🚀 new authentication module

.gitattributes

@@ -1,2 +1,3 @@
-secret.enc.yaml diff=sopsdiffer
-cluster-secrets.yaml diff=sopsdiffer
+*.sops.yaml diff=sopsdiffer
+cluster-secrets.yaml diff=sopsdiffer
+*.sops.toml linguist-language=JSON

.sops.yaml

@@ -9,3 +9,7 @@ creation_rules:
     key_groups:
       - age:
           - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+  - path_regex: cluster/.*\.sops\.toml
+    key_groups:
+      - age:
+          - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg

cluster/apps/authentication/authelia/config/configuration.yml

@@ -0,0 +1,85 @@
+---
+session:
+  redis:
+    high_availability:
+      sentinel_name: redis-master
+      nodes:
+        - host: redis-node-0.redis-headless.default.svc.cluster.local
+          port: 26379
+        - host: redis-node-1.redis-headless.default.svc.cluster.local
+          port: 26379
+        - host: redis-node-2.redis-headless.default.svc.cluster.local
+          port: 26379
+
+access_control:
+  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
+  ## resource if there is no policy to be applied to the user.
+  default_policy: deny
+  networks:
+    - name: private
+      networks: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
+    - name: vpn
+      networks: ["10.10.0.0/16"]
+  rules:
+    # bypass Authelia WAN + LAN
+    - domain:
+        - auth.${SECRET_CLUSTER_DOMAIN}
+      policy: bypass
+    # One factor auth for LAN
+    - domain:
+        - "*.${SECRET_CLUSTER_DOMAIN}"
+      policy: one_factor
+      subject: ["group:admins", "group:users"]
+      networks:
+        - private
+    # Two factors auth for WAN
+    - domain:
+        - "*.${SECRET_CLUSTER_DOMAIN}"
+      subject: ["group:admins", "group:users"]
+      policy: two_factor
+
+identity_providers:
+  oidc:
+    cors:
+      endpoints: ["authorization", "token", "revocation", "introspection"]
+      allowed_origins_from_client_redirect_uris: true
+    clients:
+      - id: gitea
+        secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
+        public: false
+        authorization_policy: two_factor
+        scopes: ["openid", "profile", "groups", "email"]
+        redirect_uris:
+          [
+            "https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback",
+          ]
+        userinfo_signing_algorithm: none
+      - id: grafana
+        description: Grafana
+        secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: ["openid", "profile", "groups", "email"]
+        redirect_uris:
+          ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
+        userinfo_signing_algorithm: none
+      - id: outline
+        description: Outline
+        secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes: ["openid", "profile", "email", "offline_access"]
+        redirect_uris:
+          ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
+        userinfo_signing_algorithm: none
+      # - id: minio
+      #   description: Minio
+      #   secret: "${SECRET_MINIO_OAUTH_CLIENT_SECRET}"
+      #   public: false
+      #   authorization_policy: two_factor
+      #   pre_configured_consent_duration: 1y
+      #   scopes: ["openid", "profile", "groups", "email"]
+      #   redirect_uris: ["https://minio.${SECRET_PUBLIC_DOMAIN}/oauth_callback"]
+      #   userinfo_signing_algorithm: none

cluster/apps/authentication/authelia/helm-release.yaml

@@ -0,0 +1,96 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app authelia
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 0.1.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s-charts
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  dependsOn:
+    - name: glauth
+      namespace: default
+    - name: redis
+      namespace: default
+  values:
+    controller:
+      replicas: 1
+      strategy: RollingUpdate
+    image:
+      repository: ghcr.io/authelia/authelia
+      tag: 4.36.7
+    envFrom:
+      - secretRef:
+          name: *app
+    enableServiceLinks: false
+    service:
+      main:
+        ports:
+          http:
+            port: 80
+          metrics:
+            enabled: true
+            port: 8080
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: "nginx"
+        annotations:
+          external-dns.alpha.kubernetes.io/target: "services.${SECRET_DOMAIN}."
+          external-dns/is-public: "true"
+          nginx.ingress.kubernetes.io/configuration-snippet: |
+            add_header Cache-Control "no-store";
+            add_header Pragma "no-cache";
+            add_header X-Frame-Options "SAMEORIGIN";
+            add_header X-XSS-Protection "1; mode=block";
+        hosts:
+          - host: &host "auth.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    podSecurityContext:
+      runAsUser: 568
+      runAsGroup: 568
+      fsGroup: 568
+      fsGroupChangePolicy: "OnRootMismatch"
+    persistence:
+      config:
+        enabled: true
+        type: configMap
+        name: *app
+        subPath: configuration.yml
+        mountPath: /config/configuration.yml
+        readOnly: false
+    podAnnotations:
+      configmap.reloader.stakater.com/reload: *app
+      secret.reloader.stakater.com/reload: *app
+    topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: *app
+    resources:
+      requests:
+        cpu: 5m
+        memory: 10Mi
+      limits:
+        memory: 100Mi

cluster/apps/authentication/authelia/kustomization.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - secret.sops.yaml
+  - helm-release.yaml
+  - service-monitor.yaml
+patchesStrategicMerge:
+  - patches/env.yaml
+  #- patches/postgres.yaml
+configMapGenerator:
+  - name: authelia
+    files:
+      - config/configuration.yml
+generatorOptions:
+  disableNameSuffixHash: true

