# Add to the MAIN box Caddyfile (/etc/caddy/Caddyfile). Authelia is layer 7,
# so unlike tailwart's mail edge it's an ordinary reverse_proxy + forward_auth.
# Replace majikthise with your AUTHELIA_MAGIC_NAME.

# 1) The Authelia portal itself.
auth.infinidim.net {
    import common_log
    reverse_proxy majikthise.tail7b1641.ts.net:9091
    tls /etc/caddy/certs/auth.infinidim.net/fullchain.pem \
        /etc/caddy/certs/auth.infinidim.net/privkey.pem
}

# 2) A reusable forward-auth snippet: import it into any vhost you want SSO on.
(authelia) {
    forward_auth majikthise.tail7b1641.ts.net:9091 {
        uri /api/verify?rd=https://auth.infinidim.net
        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
    }
}

# 3) Example protected service: gate it behind Authelia, then proxy the backend.
# secure-app.infinidim.net {
#     import authelia
#     reverse_proxy some-backend.tail7b1641.ts.net:8080
#     tls /etc/caddy/certs/secure-app.infinidim.net/fullchain.pem \
#         /etc/caddy/certs/secure-app.infinidim.net/privkey.pem
# }