tailwart/authelia/README.md

# authelia

> SSO / 2FA / OIDC for `infinidim.net`, as a tailnet sidecar. Storage in
> Postgres, sessions in Redis, mail via the shared relay — no WAN presence;
> the main box Caddy fronts the portal and gates protected vhosts.

Standalone sibling to [tailwart](/opt/tailwart). See [CLAUDE.md](./CLAUDE.md).

## Layout

```
authelia/
├── docker-compose.yml          # ts-authelia sidecar + authelia
├── config/
│   ├── configuration.yml       # non-secret structure (4.38 strawman)
│   └── users_database.yml      # file backend — admin user (argon2id)
├── caddy-forward-auth.snippet  # portal vhost + (authelia) import for box Caddy
├── acl-snippet.hujson          # tag:authelia owner + backend/edge grants
├── .env.example                # operator surface
└── .gitignore
```

## Quickstart

```bash
cp .env.example .env && $EDITOR .env       # (a generated .env is already here)

# 1. create the authelia role/db in shared Postgres:
docker exec -i federated-shared-db-postgres-1 psql -U postgres <<'SQL'
DO $$ BEGIN
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname='authelia') THEN
    CREATE ROLE authelia LOGIN PASSWORD 'PASTE_AUTHELIA_DB_PASSWORD';
  END IF;
END $$;
SELECT 'CREATE DATABASE authelia OWNER authelia'
 WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname='authelia')\gexec
SQL

# 2. admin console: assign tag:authelia to the OAuth client + paste acl-snippet
# 3. bring up (tailnet-only)
docker compose up -d
# 4. add caddy-forward-auth.snippet to the main box Caddy + a cert for auth.infinidim.net
```

Then log in at `https://auth.infinidim.net` with the admin user from `.env`.

## Status

Pinned to Authelia **4.39.20**. `configuration.yml` passes `authelia config
validate` against that image with the real env — schema and secrets check out.
Runtime backends (Postgres/Redis/SMTP connectivity) get exercised on the first
`docker compose up`.