cluster/apps/authentication/authelia/patches/env.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authelia
+  namespace: default
+spec:
+  values:
+    env:
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN: ou=users
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN: dc=home,dc=arpa
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE: givenName
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER: "(&(memberUid={username})(objectClass=posixGroup))"
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE: cn
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE: mail
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL: "ldap://glauth.default.svc.cluster.local:389"
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: cn=search,ou=svcaccts,dc=home,dc=arpa
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE: uid
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER: "(&({username_attribute}={input})(objectClass=posixAccount))"
+      AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE: "true"
+      AUTHELIA_DEFAULT_REDIRECTION_URL: "https://auth.${SECRET_CLUSTER_DOMAIN}"
+      AUTHELIA_DUO_API_DISABLE: "true"
+      AUTHELIA_LOG_LEVEL: trace
+      AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true"
+      AUTHELIA_NOTIFIER_SMTP_HOST: smtp-relay.default.svc.cluster.local
+      AUTHELIA_NOTIFIER_SMTP_PORT: 2525
+      AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia <authelia@${SECRET_DOMAIN}>"
+      AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
+      AUTHELIA_SERVER_PORT: 80
+      AUTHELIA_SESSION_DOMAIN: "${SECRET_CLUSTER_DOMAIN}"
+      AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 14
+      AUTHELIA_SESSION_REDIS_HOST: redis.default.svc.cluster.local
+      AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia
+      AUTHELIA_STORAGE_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
+      AUTHELIA_STORAGE_POSTGRES_SSL_MODE: verify-full
+      AUTHELIA_TELEMETRY_METRICS_ADDRESS: "tcp://0.0.0.0:8080"
+      AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
+      AUTHELIA_THEME: grey
+      AUTHELIA_TOTP_ISSUER: authelia.com
+      AUTHELIA_WEBAUTHN_DISABLE: "true"

cluster/apps/authentication/authelia/patches/postgres.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: authelia
+  namespace: default
+spec:
+  values:
+    initContainers:
+      init-db:
+        image: ghcr.io/onedr0p/postgres-initdb:14.5
+        env:
+          - name: POSTGRES_HOST
+            value: postgres.${SECRET_DOMAIN}
+          - name: POSTGRES_DB
+            value: authelia
+          - name: POSTGRES_SUPER_PASS
+            valueFrom:
+              secretKeyRef:
+                name: postgres-superuser
+                key: password
+          - name: POSTGRES_USER
+            valueFrom:
+              secretKeyRef:
+                name: authelia
+                key: AUTHELIA_STORAGE_POSTGRES_USERNAME
+          - name: POSTGRES_PASS
+            valueFrom:
+              secretKeyRef:
+                name: authelia
+                key: AUTHELIA_STORAGE_POSTGRES_PASSWORD

