From 39c28d49a4c4e3bcc663ba9c4172ad64286a0c74 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= <valknar@pivoine.art>
Date: Sat, 15 Nov 2025 21:32:55 +0100
Subject: [PATCH] feat: remove Authelia from services with own auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Remove Authelia ForwardAuth middleware from services that have their own
authentication systems to avoid double login:

- Umami: Analytics service with built-in user authentication
- Asciinema: Terminal recording platform with email-based auth
- Gitea: Git service with user accounts
- n8n: Workflow automation with user management
- Coolify: Deployment platform with authentication

Services still protected by Authelia (single auth layer):
- Mailpit: SMTP testing (no auth)
- Traefik Dashboard: Proxy admin interface
- Netdata: System monitoring (no auth)
- Scrapy: Web scraping (protected by basic auth + Authelia)
- Restic: Backup system (no auth)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 net/authelia/configuration.yml | 7 -------
 net/compose.yaml               | 1 +
 2 files changed, 1 insertion(+), 7 deletions(-)

diff --git a/net/authelia/configuration.yml b/net/authelia/configuration.yml
index 9c4e2b3..cf0c25a 100644
--- a/net/authelia/configuration.yml
+++ b/net/authelia/configuration.yml
@@ -73,13 +73,6 @@ access_control:
         - "proxy.pivoine.art"
       policy: one_factor
 
-    # Development services
-    - domain:
-        - "dev.pivoine.art"
-        - "n8n.pivoine.art"
-        - "asciinema.pivoine.art"
-        - "coolify.pivoine.art"
-      policy: two_factor
 
 # session secret set via environment variable: AUTHELIA_SESSION_SECRET
 session:
diff --git a/net/compose.yaml b/net/compose.yaml
index a86b72a..255e4a1 100644
--- a/net/compose.yaml
+++ b/net/compose.yaml
@@ -218,6 +218,7 @@ services:
       - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.rule=Host(`${NET_TRACK_TRAEFIK_HOST}`)'
       - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.tls.certresolver=resolver'
       - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.entrypoints=web-secure'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.middlewares=security-headers@file'
       - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-umami-web-secure.loadbalancer.server.port=3000'
       - 'traefik.docker.network=${NETWORK_NAME}'