418 Commits

Author SHA1 Message Date
45ea016aaa feat: expose terminal server on terminal.coolify.dev.pivoine.art
- Add Traefik labels to expose terminal server publicly
- Configure terminal server on terminal.coolify.dev.pivoine.art
- Update Coolify app to use public terminal hostname
- Change TERMINAL_HOST to terminal.coolify.dev.pivoine.art
- Change TERMINAL_PORT to 443 for HTTPS WebSocket connections

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 14:33:02 +01:00
438bbccadf feat: configure Coolify to connect to internal terminal server
- Add TERMINAL_HOST and TERMINAL_PORT environment variables to Coolify app
- Configure Coolify to use dev_coolify_terminal container on port 6002
- Add dependency on coolify_terminal service with health check
- Keep terminal server internal-only without direct Traefik routing
- Coolify app will proxy /terminal/ws to internal terminal server

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 14:29:43 +01:00
2b5d4d527d fix: use coolify-realtime image without path stripping for terminal 2025-11-17 14:21:41 +01:00
7fd0199e1a feat: strip /terminal/ws prefix before routing to soketi 2025-11-17 14:18:25 +01:00
0e5b539936 fix: remove path stripping from terminal router 2025-11-17 14:15:51 +01:00
f95a3ff143 fix: use standard soketi image for terminal on port 6002 2025-11-17 14:13:39 +01:00
710222e705 feat: add dedicated terminal service on port 6002 with path stripping 2025-11-17 14:10:29 +01:00
48fd6f87fe revert: restore working soketi configuration 2025-11-17 14:04:48 +01:00
eb10348988 fix: merge terminal into single coolify_soketi container with dual ports 2025-11-17 13:40:33 +01:00
417fbb6ff1 feat: configure Coolify to use terminal server internally 2025-11-17 13:35:23 +01:00
3050bbb859 feat: add dedicated coolify_terminal service for port 6002 2025-11-17 13:31:00 +01:00
6f1cce8c88 fix: remove unnecessary volumes and env vars from soketi 2025-11-17 13:28:09 +01:00
8e6c73f82d feat: use coolify-realtime image for port 6002 support 2025-11-17 13:27:24 +01:00
85ef8ecb36 feat: add terminal WebSocket router on port 6002 2025-11-17 13:25:48 +01:00
d812ede999 revert: restore original soketi configuration 2025-11-17 13:23:59 +01:00
fc23e22112 fix: use CMD-SHELL for soketi healthcheck with && 2025-11-17 13:21:13 +01:00
84c9d91bcf fix: remove explicit service link from soketi router 2025-11-17 13:19:34 +01:00
96004a38c2 fix: add path prefix stripping for terminal WebSocket
- Add stripprefix middleware to remove /terminal prefix
- Route /terminal/ws to /ws on terminal server (port 6002)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 13:13:21 +01:00
cd47bce06b fix: use coolify-realtime image with terminal WebSocket support
- Switch from standard soketi to coolify-realtime:1.0.10 image
- Add SSH volume mount for terminal functionality
- Update health check to verify both ports 6001 and 6002
- Add explicit service link for realtime HTTPS router

This fixes both realtime WebSocket and terminal/ws functionality.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 13:10:08 +01:00
d90f0179df feat: route Coolify terminal WebSocket to Soketi port 6002
- Move /terminal/ws routing from main Coolify container to Soketi
- Configure Traefik to route terminal WebSocket traffic to port 6002
- Add high priority (100) to ensure path matching
- Based on official Coolify docker-compose.prod.yml configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 13:04:08 +01:00
27c3218784 fix: map /terminal/ws path to port 6002
Route terminal WebSocket to port 6002 on Coolify container
as requested.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 12:58:35 +01:00
1af4ec5fca fix: add dedicated router for terminal WebSocket without compression
The terminal WebSocket is served by main Coolify on port 8080.
Create separate router with priority 100 for /terminal/ws path
without compression middleware which blocks WebSocket upgrades.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 12:56:34 +01:00
4dee03dd86 fix: use direct container URL for terminal WebSocket routing
Route to dev_coolify_soketi container via URL instead of port-only,
which allows Traefik to reach the correct container.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 12:49:27 +01:00
d1357206e8 fix: route terminal WebSocket to Soketi container port 6001
Terminal WebSocket should connect through the Soketi/realtime
container which handles Pusher protocol on port 6001.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 12:49:07 +01:00
f36c10a5b4 feat: add Traefik route for terminal WebSocket path
Route /terminal/ws to port 6002 on Coolify container
Set priority 100 to take precedence over main router