cluster/apps/authentication/authelia/secret.sops.yaml

@@ -0,0 +1,36 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: authelia
+    namespace: default
+type: Opaque
+stringData:
+    AUTHELIA_STORAGE_POSTGRES_USERNAME: ENC[AES256_GCM,data:popD58odXyQ=,iv:gw+Y2n/ZRRAudSZy6T6aYdLq504xEH6Ntk+nWY39zjE=,tag:okpCZIGgCzeooa+eSWhAbA==,type:str]
+    AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:j/VlSpeqwTVKCDN+Law=,iv:k+PKPq1iF/bl0acff1DrbQzRKOb3cy37Sq5R+wuKOQc=,tag:ouhjcJuZJQ0Gc/T396WDrg==,type:str]
+    AUTHELIA_JWT_SECRET: ENC[AES256_GCM,data:/FH8Yi4olsLQgbAbTGh23wvZ+0bY5XZMxyXUcQ==,iv:BB18NV8++Uqh3TS9KeDAOV3WH8gvBa/vKRAoV48ddMU=,tag:jbNMXobzUIIEd/fQKrD17Q==,type:str]
+    AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:oKlY7wYdJWyVyS9L0kEyE/FBaX8QguU7ZwN4wg==,iv:qn3DBkozHECvEvjfJaGwogGdNcEYfL9Mr4sZhkmRvUs=,tag:tmvKCTehK5APrJG/xRzdtg==,type:str]
+    AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:dhPWtO+l7X+9chnJczfL1qE0ckO58kRAvzjTiA==,iv:ac8mMxYENkUv7llxkHHdTiCxMaqP0/joJeAxDkc7vNE=,tag:HUZudNImGCxzlGXeYJZGtA==,type:str]
+    AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ENC[AES256_GCM,data:iF/190/mZpbDwCd5Q+VOTQVyRbs=,iv:xKhvy4ufkiPqmiWUPKQjxRqUA3VH1Y/PTc8BVnLIaDA=,tag:KB3Bs71cARnYo3noOZs+Fw==,type:str]
+    AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: ENC[AES256_GCM,data:GQ5FI3GP+dNfWapUXbkWRoUi4N8oHLn6Kotmmfaqxd0=,iv:iZMUl9vBZUdWElVV1iqPNhdTy0aQKw3H318UT/rTpWs=,tag:iuKMZal34P0zFy6v+Dvj7g==,type:str]
+    AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: ENC[AES256_GCM,data:IeAA9iN8w6vU5ZsJVAmLyaH4xuADYg0ESKdqIWSCQ6OJKd60E0UNhIQOIH25JCQnRo3cpAflkqDHRdMNnoUY4apsA5GBZtO9+kDnswMHFfMwhgP15V6RBLObvIFVFfjH5n2k7hObMeS2qm8+rVIaUpyNDu3elD8KrKHOiqN0dxbd4PVx1CmN3c9kJGqSWrYFhBo44fULjUzWYSaQbfMqxotkxodtfRDKYlwvXBh9fg1hWblBj2LEl8yPd2V3QiKDH2o6um8VWw33ryUzAeefJOelUUU/s8EynbGwTZwuPVy8LATSSiDtvramFpsk7XXshDLrwEir7hujaieP3P0T7XspF9i85wFVZrTqZDtlysYgziwTEqSbd2vL737p6S5l3QpAn5De+QkZyYDbPYJ2X/PTESeY1X4hJ8TI0OK15DXX5+YYkh3Vnvl21xseaAoT9QvTcXM9jjUug8cwt56UhG/grNFrYLjngq4cLPHI4vzE9JXLfXlax+Y+jj0t1Bv8EPA66RzXxJWYgbLP/SdHPFDpyMwRjSzm5zJ9ldG+ajJ1B6pVuWb53USVxtRu6aRnZsxWpJfkn7HqGkXjRPT0mSiU2tFpwaM/NDxMB66DiIZjCwjeTfbFSngDQc88fcwv8V6klASM0iCbsQCtXDGoAt1mG6wmA5UhMmoKkqdRVj+qov+ZeMz+dlafdoXJNXT8ncTo06RDQAZX/3kW+7uK5EbfSRUmDUdPnHHBL/fhEYEasZoF5nwegp9gGPOX6N+mHyYoB3tJNrATJkBa7bTDcPcKpRL5a472ApXva6WYyDgnO4FrvxlkC0wt9Dt8Tw/YakwxY+UtatmdEyYRprxRWQDPYHCqe+lK8S0LGHq+2HEcf109lzAszhkEHj4AKXVuwc2ooWlqVFoCMB4+1sJzawA4Ry5mXNFLN9eb+6xO8fg6DMxRZFbZTL+mdOUfIQxz+nCbEm48xakSj3NJzQ4Rd+31kuapmcnjCLoWdDItXfPrIV160v0GGGMQmrzL7PJVmBaFwmRfJ5YJz5UE0qi8z5RC1d//0ywEyb0EBNCouuWh47XHo2EDKTbhy3o0qpkQBHIQuxUZcIPM+3veF/SOT7pFYPGHMFPbif/71j1HgxuE/E1p+How0XfelOfP4Z8rUWZcDWLJp0wDrD7WRe9564/cqCTvqBRusPKYlCG/xJreqn42LV0bVN4JxJAiBXM68lasZJHunMJcd1E1DB/p1S0Wooezc7J67sPMiLAfiq4GdBSq8Z+8OJKcv88KDXu/PPCh8Ke4xVLdovK1KUncP/T8cppFhyE61CkDjcGvahGbuLkZl2mkR5oHoNerOXqFQ/tvIR34vXRRbb6Qo92r/yJmi6lsXGEu1dxMKBPKkOdCqWYXcSgGtDgyETm1+keoNjh67f7M0rl7eztHpFDl9CX9b4lYEBTiaaozWN+LYdPQps5IZfZDzTN4NScfx2CDve46xVLxNc/DpLhUih/a9i3/kHUB6aPNN/IxA6mhZqrya3gAUfAstxlkiBme8Wa902DFOh10YTn0VP9H+yRihK/OECDMhDDwrqSC1dn7BOF5iWFg9CMB6OzABstucmFDAgRxkqkaIPTSYF0mbZnD5KeZYRjeUV43m7BstHFXGSmb4R2CI9popqvDV1y/7ANpiepXlN2JFGCeCgW/SyyPAZw/xnQUH3ZGjK4lon1l45YA2YRvWnfurGZemaAtir499dbKNa1JK+1POmpAHvMw7tm7Jj2LjaHNKD40