wayne/tailwart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ddf00fbf90
tailwart/authelia
History
Wayne Hayes ddf00fbf90 authelia: vendor into the tree under authelia/ with a single root .env 
Move the Authelia stack (compose, config, snippets, docs) out of the separate
/opt/authelia repo into authelia/, so the whole deployment shares ONE operator
.env at the repo root. The four shared infra vars (TS_OAUTH_CLIENT_SECRET,
TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is
a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore
folded in.

Run from the repo root:  docker compose -f authelia/docker-compose.yml up -d
(or: cd authelia && docker compose up -d  — the .env symlink makes it resolve).

The standalone /opt/authelia is left intact as a history archive; remove once
this is verified.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 21:30:18 -04:00
..
config authelia: vendor into the tree under authelia/ with a single root .env 2026-06-11 21:30:18 -04:00
acl-snippet.hujson authelia: vendor into the tree under authelia/ with a single root .env 2026-06-11 21:30:18 -04:00
caddy-forward-auth.snippet authelia: vendor into the tree under authelia/ with a single root .env 2026-06-11 21:30:18 -04:00
CLAUDE.md authelia: vendor into the tree under authelia/ with a single root .env 2026-06-11 21:30:18 -04:00
docker-compose.yml authelia: vendor into the tree under authelia/ with a single root .env 2026-06-11 21:30:18 -04:00
README.md authelia: vendor into the tree under authelia/ with a single root .env 2026-06-11 21:30:18 -04:00

README.md

authelia

SSO / 2FA / OIDC for infinidim.net, as a tailnet sidecar. Storage in Postgres, sessions in Redis, mail via the shared relay — no WAN presence; the main box Caddy fronts the portal and gates protected vhosts.

Standalone sibling to tailwart. See CLAUDE.md.

Layout

authelia/
├── docker-compose.yml          # ts-authelia sidecar + authelia
├── config/
│   ├── configuration.yml       # non-secret structure (4.38 strawman)
│   └── users_database.yml      # file backend — admin user (argon2id)
├── caddy-forward-auth.snippet  # portal vhost + (authelia) import for box Caddy
├── acl-snippet.hujson          # tag:authelia owner + backend/edge grants
├── .env.example                # operator surface
└── .gitignore

Quickstart

cp .env.example .env && $EDITOR .env       # (a generated .env is already here)

# 1. create the authelia role/db in shared Postgres:
docker exec -i federated-shared-db-postgres-1 psql -U postgres <<'SQL'
DO $$ BEGIN
  IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname='authelia') THEN
    CREATE ROLE authelia LOGIN PASSWORD 'PASTE_AUTHELIA_DB_PASSWORD';
  END IF;
END $$;
SELECT 'CREATE DATABASE authelia OWNER authelia'
 WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname='authelia')\gexec
SQL

# 2. admin console: assign tag:authelia to the OAuth client + paste acl-snippet
# 3. bring up (tailnet-only)
docker compose up -d
# 4. add caddy-forward-auth.snippet to the main box Caddy + a cert for auth.infinidim.net

Then log in at https://auth.infinidim.net with the admin user from .env.

Status

Pinned to Authelia 4.39.20. configuration.yml passes authelia config validate against that image with the real env — schema and secrets check out. Runtime backends (Postgres/Redis/SMTP connectivity) get exercised on the first docker compose up.