# Wired into the MAIN box Caddyfile (/etc/caddy/Caddyfile). Authelia is layer 7,
# so unlike tailwart's mail edge it's an ordinary reverse_proxy + forward_auth.
# This file mirrors what is deployed. Upstream host = AUTHELIA_MAGIC_NAME, the
# Authelia node's MagicDNS name (currently `agrajag`).
#
# Two deliberate differences from a vanilla Authelia example, to match this host:
#  - No explicit `tls` cert files: this Caddy uses automatic HTTPS like its other
#    vhosts (there is no /etc/caddy/certs). ACME for auth.infinidim.net works via
#    the :443→:8443 SNI fan-out (tls-alpn-01) and :80 (http-01).
#    NOTE: infinidim.net has a CAA record pinning issuance to Let's Encrypt by
#    accounturi — this Caddy's LE account must be listed there or issuance 403s
#    ("CAA record prevents issuance"). Stalwart's account + this Caddy's account
#    are both allowlisted.
#  - Endpoint is /api/authz/forward-auth (Authelia 4.38+/4.39 path). The legacy
#    /api/verify?rd=... is deprecated; the portal redirect comes from
#    `authelia_url` in configuration.yml, so no ?rd= query is needed.

# 1) The Authelia portal itself (access_control marks it `bypass`).
auth.infinidim.net {
    reverse_proxy agrajag.tail7b1641.ts.net:9091
}

# 2) A reusable forward-auth snippet — import it into any vhost you want SSO on.
(authelia) {
    forward_auth agrajag.tail7b1641.ts.net:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
}

# 3) Example protected service: gate it behind Authelia, then proxy the backend.
# secure-app.infinidim.net {
#     import authelia
#     reverse_proxy some-backend.tail7b1641.ts.net:8080
# }