Vish/homelab-optimized
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Sanitized mirror from private repository - 2026-04-20 01:24:42 UTC
Some checks failed
Documentation / Build Docusaurus (push) Failing after 5m5s
Details
Documentation / Deploy to GitHub Pages (push) Has been skipped
Details

Browse Source
This commit is contained in:
Gitea Mirror Bot
2026-04-20 01:24:42 +00:00
commit e71c8ddb4b
1441 changed files with 363888 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

122
docs/infrastructure/domain-migration-synology.md Normal file
View File

@@ -0,0 +1,122 @@
# Synology Domain Migration Guide
Migrating from `*.vishconcord.synology.me` to `*.vish.gg` domains.
## Why Migrate?
- **Consistency**: All services under your own domain
- **Control**: Full DNS control via Cloudflare
- **Security**: Can proxy through Cloudflare (orange cloud)
- **Professional**: Cleaner URLs for sharing
- **SSO**: Easier Authentik integration with single domain
## Current → New Domain Mapping
### Calypso Services (Stay at Location A)
| Current | New | Service | Expose? |
|---------|-----|---------|---------|
| `sf.vishconcord.synology.me` | `sf.vish.gg` | Seafile | Yes - sharing |
| `dav.vishconcord.synology.me` | `dav.vish.gg` | Seafile WebDAV | Internal |
| `actual.vishconcord.synology.me` | `actual.vish.gg` | Actual Budget | Internal |
| `paperlessngx.vishconcord.synology.me` | `docs.vish.gg` | Paperless-NGX | Internal |
| `ost.vishconcord.synology.me` | `ost.vish.gg` | OST | Internal |
| `retro.vishconcord.synology.me` | `retro.vish.gg` | Retro site | Maybe |
| `rackula.vishconcord.synology.me` | - | Rackula (broken) | Remove |
### Atlantis Services (Move to Location B)
| Current | New | Service | Expose? |
|---------|-----|---------|---------|
| `ollama.vishconcord.synology.me` | `ollama.vish.gg` | Ollama AI | Internal |
| `ssh.vishconcord.synology.me` | - | Termix SSH | Internal/VPN |
| `rxv4access.vishconcord.synology.me` | - | RXV4 Access | Internal |
| `rxv4download.vishconcord.synology.me` | - | RXV4 Download | Internal |
## Migration Steps
### Step 1: Create DNS Records
For each new domain, create an A record in Cloudflare:
```bash
# Example: sf.vish.gg
curl -X POST "https://api.cloudflare.com/client/v4/zones/ZONE_ID/dns_records" \
-H "Authorization: Bearer TOKEN" \
-H "Content-Type: application/json" \
--data '{
"type": "A",
"name": "sf.vish.gg",
"content": "YOUR_WAN_IP",
"ttl": 1,
"proxied": true
}'
```
### Step 2: Update Synology Reverse Proxy
For each service, add a new reverse proxy entry with the new domain:
1. DSM → Control Panel → Login Portal → Advanced → Reverse Proxy
2. Create new entry with same backend, new domain
3. Assign SSL certificate (Cloudflare origin cert)
### Step 3: Update SSL Certificates
The existing `*.vish.gg` Cloudflare origin certificate should cover new subdomains.
If needed, generate a new certificate covering:
- `*.vish.gg`
- `vish.gg`
### Step 4: Test New Domains
Test each new domain before removing old ones.
### Step 5: Remove Old Entries
Once confirmed working, remove the `*.synology.me` reverse proxy entries.
## Authentik Protection
### Services to Protect with SSO
| Domain | Service | Auth Required? |
|--------|---------|----------------|
| `sf.vish.gg` | Seafile | Yes (has share links) |
| `docs.vish.gg` | Paperless | Yes |
| `actual.vish.gg` | Actual Budget | Yes |
| `gf.vish.gg` | Grafana | Yes (already configured) |
| `git.vish.gg` | Gitea | Yes (already configured) |
### Services to Keep Public (or with built-in auth)
| Domain | Service | Reason |
|--------|---------|--------|
| `sso.vish.gg` | Authentik | Is the auth provider |
| `pw.vish.gg` | Vaultwarden | Has own auth |
| `mastodon.vish.gg` | Mastodon | Public social |
| `ntfy.vish.gg` | Ntfy | Notification endpoint |
### Forward Auth Setup
Use Authentik as a forward auth proxy:
```nginx
# In reverse proxy config
location / {
auth_request /outpost.goauthentik.io/auth/nginx;
# ... rest of config
}
```
See [Authentik Proxy Provider docs](https://docs.goauthentik.io/docs/providers/proxy/) for full setup.
## Implementation Order
1. **Phase 1**: Create DNS records for new domains
2. **Phase 2**: Add reverse proxy entries (keep old ones working)
3. **Phase 3**: Test new domains thoroughly
4. **Phase 4**: Add Authentik protection where needed
5. **Phase 5**: Remove old `*.synology.me` entries
6. **Phase 6**: Update any apps/configs using old URLs