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 12:47:02 +01:00
41841f800e fix: remove terminal-specific routing (handled by main router)
The /terminal/ws endpoint is part of the main Coolify application
on port 8080, not a separate service. WebSocket requests should go
through the main router automatically.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 12:41:44 +01:00
251ea6b775 feat: add Traefik route for Coolify terminal WebSocket
- Route /terminal/ws path to port 6002 on Coolify container
- Enable WebSocket terminal functionality in Coolify UI
- Path-based routing on main domain

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 12:39:56 +01:00
22deecdbe8 revert: remove terminal port 6002 configuration
Port 6002 is not active in default Coolify deployment.
Terminal functionality appears to work through main port 8080
or requires additional configuration not documented.

Need to investigate Coolify terminal enablement further.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 12:37:08 +01:00
46105b1f25 feat: enable Coolify terminal interface
- Add Traefik routing for terminal service on port 6002
- Accessible at terminal.coolify.dev.pivoine.art
- Enable web-based terminal access for deployments

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 12:35:08 +01:00
94a8df8fa1 refactor: simplify Coolify realtime subdomain
Change from coolify-realtime.coolify.dev.pivoine.art
to realtime.coolify.dev.pivoine.art for cleaner URLs

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 12:28:36 +01:00
102484d88c fix: remove unused Coolify mail env vars, use database config
Coolify stores SMTP settings in the database (instance_settings table)
rather than reading from environment variables.

SMTP settings configured directly in database:
- smtp_enabled: true
- smtp_host: net_mailpit
- smtp_port: 1025
- smtp_from_address: hi@pivoine.art
- smtp_from_name: Coolify

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 11:48:32 +01:00
ab1d350af3 feat: enable email notifications in Coolify
- Add MAIL_MAILER=smtp to use SMTP transport
- Configure MAIL_HOST and MAIL_PORT to use Mailpit relay
- Set MAIL_FROM_ADDRESS and MAIL_FROM_NAME for sender info
- No encryption/auth needed for internal Mailpit relay

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 11:40:55 +01:00
26fa1be36c feat: enable email notifications in Gitea
- Add ENABLE_NOTIFY_MAIL: true to enable email notifications
- Set DEFAULT_EMAIL_NOTIFICATIONS: enabled as default for users
- Uses existing Mailpit mail relay configuration

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-17 08:01:21 +01:00
8622f9dfa0 fix: remove drop_params from individual model configs
🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-16 18:53:44 +01:00
0146d1f043 fix: remove invalid supports_prompt_caching parameter
Removed supports_prompt_caching parameter that was causing 400 errors.
Prompt caching is automatically enabled by Anthropic when the client
sends cache_control blocks in messages - no config needed.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-16 16:09:17 +01:00
d26310afb7 feat: enable prompt caching for all Claude models
Added supports_prompt_caching: true to all Claude models:
- claude-sonnet-4
- claude-sonnet-4.5
- claude-3-5-sonnet
- claude-3-opus
- claude-3-haiku

This enables Anthropic's prompt caching feature across all models,
significantly reducing latency and costs for repeated requests
with the same system prompts.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-16 16:07:29 +01:00
2014a82efb feat: enable Redis caching for LiteLLM
Configure LiteLLM to use existing Redis from core stack for caching:
- Enabled cache with Redis backend
- Set TTL to 1 hour for cached responses
- Uses core_redis container on default port

This will improve performance by caching API responses.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-16 16:05:14 +01:00
5cec1415ad fix: disable LiteLLM cache to avoid Redis requirement
Disabled cache setting that requires Redis configuration.
Prompt caching at the Anthropic API level is still enabled
via supports_prompt_caching setting.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-16 16:04:39 +01:00
8a18ae753d perf: optimize LiteLLM for better performance
Reduce database logging overhead and enable prompt caching:

- Disabled verbose logging (set_verbose: false)
- Disabled spend tracking logs to reduce DB writes
- Disabled tag tracking and daily spend logs
- Removed success/failure callbacks
- Enabled prompt caching for claude-sonnet-4.5
- Set log level to ERROR only
- Removed --detailed_debug flag from command

This should significantly improve response times by eliminating
unnecessary database writes for every request.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-16 16:03:19 +01:00
ffbcecc09d feat: replace Basic Auth with Authelia
Replace HTTP Basic Auth with Authelia ForwardAuth for consistent
authentication across infrastructure:

- Asciinema Admin (admin.asciinema.dev.pivoine.art): Removed Basic Auth,
  added Authelia protection
- FaceFusion (facefusion.ai.pivoine.art): Removed Basic Auth, added
  Authelia protection

Updated Authelia access control to include both services with one_factor
policy.

