Why
The dominant motivation for HaLOS's multi-hostname support is "access the device from a network other than the LAN it's plugged into" — typically over a VPN. The mechanics exist (per-hostname Authelia cookies, per-hostname OIDC redirect_uris, path-only Traefik routing), but there is no user-facing page that pulls them together into a task-oriented "I want to access HaLOS away from home" workflow. Today an operator has to read three architecture docs and a hostnames.conf comment block to assemble the picture.
Proposed page
Location: docs/user-guide/remote-access-vpn.md, listed in mkdocs.yml nav after Networking in the User Guide.
Outline:
- Why VPN access — short framing: ssh works, but Cockpit/Homarr/Signal K behind SSO need an OIDC bounce, and the OIDC issuer is
*.local by default, which doesn't resolve over most VPNs.
- The name-resolution requirement — the device needs at least one hostname that resolves to its IP both from the LAN and from the VPN. The page should explain why this is unavoidable (single-issuer OIDC constraint, brief) and what the failure mode looks like (browser shows DNS error when clicking Login).
- Recipe: Tailscale (recommended) — easiest because MagicDNS gives every device a name that resolves from anywhere on the tailnet without extra DNS setup. Worked example: install Tailscale, get
halosdev.<tailnet>.ts.net, add it to /etc/halos/hostnames.conf as the first line, sudo systemctl restart halos-core-containers.service, verify by browsing from a Tailscale-connected client.
- Recipe: WireGuard + split-horizon DNS — for users running their own VPN. Same shape, but the user is responsible for ensuring the chosen hostname resolves on both networks (e.g., dnsmasq sidecar on the WireGuard server, internal DNS A record). Less hand-holding than Tailscale.
- Recipe:
/etc/hosts on each client — the escape hatch. Not recommended but documented because it always works.
- Gotchas:
- DoH (Firefox, mobile browsers): the browser's resolver may bypass the VPN's DNS entirely. Test from the actual client browser, not just
nslookup.
- Mobile clients on cellular: Tailscale works; raw WireGuard requires the client to be configured with the VPN's DNS.
- mDNS does not cross VPN tunnels by default (and shouldn't be made to — mDNS reflection has its own footguns).
- Verifying it works —
nslookup halosdev.<vpn-name> from a VPN client, then full browser login flow, then check that the URL bar stays on the VPN hostname end-to-end (not just the Authelia bounce).
- Reverting — move
${hostname}.local back to the first line in hostnames.conf, restart. Active OIDC sessions will need to re-authenticate (cookies are scoped to the old canonical).
Cross-links to add
user-guide/networking.md → "For remote access over a VPN, see Remote Access (VPN)."
architecture/sso.md → "The single-issuer constraint shapes how VPN access works in practice — see Remote Access (VPN)."
Out of scope (separate issues if wanted)
- Documenting
hostnames.conf syntax exhaustively (the in-file comments already do a decent job; could be promoted to a Reference page later).
- Tailscale subnet routes vs. direct device-on-tailnet trade-offs (audience overlap is small enough to defer).
Why
The dominant motivation for HaLOS's multi-hostname support is "access the device from a network other than the LAN it's plugged into" — typically over a VPN. The mechanics exist (per-hostname Authelia cookies, per-hostname OIDC
redirect_uris, path-only Traefik routing), but there is no user-facing page that pulls them together into a task-oriented "I want to access HaLOS away from home" workflow. Today an operator has to read three architecture docs and ahostnames.confcomment block to assemble the picture.Proposed page
Location:
docs/user-guide/remote-access-vpn.md, listed inmkdocs.ymlnav after Networking in the User Guide.Outline:
*.localby default, which doesn't resolve over most VPNs.halosdev.<tailnet>.ts.net, add it to/etc/halos/hostnames.confas the first line,sudo systemctl restart halos-core-containers.service, verify by browsing from a Tailscale-connected client./etc/hostson each client — the escape hatch. Not recommended but documented because it always works.nslookup.nslookup halosdev.<vpn-name>from a VPN client, then full browser login flow, then check that the URL bar stays on the VPN hostname end-to-end (not just the Authelia bounce).${hostname}.localback to the first line inhostnames.conf, restart. Active OIDC sessions will need to re-authenticate (cookies are scoped to the old canonical).Cross-links to add
user-guide/networking.md→ "For remote access over a VPN, see Remote Access (VPN)."architecture/sso.md→ "The single-issuer constraint shapes how VPN access works in practice — see Remote Access (VPN)."Out of scope (separate issues if wanted)
hostnames.confsyntax exhaustively (the in-file comments already do a decent job; could be promoted to a Reference page later).