Commit Graph

25 Commits

Author SHA1 Message Date
c83b77ebdb feat: tailscale sidecar 2025-11-28 08:59:42 +01:00
6568dd10b5 feat: tailscale sidecar 2025-11-28 08:42:40 +01:00
74f618bcbb feat: tailscale sidecar 2025-11-28 08:36:50 +01:00
0c7fe219f7 feat: tailscale sidecar 2025-11-28 08:32:26 +01:00
e22936ecbe fix: set Docker API version for Watchtower compatibility
Add DOCKER_API_VERSION=1.44 environment variable to Watchtower
to ensure compatibility with upgraded Docker daemon.

The Watchtower image (v1.7.1) has an older Docker client that
defaults to API version 1.25, which is incompatible with the
new Docker daemon requiring API version 1.44+.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 19:24:57 +01:00
7cdab58018 feat: enable Watchtower auto-updates for all application services
Add missing Watchtower labels to:
- net_umami: Analytics service
- dev_gitea_runner: CI/CD runner
- sexy_api: Directus CMS backend
- util_linkwarden_meilisearch: Search engine

All application services now have automatic updates enabled.
Critical infrastructure (postgres, redis, traefik) intentionally
excluded from auto-updates for stability.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-20 18:45:38 +01:00
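The two commits above (`e22936ecbe` and `7cdab58018`) describe an opt-in Watchtower setup: only containers carrying the enable label get auto-updated, and the bundled Docker client is pinned to API version 1.44. The fragment below is an added example, not the repository's own `net/compose.yaml`; the image tags, the `umami`/`postgres` service names and the port are assumptions chosen to illustrate the pattern.

```yaml
# Added example (not the repository's compose file). Watchtower label
# opt-in plus the DOCKER_API_VERSION pin described in the commits above.
services:
  watchtower:
    image: containrrr/watchtower:1.7.1        # version from the commit message
    environment:
      # With label-enable on, Watchtower touches ONLY containers that carry
      # com.centurylinklabs.watchtower.enable=true; unlabeled services
      # (postgres, redis, traefik) are never pulled or restarted.
      WATCHTOWER_LABEL_ENABLE: "true"
      # Pin the API version the old Go client in this image negotiates,
      # so it can talk to a daemon that no longer accepts API 1.25.
      DOCKER_API_VERSION: "1.44"
    volumes:
      # The Docker socket is root-equivalent access to the host: this is
      # the trust you hand to Watchtower (and to whatever image it pulls).
      - /var/run/docker.sock:/var/run/docker.sock

  umami:                                       # service name assumed
    image: ghcr.io/umami-software/umami:postgresql-latest   # tag assumed
    labels:
      com.centurylinklabs.watchtower.enable: "true"

  postgres:                                    # deliberately NO watchtower label
    image: postgres:16                         # tag assumed
```

Two checks worth keeping in mind: `docker version --format '{{.Server.APIVersion}}'` on the host shows the daemon's maximum API version, and the pinned value must not exceed it; and because Watchtower re-pulls whatever a mutable tag currently points to, an auto-updated service is only as trustworthy as the registry account that can push that tag.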
39c28d49a4 feat: remove Authelia from services with own auth
Remove Authelia ForwardAuth middleware from services that have their own
authentication systems to avoid double login:

- Umami: Analytics service with built-in user authentication
- Asciinema: Terminal recording platform with email-based auth
- Gitea: Git service with user accounts
- n8n: Workflow automation with user management
- Coolify: Deployment platform with authentication

Services still protected by Authelia (single auth layer):
- Mailpit: SMTP testing (no auth)
- Traefik Dashboard: Proxy admin interface
- Netdata: System monitoring (no auth)
- Scrapy: Web scraping (protected by basic auth + Authelia)
- Restic: Backup system (no auth)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 21:32:55 +01:00
875afe2434 fix: remove authRequestHeaders to allow Cookie header forwarding
Removed explicit authRequestHeaders configuration. By default, Traefik
forwards all headers including Cookie to the ForwardAuth endpoint.
Explicitly setting authRequestHeaders was preventing the session
cookie from being forwarded to Authelia.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:56:55 +01:00
dffc9a36cf revert: switch back to /api/authz/forward-auth endpoint
Reverting to the modern /api/authz/forward-auth endpoint as requested.
The legacy /api/verify endpoint had the same behavior.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:48:19 +01:00
4902acc06d test: switch to legacy /api/verify endpoint for automatic redirects
Try using the deprecated /api/verify endpoint instead of /api/authz/forward-auth
to see if it returns HTTP 302 redirects that browsers automatically follow
instead of HTTP 401 with Location headers.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:44:15 +01:00
45f1161fc1 fix: add authRequestHeaders to Authelia ForwardAuth middleware
Traefik needs to forward X-Forwarded-* headers to Authelia so it can
determine the target URL. Without these headers, Authelia returns
"failed to get target URL: missing host value" error.

Added authRequestHeaders configuration to forward:
- X-Forwarded-Method (HTTP method)
- X-Forwarded-Proto (HTTPS/HTTP)
- X-Forwarded-Host (target domain)
- X-Forwarded-Uri (target path)
- X-Forwarded-For (client IP)

This fixes the issue where services returned 401 without redirecting
to the Authelia login page.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:23:22 +01:00
ee0ca7b538 fix: update Authelia ForwardAuth middleware configuration
- Use correct Authelia v4.38+ endpoint: /api/authz/forward-auth
- Use actual container name: net_authelia instead of authelia
- Add authResponseHeadersRegex for Remote-* headers
- Remove static redirect parameter, let Authelia handle it dynamically
2025-11-15 20:17:11 +01:00
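Commits `ee0ca7b538`, `45f1161fc1` and `875afe2434` above, read together, pin down the working shape of the Traefik ForwardAuth middleware for Authelia: the v4.38+ `/api/authz/forward-auth` endpoint, the `net_authelia` container name, `Remote-*` response headers, and no `authRequestHeaders` list (which, when present, filters the request headers copied to Authelia and so drops the session `Cookie`). The dynamic configuration below is an added example, not the repository's `dynamic/` file; Authelia's default port 9091, the router name, the placeholder hostname, the cert resolver name and the `net_mailpit:8025` backend are assumptions.

```yaml
# Added example (not the repository's own Traefik dynamic config).
# Assumptions: Authelia listens on 9091 in the container net_authelia;
# hostname, resolver and backend address are placeholders.
http:
  middlewares:
    authelia:
      forwardAuth:
        # Authelia v4.38+ authz endpoint (legacy /api/verify is deprecated).
        address: "http://net_authelia:9091/api/authz/forward-auth"
        # Traefik adds X-Forwarded-Method/Proto/Host/Uri/For to the request
        # it sends to Authelia; trustForwardHeader lets it honour values
        # already present. Only safe when Traefik is the edge proxy and its
        # entryPoint does not accept X-Forwarded-* from untrusted clients.
        trustForwardHeader: true
        # Copy Authelia's identity headers (Remote-User, Remote-Groups,
        # Remote-Email, Remote-Name) onto the request to the backend.
        authResponseHeadersRegex: "^Remote-"
        # Deliberately no authRequestHeaders: when that list is set, Traefik
        # copies ONLY the listed request headers to Authelia, so the session
        # Cookie is dropped and every request comes back 401. If you need to
        # restrict the list, it must include Cookie:
        #   authRequestHeaders: ["Cookie", "Accept", "Accept-Language"]

  routers:
    mailpit:
      rule: "Host(`mailpit.example.test`)"     # placeholder hostname
      entryPoints: ["websecure"]
      middlewares: ["authelia"]
      service: mailpit
      tls:
        certResolver: letsencrypt              # resolver name assumed

  services:
    mailpit:
      loadBalancer:
        servers:
          - url: "http://net_mailpit:8025"     # container name and port assumed
```

To verify the header path end to end, `curl -sI https://mailpit.example.test/` without a cookie should return Authelia's 401 with a `Location` pointing at the login portal, and the same request with a valid `authelia_session` cookie should reach the backend, which can confirm it sees `Remote-User`. Note that `Remote-*` are trusted by the backend only because Traefik sets them after Authelia answers; the backend must not be reachable on any path that bypasses this middleware.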
349b743567 feat: protect NET stack services with Authelia SSO
- Replace BasicAuth with Authelia middleware for Traefik dashboard
- Replace BasicAuth with Authelia middleware for Netdata
- Replace BasicAuth with Authelia middleware for Mailpit
- Services now require Authelia 2FA authentication
2025-11-15 20:13:13 +01:00
5df9d6b01d fix: specify Authelia configuration file path explicitly 2025-11-15 20:09:57 +01:00
5c9338dcf4 fix: use Authelia environment variables instead of YAML substitution
- Set AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET in compose
- Set AUTHELIA_SESSION_SECRET in compose
- Set AUTHELIA_STORAGE_ENCRYPTION_KEY in compose
- Set AUTHELIA_STORAGE_POSTGRES_PASSWORD in compose
- Remove variable syntax from configuration.yml
- Authelia reads these directly from environment variables
2025-11-15 20:09:12 +01:00
94e6656f31 refactor: make Authelia user management scalable
- Remove envsubst complexity for password hashes
- Keep users_database.yml only on server (not in git)
- Add users_database.yml to .gitignore
- Update users_database.template.yml with multi-user examples
- Configure Authelia to watch users_database.yml for changes
- Users can now be added/removed by editing the file on server
- Supports unlimited users without code changes
2025-11-15 19:59:17 +01:00
37f1edbd01 refactor: use .env for Authelia password hash
- Rename users_database.yml to users_database.template.yml
- Use envsubst to substitute AUTHELIA_USER_PASSWORD_HASH from .env
- Update configuration.yml to use /config/users_database.yml
- Add AUTHELIA_USER_PASSWORD_HASH environment variable to compose
- Password hash now stored securely in .env instead of git
2025-11-15 19:56:56 +01:00
f9c953ecbc feat: add Authelia SSO authentication service
- Add Authelia service to NET stack for centralized SSO
- Create configuration.yml with PostgreSQL storage
- Create users_database.yml for file-based user management
- Add authelia database to PostgreSQL init script
- Configure Traefik ForwardAuth middleware
- Add environment variables to arty.yml
- Supports TOTP and WebAuthn 2FA
- Email notifications via Mailpit SMTP relay
- Protected services: netdata, mailpit, scrapy, restic, traefik, dev, n8n, asciinema, coolify
2025-11-15 19:53:04 +01:00
498f142fc8 fix: use SMTP relay instead of forward with MP_SMTP_RELAY_ALL
- Change from MP_SMTP_FORWARD_* to MP_SMTP_RELAY_*
- Add MP_SMTP_RELAY_ALL=true to relay all emails
- Preserves original recipients (relay vs forward)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 18:50:01 +01:00
c0c9d77164 fix: use correct Mailpit SMTP forward environment variables
Use MP_SMTP_FORWARD_* not MP_SMTP_RELAY_*
Add MP_SMTP_FORWARD_TLS for port 465 implicit TLS

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 18:48:54 +01:00
5fdde76285 fix: remove STARTTLS config for IONOS port 465
Port 465 uses implicit TLS, not STARTTLS.
Mailpit auto-detects TLS for port 465.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 18:46:48 +01:00
ea6587f176 fix: configure Mailpit relay via environment variables
- Remove mailpit-relay.yaml file (env vars not substituted in mounts)
- Use MP_SMTP_RELAY_* environment variables directly
- Fixes crash loop due to missing relay host configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 18:46:01 +01:00
51267cc674 feat: add Mailpit SMTP relay and migrate all services
- Add Mailpit service to NET stack with web UI at mailpit.pivoine.art
- Configure Mailpit to relay all emails through IONOS SMTP
- Migrate all 11+ services to use Mailpit instead of direct IONOS SMTP:
  * SEXY: Directus API
  * UTIL: Joplin, Mattermost, Vaultwarden, Tandoor, Linkwarden
  * DEV: Gitea, n8n, Asciinema
  * AI: Open WebUI
  * NET: Netdata (via msmtp)
- Centralize SMTP credentials in mailpit-relay.yaml
- Simplify service configs (no auth/TLS for internal SMTP)
- Enable email monitoring via Mailpit web UI with Basic Auth

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 18:34:38 +01:00
8d6791a246 feat: add Coolify network to Traefik for routing to Coolify containers 2025-11-15 17:28:32 +01:00
23fbae0228 feat: create net stack consolidating proxy, netdata, watchtower, and umami
- Create net/compose.yaml with 4 services (traefik, netdata, watchtower, umami)
- Update arty.yml with NET_* environment variables
- Update compose.yaml to include net instead of individual stacks
- Update restic volume references to net_letsencrypt_data and net_netdata_config
- Copy configuration files to net/ directory (Dockerfile, dynamic/, go.d/, etc.)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 17:00:36 +01:00