All services now use Authelia for authentication, eliminating the need
to manage separate Basic Auth credentials.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 21:54:27 +01:00
39c28d49a4 feat: remove Authelia from services with own auth
Remove Authelia ForwardAuth middleware from services that have their own
authentication systems to avoid double login:

- Umami: Analytics service with built-in user authentication
- Asciinema: Terminal recording platform with email-based auth
- Gitea: Git service with user accounts
- n8n: Workflow automation with user management
- Coolify: Deployment platform with authentication

Services still protected by Authelia (single auth layer):
- Mailpit: SMTP testing (no auth)
- Traefik Dashboard: Proxy admin interface
- Netdata: System monitoring (no auth)
- Scrapy: Web scraping (protected by basic auth + Authelia)
- Restic: Backup system (no auth)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 21:32:55 +01:00
f572da050e fix: update Traefik dashboard domain to proxy.pivoine.art
Changed access control rule from traefik.pivoine.art to proxy.pivoine.art
to match the actual Traefik dashboard hostname configured in arty.yml.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:59:31 +01:00
875afe2434 fix: remove authRequestHeaders to allow Cookie header forwarding
Removed explicit authRequestHeaders configuration. By default, Traefik
forwards all headers including Cookie to the ForwardAuth endpoint.
Explicitly setting authRequestHeaders was preventing the session
cookie from being forwarded to Authelia.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:56:55 +01:00
9b59d0e3ba fix: add explicit session configuration parameters
Added back session expiration, inactivity, remember_me, and same_site
settings at both global and cookie level to ensure proper session
handling across subdomains.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:52:42 +01:00
2b6ea5ee16 fix: change Mailpit to one_factor authentication
Changed from two_factor to one_factor policy for initial testing.
Users can access with just username/password without needing
to set up TOTP or WebAuthn second factor.

Can be changed back to two_factor once 2FA is configured.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:49:14 +01:00
dffc9a36cf revert: switch back to /api/authz/forward-auth endpoint
Reverting to the modern /api/authz/forward-auth endpoint as requested.
The legacy /api/verify endpoint had the same behavior.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:48:19 +01:00
4902acc06d test: switch to legacy /api/verify endpoint for automatic redirects
Try using the deprecated /api/verify endpoint instead of /api/authz/forward-auth
to see if it returns HTTP 302 redirects that browsers automatically follow
instead of HTTP 401 with Location headers.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:44:15 +01:00
c625b898cb fix: simplify Authelia config to match official blog example
Removed custom server.endpoints.authz.forward-auth configuration
and simplified session setup to match the official Authelia + Traefik
blog post example.

Key changes:
- Removed server.endpoints configuration (use defaults)
- Added session.name at top level
- Simplified session.cookies to only domain and authelia_url
- Removed custom expiration/inactivity settings

This should enable proper 302 redirects for browsers instead of
401 responses with Location headers.

Reference: https://www.authelia.com/blog/authelia--traefik-setup-guide/

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:39:06 +01:00
be0fddf796 fix: remove HeaderAuthorization from forward-auth endpoint
Only use CookieSession strategy for forward-auth endpoint to ensure
browsers receive proper 302 redirects to the login page instead of
HTTP Basic auth prompts.

When HeaderAuthorization is in the strategies list, it sends
www-authenticate headers that trigger browser Basic auth dialogs.
For browser-based authentication, we only want CookieSession which
handles redirects properly.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:35:18 +01:00
bec2add16b fix: configure CookieSession strategy for forward-auth endpoint
Added server.endpoints.authz.forward-auth configuration to explicitly
use CookieSession authentication strategy. This ensures browsers
receive HTTP 302 redirects instead of HTTP 401 responses when
accessing protected services while unauthenticated.

Without this configuration, the forward-auth endpoint was returning
401 with Location headers, which browsers don't automatically follow.
With CookieSession strategy, GET requests from browsers will now
receive 302 redirects that automatically redirect to the Authelia
login page.

Authentication strategy order:
1. CookieSession - for browser users (returns 302 redirects)
2. HeaderAuthorization - for API clients (returns 401 with headers)

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
2025-11-15 20:29:46 +01:00