckdns.org` | Authelia SSO | Metrics |
| **Monitoring** | Uptime Kuma | `https://status.yourdomain.duckdns.org` | Authelia SSO | Status monitoring |
| **Home Auto** | Home Assistant | `https://ha.yourdomain.duckdns.org` | None (built-in auth) | Home automation |
| **Utilities** | Backrest | `https://backrest.yourdomain.duckdns.org` | Authelia SSO | Backup management |
| **Development** | Code Server | `https://code.yourdomain.duckdns.org` | Authelia SSO | VS Code in browser |

===== Authentication =====

==== Authelia SSO (Single Sign-On) ====

**Protected Services:**
  * Most admin interfaces require Authelia login
  * One login grants access to all protected services
  * Supports 2FA (Two-Factor Authentication)

**Login Process:**
1. Visit any protected service URL
2. Redirected to Authelia login page
3. Enter username and password
4. (Optional) Enter 2FA code
5. Redirected back to original service

**Default Credentials:**
  * Username: `admin` (or custom from setup)
  * Password: Secure password from setup

==== Service-Specific Authentication ====

**No SSO (Direct Access):**
  * **Jellyfin/Plex**: Use service's built-in user management
  * **Home Assistant**: Built-in authentication system
  * **Nextcloud**: Can use Authelia or built-in auth

**VPN-Protected Services:**
  * **qBittorrent**: Routes through Gluetun VPN
  * Access via web UI after Authelia login

===== Security Features =====

==== SSL/TLS Encryption ====

**Wildcard Certificate:**
  * Covers all `*.yourdomain.duckdns.org` subdomains
  * Issued by Let's Encrypt (free)
  * Automatic renewal every 90 days
  * A+ SSL rating

**Certificate Details:**
  * **Issuer**: Let's Encrypt Authority X3
  * **Algorithm**: ECDSA P-256
  * **Validity**: 90 days
  * **Renewal**: Automatic via Traefik

==== Firewall Protection ====

**UFW Configuration:**
  * Only ports 80, 443, and 22 (SSH) open
  * All other ports blocked
  * Docker containers isolated

**Network Security:**
  * Services behind reverse proxy
  * No direct container exposure
  * VPN routing for downloads

==== Access Control ====

**Authelia Policies:**
  * **One Factor**: Username + password
  * **Two Factor**: Username + password + TOTP
  * **Bypass**: No authentication required

**Default Policies:**
  * Admin services: Two-factor recommended
  * Media services: Bypass (app compatibility)
  * Public services: Bypass when appropriate

===== First-Time Access =====

==== Configure Authelia ====

1. **Access Authelia:**
   * URL: `https://auth.yourdomain.duckdns.org`
   * Login with admin credentials
2. **Enable 2FA:**
   * Go to **Settings** → **One-Time Password**
   * Scan QR code with authenticator app
   * Enter verification code
3. **Configure Access Rules:**
   * Edit `/opt/stacks/core/authelia/configuration.yml`
   * Modify access policies as needed

==== Set Up Homepage Dashboard ====

1. **Access Homepage:**
   * URL: `https://home.yourdomain.duckdns.org`
2. **Initial Configuration:**
   * Click settings icon (gear)
   * Add deployed services
   * Configure widgets
3. **API Integration:**
   * Add API keys for enhanced widgets
   * Configure service integrations

==== Test Service Access ====

**Verification Checklist:**
  * [ ] Authelia login works
  * [ ] Homepage loads correctly
  * [ ] Dockge accessible
  * [ ] SSL certificates valid
  * [ ] No mixed content warnings

===== Troubleshooting Access =====

==== SSL Certificate Issues ====

**"Not Secure" warnings:**
  * Wait 2-5 minutes after deployment
  * Check DNS propagation: `nslookup yourdomain.duckdns.org`
  * Verify ports 80/443 forwarded
  * Check Traefik logs: `docker logs traefik`

**Certificate errors:**

```bash
# Check certificate status
echo | openssl s_client -connect yourdomain.duckdns.org:443 -servername dockge.yourdomain.duckdns.org 2>/dev/null | openssl x509 -noout -subject -dates
```

==== Authentication Problems ====

**Can't log in to Authelia:**
  * Verify username/password
  * Check 2FA setup
  * Clear browser cache
  * Check Authelia logs: `docker logs authelia`

**Redirect loops:**
  * Check Traefik configuration
  * Verify middleware labels
  * Restart Traefik: `docker restart traefik`

==== Service Not Accessible ====

**404 errors:**
  * Service not deployed
  * Traefik route not configured
  * Wrong subdomain

**Connection refused:**
  * Service not running
  * Port mapping issues
  * Network connectivity problems

==== DNS Issues ====

**Domain not resolving:**
  * Check DuckDNS configuration
  * Verify token in `.env`
  * Wait for DNS propagation

**Local network access:**
  * Use internal IP for local access
  * Configure local DNS overrides

===== Advanced Access =====

==== External Service Proxying ====

**Proxy non-Docker services:**
  * Raspberry Pi Home Assistant
  * NAS devices
  * Other network services

**Configuration:**
  * Add routes to `/opt/stacks/core/traefik/dynamic/external.yml`
  * Include Authelia middleware
  * Test connectivity

==== VPN Access ====

**Remote Access:**
  * Configure VPN server (OpenVPN/WireGuard)
  * Route traffic through VPN
  * Access local services remotely

==== API Access ====

**Service APIs:**
  * Most services expose REST APIs
  * Use API keys for authentication
  * Configure in Homepage widgets

===== Mobile Access =====

**Mobile Apps:**
  * **Jellyfin/Plex**: Dedicated mobile apps
  * **Nextcloud**: Mobile sync client
  * **Home Assistant**: Mobile companion app
  * **Bitwarden**: Password manager

**Browser Access:**
  * All services work in mobile browsers
  * Responsive design for most interfaces
  * Authelia SSO works on mobile

===== Performance Optimization =====

**Loading Speed:**
  * Enable HTTP/2 in Traefik
  * Use CDN for static assets
  * Optimize service configurations

**Resource Usage:**
  * Monitor with Glances
  * Set appropriate resource limits
  * Use lazy loading for unused services

Ready to access your services? Start with the [[getting_started:security|Security Setup]] guide.

**Need help?** Check [[troubleshooting:networking|Network Troubleshooting]] or visit [[https://github.com/kelinfoxy/AI-Homelab/discussions|GitHub Discussions]].
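
One way to script the verification checklist against the Authentication column of the service table, added here as an example that is not part of the original page. It assumes Authelia answers an unauthenticated request with a redirect to `https://auth.<domain>/` or a 401; `gate_of`, `check_service` and `check_live` are hypothetical helper names, and the sample responses are constructed.

```bash
#!/bin/sh
# Added example: compare a service's unauthenticated response with the
# "Authentication" column of the service table. Helper names are hypothetical.
DOMAIN="${DOMAIN:-yourdomain.duckdns.org}"   # the page's placeholder domain

# gate_of HEADERS -> authelia | denied | open | unknown
# HEADERS is raw `curl -sI` output for a request sent without a session cookie.
gate_of() (
  headers=$(printf '%s\n' "$1" | tr -d '\r')
  status=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
  location=$(printf '%s\n' "$headers" | awk 'tolower($1)=="location:" {print $2; exit}')
  case "$status" in
    30[12378])
      case "$location" in
        # Exact host match only, so a look-alike host is not counted as the portal.
        "https://auth.$DOMAIN"|"https://auth.$DOMAIN/"*|"https://auth.$DOMAIN?"*) echo authelia ;;
        *) echo open ;;   # redirect stays with the app, e.g. its own login page
      esac ;;
    401|403) echo denied ;;
    2??)     echo open ;;
    *)       echo unknown ;;
  esac
)

# check_service EXPECTED HEADERS -> PASS | FAIL:<reason>
# EXPECTED: "sso" for rows marked Authelia SSO, "direct" for rows marked None.
check_service() (
  gate=$(gate_of "$2")
  case "$1:$gate" in
    sso:authelia|sso:denied) echo PASS ;;
    sso:open)        echo "FAIL:reachable without Authelia" ;;
    direct:open)     echo PASS ;;
    direct:authelia) echo "FAIL:bypass rule not applied" ;;
    *)               echo "FAIL:unexpected response ($gate)" ;;
  esac
)

# Live use against a deployment, e.g. `check_live dockge sso`.
check_live() { check_service "$2" "$(curl -sI --max-time 10 "https://$1.$DOMAIN/")"; }

# Constructed sample responses (not captured from a real deployment).
SSO_OK=$(printf 'HTTP/2 302\r\nlocation: https://auth.%s/?rd=https://dockge.%s/\r\n' "$DOMAIN" "$DOMAIN")
SSO_MISSING=$(printf 'HTTP/2 200\r\ncontent-type: text/html\r\n')
APP_LOGIN=$(printf 'HTTP/2 302\r\nlocation: /web/\r\n')

echo "dockge   expects sso:    $(check_service sso "$SSO_OK")"
echo "dockge   expects sso:    $(check_service sso "$SSO_MISSING")"
echo "jellyfin expects direct: $(check_service direct "$APP_LOGIN")"
```

A `FAIL:reachable without Authelia` result for a row marked Authelia SSO usually points at a missing middleware label on that service's Traefik router.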