From ffbcecc09d831f421c376459cc2c6a78ae3a524e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?= <valknar@pivoine.art>
Date: Sat, 15 Nov 2025 21:54:27 +0100
Subject: [PATCH] feat: replace Basic Auth with Authelia
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Replace HTTP Basic Auth with Authelia ForwardAuth for consistent
authentication across infrastructure:

- Asciinema Admin (admin.asciinema.dev.pivoine.art): Removed Basic Auth,
  added Authelia protection
- FaceFusion (facefusion.ai.pivoine.art): Removed Basic Auth, added
  Authelia protection

Updated Authelia access control to include both services with one_factor
policy.

All services now use Authelia for authentication, eliminating the need
to manage separate Basic Auth credentials.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
---
 ai/compose.yaml                | 6 ++----
 dev/compose.yaml               | 5 ++---
 net/authelia/configuration.yml | 2 ++
 3 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/ai/compose.yaml b/ai/compose.yaml
index 0cccf62..435836b 100644
--- a/ai/compose.yaml
+++ b/ai/compose.yaml
@@ -176,19 +176,17 @@ services:
       - compose_network
     labels:
       - 'traefik.enable=${AI_FACEFUSION_TRAEFIK_ENABLED}'
-      # HTTP Basic Auth middleware
-      - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-facefusion-auth.basicauth.users=${AUTH_USERS}'
       # HTTP to HTTPS redirect
       - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-facefusion-redirect-web-secure.redirectscheme.scheme=https'
       - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web.middlewares=${AI_COMPOSE_PROJECT_NAME}-facefusion-redirect-web-secure'
       - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web.rule=Host(`${AI_FACEFUSION_TRAEFIK_HOST}`)'
       - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web.entrypoints=web'
-      # HTTPS router with auth
+      # HTTPS router with Authelia
       - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.rule=Host(`${AI_FACEFUSION_TRAEFIK_HOST}`)'
       - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.tls.certresolver=resolver'
       - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.entrypoints=web-secure'
       - 'traefik.http.middlewares.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure-compress.compress=true'
-      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-facefusion-auth,${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure-compress,security-headers@file'
+      - 'traefik.http.routers.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.middlewares=${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure-compress,net-authelia,security-headers@file'
       # Service
       - 'traefik.http.services.${AI_COMPOSE_PROJECT_NAME}-facefusion-web-secure.loadbalancer.server.port=7860'
       - 'traefik.docker.network=${NETWORK_NAME}'
diff --git a/dev/compose.yaml b/dev/compose.yaml
index 9195f6a..0131b8b 100644
--- a/dev/compose.yaml
+++ b/dev/compose.yaml
@@ -269,12 +269,11 @@ services:
       - "traefik.http.routers.${DEV_COMPOSE_PROJECT_NAME}-asciinema-admin-web.rule=Host(`admin.${DEV_ASCIINEMA_TRAEFIK_HOST}`)"
       - "traefik.http.routers.${DEV_COMPOSE_PROJECT_NAME}-asciinema-admin-web.entrypoints=web"
       - "traefik.http.routers.${DEV_COMPOSE_PROJECT_NAME}-asciinema-admin-web.service=${DEV_COMPOSE_PROJECT_NAME}-asciinema-admin"
-      # Admin interface - HTTPS router with Basic Auth
-      - "traefik.http.middlewares.${DEV_COMPOSE_PROJECT_NAME}-asciinema-auth.basicauth.users=${AUTH_USERS}"
+      # Admin interface - HTTPS router with Authelia
       - "traefik.http.routers.${DEV_COMPOSE_PROJECT_NAME}-asciinema-admin-web-secure.rule=Host(`admin.${DEV_ASCIINEMA_TRAEFIK_HOST}`)"
       - "traefik.http.routers.${DEV_COMPOSE_PROJECT_NAME}-asciinema-admin-web-secure.tls.certresolver=resolver"
       - "traefik.http.routers.${DEV_COMPOSE_PROJECT_NAME}-asciinema-admin-web-secure.entrypoints=web-secure"
-      - "traefik.http.routers.${DEV_COMPOSE_PROJECT_NAME}-asciinema-admin-web-secure.middlewares=${DEV_COMPOSE_PROJECT_NAME}-asciinema-auth,${DEV_COMPOSE_PROJECT_NAME}-asciinema-compress,security-headers@file"
+      - "traefik.http.routers.${DEV_COMPOSE_PROJECT_NAME}-asciinema-admin-web-secure.middlewares=${DEV_COMPOSE_PROJECT_NAME}-asciinema-compress,net-authelia,security-headers@file"
       - "traefik.http.routers.${DEV_COMPOSE_PROJECT_NAME}-asciinema-admin-web-secure.service=${DEV_COMPOSE_PROJECT_NAME}-asciinema-admin"
       - "traefik.http.services.${DEV_COMPOSE_PROJECT_NAME}-asciinema-admin.loadbalancer.server.port=4002"
       # Network
diff --git a/net/authelia/configuration.yml b/net/authelia/configuration.yml
index cf0c25a..c4578c5 100644
--- a/net/authelia/configuration.yml
+++ b/net/authelia/configuration.yml
@@ -71,6 +71,8 @@ access_control:
         - "scrapy.pivoine.art"
         - "restic.pivoine.art"
         - "proxy.pivoine.art"
+        - "admin.asciinema.dev.pivoine.art"
+        - "facefusion.ai.pivoine.art"
       policy: one_factor