Service access
How production apps are exposed and authenticated. Use this when adding a Traefik router or a new stack. For the auth components (Authelia, LLDAP, and deprecated IdPs), see Authentication.
Layers
| Layer | Scope | Role |
|---|---|---|
| Traefik (*.dripdrop.pro) | Internet / HTTPS | TLS, routing, CrowdSec on websecure |
| Authelia (authelia middleware) | Per-router | Forward-auth; rules in ${DOCKER_APPDATA}/authelia/config/configuration.yml |
| App-native auth | Inside the app | Login UI, OIDC client, or API keys |
| Host-published ports | LAN / Tailscale | Direct to the NAS; bypasses Traefik and CrowdSec |
| Docker networks | Container-to-container | Per-stack isolation; databases are not published publicly |
CrowdSec AppSec is configured fail-open when the AppSec component is down or returns an error (see Infrastructure). IP reputation bans from the LAPI still apply when CrowdSec is healthy.
Access patterns
| Pattern | Traefik | Who can access | Examples |
|---|---|---|---|
| Authelia forward-auth | authelia middleware (optionally admin-only in Authelia rules) | Authenticated users per access_control | Sonarr, Radarr, Bazarr, Prowlarr, Cleanuparr, Dispatcharr, Sportarr (UI), Homepage, Metube, Watchstate, Calibre Web Automated, Shelfmark, Notifiarr, qBitmanage, qui, Mousehole, OliveTin, Grafana, LLDAP UI, Windows VM console |
| App login (public URL) | No Authelia | Anyone with app credentials | Jellyfin, Seerr, Nextcloud, Navidrome |
| OIDC via Authelia | No forward-auth; app handles login | Users who complete Authelia OIDC in the app | Open WebUI |
| Public dashboard | No Authelia | Anyone who can reach the URL | Gatus |
| Public site | No Authelia | Internet | Dripdrop |
| App login (own UI) | No Authelia | Healthchecks credentials | Healthchecks |
| API without forward-auth | Separate router, often PathRegexp('^/api') | API key or app auth | Sonarr, Radarr, Bazarr, Dispatcharr, Sportarr, qBittorrent |
| Internal only | No Traefik router | docker-net / stack-local | Subgen, TVApp2, Apprise, Unpackerr, cross-seed, Ollama API (when not proxied) |
Grafana uses the authelia middleware with an admin-only Authelia rule. Inside
the container, anonymous admin is enabled so authenticated users do not need a
second Grafana login.
Notifiarr adds a Traefik x-webauth-user request header on top of Authelia
forward-auth. Seerr serves seerr.dripdrop.pro; jellyseerr.dripdrop.pro
redirects there. Nextcloud authenticates in-app against LLDAP
via Authelia's LDAP integration. Mousehole shares qBittorrent's network namespace;
its UI port is published on the qBittorrent container (5010 via
VPN_EXPOSE_PORTS_ON_LAN). Set MOUSEHOLE_ALLOWED_HOSTS and
MOUSEHOLE_ALLOWED_ORIGINS when reverse-proxying Mousehole.
Hostnames
| Hostname | Service |
|---|---|
| bazarr.dripdrop.pro | Bazarr |
| calibre-web-automated.dripdrop.pro | Calibre Web Automated |
| dispatcharr.dripdrop.pro | Dispatcharr |
| dripdrop.pro, www.dripdrop.pro | Dripdrop (public) |
| gatus.dripdrop.pro | Gatus (public) |
| home.dripdrop.pro, homepage.dripdrop.pro | Homepage |
| jellyfin.dripdrop.pro | Jellyfin |
| jellyseerr.dripdrop.pro | Seerr (redirect → seerr) |
| macos.dripdrop.pro | macOS VM console |
| metube.dripdrop.pro | Metube |
| mousehole.dripdrop.pro | Mousehole |
| navidrome.dripdrop.pro | Navidrome |
| nextcloud.dripdrop.pro | Nextcloud |
| notifiarr.dripdrop.pro | Notifiarr |
| olivetin.dripdrop.pro | OliveTin |
| ollama.dripdrop.pro | Open WebUI |
| prowlarr.dripdrop.pro | Prowlarr |
| qbittorrent.dripdrop.pro | qBittorrent |
| qui.dripdrop.pro | qui |
| radarr.dripdrop.pro | Radarr |
| seerr.dripdrop.pro | Seerr |
| shelfmark.dripdrop.pro | Shelfmark |
| sonarr.dripdrop.pro | Sonarr |
| sportarr.dripdrop.pro | Sportarr |
| watchstate.dripdrop.pro | Watchstate |
| windows.dripdrop.pro | Windows VM console |
Internal services (no public hostname): Subgen (http://subgen:9000), TVApp2,
Apprise (http://apprise:8000), Unpackerr, cross-seed, and other stack-local
APIs on docker-net.
Monitoring
| Tool | What it covers |
|---|---|
| Gatus (builds/gatus/config.yaml) | Authelia-protected URLs (expects 401 + Authelia body) and internal docker-net health |
| Uptime Robot | Public and OIDC user-facing URLs (Jellyfin, Seerr, Nextcloud, Navidrome, Open WebUI, Dripdrop, …) |
| Healthchecks | Cron and backup job check-ins (separate app login) |
Do not duplicate Uptime Robot checks in Gatus unless you want Discord alerts on the same failure twice.
Adding a new service
- Pick a pattern above (admin tool → Authelia; family app → app login; etc.).
- Add Traefik labels in the stack's `docker-compose*.yaml` (`exposedByDefault` is `false`; set `traefik.enable: "true"` explicitly).
- For Authelia-protected services, add a matching `access_control` rule in the Authelia config and the `authelia` middleware on the router.
- Add Gatus protected + internal checks for non-public admin services, or Uptime Robot for public user-facing URLs.
- Host-published ports are intentional for LAN/Tailscale (Jellyfin, VMs, Ollama API, etc.); they are outside the Traefik/CrowdSec path by design.
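Worked example for the steps above, added here and not taken from the repository's own stacks: a hypothetical admin tool `exampleapp` gets a forward-auth UI router plus a separate `PathRegexp('^/api')` router that skips Authelia (the API pattern from the access-patterns table), the matching Authelia rule, and the Gatus protected + internal checks. The service name, image, port 8080, the `admins` group, and the `authelia@docker` provider suffix are assumptions.

```yaml
# --- 1. Stack docker-compose.yaml: Traefik labels (exposedByDefault is false) ---
services:
  exampleapp:                       # hypothetical service; name, image and port are assumptions
    image: example/exampleapp:latest
    networks: [docker-net]
    labels:
      traefik.enable: "true"        # must be explicit because exposedByDefault is false
      # UI router: Authelia forward-auth in front of every request
      traefik.http.routers.exampleapp.rule: "Host(`exampleapp.dripdrop.pro`)"
      traefik.http.routers.exampleapp.entrypoints: websecure
      # assumes the middleware is defined via labels; use authelia@file if it lives in the file provider
      traefik.http.routers.exampleapp.middlewares: authelia@docker
      # API router: no forward-auth, the app's own API key applies.
      # The longer rule already outranks the UI router; the explicit priority just makes that visible.
      traefik.http.routers.exampleapp-api.rule: "Host(`exampleapp.dripdrop.pro`) && PathRegexp(`^/api`)"
      traefik.http.routers.exampleapp-api.entrypoints: websecure
      traefik.http.routers.exampleapp-api.priority: "100"
      # single service on the container, so both routers use it automatically
      traefik.http.services.exampleapp.loadbalancer.server.port: "8080"
networks:
  docker-net:
    external: true

# --- 2. ${DOCKER_APPDATA}/authelia/config/configuration.yml: matching access_control rule ---
access_control:
  rules:
    - domain: exampleapp.dripdrop.pro
      policy: one_factor            # or two_factor
      subject: ["group:admins"]     # admin-only; the group name is an assumption

# --- 3. builds/gatus/config.yaml: protected check expects the Authelia challenge, not the app ---
endpoints:
  - name: exampleapp (protected)
    group: protected
    url: https://exampleapp.dripdrop.pro/
    interval: 5m
    conditions:
      - "[STATUS] == 401"           # unauthenticated request is stopped at Authelia
      - "[BODY] == pat(*Authelia*)" # and the body is Authelia's, so the middleware really is in front
  - name: exampleapp (internal)
    group: internal
    url: http://exampleapp:8080/    # docker-net health; bypasses Traefik on purpose
    interval: 5m
    conditions:
      - "[STATUS] == 200"
```

If the protected check ever returns 200 instead of 401, the forward-auth middleware has fallen off the router and the app is exposed with only its own login.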