Refactor Authelia configuration: remove unused files and update docker-compose to eliminate Authelia service

.github/workflows/deploy.yml

@@ -6,7 +6,6 @@ on:
     branches: [ "main" ]
     paths:
       - "docker-compose.yml"
-      - "authelia/**"
       - "crowdsec/**"
       - "prometheus/**"
       - "grafana/**"

authelia/.gitignore

@@ -1,4 +0,0 @@
-# Ignore Authelia runtime/state files
-# SQLite database and notification artifacts stored after switching to directory bind mount
-/db.sqlite3
-/notification.txt

authelia/configuration.yml

@@ -1,117 +0,0 @@
-# authelia/configuration.yml
-# Authelia v4 for: auth.gate.3launchpad.com
-# Behind Traefik (forward-auth), Redis sessions, SQLite storage.
-
-#########################################################
-# Server & Logging
-#########################################################
-server:
-  address: "tcp://0.0.0.0:9091"
-  buffers:
-    read: 4096
-    write: 4096
-
-log:
-  level: info
-
-theme: auto
-
-# Where to send users if they hit a protected resource without a Referer
-default_redirection_url: "https://traefik.gate.3launchpad.com/"
-
-#########################################################
-# Secrets (use env vars in production)
-#########################################################
-# Prefer env vars:
-# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
-jwt_secret: "changeme_jwt_secret"
-
-#########################################################
-# Authentication Backend (local file)
-#########################################################
-authentication_backend:
-  file:
-    path: /config/users_database.yml
-    password:
-      algorithm: argon2id
-      iterations: 3
-      memory: 64
-      parallelism: 4
-      salt_length: 16
-      key_length: 32
-
-#########################################################
-# Access Control
-#########################################################
-access_control:
-  default_policy: deny
-  rules:
-    - domain: "status.gate.3launchpad.com"
-      policy: bypass
-
-    - domain: "traefik.gate.3launchpad.com"
-      subject: ["group:admins"]
-      policy: two_factor
-
-    - domain: "portainer.gate.3launchpad.com"
-      subject: ["group:admins"]
-      policy: two_factor
-
-    - domain_regex: "(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com"
-      subject:
-        - "group:admins"
-        - "group:devs"
-      policy: one_factor
-
-    - domain: "*.gate.3launchpad.com"
-      subject:
-        - "group:users"
-        - "group:admins"
-        - "group:devs"
-      policy: one_factor
-
-#########################################################
-# Session (cookies + Redis)
-#########################################################
-session:
-  name: authelia_session
-  domain: "gate.3launchpad.com"
-  same_site: lax        
-  expiration: 1h
-  inactivity: 30m
-  remember_me_duration: 1M  
-  secret: "changeme_session_secret"
-  redis:
-    host: redis
-    port: 6379
-
-#########################################################
-# Regulation (anti-bruteforce)
-#########################################################
-regulation:
-  max_retries: 3
-  find_time: 2m
-  ban_time: 10m
-
-#########################################################
-# Storage (SQLite on persistent volume)
-#########################################################
-storage:
-  encryption_key: "changeme_storage_key"
-  local:
-    path: /config/db.sqlite3
-
-#########################################################
-# Notifier
-#########################################################
-notifier:
-  filesystem:
-    filename: /config/notification.txt
-
-#########################################################
-# 2FA: TOTP
-#########################################################
-totp:
-  issuer: "3launchpad.com"
-  period: 30
-  skew: 1

authelia/users_database.yml

@@ -1,23 +0,0 @@
-# authelia/users_database.yml
-# User database for Authelia authentication
-# Passwords are hashed with argon2id algorithm
-# Use: authelia crypto hash generate argon2 --password 'your_password'
-
-users:
-  # Admin user with full access
-  admin:
-    displayname: "Administrator"
-    password: "$argon2id$v=19$m=65536,t=3,p=4$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t1MF//X73A"  # password: admin123
-    email: admin@3launchpad.com
-    groups:
-      - admins
-      - users
-
-  # Developer user with dev and user access
-  developer:
-    displayname: "Developer"
-    password: "$argon2id$v=19$m=65536,t=3,p=4$BpLnfgDsc2WD8F2q$o/vzA4myCqZZ36bUGsDY//8mKUYNZZaR0t1MF//X73A"  # password: dev123
-    email: dev@3launchpad.com
-    groups:
-      - devs
-      - users

docker-compose.yml

@@ -14,7 +14,6 @@ volumes:
   traefik_logs:
   portainer_data:
   umami_db_data:
-  authelia_data:
   prometheus_data:
   grafana_data:
   uptime_kuma_data:
@@ -85,17 +84,12 @@ services:
       - traefik.http.middlewares.security-headers.headers.referrerPolicy=no-referrer-when-downgrade
       - traefik.http.middlewares.security-headers.headers.frameDeny=true
 