jGY782ucZkLFGwBm8P0KU44vjKinQNvjhNrct/USTEMxU+sHtuE9jFDsufKlNeOK/LkjCKfbOu6PNKF8MXoXw8bUsHSqMYHXRvBDiYNmuHp0zitet8JLvdKW1LVLTpuFR7/13y5L//9RvpvD66gjbO9LawIm4oX/RrkzzCEf/eMC4jCPvAe5KhcDGxW53LRYAowGLHmNlKDzWMWMAwe86dT9Y49cQYuznLYifu2ApeQ4nEFW4b0bktrzxSuZCVhWXPs+e0OnEWTUC3lzTd0MSfUgI1pSW+HmKs9+nr+YcEOBTmGd35oyjKGLq4SE4SecckslWnvYpXnHj2QOTqVD/Mn36B3NQgPIQOeh3uOiKhfOw4T0TiBc8ElBGbM0bsp5Cp2q41xByITXaVsgPo6IksI+dnoaqaDwzXVW2RABuuEDNAhC64gJW+t94obETP8X/ulGzxqibLVmOJgcdQ31TuEoE1z17TALTjm6GwZj8Jz80CfM2gHivh41xHjw23yHev3tJ4y5iOQ2fJRE9nM+Lwx3YjN0311PQ63ZfF453flkw7tzvHT+WMUyMHJBCwlQyrYVSVAd1NPdov4i/Ru/OSGGRQ2W3gdkDpTTbxB3rHzWaXS47mQHT9m60SfXDccT7JrZeDb6R8KhpS3aBL8k9paarynaFPrvjwRgJyjZAXzk38StzSRoRIUdS4teWlOm0aLjWA2N+FNxTnHif7fXLXQGnlHIhAU2U3KJ9mlqCq+pxqy2nmnDoXwBh0MjWYvEXwJhEQXv7PdXN6+74jlgx5xrmvyCqOJFuVIvIcRzj74mFIqMTMzXLL6eAjg9xLleTtCbY8jxjBrzfENYpYMQHPVRM1fwipu973WV33sEGmmtk6K79sQyI9Re2J5vneBJ5nT0/xqzA3EWQVEgXMXuOSthjO3PICYrPaH0ohlhiFEwlKpFWBAFKDwxilXeYMBN8epnm3tQjsnUoDyW4TTO/5j4e0Yb/k2z3T7IMYSme4AJq/ulf1Og+aIxHPfJ+QPfTqDnaF/zhkhYHh1iDEa9Dp4UEXyhgytbpr5f+tmcVuvGmtK4k6aOi1XkaLg6/CUa2O00MVqyLmqOeGDAw8z+UJcyFTk86kvNk8PMMrXsEzt6xDGkpSEjiPXL2vf1PrJIYi/99rcWrXR82zMCZg0EaM3zxhZvWzOFrWqHuE9u2ErgzgRt1GQ8iA3gFPw8uP7o8SCjE1Ig9kf56+OncA1fyJRFCPBe9Y36izZtEt901k9aMhZVmiuuCQAtptGFYslKFkLTeaQesnaSgSO2jq1wDEUtRHLHaTeBVWupB1AWvM9u661iC1dk32eVsclftyH5Auf0R58TohDLzhGT8e8NkOii9IJ2+N+ua8nPPiQqxfjbdXrKJFLFeyYimb/h6yfugQpxiDXWOfZFFkdKSZJqONaQ+aURqK3gyavzJeYUdRoiattdNNgGl+jTI/OEe3lt69oimYYExFQRzJ2R3uYYVbVyvaptW7+ppGxOxk4yfoQAcMZnOTGu9DKgBDClGOcdI2LeluieJrfXwoMq3o5wcoM6yvTmgfxzUMZ3DELWwP7Fqv0IJyRD0tXbIcQxGGyd1U3aGq6u0sGJaQy6+sb+s8hFPglL0CrzvCJPJERm8PHiJtiLHDa6WG1+b3V9fPnmJFD0AJEggE7fPolq5/j1dm1SRNmWNffHXcqGrCDcZ0qx6BE2pEzTY2VtyinsaNuigULK6kL55srFHh9xjwdgTD5F7czuqoIo2Phm8PoRW5X8I7dQZ0Psiur2d9tMAT+ChDWoytqmZH3edCN0a1kjWKN8+hDzIptbW68j+JuNLCtBc2ENtCo2mne4Kz15oYgbR7urht+CvagdKxauBiDGcp/KXuRUQKz7onCgnMmMkLP3lHXeyRqi2maG58K0Vngdsi2nFn7IzbeM8ieF2D7mo7FK5lyRlyIy3X2GwTQvEUTUyTUkv/cNCSet4O3zVeMY+hgegZzU1h8Cpzp+GF7v8wEVAe6DZTu+0aubwb27lqiweBUBBNJf9GuAMnuYGHODMsn1CNe3wNtgRlp0liGyT4YmoZlgO6rPcpUpjtxAdw+legYXdylGMwX/Cer2OLxe/VOsd1wjmMcZL1009guK7t6BjwGY9/g85y8MMPiHpWwo1MUOuKPQZFK2c2iu3IiQJtawqocNvmBeZ4/h9978Rod2aUbYXvTRFJbDbRqfqojEDgZv0JgIpBQKT/cIqQLPXoigyab45tMoKWKm2D7lSdwQIWpc2tx4qkECbLy5KEmd0UbCmCC8RDUk3I/Nkycwf1XrlZVYwNpKhQMIytDUyIf9TqTrU/XIJ/Q6Ib7kSyjZeK46GldMNuGnc05mPlJQoj75ZxxtWibfPG9kH7ImR4K1PgHoY2gHleca/paVyC9jNKpKiyB3m4WDnrxK5N+NpO+wlbNXAtGeqZJd6H/V8URnBuIv0NxFRhQ1seVZQKElkol1KCe9H/+n0Hs/fz5RdBwa/Oh9/lVNrJiVcnH1/5JGpR5/p/RLElE9Nl+GJGS2uWasvREyXjoLrB0aSwQK,iv:+H0Qz07NHU6fs7mJk9VnLZlYSoxTCnW59oPSHOmGr+s=,tag:w7NtwB7ks/Tb3eky5e/P/A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2
+            akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC
+            Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT
+            Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq
+            DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-09-13T21:14:03Z"
+    mac: ENC[AES256_GCM,data:ujW5w84/5GmwWvH8RdAoMdEXDNQptKhK0Whbd3Byg0o02NDA3SkQsMJsaSNG9Sp5CZnYxSBHdL1AT/1pldFsrxU7TcIpU1mh9zs4nf9B8x/9CEH/3fKSOZuHRKF56LHkqXLFbcC1o+GQHfg1zWlNFWBQ4ToPnqFlLneKFcHT/Sc=,iv:15KsYWcwbuCnsNOvjh7iMuv9gOsLnbvldUlUOl1l2eI=,tag:spHas6eWDLhcaK4cFStnww==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

