chore: migrate from authelia -> authentik

.gitignore

@@ -4,4 +4,5 @@
 **/postgres-data/
 **/redis-data/
 **/data/
-**/komodo/
+**/komodo/
+**/authelia

master/Caddyfile

@@ -12,8 +12,6 @@
 }
 
 # --- PUBLIC PRODUCTION (.ca) ---
-# Cloudflare DNS points these to your Public IP (136.112.149.254)
-# Caddy will automatically get REAL Let's Encrypt certificates.
 
 auth.corebot.ca {
     reverse_proxy authelia:9091 {
@@ -27,17 +25,19 @@ git.corebot.ca {
     reverse_proxy 100.98.158.31:3000 {
         header_up Host {host}
         header_up X-Real-IP {remote_host}
+        header_up X-Forwarded-Proto {scheme}
     }
 }
 
 core.corebot.ca {
-    import authelia_auth
-    reverse_proxy 100.80.179.128:9120
+    reverse_proxy komodo-core:9120 {
+        header_up Host {host}
+        header_up X-Real-IP {remote_host}
+        header_up X-Forwarded-Proto {scheme}
+    }
 }
 
 vault.corebot.ca {
-    # Vaultwarden usually handles its own OIDC/SSO, but you can 
-    # add a layer of Authelia here for double-security.
     import authelia_auth
     reverse_proxy 100.120.171.124:8081 {
         header_up Host {host}
@@ -57,7 +57,6 @@ privacy.corebot.ca {
 }
 
 # --- INTERNAL LAB (.io) ---
-# Managed by Pi-hole, only accessible via Tailscale/Internal Network.
 
 main.bray.io {
     tls internal

master/docker-compose.yml

@@ -1,134 +1,202 @@
-services:
-  komodo-core:
-    image: ghcr.io/moghtech/komodo-core:2
-    container_name: komodo-core
-    restart: always
-    ports:
-      - "9120:9120"
-    environment:
-      - KOMODO_DATABASE_USERNAME=${DB_ROOT_USER}
-      - KOMODO_DATABASE_PASSWORD=${DB_ROOT_PASS}
-      # Path updated to include the database name and the admin auth source
-      - KOMODO_DATABASE_ADDRESS=${DB_VM_IP}:27017/komodo?authSource=admin
-      - KOMODO_LOCAL_AUTH=true
-      - KOMODO_INIT_ADMIN_USERNAME=${KOMODO_USER}
-      - KOMODO_INIT_ADMIN_PASSWORD=${KOMODO_PASS}
-      - KOMODO_HOST=https://core.corebot.ca
-    volumes:
-      - ./komodo:/config
-      - /var/run/docker.sock:/var/run/docker.sock
-    networks:
-      - monitor-net
+  services:
+    komodo-core:
+      image: ghcr.io/moghtech/komodo-core:2
+      container_name: komodo-core
+      restart: always
+      ports:
+        - "9120:9120"
+      environment:
+        - KOMODO_DATABASE_USERNAME=${DB_ROOT_USER}
+        - KOMODO_DATABASE_PASSWORD=${DB_ROOT_PASS}
+        - KOMODO_DATABASE_ADDRESS=${DB_VM_IP}:27017/komodo?authSource=admin
+        - KOMODO_LOCAL_AUTH=true
+        - KOMODO_INIT_ADMIN_USERNAME=${KOMODO_USER}
+        - KOMODO_INIT_ADMIN_PASSWORD=${KOMODO_PASS}
+        - KOMODO_HOST=https://core.corebot.ca
+        - KOMODO_OIDC_ENABLED=true
+        - KOMODO_OIDC_CLIENT_ID=${KOMODO_OIDC_CLIENT_ID}
+        - KOMODO_OIDC_CLIENT_SECRET=${KOMODO_OIDC_CLIENT_SECRET}
+        - KOMODO_OIDC_PROVIDER=${KOMODO_OIDC_PROVIDER}
+        - KOMODO_OIDC_INSECURE=true
+        - KOMODO_OIDC_REDIRECT_HOST=https://core.corebot.ca
+      volumes:
+        - ./komodo:/config
+        - /var/run/docker.sock:/var/run/docker.sock
+        # FIX 1: Remove the /etc/ssl/certs mount. 
+        # Mount ONLY your custom CA to the injection point.
+        - /etc/ssl/certs/ca-certificates.crt:/usr/local/share/ca-certificates/caddy.crt:ro
+      extra_hosts:
+        - "auth.corebot.ca:host-gateway"
+      networks:
+        - monitor-net
 
