From b21d96b69fda5fdadfc0684cd57344767ad783a8 Mon Sep 17 00:00:00 2001 From: EnigmaCurry Date: Thu, 17 Oct 2024 00:56:48 -0600 Subject: [PATCH] TFA diagram --- books/portable-docker.org | 35 ++++++++++++++++++++++++++++++++++- 1 file changed, 34 insertions(+), 1 deletion(-) diff --git a/books/portable-docker.org b/books/portable-docker.org index b35fa8119..4ff0f938f 100644 --- a/books/portable-docker.org +++ b/books/portable-docker.org @@ -114,7 +114,14 @@ proxy (ingress), which forwards incoming connections through a backdoor VPN connection to the Raspberry Pi. The Pi automatically initiates this connection to the sentry whenever it boots and comes online. -[[/img/portable-docker/vpn-diagram.webp]] +#+begin_mermaid +graph TD; + Web1[Web browser] -->|Internet| Sentry[Public Sentry] + Web2[curl] -->|Internet| Sentry + SFTP[SFTP client] -->|Internet| Sentry + Sentry <---->|WireGuard VPN| C[Raspberry Pi] +#+end_mermaid + ** WireGuard VPN @@ -2717,6 +2724,20 @@ the Raspberry Pi even during emergency maintenance cycles, including restarting Traefik, restarting Docker, or even rebooting the system (the persistent tunnels will be restarted on boot). +#+begin_mermaid +--- +title: SSH and wireguard operate independently +--- +graph TD; +S1[SSH client] -->|Public TCP port 2220| SSH +W1[Wireguard client] -->|Public UDP port 51820| WG +subgraph Docker server + SSH[SSH server] + WG[Wireguard server] +end +#+end_mermaid + + *** Ensure the SSH server is secure During the =rpi-imager= configuration, you should have selected the 
@@ -3287,6 +3308,18 @@ git clone ssh://git@git.pi.example.com:2222/username/repository.git :EXPORT_HUGO_WEIGHT: 630 :END: +#+begin_mermaid +--- +title: Traefik Forward Auth +--- +graph LR; + Start[Request...] -->|HTTP| Traefik + Traefik -->|Sends the request to AuthServer| TFA[Traefik-Forward-Auth] + TFA -->|Returns OK / KO| Traefik + Traefik -->|If OK, proceed...| Proceed[...Access Granted] + Traefik -->|If KO, returns the error| Start +#+end_mermaid + *** Sentry authorization Some apps may already have their own authentication mechanisms, while
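Review bot: in the first hunk (`@@ -114,7 +114,14 @@`), the edge `Sentry <---->|WireGuard VPN| C[Raspberry Pi]` drops the one detail the surrounding context makes a point of, that the Pi "automatically initiates this connection to the sentry whenever it boots"; a double-headed arrow reads as a peer link, while the security-relevant property is that the Pi dials out and exposes no inbound port. Suggest a single-headed edge from the Pi with the direction in the label, e.g. `C[Raspberry Pi] -->|WireGuard VPN, initiated by Pi| Sentry`, and note in the label if the tunnel carries return traffic. This diagram is also the only one of the three without the `---` / `title:` front matter the other two carry; add one for consistency. Finally, the hunk removes the reference `[[/img/portable-docker/vpn-diagram.webp]]` but the diffstat lists only `books/portable-docker.org` as changed, so the now unreferenced image file stays in the repo; delete it here or confirm it is still used elsewhere.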
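Review bot: in the second hunk (`@@ -2717,6 +2724,20 @@`), the `subgraph Docker server` groups `SSH[SSH server]` and `WG[Wireguard server]` together, which reads as both running under Docker, yet the context lines just above promise the SSH path survives "restarting Docker, or even rebooting the system"; if sshd is the host's own service, label the subgraph as the host (e.g. `subgraph Raspberry Pi host`) and, if WireGuard is a container, nest it in its own `subgraph Docker` so the independence the title claims is visible in the picture. The title `SSH and wireguard operate independently` and the nodes `Wireguard client` / `Wireguard server` also use a different capitalization than the page's own heading `** WireGuard VPN` and the first hunk's edge label; use `WireGuard` throughout. Minor: the hunk adds a `+` blank line immediately before the existing blank line ahead of `*** Ensure the SSH server is secure`, leaving a double blank; drop one.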
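Review bot: in the third hunk (`@@ -3287,6 +3308,18 @@`), the denial path `Traefik -->|If KO, returns the error| Start` points back at the node labelled `Request...`, so on the rendered graph a KO looks like a loop that re-issues the request rather than an error returned to the client; give the client its own node as the source of the request (e.g. `Client -->|HTTP| Traefik`) and route the KO edge to it, or add a terminal `Denied[...Access Denied]` node to pair with `Proceed[...Access Granted]`. The label `Sends the request to AuthServer` should also state what is actually sent to `TFA[Traefik-Forward-Auth]` (the full request, or only its headers) and what happens to the error body on KO, since that is what tells the reader whether the protected app ever sees an unauthenticated request; if the diagram is not the place for it, add a sentence below the block. The node name `Traefik-Forward-Auth` and the title `Traefik Forward Auth` differ in hyphenation; pick one.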