cluster/apps/authentication/authelia/service-monitor.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: &app authelia
+  namespace: default
+  labels: &labels
+    app.kubernetes.io/instance: *app
+    app.kubernetes.io/name: *app
+spec:
+  selector:
+    matchLabels:
+      <<: *labels
+  endpoints:
+    - port: metrics
+      scheme: http
+      path: /metrics
+      interval: 1m
+      scrapeTimeout: 10s

cluster/apps/authentication/glauth/config/groups.sops.toml

@@ -0,0 +1,20 @@
+{
+    "data": "ENC[AES256_GCM,data:sjxgm11rLpMMX0WY45XoNmqEvTJdHgZwD2LBYxVOYEYEK9yVU4ibmimoDHn0eZKRjAG+zWXWPItmMoOFiBHCgYGueYPPjcFgHDy8y8hfFxh+SmIZdd4elQ2+BswuwIMLgK3B+T2dX9uihuqXQggDpWAcbb47ErEM3XNlvwWwfy2onNbJJBT1hdEatvB/baRrI1lxss5Y0c9+yBhpjqw=,iv:i2R7PBKXaRsLlyvvv7nRrt0B3/DKlMFPGPUBzdDrKMk=,tag:qI48NEaaZS8E/Oj/gI0e+Q==,type:str]",
+    "sops": {
+        "kms": null,
+        "gcp_kms": null,
+        "azure_kv": null,
+        "hc_vault": null,
+        "age": [
+            {
+                "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
+                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuK0t1cGxMclcrN1VkblJm\nazY5ME9nMXNVVG8vTTJpV0kvVk1HaWNBaGtRCkVYaElLY09VRm5LRmhmand1SWl6\nSnJXR0VWZ3NCMWlJTjY2K2ZhaE01TmMKLS0tIHUxUEtzbTV2T2w4eHhNSTJsZGdK\nalBYbVVmdWpSZVJyUXZ6S2c2Zm1qd0kK03R6jpoZSyzEbubjGidgPdLj4ur7voyX\ntCnbIuHE1XyAzUNHXRmh2neVpJZizEcvePgyBx008tUg2Bm0h7ywUQ==\n-----END AGE ENCRYPTED FILE-----\n"
+            }
+        ],
+        "lastmodified": "2022-09-13T21:09:48Z",
+        "mac": "ENC[AES256_GCM,data:lhhx8KwISfglzFwxyt4DHnwwoVWkI+FZsQvHKPvHgVqdAI67gUO2cZUQVv2gRq5WRYyfehBkJO0aJKtzrTG/ocmwDomIcTsuHy9ibNrFqjTxGCBwRLmJ+Mk8yutjkRhERolscdg42w/0/kf46h09+wpRcXfGU+0CY7WTXXNrYo8=,iv:rKYJyp86NRlcTL3nDaYeFDMPFRSJ70eyfTON5tuO2z8=,tag:bhfA4BgIWvhmEUenNREkQQ==,type:str]",
+        "pgp": null,
+        "unencrypted_suffix": "_unencrypted",
+        "version": "3.7.3"
+    }
+}

cluster/apps/authentication/glauth/config/server.sops.toml

@@ -0,0 +1,20 @@
+{
+    "data": "ENC[AES256_GCM,data:78oUuR7O9j8wqKKiTrCbg1QNVB2a+i3CWgNDNM38zQNDO/LZ3juQkda5rRZsvvH9ovGwsIVo+nk2omMLY5FUceFxQFssXYH5EGgPOA9cXYtbql8jdbp0Lh/41RAC3+WrEe3Pj/5/Qyl+1rMgQPg2JJf7KudJRt4whA6Lkehd3147Au12fMxTpxZpnSczk1MroZwsE+DdQStkVDdzwMA/QvWhnXCDCMcawFrHxrQvmRGOHAyYGomOrPm8WMKSdBpNDMZQFg1pjORK/QQ3LzeQpnoJ25iu/fA9OfpyYsbhryk2asOCyA==,iv:SZ1DXCoib5E9PurrC622tAcELIxxWGiensfZTVKFzXw=,tag:lDDsTO/Y5mXfEqyAJ0z0jQ==,type:str]",
+    "sops": {
+        "kms": null,
+        "gcp_kms": null,
+        "azure_kv": null,
+        "hc_vault": null,
+        "age": [
+            {
+                "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
+                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Mk9heFBGdDdueGFkT3Va\nS1pyMC8wOGJDSTJ3d3JPSjNnTVkzYVJ0eTJJCjVoUy8wMXdPc3Myc2JaalZ2ZG9Q\nc3J4QldvZlJqMFN4WnhvYnJmZXVuNjAKLS0tIDR5K08rWmJvR1VSSjVHUFdWNjRK\nWHd4Ny9ubjVIZ0V1SXhTMnJFN3hCK00KvH0z/ys31lAX2pYNt2JdWqPSDhp4PKEn\nbQ1Z99aG5DedV/4KqOH3L9bvHl3M5am0MiKW/CngOfN9M49bWwQ6VQ==\n-----END AGE ENCRYPTED FILE-----\n"
+            }
+        ],
+        "lastmodified": "2022-09-13T21:10:04Z",
+        "mac": "ENC[AES256_GCM,data:rKjnXHgG5ws0WdcGmTXpZ7PPGm2UIhVASqQ8K6Vtadws2g4M5OOk2JYI9sKjpnGd/Ht0pssBBpLWbqcwV2M2Ug96tkiDMRHHT7vgw4X5Y9NmnYt+5/An7ynsudraAr9AvjRS7Xux03OIPc7LjzOtCv4BIDyFR7vPj5+7opdedC0=,iv:3VPRTkVPL640URtVG5SxLKXE0/Pe3RORttfmnU0AYY0=,tag:Fcl2j31dKdCUwvfozWpRTw==,type:str]",
+        "pgp": null,
+        "unencrypted_suffix": "_unencrypted",
+        "version": "3.7.3"
+    }
+}

