All SpaceMusic subdomains and their routing configuration.
DNS
All A records point to a single IP: 136.243.124.138. There is no load balancer -- Traefik handles all routing on the server itself.
Subdomain Map
| Subdomain | Service | Technology | Deploy | Auth |
|---|---|---|---|---|
| stream.spacemusic.tv | Stream Dashboard | SvelteKit + LiveKit SDK | devpush (Node.js 20) | Authentik forward auth |
| livekit.spacemusic.tv | LiveKit SFU | LiveKit Server v1.6.1 | Docker (host network) | LiveKit JWT |
| livekit-whip.spacemusic.tv | WHIP Ingest | LiveKit Ingress | Docker (host network) | LiveKit JWT |
| livekit-turn.spacemusic.tv | TURN Server | LiveKit built-in | Docker (host network) | TURN credentials |
| api.spacemusic.tv | API Gateway | SvelteKit | Docker Compose + GitHub Actions | SSO headers / API key |
| auth.spacemusic.tv | SSO | Authentik 2026.2 | Docker Compose + GitHub Actions | (identity provider) |
| dashboard.spacemusic.tv | Monitoring | Grafana | Docker Compose + GitHub Actions | Authentik OIDC |
| storage.spacemusic.tv | Storage Console | MinIO | Docker Compose + GitHub Actions | Authentik OIDC |
| storage-api.spacemusic.tv | S3 API | MinIO | Docker Compose + GitHub Actions | S3 credentials |
| relay.spacemusic.tv | WebSocket Relay | Centrifugo v6 | Docker Compose + GitHub Actions | JWT / API key |
| uptime.spacemusic.tv | Uptime Monitoring | Kuvasz | Docker Compose + GitHub Actions | Authentik forward auth |
| docs.spacemusic.tv | Documentation | MkDocs (shadcn) | devpush (Python) | Authentik forward auth |
| deploy.spacemusic.tv | Deployment UI | devpu.sh | (platform itself) | devpush admin |
| edit.spacemusic.com | UWD Editor | SvelteKit | devpush (Node.js 20) | Authentik forward auth |
| edit.origin-infinite.com | UWD Editor | SvelteKit | devpush (Node.js 20) | Authentik forward auth |
| preset-dashboard.spacemusic.tv | Dashboard Preset | SvelteKit | devpush (Node.js 20) | Authentik forward auth |
Traefik Routing
Traefik is the reverse proxy handling all HTTPS routing and TLS certificates. It uses file-based dynamic configuration stored at /var/lib/devpush/traefik/ on the server.
Each service has its own Traefik config file (e.g., authentik.yml, storage.yml, relay.yml) that defines:
- A router matching the hostname
- A service pointing to the container's internal port
- TLS via Let's Encrypt (`certResolver: le`)
- Optional middleware (e.g., `authentik@file` for forward auth)
Example Traefik config structure:
```yaml
http:
  routers:
    my-service:
      rule: "Host(`my-service.spacemusic.tv`)"
      entrypoints:
        - websecure
      service: my-service
      tls:
        certResolver: le
      middlewares:
        - authentik@file
  services:
    my-service:
      loadBalancer:
        servers:
          - url: "http://container-name:8000"
```
devpush-managed services get their Traefik config generated automatically by devpush. The devpush-auth-patch.sh systemd watcher then injects the authentik@file middleware into those generated configs after every deploy.
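Because forward auth on devpush-managed services depends on the watcher patching each generated file, it is worth checking that every router actually carries the middleware. The following audit is an added example, not part of devpush or the SpaceMusic tooling; the router name `unpatched-app`, the `exempt` parameter and the sample config are constructed for illustration, and the reader only handles block-style YAML laid out like the example above.

```python
SAMPLE = """\
http:
  routers:
    my-service:
      rule: "Host(`my-service.spacemusic.tv`)"
      service: my-service
      tls:
        certResolver: le
      middlewares:
        - authentik@file
    unpatched-app:
      rule: "Host(`unpatched-app.spacemusic.tv`)"
      service: unpatched-app
      tls:
        certResolver: le
"""  # constructed input; the router "unpatched-app" is hypothetical

def parse_routers(text):
    """Minimal reader for block-style YAML shaped like the example (no flow syntax or anchors)."""
    routers, stack = {}, []  # stack holds (indent, key) for each open mapping
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        is_item = body.startswith("- ")
        while stack and (stack[-1][0] > indent or (not is_item and stack[-1][0] == indent)):
            stack.pop()
        if not is_item:
            key, _, value = body.partition(":")
            stack.append((indent, key.strip()))
        path = [k for _, k in stack]
        if path[:2] == ["http", "routers"] and len(path) > 2:
            r = routers.setdefault(path[2], {"middlewares": [], "certResolver": None})
            if is_item and path[3:] == ["middlewares"]:
                r["middlewares"].append(body[2:].strip().strip("\"'"))
            elif not is_item and path[3:] == ["tls", "certResolver"]:
                r["certResolver"] = value.strip().strip("\"'")
    return routers

def audit(text, exempt=()):
    """Return (router, problem) pairs; `exempt` lists routers that authenticate by other means."""
    findings = []
    for name, r in parse_routers(text).items():
        if name not in exempt and "authentik@file" not in r["middlewares"]:
            findings.append((name, "missing authentik@file middleware"))
        if r["certResolver"] != "le":
            findings.append((name, "tls.certResolver is not le"))
    return findings
```

Run `audit()` over the contents of each file in the Traefik config directory after a deploy, passing in `exempt` the routers for services that the subdomain map lists with their own auth (LiveKit JWT, S3 credentials and so on).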
Adding a New Subdomain
- Create a DNS A record pointing to `136.243.124.138`
- Create a Traefik config file at `/var/lib/devpush/traefik/<service>.yml`
- If the service needs SSO, add `authentik@file` middleware and create a Proxy Provider in Authentik
- Traefik will automatically detect the new config file and request a Let's Encrypt certificate