tailwart/authelia
Wayne Hayes 7eefac0224 authelia: sync caddy-forward-auth snippet to deployed reality
The portal vhost + forward-auth are now live on the main box Caddy. Align
the template with what was actually deployed:

- upstream host -> agrajag.tail7b1641.ts.net (the Authelia node's MagicDNS
  name), replacing the majikthise placeholder
- drop the explicit `tls` cert-file lines: this Caddy uses automatic HTTPS
  (no /etc/caddy/certs); ACME for auth.infinidim.net rides the :443->:8443
  SNI fan-out (tls-alpn-01) + :80 (http-01)
- forward-auth endpoint /api/verify?rd=... -> /api/authz/forward-auth, the
  Authelia 4.39 path; portal redirect comes from authelia_url in the yml
- note the infinidim.net CAA accounturi pin: a new L7 vhost 403s until this
  Caddy's LE account is allowlisted (now done alongside Stalwart's)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-13 02:24:59 +01:00
config authelia: vendor into the tree under authelia/ with a single root .env 2026-06-11 21:30:18 -04:00
acl-snippet.hujson authelia: vendor into the tree under authelia/ with a single root .env 2026-06-11 21:30:18 -04:00
caddy-forward-auth.snippet authelia: sync caddy-forward-auth snippet to deployed reality 2026-06-13 02:24:59 +01:00
CLAUDE.md authelia: vendor into the tree under authelia/ with a single root .env 2026-06-11 21:30:18 -04:00
docker-compose.yml authelia: vendor into the tree under authelia/ with a single root .env 2026-06-11 21:30:18 -04:00
README.md authelia: vendor into the tree under authelia/ with a single root .env 2026-06-11 21:30:18 -04:00

authelia

SSO / 2FA / OIDC for infinidim.net, as a tailnet sidecar. Storage in Postgres, sessions in Redis, mail via the shared relay — no WAN presence; the main box Caddy fronts the portal and gates protected vhosts.

Standalone sibling to tailwart. See CLAUDE.md.

Layout

authelia/
├── docker-compose.yml          # ts-authelia sidecar + authelia
├── config/
│   ├── configuration.yml       # non-secret structure (4.38 strawman)
│   └── users_database.yml      # file backend — admin user (argon2id)
├── caddy-forward-auth.snippet  # portal vhost + (authelia) import for box Caddy
├── acl-snippet.hujson          # tag:authelia owner + backend/edge grants
├── .env.example                # operator surface
└── .gitignore

Quickstart

cp .env.example .env && $EDITOR .env       # (a generated .env is already here)

# 1. create the authelia role/db in shared Postgres:
docker exec -i federated-shared-db-postgres-1 psql -U postgres <<'SQL'
DO $$ BEGIN
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname='authelia') THEN
    CREATE ROLE authelia LOGIN PASSWORD 'PASTE_AUTHELIA_DB_PASSWORD';
  END IF;
END $$;
SELECT 'CREATE DATABASE authelia OWNER authelia'
 WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname='authelia')\gexec
SQL

# 2. admin console: assign tag:authelia to the OAuth client + paste acl-snippet
# 3. bring up (tailnet-only)
docker compose up -d
# 4. add caddy-forward-auth.snippet to the main box Caddy + a cert for auth.infinidim.net

Then log in at https://auth.infinidim.net with the admin user from .env.
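A worked shape for step 4, written as an added example rather than a copy of the repository's caddy-forward-auth.snippet. It follows what the sync commit describes: the portal vhost relies on Caddy's automatic HTTPS with no explicit tls lines, the upstream is the Authelia node's MagicDNS name, and protected vhosts use the Authelia 4.39 forward-auth path /api/authz/forward-auth (the portal redirect is taken from authelia_url in configuration.yml, so no rd= parameter is needed). Assumptions not on the page: Authelia listens on its default port 9091; app.infinidim.net and its 127.0.0.1:8080 backend are hypothetical; the Remote-* header names are the ones Authelia documents for forward-auth.

```caddyfile
# Portal vhost. No `tls` lines: this Caddy issues the auth.infinidim.net
# certificate itself (tls-alpn-01 / http-01), so nothing is read from
# /etc/caddy/certs. Assumes Authelia on its default port 9091.
auth.infinidim.net {
    reverse_proxy agrajag.tail7b1641.ts.net:9091
}

# Reusable gate: `import authelia` inside any vhost that must be protected.
# Caddy forwards the original method, URI, host and client IP as
# X-Forwarded-* headers; Authelia answers 200 (pass through) or a redirect
# to its portal, which Caddy returns to the browser.
(authelia) {
    forward_auth agrajag.tail7b1641.ts.net:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
}

# Hypothetical protected vhost (not a real service on infinidim.net).
# The backend must treat the Remote-* headers as trustworthy only because
# the sole path to it is through this Caddy; it should not be reachable
# directly.
app.infinidim.net {
    import authelia
    reverse_proxy 127.0.0.1:8080
}
```

Run `caddy validate --config /etc/caddy/Caddyfile` on the box before reloading; a vhost that reaches Authelia but returns 403 from the ACME side is the CAA accounturi pin mentioned in the commit message, not a forward-auth problem.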

Status

Pinned to Authelia 4.39.20. configuration.yml passes authelia config validate against that image with the real env — schema and secrets check out. Runtime backends (Postgres/Redis/SMTP connectivity) get exercised on the first docker compose up.