tailwart/authelia/caddy-forward-auth.snippet

# Wired into the MAIN box Caddyfile (/etc/caddy/Caddyfile). Authelia is layer 7,
# so unlike tailwart's mail edge it's an ordinary reverse_proxy + forward_auth.
# This file mirrors what is deployed. Upstream host = AUTHELIA_MAGIC_NAME, the
# Authelia node's MagicDNS name (currently `agrajag`).
#
# Two deliberate differences from a vanilla Authelia example, to match this host:
#  - No explicit `tls` cert files: this Caddy uses automatic HTTPS like its other
#    vhosts (there is no /etc/caddy/certs). ACME for auth.infinidim.net works via
#    the :443→:8443 SNI fan-out (tls-alpn-01) and :80 (http-01).
#    NOTE: infinidim.net has a CAA record pinning issuance to Let's Encrypt by
#    accounturi — this Caddy's LE account must be listed there or issuance 403s
#    ("CAA record prevents issuance"). Stalwart's account + this Caddy's account
#    are both allowlisted.
#  - Endpoint is /api/authz/forward-auth (Authelia 4.38+/4.39 path). The legacy
#    /api/verify?rd=... is deprecated; the portal redirect comes from
#    `authelia_url` in configuration.yml, so no ?rd= query is needed.

# 1) The Authelia portal itself (access_control marks it `bypass`).
auth.infinidim.net {
    reverse_proxy agrajag.tail7b1641.ts.net:9091
}

# 2) A reusable forward-auth snippet — import it into any vhost you want SSO on.
(authelia) {
    forward_auth agrajag.tail7b1641.ts.net:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
}

# 3) Example protected service: gate it behind Authelia, then proxy the backend.
# secure-app.infinidim.net {
#     import authelia
#     reverse_proxy some-backend.tail7b1641.ts.net:8080
# }
authelia: sync caddy-forward-auth snippet to deployed reality The portal vhost + forward-auth are now live on the main box Caddy. Align the template with what was actually deployed: - upstream host -> agrajag.tail7b1641.ts.net (the Authelia node's MagicDNS name), replacing the majikthise placeholder - drop the explicit `tls` cert-file lines: this Caddy uses automatic HTTPS (no /etc/caddy/certs); ACME for auth.infinidim.net rides the :443->:8443 SNI fan-out (tls-alpn-01) + :80 (http-01) - forward-auth endpoint /api/verify?rd=... -> /api/authz/forward-auth, the Authelia 4.39 path; portal redirect comes from authelia_url in the yml - note the infinidim.net CAA accounturi pin: a new L7 vhost 403s until this Caddy's LE account is allowlisted (now done alongside Stalwart's) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-12 21:24:59 -04:00			`# Wired into the MAIN box Caddyfile (/etc/caddy/Caddyfile). Authelia is layer 7,`
authelia: vendor into the tree under authelia/ with a single root .env Move the Authelia stack (compose, config, snippets, docs) out of the separate /opt/authelia repo into authelia/, so the whole deployment shares ONE operator .env at the repo root. The four shared infra vars (TS_OAUTH_CLIENT_SECRET, TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore folded in. Run from the repo root: docker compose -f authelia/docker-compose.yml up -d (or: cd authelia && docker compose up -d — the .env symlink makes it resolve). The standalone /opt/authelia is left intact as a history archive; remove once this is verified. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-11 21:30:18 -04:00			`# so unlike tailwart's mail edge it's an ordinary reverse_proxy + forward_auth.`
authelia: sync caddy-forward-auth snippet to deployed reality The portal vhost + forward-auth are now live on the main box Caddy. Align the template with what was actually deployed: - upstream host -> agrajag.tail7b1641.ts.net (the Authelia node's MagicDNS name), replacing the majikthise placeholder - drop the explicit `tls` cert-file lines: this Caddy uses automatic HTTPS (no /etc/caddy/certs); ACME for auth.infinidim.net rides the :443->:8443 SNI fan-out (tls-alpn-01) + :80 (http-01) - forward-auth endpoint /api/verify?rd=... -> /api/authz/forward-auth, the Authelia 4.39 path; portal redirect comes from authelia_url in the yml - note the infinidim.net CAA accounturi pin: a new L7 vhost 403s until this Caddy's LE account is allowlisted (now done alongside Stalwart's) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-12 21:24:59 -04:00			`# This file mirrors what is deployed. Upstream host = AUTHELIA_MAGIC_NAME, the`
			# Authelia node's MagicDNS name (currently `agrajag`).
			`#`
			`# Two deliberate differences from a vanilla Authelia example, to match this host:`
			# - No explicit `tls` cert files: this Caddy uses automatic HTTPS like its other
			`# vhosts (there is no /etc/caddy/certs). ACME for auth.infinidim.net works via`
			`# the :443→:8443 SNI fan-out (tls-alpn-01) and :80 (http-01).`
			`# NOTE: infinidim.net has a CAA record pinning issuance to Let's Encrypt by`
			`# accounturi — this Caddy's LE account must be listed there or issuance 403s`
			`# ("CAA record prevents issuance"). Stalwart's account + this Caddy's account`
			`# are both allowlisted.`
			`# - Endpoint is /api/authz/forward-auth (Authelia 4.38+/4.39 path). The legacy`
			`# /api/verify?rd=... is deprecated; the portal redirect comes from`
			# `authelia_url` in configuration.yml, so no ?rd= query is needed.
authelia: vendor into the tree under authelia/ with a single root .env Move the Authelia stack (compose, config, snippets, docs) out of the separate /opt/authelia repo into authelia/, so the whole deployment shares ONE operator .env at the repo root. The four shared infra vars (TS_OAUTH_CLIENT_SECRET, TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore folded in. Run from the repo root: docker compose -f authelia/docker-compose.yml up -d (or: cd authelia && docker compose up -d — the .env symlink makes it resolve). The standalone /opt/authelia is left intact as a history archive; remove once this is verified. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-11 21:30:18 -04:00
authelia: sync caddy-forward-auth snippet to deployed reality The portal vhost + forward-auth are now live on the main box Caddy. Align the template with what was actually deployed: - upstream host -> agrajag.tail7b1641.ts.net (the Authelia node's MagicDNS name), replacing the majikthise placeholder - drop the explicit `tls` cert-file lines: this Caddy uses automatic HTTPS (no /etc/caddy/certs); ACME for auth.infinidim.net rides the :443->:8443 SNI fan-out (tls-alpn-01) + :80 (http-01) - forward-auth endpoint /api/verify?rd=... -> /api/authz/forward-auth, the Authelia 4.39 path; portal redirect comes from authelia_url in the yml - note the infinidim.net CAA accounturi pin: a new L7 vhost 403s until this Caddy's LE account is allowlisted (now done alongside Stalwart's) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-12 21:24:59 -04:00			# 1) The Authelia portal itself (access_control marks it `bypass`).
authelia: vendor into the tree under authelia/ with a single root .env Move the Authelia stack (compose, config, snippets, docs) out of the separate /opt/authelia repo into authelia/, so the whole deployment shares ONE operator .env at the repo root. The four shared infra vars (TS_OAUTH_CLIENT_SECRET, TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore folded in. Run from the repo root: docker compose -f authelia/docker-compose.yml up -d (or: cd authelia && docker compose up -d — the .env symlink makes it resolve). The standalone /opt/authelia is left intact as a history archive; remove once this is verified. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-11 21:30:18 -04:00			`auth.infinidim.net {`
authelia: sync caddy-forward-auth snippet to deployed reality The portal vhost + forward-auth are now live on the main box Caddy. Align the template with what was actually deployed: - upstream host -> agrajag.tail7b1641.ts.net (the Authelia node's MagicDNS name), replacing the majikthise placeholder - drop the explicit `tls` cert-file lines: this Caddy uses automatic HTTPS (no /etc/caddy/certs); ACME for auth.infinidim.net rides the :443->:8443 SNI fan-out (tls-alpn-01) + :80 (http-01) - forward-auth endpoint /api/verify?rd=... -> /api/authz/forward-auth, the Authelia 4.39 path; portal redirect comes from authelia_url in the yml - note the infinidim.net CAA accounturi pin: a new L7 vhost 403s until this Caddy's LE account is allowlisted (now done alongside Stalwart's) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-12 21:24:59 -04:00			`reverse_proxy agrajag.tail7b1641.ts.net:9091`
authelia: vendor into the tree under authelia/ with a single root .env Move the Authelia stack (compose, config, snippets, docs) out of the separate /opt/authelia repo into authelia/, so the whole deployment shares ONE operator .env at the repo root. The four shared infra vars (TS_OAUTH_CLIENT_SECRET, TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore folded in. Run from the repo root: docker compose -f authelia/docker-compose.yml up -d (or: cd authelia && docker compose up -d — the .env symlink makes it resolve). The standalone /opt/authelia is left intact as a history archive; remove once this is verified. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-11 21:30:18 -04:00			`}`

