# Core Infrastructure Services This directory contains the core infrastructure services that form the foundation of the homelab. These services should be deployed **on the core server only** and are critical for the operation of all other services across all servers. ## Services ### DuckDNS - **Purpose**: Dynamic DNS service for domain resolution and wildcard SSL certificates - **Subdomain**: Configurable via environment variables - **Token**: Configured in environment variables - **SSL Certificates**: Generates wildcard cert used by all services on all servers - **Deploy**: Core server only ### Traefik (v3) - **Purpose**: Reverse proxy and SSL termination with multi-server routing - **Ports**: 80 (HTTP), 443 (HTTPS), 8080 (Dashboard) - **Configuration**: Located in `traefik/config/traefik.yml` - **Multi-Server**: Discovers services on all servers via Docker providers - **SSL**: Let's Encrypt with DNS-01 challenge (wildcard certificate) - **Dashboard**: Available at configured domain - **Deploy**: Core server only ### Authelia (v4.37.5) - **Purpose**: Single sign-on authentication service for all services across all servers - **Port**: 9091 (internal) - **Access**: Configured authentication domain - **Configuration**: Located in `authelia/config/` - **Database**: SQLite database in `authelia/config/db.sqlite3` - **Deploy**: Core server only ## Multi-Server Architecture The core stack on the main server provides centralized services for the entire homelab: **Core Server:** - Receives all external traffic (ports 80/443 forwarded from router) - Runs DuckDNS for domain management and SSL certificates - Runs Authelia for centralized authentication - Runs Sablier for lazyloading local containers - Traefik lables route servies on the core server - Traekif external-host-servername.yml defines routes for Remote Servers **Remote Server:** - Each container exposes ports - No port forwarding from router needed - No Traefik lables - Traefik configured by an external-host yaml file on Core Server - Runs Sablier for lazyloading local containers **Service Access:** - All services accessible via: `https://service.yourdomain.duckdns.org` - Core Traefik routes to appropriate server (local or remote) - Single wildcard SSL certificate used for all services - Authelia provides SSO for all protected services ## ⚠️ Version Pinning & Breaking Changes ### Authelia Version Pinning **Current Version**: `authelia/authelia:4.37.5` **Breaking Changes Identified**: - Authelia v4.39.15+ has breaking configuration changes that are incompatible with the current setup - Database schema changes may require migration or recreation - Configuration file format changes may break existing setups **Action Taken**: - Pinned to v4.37.5 which is confirmed working - Database recreated from scratch to ensure compatibility - Configuration files verified and working **Upgrade Path**: - Test upgrades in a separate environment first - Backup configuration and database before upgrading - Check Authelia changelog for breaking changes - Consider using Authelia's migration tools if available ### Traefik Version Pinning **Current Version**: `traefik:v3` **Notes**: - Traefik v3 is stable and working with current configuration - Configuration format is compatible - No breaking changes identified in current setup ## Configuration Requirements ### File Structure ``` core/ ├── docker-compose.yml # Main service definitions ├── .env # Environment variables ├── authelia/ │ ├── config/ │ | ├── configuration.yml # Authelia main config │ | └── notification.txt | └── secrets/ | └── users_database.yml # User credentials ├── duckdns/ │ └── config/ # DuckDNS configuration ├── traefik/ │ ├── config/ │ │ └── traefik.yml # Traefik static config │ ├── dynamic/ # Dynamic configurations │ │ ├── routes.yml │ │ ├── sablier.yml │ │ └── external-host-*.yml # Remote server routing │ └── letsencrypt/ │ └── acme.json # SSL certificates ```