From d91868197c49be4a494f2be3a32e6354e72eb15d Mon Sep 17 00:00:00 2001
From: Bray
Date: Thu, 2 Apr 2026 11:56:08 -0400
Subject: [PATCH] chore: update caddyfile and pass vars
---
 master/Caddyfile | 20 ++++++++++++++++++++
 master/docker-compose.yml | 16 +++++++++++++++-
 2 files changed, 35 insertions(+), 1 deletion(-)
diff --git a/master/Caddyfile b/master/Caddyfile
index 22906d0..c576860 100644
--- a/master/Caddyfile
+++ b/master/Caddyfile
@@ -3,10 +3,26 @@
 local_certs
 }
+# The Authelia Protection Snippet
+(authelia_auth) {
+ forward_auth authelia:9091 {
+ uri /api/verify?rd=https://auth.corebot.ca/
+ copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+ }
+}
+
 # --- PUBLIC PRODUCTION (.ca) ---
 # Cloudflare DNS points these to your Public IP (136.112.149.254)
 # Caddy will automatically get REAL Let's Encrypt certificates.
+auth.corebot.ca {
+ reverse_proxy authelia:9091 {
+ header_up Host {host}
+ header_up X-Real-IP {remote_host}
+ header_up X-Forwarded-Proto {scheme}
+ }
+}
+
 git.corebot.ca {
 reverse_proxy 100.98.158.31:3000 {
 header_up Host {host}
@@ -15,10 +31,14 @@ git.corebot.ca {
 }
 core.corebot.ca {
+ import authelia_auth
 reverse_proxy 100.80.179.128:9120
 }
 vault.corebot.ca {
+ # Vaultwarden usually handles its own OIDC/SSO, but you can
+ # add a layer of Authelia here for double-security.
+ import authelia_auth
 reverse_proxy 100.120.171.124:8081 {
 header_up Host {host}
 header_up X-Real-IP {remote_host}
diff --git a/master/docker-compose.yml b/master/docker-compose.yml
index 43a28f7..0df5630 100644
--- a/master/docker-compose.yml
+++ b/master/docker-compose.yml
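Review bot: `uri /api/verify?rd=https://auth.corebot.ca/` in the `authelia_auth` snippet targets Authelia's legacy verification endpoint; recent Authelia releases — which the unpinned `authelia/authelia:latest` in the companion compose change will pull — document `/api/authz/forward-auth` for Caddy's `forward_auth`, with the redirect target configured on the Authelia side rather than passed as `rd=`. Confirm the endpoint against the deployed version and record it above the snippet, e.g. `# Authelia <version-placeholder>: /api/verify is the legacy endpoint; newer releases expect /api/authz/forward-auth`. `authelia:9091` also assumes the Caddy container shares a Docker network with the authelia service; the compose hunk attaches authelia only to `monitor-net`, and Caddy's own network membership is not visible in this diff. The three `header_up` lines under `auth.corebot.ca` mostly restate defaults (`reverse_proxy` preserves `Host` and sets `X-Forwarded-For`/`X-Forwarded-Proto` on its own), so only the `X-Real-IP` line adds anything.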
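Review bot: `import authelia_auth` on `vault.corebot.ca` puts forward-auth in front of every path, including the non-interactive API routes (`/api`, `/identity`, `/notifications`) that the Bitwarden desktop and mobile clients and browser extensions call; those clients cannot complete Authelia's browser login redirect and will fail unless Authelia's access-control rules bypass them, or the import is scoped to the web-vault paths. The two-line comment should state that consequence instead of "double-security", e.g. `# forward_auth covers every path: bypass the client API routes in Authelia access_control or the apps cannot sync`. `core.corebot.ca` is complete in this hunk; the `vault.corebot.ca` block continues past its end, so whether any further path handling exists below cannot be seen here.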
@@ -52,7 +52,21 @@ services:
 depends_on:
 - komodo-core
- # --- Restoring your "Orphaned" Monitoring Stack ---
+ authelia:
+ image: authelia/authelia:latest
+ container_name: authelia
+ restart: always
+ volumes:
+ - ./authelia:/config
+ env_file: .env
+ environment:
+ - TZ=America/New_York
+ - JWT_SECRET=${JWT_SECRET}
+ - STORAGE_ENCRYPTION_KEY=${ENCRYPT_KEY}
+ - SESSION_SECRET=${SECRET}
+ - FORGEJO_DB_PASS=${FORGEJO_DB_PASS}
+ networks:
+ - monitor-net
 mystic-home:
 image: nginx:alpine
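Review bot: `env_file: .env` injects every variable in the project `.env` into the Authelia container, so the explicit `environment:` list below it is not a restriction but a re-export of a subset — any other secret in that file (other services' passwords, tokens) is readable from inside this container, and `FORGEJO_DB_PASS` has no obvious consumer in Authelia. Remove `env_file: .env` and pass only what Authelia needs, ideally as `_FILE`-suffixed secrets (e.g. `AUTHELIA_SESSION_SECRET_FILE`) mounted read-only rather than plain environment values. Authelia reads its configuration from `AUTHELIA_`-prefixed variables, so `JWT_SECRET`, `STORAGE_ENCRYPTION_KEY` and `SESSION_SECRET` as named here are only honoured if `./authelia/configuration.yml` references them through its template functions — worth confirming before assuming the secrets are applied. `image: authelia/authelia:latest` is unpinned; pin a release tag or digest (`image: authelia/authelia:<pinned-version>`) so the `/api/verify` endpoint referenced in the Caddyfile stays matched to a known version.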