cluster/apps/authentication/glauth/config/users.sops.toml

@@ -0,0 +1,20 @@
+{
+    "data": "ENC[AES256_GCM,data:oVTmrHJKhuu11gADtjwZmE7UX05mVTsHkuC7XHkljkf21YJzSoiVStCOR6lZPdGFnOrWwwl+Yxxcs2alP/3G1SBkOtcv4zswDy/M3nr0BbMVBU9MmcFFFt9k0DfKWYyvhjea4uooPTRDH+shUKBG1wGiZyFQRLxrET5+ERwFsEEej5p35/I6HZbp3S7kT0tY0ThxbDt+/u3zwvR/2riWDscKy/75m3UIacnhS97MiOVe/Pv08b64wPg9ES62EV++VRsRFUBW7BrECeXDJfhVerBLmZBsxAxif2DqpOwxNnYqvAdMN/lSnr2mqtmSXP/i2Mg9KENe/i4ZoIFTdau3lBTyw8Fi86aOKkbyq4RqO5ZQ1kr/YtrJfL7I/i5nAXsF1UcyTWBscK1glWUq7vqr6/HOU8gPg3tSNgfTwvDxlXgXxl+bYDgRe5iHxNSvymiDH1Wf8AmlC2uFn9T+r515rMnWw64+FgVa60XCBn2t5IlXmnpNnO6k1U5Ce7jwU4EiDzljrwCKnUy7lSUtLdawaroIxuF0MTVS+kNoXpMXIgX3MBDKEQNIR9l65EK6wQm5QdzjhXOZzNeVEHK4p8dho84D3W9jyvl4VAtH3L5VeDT5PH2y33PXo4F5qHbArEwtkfz6r2aoJM+7hSLV4Er/Lu2+vaUuCRYJDxwdun/r6DoaGrEnNmrTo8OloQG1YdHDNiSN0xD+wdG0w/Iir/GGthW7QqwHjWrwTaunkgVS+g/e+jv4ILBdciWNc40ieazsPvaI+MRi+Hu4hKGRinFEKlv0ydeo53P8dEONsYk+jk5GkqHNynLDfNZ5kdT7K9yQcVJEE0X9a0JCCAIqDTP47YbhPpnmDfpf85LwWsXS/wS+Q04BvBn+09J2wQ==,iv:0S6oUJiSwAEkf5CIxA/y9Oga9vYU415gvJgnq91nXo8=,tag:RF3h6nOtjYRCOYmUYbDbZg==,type:str]",
+    "sops": {
+        "kms": null,
+        "gcp_kms": null,
+        "azure_kv": null,
+        "hc_vault": null,
+        "age": [
+            {
+                "recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
+                "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmaHV4Z0l3TjdRTTNZZ3Bi\nd1NlVW5LRjNNRWcvV3ZEdndGK3FvaHJIUzNvClBKMk9ramhuNEZaK0l2OGhQS1Rl\nUWJKM1Q2ajNXc3BWSjRvVEdhMmRHRVEKLS0tIG9jWktVeWhJZnFDYXpEcStGbFBG\nUHFZazNMYlRGRjZ3eWcvWGNRc2tDa2sKWWPURYhrSLSFllErtv4kqlbwVwFm6C4H\nWEBjUkuR4IrV4iN21St1mGvJt7BNzksPOIanHiyV/X8UzM+2MtZ33g==\n-----END AGE ENCRYPTED FILE-----\n"
+            }
+        ],
+        "lastmodified": "2022-09-13T21:59:06Z",
+        "mac": "ENC[AES256_GCM,data:KxDoqYhcWY5VsmMSLiOlfTyVwta/7nKS4rGwyyoa/Kzwl1hNp0R+oQhhqPesple1zbtIPDVJJYY+dtQT74X6uBlCLxzFrB1zRu9nOPK3LIutMkcXAab3AdD7ZP8OjdCcXsyVj+xO+DtK0EvnZxFi6wMEQK54FEWCMIGmuLLBpLg=,iv:y8wkX6/itIeLniKjxtHIhgMe/zB27ieu/HFOtt6Nlwg=,tag:JJCGe3ycl6Omg2zWl6b72A==,type:str]",
+        "pgp": null,
+        "unencrypted_suffix": "_unencrypted",
+        "version": "3.7.3"
+    }
+}

cluster/apps/authentication/glauth/helm-release.yaml

@@ -0,0 +1,64 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app glauth
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 0.1.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s-charts
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  values:
+    controller:
+      replicas: 1
+      strategy: RollingUpdate
+    image:
+      repository: docker.io/glauth/glauth
+      tag: v2.1.0
+    command: ["/app/glauth", "-c", "/config"]
+    service:
+      main:
+        ports:
+          http:
+            port: 5555
+          ldap:
+            enabled: true
+            port: 389
+    podSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+      fsGroupChangePolicy: "OnRootMismatch"
+    persistence:
+      config:
+        enabled: true
+        type: secret
+        name: *app
+        items:
+          - key: server.toml
+            path: server.toml
+          - key: groups.toml
+            path: groups.toml
+          - key: users.toml
+            path: users.toml
+    podAnnotations:
+      secret.reloader.stakater.com/reload: *app
+    resources:
+      requests:
+        cpu: 5m
+        memory: 10Mi
+      limits:
+        memory: 50Mi

cluster/apps/authentication/glauth/kustomization.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - helm-release.yaml
+secretGenerator:
+  - name: glauth
+    files:
+      - server.toml=config/server.sops.toml
+      - groups.toml=config/groups.sops.toml
+      - users.toml=config/users.sops.toml
+generatorOptions:
+  disableNameSuffixHash: true

cluster/apps/authentication/kustomization.yaml

@@ -1,5 +1,7 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+namespace: default
 resources:
-  - configmap.yaml
-  - helm-release.yaml
+  - authelia
+  - glauth