-      # Authelia ForwardAuth (reusable)
-      - traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.gate.${DOMAIN}
-      - traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true
-      - traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
-
       # Traefik dashboard (protected)
       - traefik.http.routers.traefik.rule=Host(`traefik.gate.${DOMAIN}`)
       - traefik.http.routers.traefik.entrypoints=websecure
       - traefik.http.routers.traefik.tls.certresolver=le
       - traefik.http.routers.traefik.service=api@internal
-      - traefik.http.routers.traefik.middlewares=authelia,security-headers
+      - traefik.http.routers.traefik.middlewares=security-headers
 
   ## ─────────────────────────────────────────────
   ## Portainer — Docker control plane
@@ -113,7 +107,7 @@ services:
       - traefik.http.routers.portainer.rule=Host(`portainer.gate.${DOMAIN}`)
       - traefik.http.routers.portainer.entrypoints=websecure
       - traefik.http.routers.portainer.tls.certresolver=le
-      - traefik.http.routers.portainer.middlewares=authelia,security-headers
+      - traefik.http.routers.portainer.middlewares=security-headers
       - traefik.http.services.portainer.loadbalancer.server.port=9000
 
   ## ─────────────────────────────────────────────
@@ -148,41 +142,9 @@ services:
       - traefik.http.routers.umami.rule=Host(`umami.gate.${DOMAIN}`)
       - traefik.http.routers.umami.entrypoints=websecure
       - traefik.http.routers.umami.tls.certresolver=le
-      - traefik.http.routers.umami.middlewares=authelia,security-headers
+      - traefik.http.routers.umami.middlewares=security-headers
       - traefik.http.services.umami.loadbalancer.server.port=3000
 
-  ## ─────────────────────────────────────────────
-  ## Authelia + Redis — SSO/MFA
-  ## ─────────────────────────────────────────────
-  authelia:
-    image: authelia/authelia:latest
-    container_name: authelia
-    restart: unless-stopped
-    depends_on: [redis]
-    environment:
-      TZ: "${TZ}"
-    volumes:
-      # Mount entire config directory so individual file binds are not hidden by a named volume.
-      # NOTE: The previous setup mounted a named volume at /config which masked the two file binds
-      # causing Traefik -> Authelia timeouts (missing configuration). Persisted runtime files (db, notifications)
-      # will live in this folder on the host; ensure db.sqlite3 is gitignored.
-      - ./authelia:/config
-    networks: [traefik_proxy, internal]
-    labels:
-      - traefik.enable=true
-      - traefik.http.routers.authelia.rule=Host(`auth.gate.${DOMAIN}`)
-      - traefik.http.routers.authelia.entrypoints=websecure
-      - traefik.http.routers.authelia.tls.certresolver=le
-      - traefik.http.routers.authelia.middlewares=security-headers
-      - traefik.http.routers.authelia.service=authelia-svc
-      - traefik.http.services.authelia-svc.loadbalancer.server.port=9091
-
-  redis:
-    image: redis:7-alpine
-    container_name: authelia-redis
-    restart: unless-stopped
-    networks: [internal]
-
   ## ─────────────────────────────────────────────
   ## Uptime Kuma — status page / checks
   ## ─────────────────────────────────────────────
@@ -198,7 +160,7 @@ services:
       - traefik.http.routers.kuma.rule=Host(`status.gate.${DOMAIN}`)
       - traefik.http.routers.kuma.entrypoints=websecure
       - traefik.http.routers.kuma.tls.certresolver=le
-      - traefik.http.routers.kuma.middlewares=authelia,security-headers
+      - traefik.http.routers.kuma.middlewares=security-headers
       - traefik.http.services.kuma.loadbalancer.server.port=3001
 
   ## ─────────────────────────────────────────────
@@ -217,7 +179,7 @@ services:
       - traefik.http.routers.prom.rule=Host(`prometheus.gate.${DOMAIN}`)
       - traefik.http.routers.prom.entrypoints=websecure
       - traefik.http.routers.prom.tls.certresolver=le
-      - traefik.http.routers.prom.middlewares=authelia,security-headers
+      - traefik.http.routers.prom.middlewares=security-headers
       - traefik.http.services.prom.loadbalancer.server.port=9090
 
   cadvisor:
@@ -262,5 +224,5 @@ services:
       - traefik.http.routers.grafana.rule=Host(`grafana.gate.${DOMAIN}`)
       - traefik.http.routers.grafana.entrypoints=websecure
       - traefik.http.routers.grafana.tls.certresolver=le
-      - traefik.http.routers.grafana.middlewares=authelia,security-headers
+      - traefik.http.routers.grafana.middlewares=security-headers
       - traefik.http.services.grafana.loadbalancer.server.port=3000