chore: update caddyfile and pass vars

master/Caddyfile

@@ -3,10 +3,26 @@
     local_certs
 }
 
+# The Authelia Protection Snippet
+(authelia_auth) {
+    forward_auth authelia:9091 {
+        uri /api/verify?rd=https://auth.corebot.ca/
+        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+    }
+}
+
 # --- PUBLIC PRODUCTION (.ca) ---
 # Cloudflare DNS points these to your Public IP (136.112.149.254)
 # Caddy will automatically get REAL Let's Encrypt certificates.
 
+auth.corebot.ca {
+    reverse_proxy authelia:9091 {
+        header_up Host {host}
+        header_up X-Real-IP {remote_host}
+        header_up X-Forwarded-Proto {scheme}
+    }
+}
+
 git.corebot.ca {
     reverse_proxy 100.98.158.31:3000 {
         header_up Host {host}
@@ -15,10 +31,14 @@ git.corebot.ca {
 }
 
 core.corebot.ca {
+    import authelia_auth
     reverse_proxy 100.80.179.128:9120
 }
 
 vault.corebot.ca {
+    # Vaultwarden usually handles its own OIDC/SSO, but you can 
+    # add a layer of Authelia here for double-security.
+    import authelia_auth
     reverse_proxy 100.120.171.124:8081 {
         header_up Host {host}
         header_up X-Real-IP {remote_host}

master/docker-compose.yml

@@ -52,7 +52,21 @@ services:
     depends_on:
       - komodo-core
 
-  # --- Restoring your "Orphaned" Monitoring Stack ---
+  authelia:
+    image: authelia/authelia:latest
+    container_name: authelia
+    restart: always
+    volumes:
+      - ./authelia:/config
+    env_file: .env
+    environment:
+      - TZ=America/New_York
+      - JWT_SECRET=${JWT_SECRET}
+      - STORAGE_ENCRYPTION_KEY=${ENCRYPT_KEY}
+      - SESSION_SECRET=${SECRET}
+      - FORGEJO_DB_PASS=${FORGEJO_DB_PASS}
+    networks:
+      - monitor-net
 
   mystic-home:
     image: nginx:alpine