cluster/apps/authentication/readme.md

@@ -0,0 +1,90 @@
+# Authentication
+
+## GLAuth
+
+### Repo configuration
+
+1. Add/Update `.vscode/extensions.json`
+
+    ```json
+    {
+        "files.associations": {
+            "**/cluster/**/*.sops.toml": "plaintext"
+        }
+    }
+    ```
+
+2. Add/Update `.gitattributes`
+
+    ```text
+    *.sops.toml linguist-language=JSON
+    ```
+
+3. Add/Update `.sops.yaml`
+
+    ```yaml
+    - path_regex: cluster/.*\.sops\.toml
+        key_groups:
+        - age:
+            - age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+    ```
+
+## App Configuration
+
+Below are the decrypted versions of the sops encrypted toml files.
+
+> `passbcrypt` can be generated [on CyberChef](https://gchq.github.io/CyberChef/#recipe=Bcrypt(12)To_Hex(%27None%27,0))
+
+1. `server.sops.toml`
+
+    ```toml
+    debug = true
+    [ldap]
+        enabled = true
+        listen = "0.0.0.0:389"
+    [ldaps]
+        enabled = false
+    [api]
+        enabled = true
+        tls = false
+        listen = "0.0.0.0:5555"
+    [backend]
+        datastore = "config"
+        baseDN = "dc=home,dc=arpa"
+    ```
+
+2. `groups.sops.toml`
+
+    ```toml
+    [[groups]]
+        name = "svcaccts"
+        gidnumber = 6500
+    [[groups]]
+        name = "admins"
+        gidnumber = 6501
+    [[groups]]
+        name = "people"
+        gidnumber = 6502
+    ```
+
+3. `users.sops.toml`
+
+    ```toml
+    [[users]]
+        name = "search"
+        uidnumber = 5000
+        primarygroup = 6500
+        passbcrypt = ""
+        [[users.capabilities]]
+            action = "search"
+            object = "*"
+    [[users]]
+        name = "<name>"
+        mail = ""
+        givenname = "<Name>"
+        sn = "<sn>"
+        uidnumber = <uid>
+        primarygroup = <gid>
+        othergroups = [ <gid> ]
+        passbcrypt = ""
+    ```

cluster/apps/documentation/outline/patches/env.yaml

@@ -14,13 +14,13 @@ spec:
       AWS_S3_UPLOAD_BUCKET_URL: "https://minio.${SECRET_DOMAIN}"
       AWS_S3_UPLOAD_MAX_SIZE: "26214400"
       ENABLE_UPDATES: "false"
-      OIDC_AUTH_URI: "https://login.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
+      OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
       OIDC_CLIENT_ID: outline
       OIDC_CLIENT_SECRET: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
       OIDC_DISPLAY_NAME: Authelia
       OIDC_SCOPES: "openid profile email offline_access"
-      OIDC_TOKEN_URI: "https://login.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
-      OIDC_USERINFO_URI: "https://login.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
+      OIDC_TOKEN_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
+      OIDC_USERINFO_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
       OIDC_USERNAME_CLAIM: email
       PGSSLMODE: require
       PORT: 80

cluster/apps/home-automation/frigate/helm-release.yaml

@@ -68,8 +68,8 @@ spec:
         enabled: true
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
         hosts:
           - host: &host "frigate.${SECRET_CLUSTER_DOMAIN}"
             paths:

cluster/apps/home-automation/home-assistant/helm-release.yaml

@@ -109,8 +109,8 @@ spec:
           enabled: true
           ingressClassName: "nginx"
           annotations:
-            nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-            nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+            nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+            nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
           hosts:
             - host: "hass-config.${SECRET_CLUSTER_DOMAIN}"
               paths:

cluster/apps/home-automation/zigbee2mqtt/helm-release.yaml

@@ -75,8 +75,8 @@ spec:
         enabled: true
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
         hosts:
           - host: "zigbee.${SECRET_CLUSTER_DOMAIN}"
             paths:

cluster/apps/home-automation/zwavejs2mqtt/helm-release.yaml

@@ -39,8 +39,8 @@ spec:
         enabled: true
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
         hosts:
           - host: zwave.${SECRET_CLUSTER_DOMAIN}
             paths:

cluster/apps/kustomization.yaml

@@ -1,6 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - authentication
   - data
   - databases
   - development

cluster/apps/media/bazarr/helm-release.yaml

@@ -60,8 +60,8 @@ spec:
         enabled: true
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
           # nginx.ingress.kubernetes.io/configuration-snippet: |
           #   proxy_set_header Accept-Encoding "";
           #   sub_filter '</head>' '<link rel="stylesheet" type="text/css" href="https://theme-park.${SECRET_CLUSTER_DOMAIN}/css/base/bazarr/nord.css"></head>';

cluster/apps/media/calibre/helm-release.yaml

@@ -45,8 +45,8 @@ spec:
         enabled: true
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
         hosts:
           - host: &host "calibre.${SECRET_CLUSTER_DOMAIN}"
             paths:

cluster/apps/media/flood/helm-release.yaml

@@ -58,8 +58,8 @@ spec:
         enabled: true
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
         hosts:
           - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
             paths:

cluster/apps/media/lidarr/helm-release.yaml

@@ -68,8 +68,8 @@ spec:
         ingressClassName: "nginx"
         annotations:
           nginx.ingress.kubernetes.io/proxy-body-size: "0"
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
           nginx.ingress.kubernetes.io/configuration-snippet: |
             proxy_set_header Accept-Encoding "";
             sub_filter '</head>' '<link rel="stylesheet" type="text/css" href="https://theme-park.${SECRET_CLUSTER_DOMAIN}/css/base/lidarr/nord.css"></head>';

cluster/apps/media/prowlarr/helm-release.yaml

@@ -51,8 +51,8 @@ spec:
         enabled: true
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
           nginx.ingress.kubernetes.io/configuration-snippet: |
             proxy_set_header Accept-Encoding "";
             sub_filter '</head>' '<link rel="stylesheet" type="text/css" href="https://theme-park.${SECRET_CLUSTER_DOMAIN}/css/base/prowlarr/nord.css"></head>';

cluster/apps/media/pyload/helm-release.yaml

@@ -56,8 +56,8 @@ spec:
         enabled: true
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 
         hosts:
           - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"

cluster/apps/media/qbittorrent/helm-release.yaml

@@ -75,8 +75,8 @@ spec:
         enabled: true
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
 
