From 37f1edbd01af43169baa161fee85749df6dc9f5f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?=
Date: Sat, 15 Nov 2025 19:56:56 +0100
Subject: [PATCH] refactor: use .env for Authelia password hash
- Rename users_database.yml to users_database.template.yml
- Use envsubst to substitute AUTHELIA_USER_PASSWORD_HASH from .env
- Update configuration.yml to use /config/users_database.yml
- Add AUTHELIA_USER_PASSWORD_HASH environment variable to compose
- Password hash now stored securely in .env instead of git
---
 arty.yml | 1 +
 net/authelia/configuration.yml | 2 +-
 .../{users_database.yml => users_database.template.yml} | 2 +-
 net/compose.yaml | 4 ++++
 4 files changed, 7 insertions(+), 2 deletions(-)
 rename net/authelia/{users_database.yml => users_database.template.yml} (64%)
diff --git a/arty.yml b/arty.yml
index c0f1f25..7192256 100644
--- a/arty.yml
+++ b/arty.yml
@@ -128,6 +128,7 @@ envs:
 # Authelia SSO
 NET_AUTHELIA_IMAGE: authelia/authelia:latest
 NET_AUTHELIA_TRAEFIK_HOST: auth.pivoine.art
+ AUTHELIA_USER_PASSWORD_HASH: "" # Generated via: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'
 # AI Stack
 AI_TRAEFIK_ENABLED: true
 AI_COMPOSE_PROJECT_NAME: ai
diff --git a/net/authelia/configuration.yml b/net/authelia/configuration.yml
index 13b5eeb..97c100e 100644
--- a/net/authelia/configuration.yml
+++ b/net/authelia/configuration.yml
@@ -41,7 +41,7 @@ authentication_backend:
 disable: false
 refresh_interval: 5m
 file:
- path: /etc/authelia/users_database.yml
+ path: /config/users_database.yml
 password:
 algorithm: argon2
 argon2:
diff --git a/net/authelia/users_database.yml b/net/authelia/users_database.template.yml
similarity index 64%
rename from net/authelia/users_database.yml
rename to net/authelia/users_database.template.yml
index e85deac..f622da7 100644
--- a/net/authelia/users_database.yml
+++ b/net/authelia/users_database.template.yml
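Review bot: In the arty.yml hunk the new `AUTHELIA_USER_PASSWORD_HASH: ""` default lets a deployment whose .env omits the value start anyway, and the template rendered by the compose change would then carry an empty `password:` field; how Authelia treats that is not visible here. The inline comment also recommends `--password 'yourpassword'`, which leaves the plaintext in shell history and in the process list while the command runs. If the Authelia CLI in use prompts for the password when the flag is omitted (worth confirming for the deployed version), the comment should show that form, for example `# Required, set in .env (never here). Generate with: docker run --rm -it authelia/authelia:latest authelia crypto hash generate argon2`.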
@@ -9,7 +9,7 @@
 users:
 valknar:
 displayname: "Valknar"
- password: "$argon2id$v=19$m=65536,t=3,p=4$c2FsdHNhbHRzYWx0$4oCb4oCh4oCd4oCi4oCl4oCm" # CHANGE THIS - use: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'
+ password: "${AUTHELIA_USER_PASSWORD_HASH}"
 email: valknar@pivoine.art
 groups:
 - admins
diff --git a/net/compose.yaml b/net/compose.yaml
index 967bee3..a398ae6 100644
--- a/net/compose.yaml
+++ b/net/compose.yaml
@@ -275,9 +275,13 @@ services:
 AUTHELIA_JWT_SECRET: ${AUTHELIA_JWT_SECRET}
 AUTHELIA_SESSION_SECRET: ${AUTHELIA_SESSION_SECRET}
 AUTHELIA_STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
+ AUTHELIA_USER_PASSWORD_HASH: ${AUTHELIA_USER_PASSWORD_HASH}
 volumes:
 - authelia_config:/config
 - ./authelia:/etc/authelia:ro
+ command: >
+ sh -c "envsubst < /etc/authelia/users_database.template.yml > /config/users_database.yml &&
+ authelia --config /etc/authelia/configuration.yml"
 networks:
 - compose_network
 labels:
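Review bot: The value substituted into `password: "${AUTHELIA_USER_PASSWORD_HASH}"` is an argon2 string full of `$` separators, and on its way from .env through `${AUTHELIA_USER_PASSWORD_HASH}` in net/compose.yaml it passes through Compose variable interpolation. Depending on the Compose version, unless the .env entry is single-quoted or each `$` is doubled, fragments such as `$argon2id` and `$v` are likely to expand to empty strings, leaving a corrupted hash that fails every login. A comment above this line would document the requirement, for example `# Rendered by envsubst at container start; keep the .env value in single quotes so the '$' separators of the argon2 hash are not interpolated`. The hash on the removed line looks like a placeholder, but it stays in git history and should never be reused as a live credential.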
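Review bot: `envsubst` is called without a variable list in the new `command`, so it rewrites every `$NAME` or `${NAME}` in the template from the container environment (which also holds the JWT, session and storage secrets) and writes an empty string when the variable is unset. Restrict it to the one placeholder and fail early: `envsubst '$$AUTHELIA_USER_PASSWORD_HASH' < ...` (`$$` because Compose interpolates `command`) together with `AUTHELIA_USER_PASSWORD_HASH: ${AUTHELIA_USER_PASSWORD_HASH:?must be set in .env}`. The rendered file is also overwritten on every container start, so any password change Authelia writes back to the file backend would presumably be lost on restart, and it is worth confirming that `envsubst` actually ships in the `authelia/authelia:latest` image. The service definition starts above this hunk, so its entrypoint and user settings are not visible.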