chore: migrate from authelia -> authentik

.gitignore

@@ -5,3 +5,4 @@
 **/redis-data/
 **/data/
 **/komodo/
+**/authelia

master/Caddyfile

@@ -12,8 +12,6 @@
 }
 
 # --- PUBLIC PRODUCTION (.ca) ---
-# Cloudflare DNS points these to your Public IP (136.112.149.254)
-# Caddy will automatically get REAL Let's Encrypt certificates.
 
 auth.corebot.ca {
     reverse_proxy authelia:9091 {
@@ -27,17 +25,19 @@ git.corebot.ca {
     reverse_proxy 100.98.158.31:3000 {
         header_up Host {host}
         header_up X-Real-IP {remote_host}
+        header_up X-Forwarded-Proto {scheme}
     }
 }
 
 core.corebot.ca {
-    import authelia_auth
+    reverse_proxy komodo-core:9120 {
-    reverse_proxy 100.80.179.128:9120
+        header_up Host {host}
+        header_up X-Real-IP {remote_host}
+        header_up X-Forwarded-Proto {scheme}
+    }
 }
 
 vault.corebot.ca {
-    # Vaultwarden usually handles its own OIDC/SSO, but you can 
-    # add a layer of Authelia here for double-security.
     import authelia_auth
     reverse_proxy 100.120.171.124:8081 {
         header_up Host {host}
@@ -57,7 +57,6 @@ privacy.corebot.ca {
 }
 
 # --- INTERNAL LAB (.io) ---
-# Managed by Pi-hole, only accessible via Tailscale/Internal Network.
 
 main.bray.io {
     tls internal

master/docker-compose.yml

@@ -8,30 +8,100 @@ services:
       environment:
         - KOMODO_DATABASE_USERNAME=${DB_ROOT_USER}
         - KOMODO_DATABASE_PASSWORD=${DB_ROOT_PASS}
-      # Path updated to include the database name and the admin auth source
         - KOMODO_DATABASE_ADDRESS=${DB_VM_IP}:27017/komodo?authSource=admin
         - KOMODO_LOCAL_AUTH=true
         - KOMODO_INIT_ADMIN_USERNAME=${KOMODO_USER}
         - KOMODO_INIT_ADMIN_PASSWORD=${KOMODO_PASS}
         - KOMODO_HOST=https://core.corebot.ca
+        - KOMODO_OIDC_ENABLED=true
+        - KOMODO_OIDC_CLIENT_ID=${KOMODO_OIDC_CLIENT_ID}
+        - KOMODO_OIDC_CLIENT_SECRET=${KOMODO_OIDC_CLIENT_SECRET}
+        - KOMODO_OIDC_PROVIDER=${KOMODO_OIDC_PROVIDER}
+        - KOMODO_OIDC_INSECURE=true
+        - KOMODO_OIDC_REDIRECT_HOST=https://core.corebot.ca
       volumes:
         - ./komodo:/config
         - /var/run/docker.sock:/var/run/docker.sock
+        # FIX 1: Remove the /etc/ssl/certs mount. 
+        # Mount ONLY your custom CA to the injection point.
+        - /etc/ssl/certs/ca-certificates.crt:/usr/local/share/ca-certificates/caddy.crt:ro
+      extra_hosts:
+        - "auth.corebot.ca:host-gateway"
       networks:
         - monitor-net
 
-  caddy:
+    authentik-server:
-    image: caddy:latest
+      image: ghcr.io/goauthentik/server:latest
-    container_name: caddy
+      container_name: authentik-server
-    restart: unless-stopped
+      command: server
-    ports:
+      environment:
-      - "80:80"
+        # Database Connection to VM3
-      - "443:443"
+        AUTHENTIK_POSTGRESQL__HOST: ${DB_VM_IP}
+        AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
+        AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER}
+        AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB}
+        AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
+
+        AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
+        AUTHENTIK_REDIS__PORT: ${AUTHENTIK_REDIS__PORT}
+        AUTHENTIK_REDIS__PASSWORD: ${AUTHENTIK_REDIS__PASSWORD}
+        AUTHENTIK_REDIS__DB: ${AUTHENTIK_REDIS__DB}
+        AUTHENTIK_CACHE__TYPE: ${AUTHENTIK_CACHE__TYPE}      
+        AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
       volumes:
-      - ./Caddyfile:/etc/caddy/Caddyfile
+        - ./media:/media
-      - ./legal:/usr/share/caddy/legal
+        - ./custom-templates:/templates
-      - caddy_data:/data
+      networks:
-      - caddy_config:/config
+        - monitor-net
+      ports:
+        - "9000:9000"
+
+    authentik-worker:
+      image: ghcr.io/goauthentik/server:latest
+      container_name: authentik-worker
+      command: worker
+      environment:
+        AUTHENTIK_POSTGRESQL__HOST: ${DB_VM_IP}
+        AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER}
+        AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB}
+        AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
+
+        AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
+        AUTHENTIK_REDIS__PORT: ${AUTHENTIK_REDIS__PORT}
+        AUTHENTIK_REDIS__PASSWORD: ${AUTHENTIK_REDIS__PASSWORD}
+        AUTHENTIK_REDIS__DB: ${AUTHENTIK_REDIS__DB}
+        AUTHENTIK_CACHE__TYPE: ${AUTHENTIK_CACHE__TYPE}      
+        AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+        AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
+      user: root
+      volumes:
+        - /var/run/docker.sock:/var/run/docker.sock
+        - ./media:/media
+        - ./certs:/certs
+        - ./custom-templates:/templates
+      networks:
+        - monitor-net
+
+    mystic-legal:
+      image: nginx:alpine
+      container_name: mystic-legal
+      restart: always
+      volumes:
+        - ./legal/html:/usr/share/nginx/html:ro
+      networks:
+        - monitor-net
+
+    npm:
+      image: 'jc21/nginx-proxy-manager:latest'
+      container_name: npm
+      restart: always
+      ports:
+        - '80:80'
+        - '81:81' # This is your new Admin UI
+        - '443:443'
+      volumes:
+        - ./npm/data:/data
+        - ./npm/letsencrypt:/etc/letsencrypt
       networks:
         - monitor-net
 
@@ -58,12 +128,12 @@ services:
       restart: always
       volumes:
         - ./authelia:/config
-    env_file: .env
       environment:
         - TZ=America/New_York
         - JWT_SECRET=${JWT_SECRET}
         - STORAGE_ENCRYPTION_KEY=${ENCRYPT_KEY}
         - SESSION_SECRET=${SECRET}
+        - ENCRYPT_KEY=${ENCRYPT_KEY}
         - FORGEJO_DB_PASS=${FORGEJO_DB_PASS}
       networks:
         - monitor-net
@@ -128,7 +198,5 @@ networks:
       external: true
 
   volumes:
-  caddy_data:
-  caddy_config:
     grafana_data:
     prometheus_data:

passwords/docker-compose.yml

@@ -7,6 +7,7 @@ services:
     - "8081:80"
     environment:
       - ADMIN_TOKEN=${ADMIN_TOKEN}
+      - ENABLE_SSO=true
       - SIGNUPS_ALLOWED=false
       - DOMAIN=https://vault.corebot.ca
       - SMTP_HOST=${SMTP_HOST}