Move the Authelia stack (compose, config, snippets, docs) out of the separate /opt/authelia repo into authelia/, so the whole deployment shares ONE operator .env at the repo root.

The four shared infra vars (TS_OAUTH_CLIENT_SECRET, TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore folded in.

Run from the repo root: docker compose -f authelia/docker-compose.yml up -d (or: cd authelia && docker compose up -d — the .env symlink makes it resolve).

The standalone /opt/authelia is left intact as a history archive; remove once this is verified.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
19 lines
972 B
Plaintext
// authelia — merge into your live Tailscale policy (admin console). Snippet only.

// 1) tagOwners — self-ownership required for auth-key node creation:
// "tag:authelia": ["autogroup:admin", "tag:authelia"],

// 2) grants — Authelia reaches its two shared backends:
{ "src": ["tag:authelia"], "dst": ["tag:db-postgres"], "ip": ["tcp:5432"] },
{ "src": ["tag:authelia"], "dst": ["tag:db-redis"], "ip": ["tcp:6379"] },

// 3) grant — the main Caddy (tag:reverse-proxy) reaches the portal/verify API.
{ "src": ["tag:reverse-proxy"], "dst": ["tag:authelia"], "ip": ["tcp:9091"] },

// 4) admin console (not this file): assign tag:authelia to the same OAuth
// client, on the Devices/Core + Keys/AuthKeys scopes.

// NOTE on SMTP: the sidecar reaches the relay (smtp.infinidim.net:587) the same
// way the fediverse apps do. If that relay is a TAILNET host (not public),
// add: { "src": ["tag:authelia"], "dst": ["<relay-tag-or-host>"], "ip": ["tcp:587"] }
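An added post-merge check, not part of this commit or of Tailscale's tooling: after the snippet above is merged into the live policy, this Python audit strips HuJSON comments and trailing commas, then confirms tag:authelia reaches exactly the two backends on their ports and is reached only by tag:reverse-proxy on 9091, and that the tag owns itself. The embedded policy text is a constructed sample built from the snippet; the function names are this example's own.

```python
import json
import re

# Constructed sample: the three grants and the tagOwners line from the snippet
# above, wrapped in the shape of a Tailscale policy file (HuJSON allows
# // comments and trailing commas).
SAMPLE_POLICY = """
{
  "tagOwners": {
    "tag:authelia": ["autogroup:admin", "tag:authelia"],  // self-ownership
  },
  "grants": [
    { "src": ["tag:authelia"], "dst": ["tag:db-postgres"], "ip": ["tcp:5432"] },
    { "src": ["tag:authelia"], "dst": ["tag:db-redis"], "ip": ["tcp:6379"] },
    { "src": ["tag:reverse-proxy"], "dst": ["tag:authelia"], "ip": ["tcp:9091"] },
  ],
}
"""

# Intended reach for tag:authelia: outbound (dst, port) and inbound (src, port).
EXPECTED_OUT = {("tag:db-postgres", "tcp:5432"), ("tag:db-redis", "tcp:6379")}
EXPECTED_IN = {("tag:reverse-proxy", "tcp:9091")}

def load_hujson(text):
    """Drop // comments and trailing commas, then json.loads (assumes no '//' inside strings)."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[\]}])", r"\1", text)
    return json.loads(text)

def audit_tag_reach(policy, tag="tag:authelia"):
    """Compare every grant touching `tag` against the expected least-privilege set."""
    outbound, inbound = set(), set()
    for grant in policy.get("grants", []):
        for port in grant.get("ip", ["*"]):
            if tag in grant.get("src", []):
                outbound.update((dst, port) for dst in grant["dst"])
            if tag in grant.get("dst", []):
                inbound.update((src, port) for src in grant["src"])
    return {
        "extra_outbound": sorted(outbound - EXPECTED_OUT),
        "missing_outbound": sorted(EXPECTED_OUT - outbound),
        "extra_inbound": sorted(inbound - EXPECTED_IN),
        "missing_inbound": sorted(EXPECTED_IN - inbound),
    }

def tag_is_self_owned(policy, tag="tag:authelia"):
    """Auth-key node creation needs the tag in its own tagOwners list."""
    return tag in policy.get("tagOwners", {}).get(tag, [])
```

Point `load_hujson` at the exported live policy instead of the sample; any non-empty list in the audit result is a grant to review before the node is created.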