tailwart/authelia/caddy-forward-auth.snippet

# Add to the MAIN box Caddyfile (/etc/caddy/Caddyfile). Authelia is layer 7,
# so unlike tailwart's mail edge it's an ordinary reverse_proxy + forward_auth.
# Replace majikthise with your AUTHELIA_MAGIC_NAME.

# 1) The Authelia portal itself.
auth.infinidim.net {
    import common_log
    reverse_proxy majikthise.tail7b1641.ts.net:9091
    tls /etc/caddy/certs/auth.infinidim.net/fullchain.pem \
        /etc/caddy/certs/auth.infinidim.net/privkey.pem
}

# 2) A reusable forward-auth snippet — import it into any vhost you want SSO on.
(authelia) {
    forward_auth majikthise.tail7b1641.ts.net:9091 {
        uri /api/verify?rd=https://auth.infinidim.net
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
}

# 3) Example protected service: gate it behind Authelia, then proxy the backend.
# secure-app.infinidim.net {
#     import authelia
#     reverse_proxy some-backend.tail7b1641.ts.net:8080
#     tls /etc/caddy/certs/secure-app.infinidim.net/fullchain.pem \
#         /etc/caddy/certs/secure-app.infinidim.net/privkey.pem
# }
authelia: vendor into the tree under authelia/ with a single root .env Move the Authelia stack (compose, config, snippets, docs) out of the separate /opt/authelia repo into authelia/, so the whole deployment shares ONE operator .env at the repo root. The four shared infra vars (TS_OAUTH_CLIENT_SECRET, TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore folded in. Run from the repo root: docker compose -f authelia/docker-compose.yml up -d (or: cd authelia && docker compose up -d — the .env symlink makes it resolve). The standalone /opt/authelia is left intact as a history archive; remove once this is verified. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-11 21:30:18 -04:00			`# Add to the MAIN box Caddyfile (/etc/caddy/Caddyfile). Authelia is layer 7,`
			`# so unlike tailwart's mail edge it's an ordinary reverse_proxy + forward_auth.`
			`# Replace majikthise with your AUTHELIA_MAGIC_NAME.`

			`# 1) The Authelia portal itself.`
			`auth.infinidim.net {`
			`import common_log`
			`reverse_proxy majikthise.tail7b1641.ts.net:9091`
			`tls /etc/caddy/certs/auth.infinidim.net/fullchain.pem \`
			`/etc/caddy/certs/auth.infinidim.net/privkey.pem`
			`}`

			`# 2) A reusable forward-auth snippet — import it into any vhost you want SSO on.`
			`(authelia) {`
			`forward_auth majikthise.tail7b1641.ts.net:9091 {`
			`uri /api/verify?rd=https://auth.infinidim.net`
			`copy_headers Remote-User Remote-Groups Remote-Name Remote-Email`
			`}`
			`}`

			`# 3) Example protected service: gate it behind Authelia, then proxy the backend.`
			`# secure-app.infinidim.net {`
			`# import authelia`
			`# reverse_proxy some-backend.tail7b1641.ts.net:8080`
			`# tls /etc/caddy/certs/secure-app.infinidim.net/fullchain.pem \`
			`# /etc/caddy/certs/secure-app.infinidim.net/privkey.pem`
			`# }`