wayne/tailwart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
main
tailwart/authelia/acl-snippet.hujson

19 lines
972 B
Plaintext
Raw Permalink Normal View History

authelia: vendor into the tree under authelia/ with a single root .env Move the Authelia stack (compose, config, snippets, docs) out of the separate /opt/authelia repo into authelia/, so the whole deployment shares ONE operator .env at the repo root. The four shared infra vars (TS_OAUTH_CLIENT_SECRET, TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore folded in. Run from the repo root: docker compose -f authelia/docker-compose.yml up -d (or: cd authelia && docker compose up -d — the .env symlink makes it resolve). The standalone /opt/authelia is left intact as a history archive; remove once this is verified. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 21:30:18 -04:00
// authelia — merge into your live Tailscale policy (admin console). Snippet only.
// 1) tagOwners — self-ownership required for auth-key node creation:
// "tag:authelia": ["autogroup:admin", "tag:authelia"],
// 2) grants — Authelia reaches its two shared backends:
{ "src": ["tag:authelia"], "dst": ["tag:db-postgres"], "ip": ["tcp:5432"] },
{ "src": ["tag:authelia"], "dst": ["tag:db-redis"], "ip": ["tcp:6379"] },
// 3) grant — the main Caddy (tag:reverse-proxy) reaches the portal/verify API.
{ "src": ["tag:reverse-proxy"], "dst": ["tag:authelia"], "ip": ["tcp:9091"] },
// 4) admin console (not this file): assign tag:authelia to the same OAuth
// client, on the Devices/Core + Keys/AuthKeys scopes.
// NOTE on SMTP: the sidecar reaches the relay (smtp.infinidim.net:587) the same
// way the fediverse apps do. If that relay is a TAILNET host (not public),
// add: { "src": ["tag:authelia"], "dst": ["<relay-tag-or-host>"], "ip": ["tcp:587"] }
Reference in New Issue Copy Permalink