Cloud Services

Overview

The infrastructure depends on externally operated services even though primary applications run on premises.

Configuration

| Service | Purpose | Local dependency | Owner/status |
|---|---|---|---|
| Public DNS provider | Resolves public KH3Group hostnames | Traefik routes | Provider and account owner to be verified |
| ACME certificate authority | Issues TLS certificates | Traefik certificate store | Active |
| Google OAuth/OpenID | Optional Forgejo sign-in | Forgejo | Client ownership to be verified |
| Starlink service | WAN connectivity | pfSense WAN path | Active |
| Forgejo/Drone webhooks | CI event delivery | Forgejo, Drone CI | Active |

Operational Procedures

  • Keep account recovery and billing ownership in the approved password manager.
  • Record domain renewal dates and provider contacts outside public documentation.
  • Test certificate renewal after DNS, routing, or Traefik changes.
  • Remove OAuth clients when a service is decommissioned.

Troubleshooting

  • Public DNS failure: query authoritative records and compare them with the intended ingress address.
  • Certificate failure: inspect Traefik ACME logs and confirm ports 80 and 443 reach the host.
  • OAuth failure: verify callback URLs and client status without exposing client secrets.
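
The public DNS check from the list above, as an added example (not part of the original page or the site's own tooling): it asks each authoritative nameserver directly and compares the answers with the intended ingress address. The zone, hostname and address defaults are placeholders, and the function names are hypothetical.

```shell
#!/usr/bin/env bash
# Added example. ZONE, HOST and INGRESS_IP defaults are placeholders (assumptions).

# Ask every authoritative nameserver of $1 for the A records of $2 and print
# "nameserver address" pairs. Performs live queries; requires dig.
collect_answers() {
  local zone=$1 host=$2 ns addrs a
  for ns in $(dig +short NS "$zone"); do
    addrs=$(dig +short +norecurse A "$host" "@$ns")
    if [ -z "$addrs" ]; then
      echo "$ns NOANSWER"            # timeout, REFUSED or empty answer
    else
      for a in $addrs; do echo "$ns $a"; done
    fi
  done
}

# Read "nameserver address" pairs on stdin and compare each with the intended
# ingress address $1. Prints one line per disagreement. Returns 0 when every
# pair matches, 1 on any mismatch, 2 when no pairs were supplied at all.
check_answers() {
  local expected=$1 ns addr seen=0 bad=0
  while read -r ns addr; do
    [ -n "$ns" ] || continue
    seen=$((seen + 1))
    if [ "$addr" != "$expected" ]; then
      # A CNAME target or NOANSWER also lands here and needs manual follow-up.
      echo "MISMATCH $ns returned $addr, expected $expected"
      bad=$((bad + 1))
    fi
  done
  if [ "$seen" -eq 0 ]; then
    echo "NO_DATA no authoritative answers collected"
    return 2
  fi
  [ "$bad" -eq 0 ]
}

# Live run only with --live, so sourcing the file stays offline.
if [ "${1:-}" = "--live" ]; then
  collect_answers "${ZONE:-example.com}" "${HOST:-git.example.com}" |
    check_answers "${INGRESS_IP:-203.0.113.10}"
fi
```

A mismatch on only some nameservers points at a stale secondary or an incomplete provider-side change rather than a wrong record.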

References

  • Environment variable names and Traefik runtime configuration observed June 9, 2026