			`# 2) A reusable forward-auth snippet — import it into any vhost you want SSO on.`
			`(authelia) {`
authelia: sync caddy-forward-auth snippet to deployed reality The portal vhost + forward-auth are now live on the main box Caddy. Align the template with what was actually deployed: - upstream host -> agrajag.tail7b1641.ts.net (the Authelia node's MagicDNS name), replacing the majikthise placeholder - drop the explicit `tls` cert-file lines: this Caddy uses automatic HTTPS (no /etc/caddy/certs); ACME for auth.infinidim.net rides the :443->:8443 SNI fan-out (tls-alpn-01) + :80 (http-01) - forward-auth endpoint /api/verify?rd=... -> /api/authz/forward-auth, the Authelia 4.39 path; portal redirect comes from authelia_url in the yml - note the infinidim.net CAA accounturi pin: a new L7 vhost 403s until this Caddy's LE account is allowlisted (now done alongside Stalwart's) Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-12 21:24:59 -04:00			`forward_auth agrajag.tail7b1641.ts.net:9091 {`
			`uri /api/authz/forward-auth`
authelia: vendor into the tree under authelia/ with a single root .env Move the Authelia stack (compose, config, snippets, docs) out of the separate /opt/authelia repo into authelia/, so the whole deployment shares ONE operator .env at the repo root. The four shared infra vars (TS_OAUTH_CLIENT_SECRET, TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore folded in. Run from the repo root: docker compose -f authelia/docker-compose.yml up -d (or: cd authelia && docker compose up -d — the .env symlink makes it resolve). The standalone /opt/authelia is left intact as a history archive; remove once this is verified. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-11 21:30:18 -04:00			`copy_headers Remote-User Remote-Groups Remote-Name Remote-Email`
			`}`
			`}`

			`# 3) Example protected service: gate it behind Authelia, then proxy the backend.`
			`# secure-app.infinidim.net {`
			`# import authelia`
			`# reverse_proxy some-backend.tail7b1641.ts.net:8080`
			`# }`