// authelia — merge into your live Tailscale policy (admin console). Snippet only.

// 1) tagOwners — self-ownership required for auth-key node creation:
//      "tag:authelia": ["autogroup:admin", "tag:authelia"],

// 2) grants — Authelia reaches its two shared backends:
{ "src": ["tag:authelia"], "dst": ["tag:db-postgres"], "ip": ["tcp:5432"] },
{ "src": ["tag:authelia"], "dst": ["tag:db-redis"], "ip": ["tcp:6379"] },

// 3) grant — the main Caddy (tag:reverse-proxy) reaches the portal/verify API.
{ "src": ["tag:reverse-proxy"], "dst": ["tag:authelia"], "ip": ["tcp:9091"] },

// 4) admin console (not this file): assign tag:authelia to the same OAuth
//    client, on the Devices/Core + Keys/AuthKeys scopes.

// NOTE on SMTP: the sidecar reaches the relay (smtp.infinidim.net:587) the same
// way the fediverse apps do. If that relay is a TAILNET host (not public),
// add: { "src": ["tag:authelia"], "dst": [""], "ip": ["tcp:587"] }