From 35bb14028f6bb58eeb7306ba93c957a979a4d75e Mon Sep 17 00:00:00 2001
From: Eduardo David Paredes Vara <34484630+epava1516@users.noreply.github.com>
Date: Thu, 18 Dec 2025 10:50:07 +0100
Subject: [PATCH] Refactor Traefik configuration for Authentik

Updated Traefik router rules and added new callback for www.thehomelesssherlock.com.
---
 authentik/docker-compose.yml | 28 ++++++++++++++++++++--------
 1 file changed, 20 insertions(+), 8 deletions(-)

diff --git a/authentik/docker-compose.yml b/authentik/docker-compose.yml
index 9b61016..1019d9b 100644
--- a/authentik/docker-compose.yml
+++ b/authentik/docker-compose.yml
@@ -37,7 +37,6 @@ services:
       AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS_HOST}
-      # Bootstrap inicial (primera vez)
       AUTHENTIK_BOOTSTRAP_EMAIL: ${AUTHENTIK_BOOTSTRAP_EMAIL}
       AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
       AUTHENTIK_BOOTSTRAP_TOKEN: ${AUTHENTIK_BOOTSTRAP_TOKEN}
@@ -57,24 +56,37 @@ services:
       traefik.enable: "true"
       traefik.docker.network: "${TRAEFIK_DOCKER_NETWORK}"
-      # Router del panel de Authentik
-      traefik.http.routers.authentik.rule: "Host(`${AUTHENTIK_DOMAIN}`)"
-      traefik.http.routers.authentik.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
-      traefik.http.routers.authentik.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
+      # Service Authentik (panel + endpoints)
       traefik.http.services.authentik.loadbalancer.server.port: "${AUTHENTIK_HTTP_PORT}"
-      # Middleware de forwardAuth que usaremos en Portainer, Pi-hole, etc.
+      # Panel Authentik (auth.thehomelesssherlock.com)
+      traefik.http.routers.authentik.rule: "Host(`${AUTHENTIK_DOMAIN}`)"
+      traefik.http.routers.authentik.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
+      traefik.http.routers.authentik.tls: "true"
+      traefik.http.routers.authentik.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
+      traefik.http.routers.authentik.service: "authentik"
+
+      # Middleware forwardAuth (para proteger otros servicios)
       traefik.http.middlewares.authentik.forwardauth.address: "http://authentik-server:${AUTHENTIK_HTTP_PORT}/outpost.goauthentik.io/auth/traefik"
       traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: "true"
       traefik.http.middlewares.authentik.forwardauth.authResponseHeaders: "X-Authentik-Username,X-Authentik-Groups,X-Authentik-Email,X-Authentik-Uid,X-Authentik-Jwt"
-      # Callback del outpost en gitea hacia Authentik
+      # Callback del outpost en gitea hacia Authentik (ya lo tenías)
       traefik.http.routers.authentik-outpost-gitea.rule: "Host(`${GITEA_DOMAIN}`) && PathPrefix(`/outpost.goauthentik.io/`)"
       traefik.http.routers.authentik-outpost-gitea.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
+      traefik.http.routers.authentik-outpost-gitea.tls: "true"
       traefik.http.routers.authentik-outpost-gitea.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
       traefik.http.routers.authentik-outpost-gitea.service: "authentik"
       traefik.http.routers.authentik-outpost-gitea.priority: "50"
+      # ✅ CORRECCIÓN: Callback del outpost para tu WEB (www.thehomelesssherlock.com)
+      traefik.http.routers.authentik-outpost-ths.rule: "Host(`${THS_DOMAIN}`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      traefik.http.routers.authentik-outpost-ths.entrypoints: "${TRAEFIK_ENTRYPOINT_SECURE}"
+      traefik.http.routers.authentik-outpost-ths.tls: "true"
+      traefik.http.routers.authentik-outpost-ths.tls.certresolver: "${TRAEFIK_CERTRESOLVER}"
+      traefik.http.routers.authentik-outpost-ths.service: "authentik"
+      traefik.http.routers.authentik-outpost-ths.priority: "250"
+
   authentik-worker:
     image: ${AUTHENTIK_IMAGE}
     container_name: authentik-worker
@@ -93,6 +105,7 @@ services:
     depends_on:
       - authentik-postgres
      - authentik-redis
+
     networks:
       - authentik_internal
@@ -101,4 +114,3 @@ networks:
     external: true
   authentik_internal:
     driver: bridge
-
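Review bot: The new `authentik-outpost-ths` router keys on `${THS_DOMAIN}`, a variable no other line in this hunk uses, and Compose substitutes an empty string for an unset variable, so a missing `.env` entry would yield `Host(``)` — a rule Traefik either rejects or never matches — instead of a startup error; the fail-fast form `Host(`${THS_DOMAIN:?THS_DOMAIN is not set}`)` makes the dependency explicit. The two outpost routers also disagree on priority (`"50"` on the gitea one, `"250"` on the new one) and nothing in the hunk explains why a different value is needed; if both only have to outrank their domain's own router, one shared value documents the intent. The added comments hard-code `auth.thehomelesssherlock.com` and `www.thehomelesssherlock.com` beside rules that use `${AUTHENTIK_DOMAIN}` and `${THS_DOMAIN}`, and read as pasted chat notes (`✅ CORRECCIÓN`, `ya lo tenías`); a comment such as `# Outpost callback for ${THS_DOMAIN}; must outrank the site's own router` says the same thing without drifting from the variable. The enclosing `services:` mapping starts before and ends after this hunk.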