The vendored user db carried the template `admin`, but the operator .env sets
AUTHELIA_ADMIN_USER=zarniwoop, so portal login failed ("user not found"). Rename
the file-backend user to `zarniwoop` with an argon2id hash of the .env
AUTHELIA_ADMIN_PASSWORD (verified via `authelia crypto hash validate`). Email
kept as admin@infinidim.net (a real Stalwart mailbox) so password-reset works.
Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
# authelia

SSO / 2FA / OIDC for infinidim.net, as a tailnet sidecar. Storage in Postgres, sessions in Redis, mail via the shared relay — no WAN presence; the main box Caddy fronts the portal and gates protected vhosts.

Standalone sibling to tailwart. See CLAUDE.md.
## Layout

```text
authelia/
├── docker-compose.yml          # ts-authelia sidecar + authelia
├── config/
│   ├── configuration.yml       # non-secret structure (4.38 strawman)
│   └── users_database.yml      # file backend — admin user (argon2id)
├── caddy-forward-auth.snippet  # portal vhost + (authelia) import for box Caddy
├── acl-snippet.hujson          # tag:authelia owner + backend/edge grants
├── .env.example                # operator surface
└── .gitignore
```
## Quickstart

```sh
cp .env.example .env && $EDITOR .env   # (a generated .env is already here)

# 1. create the authelia role/db in shared Postgres:
docker exec -i federated-shared-db-postgres-1 psql -U postgres <<'SQL'
DO $$ BEGIN
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname='authelia') THEN
    CREATE ROLE authelia LOGIN PASSWORD 'PASTE_AUTHELIA_DB_PASSWORD';
  END IF;
END $$;
SELECT 'CREATE DATABASE authelia OWNER authelia'
  WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname='authelia')\gexec
SQL

# 2. admin console: assign tag:authelia to the OAuth client + paste acl-snippet
# 3. bring up (tailnet-only)
docker compose up -d

# 4. add caddy-forward-auth.snippet to the main box Caddy + a cert for auth.infinidim.net
```

Then log in at https://auth.infinidim.net with the admin user from .env.
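The failure this commit fixes (template `admin` in users_database.yml while .env says `AUTHELIA_ADMIN_USER=zarniwoop`) is cheap to catch before `docker compose up`. Below is an added pre-flight check, not code from this repo or from Authelia: it parses a `.env` and the file-backend `users_database.yml`, confirms the .env admin user exists there, is not disabled, has an email, and carries a well-formed argon2id PHC string. The sample .env, the user file and the hash inside it are constructed placeholders (the hash is not a real digest of the sample password); actual password verification stays with `authelia crypto hash validate`.

```python
"""Pre-flight: does config/users_database.yml agree with .env? (added example)"""
import re

# Constructed sample inputs, not the operator's real files.
ENV_TEXT = """\
# operator surface
AUTHELIA_ADMIN_USER=zarniwoop
AUTHELIA_ADMIN_PASSWORD='correct horse battery staple'
AUTHELIA_DB_PASSWORD=example-db-password
"""

# The argon2id string below is a constructed placeholder, not a real hash.
USERS_DB_STALE = """\
users:
  admin:
    disabled: false
    displayname: "Admin"
    password: "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0c2FsdA$aGFzaGhhc2hoYXNoaGFzaGhhc2hoYXNoaGFzaGhhc2g"
    email: admin@infinidim.net
    groups:
      - admins
"""

# Same file after the rename this commit performs.
USERS_DB_FIXED = USERS_DB_STALE.replace("  admin:\n", "  zarniwoop:\n")

# PHC string layout Authelia writes for argon2id: $argon2id$v=19$m=..,t=..,p=..$salt$hash
PHC_RE = re.compile(
    r"^\$(?P<algo>argon2id)\$v=(?P<v>\d+)\$m=(?P<m>\d+),t=(?P<t>\d+),p=(?P<p>\d+)"
    r"\$(?P<salt>[A-Za-z0-9+/]+)\$(?P<hash>[A-Za-z0-9+/]+)$"
)


def parse_dotenv(text):
    """KEY=VALUE lines; comments and blanks skipped; matching outer quotes stripped."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def parse_users_database(text):
    """Minimal reader for the file backend's users: -> name -> fields layout.

    Assumes the two/four/six-space indentation of Authelia's template and
    collects nested lists such as `groups`. It is not a general YAML parser.
    """
    users, current = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        line = raw.strip()
        if indent == 2 and line.endswith(":"):
            current = line[:-1]
            users[current] = {}
        elif indent == 4 and current is not None:
            key, _, value = line.partition(":")
            value = value.strip()
            users[current][key.strip()] = value.strip("\"'") if value else []
        elif indent == 6 and current is not None and line.startswith("- "):
            last_key = next(reversed(users[current]))
            users[current][last_key].append(line[2:].strip())
    return users


def check_admin_user(env, users):
    """Return findings; an empty list means the file backend matches .env."""
    findings = []
    name = env.get("AUTHELIA_ADMIN_USER")
    if not name:
        return ["AUTHELIA_ADMIN_USER is not set in .env"]
    user = users.get(name)
    if user is None:
        present = ", ".join(sorted(users)) or "none"
        return [f"user {name!r} from .env not in users_database.yml (present: {present}); "
                f"portal login would fail with 'user not found'"]
    if str(user.get("disabled", "false")).lower() == "true":
        findings.append(f"user {name!r} is disabled")
    phc = PHC_RE.match(user.get("password", "") if isinstance(user.get("password"), str) else "")
    if phc is None:
        findings.append(f"user {name!r}: password is not an argon2id PHC string")
    elif int(phc.group("v")) != 19:
        findings.append(f"user {name!r}: unexpected argon2 version {phc.group('v')}")
    if not user.get("email"):
        findings.append(f"user {name!r}: no email, so password-reset mail cannot be delivered")
    return findings


if __name__ == "__main__":
    env = parse_dotenv(ENV_TEXT)
    for label, text in (("stale", USERS_DB_STALE), ("fixed", USERS_DB_FIXED)):
        print(label, "->", check_admin_user(env, parse_users_database(text)) or "ok")
```

Run it against the real files by reading them into `ENV_TEXT` and `USERS_DB_STALE` before `docker compose up`; the stale sample reports the exact mismatch from the commit message, the renamed one reports nothing.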
## Status

Pinned to Authelia 4.39.20. configuration.yml passes `authelia config validate` against that image with the real env: schema and secrets check out. Runtime backends (Postgres/Redis/SMTP connectivity) get exercised on the first `docker compose up`.