wayne/tailwart
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
ddf00fbf90
tailwart/authelia/README.md
Wayne Hayes ddf00fbf90 authelia: vendor into the tree under authelia/ with a single root .env 
Move the Authelia stack (compose, config, snippets, docs) out of the separate
/opt/authelia repo into authelia/, so the whole deployment shares ONE operator
.env at the repo root. The four shared infra vars (TS_OAUTH_CLIENT_SECRET,
TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is
a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore
folded in.

Run from the repo root:  docker compose -f authelia/docker-compose.yml up -d
(or: cd authelia && docker compose up -d  — the .env symlink makes it resolve).

The standalone /opt/authelia is left intact as a history archive; remove once
this is verified.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 21:30:18 -04:00

53 lines
1.9 KiB
Markdown
Raw Blame History

# authelia
> SSO / 2FA / OIDC for `infinidim.net`, as a tailnet sidecar. Storage in
> Postgres, sessions in Redis, mail via the shared relay — no WAN presence;
> the main box Caddy fronts the portal and gates protected vhosts.
Standalone sibling to [tailwart](/opt/tailwart). See [CLAUDE.md](./CLAUDE.md).
## Layout
```
authelia/
├── docker-compose.yml # ts-authelia sidecar + authelia
├── config/
│ ├── configuration.yml # non-secret structure (4.38 strawman)
│ └── users_database.yml # file backend — admin user (argon2id)
├── caddy-forward-auth.snippet # portal vhost + (authelia) import for box Caddy
├── acl-snippet.hujson # tag:authelia owner + backend/edge grants
├── .env.example # operator surface
└── .gitignore
```
## Quickstart
```bash
cp .env.example .env && $EDITOR .env # (a generated .env is already here)
# 1. create the authelia role/db in shared Postgres:
docker exec -i federated-shared-db-postgres-1 psql -U postgres <<'SQL'
DO $$ BEGIN
IF NOT EXISTS (SELECT FROM pg_roles WHERE rolname='authelia') THEN
CREATE ROLE authelia LOGIN PASSWORD 'PASTE_AUTHELIA_DB_PASSWORD';
END IF;
END $$;
SELECT 'CREATE DATABASE authelia OWNER authelia'
WHERE NOT EXISTS (SELECT FROM pg_database WHERE datname='authelia')\gexec
SQL
# 2. admin console: assign tag:authelia to the OAuth client + paste acl-snippet
# 3. bring up (tailnet-only)
docker compose up -d
# 4. add caddy-forward-auth.snippet to the main box Caddy + a cert for auth.infinidim.net
```
Then log in at `https://auth.infinidim.net` with the admin user from `.env`.
## Status
Pinned to Authelia **4.39.20**. `configuration.yml` passes `authelia config
validate` against that image with the real env — schema and secrets check out.
Runtime backends (Postgres/Redis/SMTP connectivity) get exercised on the first
`docker compose up`.
Reference in New Issue View Git Blame Copy Permalink