Add nginx reverse proxy service for Supervisor web UI at supervisor.ai.pivoine.art with Authelia authentication. Proxies to RunPod GPU instance via Tailscale (100.121.199.88:9001).
Changes:
- Create supervisor-nginx.conf for nginx proxy configuration
- Add supervisor service to docker-compose with Traefik labels
- Add supervisor.ai.pivoine.art to Authelia protected domains
- Remove deprecated Flux-related files
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add pinchflat.media.pivoine.art to protected services requiring
one-factor authentication via Authelia SSO.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Replace HTTP Basic Auth with Authelia ForwardAuth for consistent
authentication across infrastructure:
- Asciinema Admin (admin.asciinema.dev.pivoine.art): Removed Basic Auth,
added Authelia protection
- FaceFusion (facefusion.ai.pivoine.art): Removed Basic Auth, added
Authelia protection
Updated Authelia access control to include both services with one_factor
policy.
All services now use Authelia for authentication, eliminating the need
to manage separate Basic Auth credentials.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove Authelia ForwardAuth middleware from services that have their own
authentication systems to avoid double login:
- Umami: Analytics service with built-in user authentication
- Asciinema: Terminal recording platform with email-based auth
- Gitea: Git service with user accounts
- n8n: Workflow automation with user management
- Coolify: Deployment platform with authentication
Services still protected by Authelia (single auth layer):
- Mailpit: SMTP testing (no auth)
- Traefik Dashboard: Proxy admin interface
- Netdata: System monitoring (no auth)
- Scrapy: Web scraping (protected by basic auth + Authelia)
- Restic: Backup system (no auth)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed access control rule from traefik.pivoine.art to proxy.pivoine.art
to match the actual Traefik dashboard hostname configured in arty.yml.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added back session expiration, inactivity, remember_me, and same_site
settings at both global and cookie level to ensure proper session
handling across subdomains.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed from two_factor to one_factor policy for initial testing.
Users can access with just username/password without needing
to set up TOTP or WebAuthn second factor.
Can be changed back to two_factor once 2FA is configured.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Removed custom server.endpoints.authz.forward-auth configuration
and simplified session setup to match the official Authelia + Traefik
blog post example.
Key changes:
- Removed server.endpoints configuration (use defaults)
- Added session.name at top level
- Simplified session.cookies to only domain and authelia_url
- Removed custom expiration/inactivity settings
This should enable proper 302 redirects for browsers instead of
401 responses with Location headers.
Reference: https://www.authelia.com/blog/authelia--traefik-setup-guide/🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Only use CookieSession strategy for forward-auth endpoint to ensure
browsers receive proper 302 redirects to the login page instead of
HTTP Basic auth prompts.
When HeaderAuthorization is in the strategies list, it sends
www-authenticate headers that trigger browser Basic auth dialogs.
For browser-based authentication, we only want CookieSession which
handles redirects properly.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added server.endpoints.authz.forward-auth configuration to explicitly
use CookieSession authentication strategy. This ensures browsers
receive HTTP 302 redirects instead of HTTP 401 responses when
accessing protected services while unauthenticated.
Without this configuration, the forward-auth endpoint was returning
401 with Location headers, which browsers don't automatically follow.
With CookieSession strategy, GET requests from browsers will now
receive 302 redirects that automatically redirect to the Authelia
login page.
Authentication strategy order:
1. CookieSession - for browser users (returns 302 redirects)
2. HeaderAuthorization - for API clients (returns 401 with headers)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Set AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET in compose
- Set AUTHELIA_SESSION_SECRET in compose
- Set AUTHELIA_STORAGE_ENCRYPTION_KEY in compose
- Set AUTHELIA_STORAGE_POSTGRES_PASSWORD in compose
- Remove variable syntax from configuration.yml
- Authelia reads these directly from environment variables
- Use modern server.address syntax instead of host/port
- Add identity_validation.reset_password.jwt_secret (deprecates jwt_secret)
- Update session to use cookies array with secret
- Fix session.remember_me_duration to remember_me
- Remove envsubst complexity for password hashes
- Keep users_database.yml only on server (not in git)
- Add users_database.yml to .gitignore
- Update users_database.template.yml with multi-user examples
- Configure Authelia to watch users_database.yml for changes
- Users can now be added/removed by editing the file on server
- Supports unlimited users without code changes
- Rename users_database.yml to users_database.template.yml
- Use envsubst to substitute AUTHELIA_USER_PASSWORD_HASH from .env
- Update configuration.yml to use /config/users_database.yml
- Add AUTHELIA_USER_PASSWORD_HASH environment variable to compose
- Password hash now stored securely in .env instead of git