-  caddy:
-    image: caddy:latest
-    container_name: caddy
-    restart: unless-stopped
-    ports:
-      - "80:80"
-      - "443:443"
-    volumes:
-      - ./Caddyfile:/etc/caddy/Caddyfile
-      - ./legal:/usr/share/caddy/legal
-      - caddy_data:/data
-      - caddy_config:/config
-    networks:
-      - monitor-net
+    authentik-server:
+      image: ghcr.io/goauthentik/server:latest
+      container_name: authentik-server
+      command: server
+      environment:
+        # Database Connection to VM3
+        AUTHENTIK_POSTGRESQL__HOST: ${DB_VM_IP}
+        AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
+        AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER}
+        AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB}
+        AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
 
-  komodo-periphery:
-    image: ghcr.io/moghtech/komodo-periphery:2
-    container_name: komodo-periphery
-    restart: always
-    environment:
-      # Use the service name so Docker DNS can find the Core container
-      PERIPHERY_CORE_ADDRESS: http://komodo-core:9120
-      PERIPHERY_CONNECT_AS: Mystic-Master
-      PERIPHERY_ONBOARDING_KEY: ${MYSTIC_ONBOARD_KEY}
-    volumes:
-      # This allows Komodo to manage the containers on THIS Cloud VM
-      - /var/run/docker.sock:/var/run/docker.sock
-    networks:
-      - monitor-net
-    depends_on:
-      - komodo-core
+        AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
+        AUTHENTIK_REDIS__PORT: ${AUTHENTIK_REDIS__PORT}
+        AUTHENTIK_REDIS__PASSWORD: ${AUTHENTIK_REDIS__PASSWORD}
+        AUTHENTIK_REDIS__DB: ${AUTHENTIK_REDIS__DB}
+        AUTHENTIK_CACHE__TYPE: ${AUTHENTIK_CACHE__TYPE}      
+        AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+      volumes:
+        - ./media:/media
+        - ./custom-templates:/templates
+      networks:
+        - monitor-net
+      ports:
+        - "9000:9000"
 
-  authelia:
-    image: authelia/authelia:latest
-    container_name: authelia
-    restart: always
-    volumes:
-      - ./authelia:/config
-    env_file: .env
-    environment:
-      - TZ=America/New_York
-      - JWT_SECRET=${JWT_SECRET}
-      - STORAGE_ENCRYPTION_KEY=${ENCRYPT_KEY}
-      - SESSION_SECRET=${SECRET}
-      - FORGEJO_DB_PASS=${FORGEJO_DB_PASS}
-    networks:
-      - monitor-net
+    authentik-worker:
+      image: ghcr.io/goauthentik/server:latest
+      container_name: authentik-worker
+      command: worker
+      environment:
+        AUTHENTIK_POSTGRESQL__HOST: ${DB_VM_IP}
+        AUTHENTIK_POSTGRESQL__USER: ${AUTHENTIK_PG_USER}
+        AUTHENTIK_POSTGRESQL__NAME: ${AUTHENTIK_PG_DB}
+        AUTHENTIK_POSTGRESQL__PASSWORD: ${AUTHENTIK_PG_PASS}
 
-  mystic-home:
-    image: nginx:alpine
-    container_name: mystic-home
-    restart: always
-    volumes:
-      - ./html:/usr/share/nginx/html:ro
-    networks:
-      - monitor-net
+        AUTHENTIK_REDIS__HOST: ${AUTHENTIK_REDIS__HOST}
+        AUTHENTIK_REDIS__PORT: ${AUTHENTIK_REDIS__PORT}
+        AUTHENTIK_REDIS__PASSWORD: ${AUTHENTIK_REDIS__PASSWORD}
+        AUTHENTIK_REDIS__DB: ${AUTHENTIK_REDIS__DB}
+        AUTHENTIK_CACHE__TYPE: ${AUTHENTIK_CACHE__TYPE}      
+        AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY}
+        AUTHENTIK_BOOTSTRAP_PASSWORD: ${AUTHENTIK_BOOTSTRAP_PASSWORD}
+      user: root
+      volumes:
+        - /var/run/docker.sock:/var/run/docker.sock
+        - ./media:/media
+        - ./certs:/certs
+        - ./custom-templates:/templates
+      networks:
+        - monitor-net
 
-  prometheus:
-    image: prom/prometheus:latest
-    container_name: prometheus
-    restart: always
-    volumes:
-      - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
-      - prometheus_data:/prometheus
-    command:
-      - '--config.file=/etc/prometheus/prometheus.yml'
-      - '--storage.tsdb.path=/prometheus'
-    networks:
-      - monitor-net
+    mystic-legal:
+      image: nginx:alpine
+      container_name: mystic-legal
+      restart: always
+      volumes:
+        - ./legal/html:/usr/share/nginx/html:ro
+      networks:
+        - monitor-net
 
