feat: add Authelia SSO authentication service

- Add Authelia service to NET stack for centralized SSO
- Create configuration.yml with PostgreSQL storage
- Create users_database.yml for file-based user management
- Add authelia database to PostgreSQL init script
- Configure Traefik ForwardAuth middleware
- Add environment variables to arty.yml
- Supports TOTP and WebAuthn 2FA
- Email notifications via Mailpit SMTP relay
- Protected services: netdata, mailpit, scrapy, restic, traefik, dev, n8n, asciinema, coolify

net/compose.yaml

@@ -265,6 +265,43 @@ services:
       # Watchtower
       - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
 
+  # Authelia - SSO and authentication portal
+  authelia:
+    image: ${NET_AUTHELIA_IMAGE:-authelia/authelia:latest}
+    container_name: ${NET_COMPOSE_PROJECT_NAME}_authelia
+    restart: unless-stopped
+    environment:
+      TZ: ${TIMEZONE:-Europe/Berlin}
+      AUTHELIA_JWT_SECRET: ${AUTHELIA_JWT_SECRET}
+      AUTHELIA_SESSION_SECRET: ${AUTHELIA_SESSION_SECRET}
+      AUTHELIA_STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
+    volumes:
+      - authelia_config:/config
+      - ./authelia:/etc/authelia:ro
+    networks:
+      - compose_network
+    labels:
+      - 'traefik.enable=${NET_TRAEFIK_ENABLED}'
+      # HTTP to HTTPS redirect
+      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia-redirect-web-secure.redirectscheme.scheme=https'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.middlewares=${NET_COMPOSE_PROJECT_NAME}-authelia-redirect-web-secure'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.rule=Host(`${NET_AUTHELIA_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web.entrypoints=web'
+      # HTTPS router
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.rule=Host(`${NET_AUTHELIA_TRAEFIK_HOST}`)'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.tls.certresolver=resolver'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.entrypoints=web-secure'
+      - 'traefik.http.routers.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.middlewares=security-headers@file'
+      # Service
+      - 'traefik.http.services.${NET_COMPOSE_PROJECT_NAME}-authelia-web-secure.loadbalancer.server.port=9091'
+      - 'traefik.docker.network=${NETWORK_NAME}'
+      # ForwardAuth middleware for other services
+      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https://${NET_AUTHELIA_TRAEFIK_HOST}'
+      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.trustForwardHeader=true'
+      - 'traefik.http.middlewares.${NET_COMPOSE_PROJECT_NAME}-authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email'
+      # Watchtower
+      - 'com.centurylinklabs.watchtower.enable=${WATCHTOWER_LABEL_ENABLE}'
+
 volumes:
   letsencrypt_data:
     name: ${NET_COMPOSE_PROJECT_NAME}_letsencrypt_data
@@ -276,6 +313,8 @@ volumes:
     name: ${NET_COMPOSE_PROJECT_NAME}_netdata_cache
   mailpit_data:
     name: ${NET_COMPOSE_PROJECT_NAME}_mailpit_data
+  authelia_config:
+    name: ${NET_COMPOSE_PROJECT_NAME}_authelia_config
 
 networks:
   compose_network: