# authelia — SSO / 2FA / OIDC provider running as a Tailscale sidecar.
# NO WAN presence: no service here publishes a host port; the only way in
# is the tailnet.
#
# Backing services, all reached over the tailnet via MagicDNS:
#   storage  → shared Postgres
#   sessions → shared Redis
#   mail     → shared SMTP relay
# The portal vhost (auth.infinidim.net) and every forward-auth-protected
# vhost are wired in the main box Caddy — see caddy-forward-auth.snippet.
#
# Prereq: the `authelia` Postgres role/db (see README).
# Bring up: docker compose up -d
#
# Security notes (review):
#   - Every secret below is passed as a plain environment variable. Those are
#     readable by anyone who can `docker inspect` the container or read
#     /proc/<pid>/environ, and they are inherited by child processes. Authelia
#     accepts the same keys with a `_FILE` suffix (e.g.
#     AUTHELIA_SESSION_SECRET_FILE) if you want to move them to mounted secret
#     files instead.
#   - Reachability is governed by the tailnet ACL, not by this file:
#     tag:authelia must be allowed to reach the Postgres/Redis/SMTP nodes, and
#     the Caddy box must be allowed to reach this node on the Authelia port.

name: authelia

services:
  # Tailscale sidecar. It owns the network namespace that the authelia
  # container joins (see network_mode below).
  ts-authelia:
    # TODO(review): `latest` is unpinned, while the authelia image below is
    # pinned to an exact version. Pin this to a release tag (ideally with a
    # digest) so an upstream push cannot silently change the node software.
    image: tailscale/tailscale:latest
    hostname: ${AUTHELIA_MAGIC_NAME}
    environment:
      # An OAuth client secret is used as the auth key; `?ephemeral=true`
      # registers a node that is removed once it goes offline. Auth via an
      # OAuth client pairs with the --advertise-tags below (such nodes must
      # be tagged).
      TS_AUTHKEY: ${TS_OAUTH_CLIENT_SECRET}?ephemeral=true
      TS_EXTRA_ARGS: --advertise-tags=tag:authelia
      TS_HOSTNAME: ${AUTHELIA_MAGIC_NAME}
      # MagicDNS is what resolves the *_MAGIC_NAME hosts used by authelia.
      TS_ACCEPT_DNS: "true"
      # No TS_STATE_DIR is set, so presumably node state does not survive a
      # recreate — consistent with an ephemeral node.
      TS_AUTH_ONCE: "true"
      # Kernel-mode WireGuard: needs /dev/net/tun plus NET_ADMIN/NET_RAW.
      TS_USERSPACE: "false"
      # Exposes /healthz on the loopback address polled by the healthcheck.
      TS_ENABLE_HEALTH_CHECK: "true"
      TS_LOCAL_ADDR_PORT: "127.0.0.1:9002"
    dns:
      - 1.1.1.1
      - 1.0.0.1
    devices:
      - /dev/net/tun:/dev/net/tun
    cap_add:
      - NET_ADMIN
      - NET_RAW
    healthcheck:
      # busybox wget from the tailscale image; gates authelia via depends_on.
      test: ["CMD", "wget", "-qO-", "http://127.0.0.1:9002/healthz"]
      interval: 10s
      timeout: 5s
      retries: 6
      start_period: 30s
    restart: unless-stopped

  authelia:
    image: authelia/authelia:4.39.20
    # Shares ts-authelia's network namespace (and its resolv.conf), so Authelia
    # is reachable only at the tailnet address. NOTE(review): if ts-authelia is
    # *recreated* (not merely restarted) this container keeps the stale
    # namespace and has to be recreated too.
    network_mode: "service:ts-authelia"
    environment:
      X_AUTHELIA_CONFIG: /config/configuration.yml
      # Secrets and infrastructure hostnames come from the environment so
      # configuration.yml stays commit-safe and free of hardcoded MagicDNS
      # names. Environment values take precedence over the yml.
      AUTHELIA_SESSION_SECRET: ${AUTHELIA_SESSION_SECRET}
      AUTHELIA_STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
      AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET: ${AUTHELIA_JWT_SECRET}
      # Nothing here configures TLS for Postgres or Redis; unless
      # configuration.yml does, confidentiality on the wire rests on the
      # tailnet (WireGuard) alone.
      AUTHELIA_STORAGE_POSTGRES_ADDRESS: tcp://${DB_MAGIC_NAME}.${TS_TAILNET}:5432
      AUTHELIA_STORAGE_POSTGRES_DATABASE: ${AUTHELIA_DB_NAME}
      AUTHELIA_STORAGE_POSTGRES_USERNAME: ${AUTHELIA_DB_USER}
      AUTHELIA_STORAGE_POSTGRES_PASSWORD: ${AUTHELIA_DB_PASSWORD}
      AUTHELIA_SESSION_REDIS_HOST: ${REDIS_MAGIC_NAME}.${TS_TAILNET}
      AUTHELIA_SESSION_REDIS_PORT: "6379"
      AUTHELIA_SESSION_REDIS_DATABASE_INDEX: ${AUTHELIA_REDIS_DB}
      # submission:// selects SMTP submission with STARTTLS; whether TLS is
      # *required* depends on the notifier settings in configuration.yml.
      AUTHELIA_NOTIFIER_SMTP_ADDRESS: submission://${SMTP_HOST}:${SMTP_PORT}
      AUTHELIA_NOTIFIER_SMTP_USERNAME: ${SMTP_USER}
      AUTHELIA_NOTIFIER_SMTP_PASSWORD: ${SMTP_PASSWORD}
      AUTHELIA_NOTIFIER_SMTP_SENDER: ${AUTHELIA_SMTP_SENDER}
    volumes:
      - ./config/configuration.yml:/config/configuration.yml:ro
      # NOTE(review): mounted read-only, yet the reset-password flow is
      # configured above (…_RESET_PASSWORD_JWT_SECRET). The file user backend
      # presumably needs write access for password reset/change to succeed;
      # if ro is intended, confirm reset_password is disabled in
      # configuration.yml.
      - ./config/users_database.yml:/config/users_database.yml:ro
      - authelia-data:/data
    depends_on:
      ts-authelia:
        condition: service_healthy
    restart: unless-stopped

volumes:
  authelia-data: