Added back session expiration, inactivity, remember_me, and same_site
settings at both global and cookie level to ensure proper session
handling across subdomains.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Changed from two_factor to one_factor policy for initial testing.
Users can access with just username/password without needing
to set up TOTP or WebAuthn second factor.
Can be changed back to two_factor once 2FA is configured.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Reverting to the modern /api/authz/forward-auth endpoint as requested.
The legacy /api/verify endpoint had the same behavior.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Try using the deprecated /api/verify endpoint instead of /api/authz/forward-auth
to see if it returns HTTP 302 redirects that browsers automatically follow
instead of HTTP 401 with Location headers.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Removed custom server.endpoints.authz.forward-auth configuration
and simplified session setup to match the official Authelia + Traefik
blog post example.
Key changes:
- Removed server.endpoints configuration (use defaults)
- Added session.name at top level
- Simplified session.cookies to only domain and authelia_url
- Removed custom expiration/inactivity settings
This should enable proper 302 redirects for browsers instead of
401 responses with Location headers.
Reference: https://www.authelia.com/blog/authelia--traefik-setup-guide/🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Only use CookieSession strategy for forward-auth endpoint to ensure
browsers receive proper 302 redirects to the login page instead of
HTTP Basic auth prompts.
When HeaderAuthorization is in the strategies list, it sends
www-authenticate headers that trigger browser Basic auth dialogs.
For browser-based authentication, we only want CookieSession which
handles redirects properly.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Added server.endpoints.authz.forward-auth configuration to explicitly
use CookieSession authentication strategy. This ensures browsers
receive HTTP 302 redirects instead of HTTP 401 responses when
accessing protected services while unauthenticated.
Without this configuration, the forward-auth endpoint was returning
401 with Location headers, which browsers don't automatically follow.
With CookieSession strategy, GET requests from browsers will now
receive 302 redirects that automatically redirect to the Authelia
login page.
Authentication strategy order:
1. CookieSession - for browser users (returns 302 redirects)
2. HeaderAuthorization - for API clients (returns 401 with headers)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Traefik needs to forward X-Forwarded-* headers to Authelia so it can
determine the target URL. Without these headers, Authelia returns
"failed to get target URL: missing host value" error.
Added authRequestHeaders configuration to forward:
- X-Forwarded-Method (HTTP method)
- X-Forwarded-Proto (HTTPS/HTTP)
- X-Forwarded-Host (target domain)
- X-Forwarded-Uri (target path)
- X-Forwarded-For (client IP)
This fixes the issue where services returned 401 without redirecting
to the Authelia login page.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Use correct Authelia v4.38+ endpoint: /api/authz/forward-auth
- Use actual container name: net_authelia instead of authelia
- Add authResponseHeadersRegex for Remote-* headers
- Remove static redirect parameter, let Authelia handle it dynamically
- Replace BasicAuth with Authelia middleware for Traefik dashboard
- Replace BasicAuth with Authelia middleware for Netdata
- Replace BasicAuth with Authelia middleware for Mailpit
- Services now require Authelia 2FA authentication
- Set AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET in compose
- Set AUTHELIA_SESSION_SECRET in compose
- Set AUTHELIA_STORAGE_ENCRYPTION_KEY in compose
- Set AUTHELIA_STORAGE_POSTGRES_PASSWORD in compose
- Remove variable syntax from configuration.yml
- Authelia reads these directly from environment variables
- Use modern server.address syntax instead of host/port
- Add identity_validation.reset_password.jwt_secret (deprecates jwt_secret)
- Update session to use cookies array with secret
- Fix session.remember_me_duration to remember_me
- Remove envsubst complexity for password hashes
- Keep users_database.yml only on server (not in git)
- Add users_database.yml to .gitignore
- Update users_database.template.yml with multi-user examples
- Configure Authelia to watch users_database.yml for changes
- Users can now be added/removed by editing the file on server
- Supports unlimited users without code changes
- Rename users_database.yml to users_database.template.yml
- Use envsubst to substitute AUTHELIA_USER_PASSWORD_HASH from .env
- Update configuration.yml to use /config/users_database.yml
- Add AUTHELIA_USER_PASSWORD_HASH environment variable to compose
- Password hash now stored securely in .env instead of git
- Change default theme from gitea-dark to edge-dark
- Enable REQUIRE_SIGNIN_VIEW to hide landing page from anonymous users
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Change from MP_SMTP_FORWARD_* to MP_SMTP_RELAY_*
- Add MP_SMTP_RELAY_ALL=true to relay all emails
- Preserves original recipients (relay vs forward)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Remove mailpit-relay.yaml file (env vars not substituted in mounts)
- Use MP_SMTP_RELAY_* environment variables directly
- Fixes crash loop due to missing relay host configuration
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add Mailpit service to NET stack with web UI at mailpit.pivoine.art
- Configure Mailpit to relay all emails through IONOS SMTP
- Migrate all 11+ services to use Mailpit instead of direct IONOS SMTP:
* SEXY: Directus API
* UTIL: Joplin, Mattermost, Vaultwarden, Tandoor, Linkwarden
* DEV: Gitea, n8n, Asciinema
* AI: Open WebUI
* NET: Netdata (via msmtp)
- Centralize SMTP credentials in mailpit-relay.yaml
- Simplify service configs (no auth/TLS for internal SMTP)
- Enable email monitoring via Mailpit web UI with Basic Auth
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Removed duplicate STASH_* and JELLY_* variables that have been replaced by MEDIA_* variables after consolidation into the media stack.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Add backrest service to core/compose.yaml with CORE_RESTIC_ prefix
- Update arty.yml with CORE_RESTIC_* environment variables
- Remove restic from compose.yaml includes
- Backrest now part of core infrastructure stack
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Create net/compose.yaml with 4 services (traefik, netdata, watchtower, umami)
- Update arty.yml with NET_* environment variables
- Update compose.yaml to include net instead of individual stacks
- Update restic volume references to net_letsencrypt_data and net_netdata_config
- Copy configuration files to net/ directory (Dockerfile, dynamic/, go.d/, etc.)
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Consolidates 6 utility services into a single util stack:
- drop (PairDrop) - P2P file sharing
- joplin (Joplin Server) - Note-taking and sync
- links (Linkwarden) - Bookmark manager with Meilisearch
- mattermost (Mattermost) - Team collaboration
- vault (Vaultwarden) - Password manager
- tandoor (Tandoor) - Recipe manager
Changes:
- Created util/compose.yaml with all 6 services
- Moved rtc_config.json to util directory
- Updated environment variables to use UTIL_ prefix
- Updated restic volume references to util_* names
- Container names changed from {service}_app to util_{service}
- Volume names changed from {service}_* to util_{service}_*
- Removed individual stack directories (drop, joplin, links, mattermost, vault, tandoor)
- Updated compose.yaml to include util/compose.yaml instead of individual stacks
All services maintain their original hostnames and functionality.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Moved asciinema service from standalone stack to dev/compose.yaml
- Updated hostname from asciinema.pivoine.art to asciinema.dev.pivoine.art
- Updated environment variables to use DEV_ASCIINEMA_ prefix
- Updated restic backup volume reference (asciinema_data -> dev_asciinema_data)
- Moved custom.exs to dev/asciinema-custom.exs
- Removed standalone asciinema/compose.yaml directory
- Container name changes from asciinema_app to dev_asciinema
- Volume name changes from asciinema_data to dev_asciinema_data
- Preserved admin interface at admin.asciinema.dev.pivoine.art with Basic Auth
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Moved n8n service from standalone stack to dev/compose.yaml
- Updated hostname from n8n.pivoine.art to n8n.dev.pivoine.art
- Updated environment variables to use DEV_N8N_ prefix
- Updated restic backup volume reference (n8n_n8n_data -> dev_n8n_data)
- Removed standalone n8n/compose.yaml
- Container name changes from n8n_app to dev_n8n
- Volume name changes from n8n_n8n_data to dev_n8n_data
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove three unused stacks and related configuration:
- Removed sablier, scrapy, vpn from compose includes
- Deleted sablier/compose.yaml, scrapy/compose.yaml, vpn/compose.yaml
- Removed scrapy-backup from restic config
- Removed scrapy volume mounts from restic compose
- Removed SABLIER, SCRAPY, VPN env vars from arty.yml
- Cleaned up sexy/uploads directory
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove kit service and related configuration:
- Removed kit from compose includes
- Deleted kit/compose.yaml (landing, vert, pastel, stirling, units, draw, figlet)
- Removed KIT env vars from arty.yml
Kit services were stateless and don't require data migration.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Remove awsm service and related configuration:
- Removed awsm from compose includes
- Deleted awsm/compose.yaml
- Removed awesome-backup from restic config
- Removed awsm volume mount from restic
- Removed AWSM env vars from arty.yml
- Removed awsm/import script
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
- Change PUSHER_HOST to public URL (coolify-realtime.coolify.dev.pivoine.art)
- Update PUSHER_PORT from 6001 to 443 (HTTPS)
- Add PUSHER_SCHEME=https
- Remove VITE_PUSHER_* variables (redundant)
- Change label quotes from single to double
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Configure browser to connect to Soketi via HTTPS through Traefik:
- VITE_PUSHER_HOST: coolify-realtime.coolify.dev.pivoine.art
- VITE_PUSHER_PORT: 443
- VITE_PUSHER_SCHEME: https
This fixes the 'Cannot connect to real-time service' warning.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
Add Traefik labels to Soketi to make it accessible at
coolify-realtime.coolify.dev.pivoine.art for browser WebSocket connections
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude <noreply@anthropic.com>