-  grafana:
-    image: grafana/grafana:latest
-    container_name: grafana
-    restart: always
-    environment:
-      - GF_SERVER_ROOT_URL=https://grafana.bray.io
-    ports:
-      - "3001:3000"
-    volumes:
-      - grafana_data:/var/lib/grafana
-    networks:
-      - monitor-net
+    npm:
+      image: 'jc21/nginx-proxy-manager:latest'
+      container_name: npm
+      restart: always
+      ports:
+        - '80:80'
+        - '81:81' # This is your new Admin UI
+        - '443:443'
+      volumes:
+        - ./npm/data:/data
+        - ./npm/letsencrypt:/etc/letsencrypt
+      networks:
+        - monitor-net
 
-  node-exporter:
-    image: prom/node-exporter:latest
-    container_name: node-exporter
-    restart: always
-    networks:
-      - monitor-net
+    komodo-periphery:
+      image: ghcr.io/moghtech/komodo-periphery:2
+      container_name: komodo-periphery
+      restart: always
+      environment:
+        # Use the service name so Docker DNS can find the Core container
+        PERIPHERY_CORE_ADDRESS: http://komodo-core:9120
+        PERIPHERY_CONNECT_AS: Mystic-Master
+        PERIPHERY_ONBOARDING_KEY: ${MYSTIC_ONBOARD_KEY}
+      volumes:
+        # This allows Komodo to manage the containers on THIS Cloud VM
+        - /var/run/docker.sock:/var/run/docker.sock
+      networks:
+        - monitor-net
+      depends_on:
+        - komodo-core
 
-  cadvisor:
-    image: gcr.io/cadvisor/cadvisor:latest
-    container_name: cadvisor
-    restart: always
-    volumes:
-      - /:/rootfs:ro
-      - /var/run:/var/run:ro
-      - /sys:/sys:ro
-      - /var/lib/docker/:/var/lib/docker:ro
-      - /dev/disk/:/dev/disk:ro
-    networks:
-      - monitor-net
+    authelia:
+      image: authelia/authelia:latest
+      container_name: authelia
+      restart: always
+      volumes:
+        - ./authelia:/config
+      environment:
+        - TZ=America/New_York
+        - JWT_SECRET=${JWT_SECRET}
+        - STORAGE_ENCRYPTION_KEY=${ENCRYPT_KEY}
+        - SESSION_SECRET=${SECRET}
+        - ENCRYPT_KEY=${ENCRYPT_KEY}
+        - FORGEJO_DB_PASS=${FORGEJO_DB_PASS}
+      networks:
+        - monitor-net
 
-networks:
-  monitor-net:
-    external: true
+    mystic-home:
+      image: nginx:alpine
+      container_name: mystic-home
+      restart: always
+      volumes:
+        - ./html:/usr/share/nginx/html:ro
+      networks:
+        - monitor-net
 
-volumes:
-  caddy_data:
-  caddy_config:
-  grafana_data:
-  prometheus_data:
+    prometheus:
+      image: prom/prometheus:latest
+      container_name: prometheus
+      restart: always
+      volumes:
+        - ./prometheus/prometheus.yml:/etc/prometheus/prometheus.yml
+        - prometheus_data:/prometheus
+      command:
+        - '--config.file=/etc/prometheus/prometheus.yml'
+        - '--storage.tsdb.path=/prometheus'
+      networks:
+        - monitor-net
+
+    grafana:
+      image: grafana/grafana:latest
+      container_name: grafana
+      restart: always
+      environment:
+        - GF_SERVER_ROOT_URL=https://grafana.bray.io
+      ports:
+        - "3001:3000"
+      volumes:
+        - grafana_data:/var/lib/grafana
+      networks:
+        - monitor-net
+
+    node-exporter:
+      image: prom/node-exporter:latest
+      container_name: node-exporter
+      restart: always
+      networks:
+        - monitor-net
+
+    cadvisor:
+      image: gcr.io/cadvisor/cadvisor:latest
+      container_name: cadvisor
+      restart: always
+      volumes:
+        - /:/rootfs:ro
+        - /var/run:/var/run:ro
+        - /sys:/sys:ro
+        - /var/lib/docker/:/var/lib/docker:ro
+        - /dev/disk/:/dev/disk:ro
+      networks:
+        - monitor-net
+
+  networks:
+    monitor-net:
+      external: true
+
+  volumes:
+    grafana_data:
+    prometheus_data:

passwords/docker-compose.yml

@@ -7,6 +7,7 @@ services:
     - "8081:80"
     environment:
       - ADMIN_TOKEN=${ADMIN_TOKEN}
+      - ENABLE_SSO=true
       - SIGNUPS_ALLOWED=false
       - DOMAIN=https://vault.corebot.ca
       - SMTP_HOST=${SMTP_HOST}