Cloud Services
Overview
The infrastructure depends on externally operated services even though primary applications run on premises.
Configuration
| Service | Purpose | Local dependency | Owner/status |
|---|---|---|---|
| Public DNS provider | Resolves public KH3Group hostnames | Traefik routes | Provider and account owner to be verified |
| ACME certificate authority | Issues TLS certificates | Traefik certificate store | Active |
| Google OAuth/OpenID | Optional Forgejo sign-in | Forgejo | Client ownership to be verified |
| Starlink service | WAN connectivity | pfSense WAN path | Active |
| Forgejo/Drone webhooks | CI event delivery | Forgejo, Drone CI | Active |
Operational Procedures
- Keep account recovery and billing ownership details in the approved password manager.
- Record domain renewal dates and provider contacts outside public documentation.
- Test certificate renewal after DNS, routing, or Traefik changes.
- Remove OAuth clients when a service is decommissioned.
Troubleshooting
- Public DNS failure: query authoritative records and compare them with the intended ingress address.
- Certificate failure: inspect Traefik ACME logs and confirm ports 80 and 443 reach the host.
- OAuth failure: verify callback URLs and client status without exposing client secrets.
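
The DNS and certificate checks above can be scripted for use after DNS, routing, or Traefik changes. This is an added example, not part of the original runbook or any existing KH3Group tooling. Assumptions: the public hostname and intended ingress address are passed as arguments, and `resolve()` uses the system resolver, so a query against the provider's authoritative name servers is still a separate step.

```python
"""Added example: post-change ingress check (DNS, ports 80/443, certificate expiry)."""
import socket
import ssl
import sys
from datetime import datetime, timezone


def resolve(hostname):
    """Addresses the local resolver returns (assumption: not an authoritative query)."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return {info[4][0] for info in infos}


def dns_drift(resolved, intended):
    """Return (unexpected, missing) address sets; both empty means DNS matches."""
    resolved, intended = set(resolved), set(intended)
    return resolved - intended, intended - resolved


def port_open(host, port, timeout=5.0):
    """True if a TCP connection to host:port succeeds within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def days_left(not_after, now=None):
    """Whole days until a certificate's notAfter (format used by ssl.getpeercert)."""
    expiry = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expiry - (now or datetime.now(timezone.utc))).days


def served_not_after(hostname, port=443, timeout=5.0):
    """Fetch notAfter from the certificate served for hostname, with verification on."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__" and len(sys.argv) == 3:
    # Usage: check.py <public-hostname> <intended-ingress-ip>
    host, ingress = sys.argv[1], sys.argv[2]
    unexpected, missing = dns_drift(resolve(host), {ingress})
    print("DNS unexpected:", sorted(unexpected), "missing:", sorted(missing))
    for port in (80, 443):
        print(f"port {port} reachable:", port_open(ingress, port))
    print("certificate days left:", days_left(served_not_after(host)))
```

Run it from outside the local network so the port checks traverse the WAN path; a TLS verification error from `served_not_after()` is itself a certificate failure worth following up in the Traefik ACME logs.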
Related Systems
References
- Environment variable names and Traefik runtime configuration observed June 9, 2026