         hosts:
           - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"

cluster/apps/media/radarr/helm-release.yaml

@@ -68,8 +68,8 @@ spec:
         ingressClassName: "nginx"
         annotations:
           nginx.ingress.kubernetes.io/proxy-body-size: "0"
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
           nginx.ingress.kubernetes.io/configuration-snippet: |
             proxy_set_header Accept-Encoding "";
             sub_filter '</head>' '<link rel="stylesheet" type="text/css" href="https://theme-park.${SECRET_CLUSTER_DOMAIN}/css/base/radarr/nord.css"></head>';

cluster/apps/media/readarr/helm-release.yaml

@@ -62,8 +62,8 @@ spec:
         enabled: true
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
           nginx.ingress.kubernetes.io/configuration-snippet: |
             proxy_set_header Accept-Encoding "";
             sub_filter '</head>' '<link rel="stylesheet" type="text/css" href="https://theme-park.${SECRET_CLUSTER_DOMAIN}/css/base/readarr/nord.css"></head>';

cluster/apps/media/sabnzbd/helm-release.yaml

@@ -70,8 +70,8 @@ spec:
         enabled: true
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
           nginx.ingress.kubernetes.io/configuration-snippet: |
             proxy_set_header Accept-Encoding "";
             sub_filter '</head>' '<link rel="stylesheet" type="text/css" href="https://theme-park.${SECRET_CLUSTER_DOMAIN}/css/base/sabnzbd/nord.css"></head>';

cluster/apps/media/sonarr/helm-release.yaml

@@ -68,8 +68,8 @@ spec:
         ingressClassName: "nginx"
         annotations:
           nginx.ingress.kubernetes.io/proxy-body-size: "0"
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
           nginx.ingress.kubernetes.io/configuration-snippet: |
             proxy_set_header Accept-Encoding "";
             sub_filter '</head>' '<link rel="stylesheet" type="text/css" href="https://theme-park.${SECRET_CLUSTER_DOMAIN}/css/base/sonarr/nord.css"></head>';

cluster/apps/media/tdarr/helm-release.yaml

@@ -72,8 +72,8 @@ spec:
         enabled: true
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
           # traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
           # traefik.ingress.kubernetes.io/router.middlewares: networking-forward-auth@kubernetescrd
         hosts:

cluster/apps/media/travelstories/deployment.yaml

@@ -75,8 +75,8 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
-    nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-    nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+    nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+    nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
   labels:
     app.kubernetes.io/instance: travelstories
     app.kubernetes.io/name: travelstories

cluster/apps/monitoring/blackbox-exporter/helm-release.yaml

@@ -94,8 +94,8 @@ spec:
       enabled: true
       className: nginx
       annotations:
-        nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-        nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+        nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+        nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
       hosts:
         - host: "blackbox.${SECRET_CLUSTER_DOMAIN}"
           paths:

cluster/apps/monitoring/grafana/helm-release.yaml

@@ -34,7 +34,7 @@ spec:
       existingSecret: grafana-admin-creds
     grafana.ini:
       auth:
-        signout_redirect_url: "https://login.${SECRET_CLUSTER_DOMAIN}/logout"
+        signout_redirect_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/logout"
         oauth_auto_login: false
       auth.generic_oauth:
         enabled: true
@@ -43,9 +43,9 @@ spec:
         client_secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
         scopes: "openid profile email groups"
         empty_scopes: false
-        auth_url: "https://login.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
-        token_url: "https://login.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
-        api_url: "https://login.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
+        auth_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
+        token_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
+        api_url: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
         login_attribute_path: preferred_username
         groups_attribute_path: groups
         name_attribute_path: name

cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml

@@ -118,8 +118,8 @@ spec:
         pathType: Prefix
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
         hosts: ["prometheus.${SECRET_CLUSTER_DOMAIN}"]
         tls:
           - hosts:
@@ -363,8 +363,8 @@ spec:
         pathType: Prefix
         ingressClassName: "nginx"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
         hosts: ["alert-manager.${SECRET_CLUSTER_DOMAIN}"]
         tls:
           - hosts:

cluster/apps/monitoring/thanos/helm-release.yaml

@@ -38,8 +38,8 @@ spec:
         enabled: true
         hostname: &host "thanos-query.${SECRET_CLUSTER_DOMAIN}"
         annotations:
-          nginx.ingress.kubernetes.io/auth-url: "http://authelia.networking.svc.cluster.local/api/verify"
-          nginx.ingress.kubernetes.io/auth-signin: "https://login.${SECRET_CLUSTER_DOMAIN}"
+          nginx.ingress.kubernetes.io/auth-url: "http://authelia.default.svc.cluster.local/api/verify"
+          nginx.ingress.kubernetes.io/auth-signin: "https://auth.${SECRET_CLUSTER_DOMAIN}"
         ingressClassName: "nginx"
         tls: true
         extraTls:

cluster/apps/networking/authelia/configmap.yaml

@@ -1,27 +0,0 @@
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: authelia-config-custom
-  namespace: networking
-data:
-  users_database.yml: |
-    users:
-      Claude:
-        displayname: "Claude"
-        password: "${SECRET_AUTHELIA_USER_CLAUDE_PASSWORD}"
-        email: ${SECRET_AUTHELIA_USER_CLAUDE_EMAIL}
-        groups:
-          - admins
-      Helene:
-        displayname: "Helene"
-        password: "${SECRET_AUTHELIA_USER_HELENE_PASSWORD}"
-        email: ${SECRET_AUTHELIA_USER_HELENE_EMAIL}
-        groups:
-          - users
-      visitor:
-        displayname: "visitor"
-        password: "${SECRET_AUTHELIA_USER_VISITOR_PASSWORD}"
-        email: ${SECRET_AUTHELIA_USER_VISITOR_EMAIL}
-        groups:
-          - users

cluster/apps/networking/authelia/helm-release.yaml

@@ -1,203 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta1
-kind: HelmRelease
-metadata:
-  name: authelia
-  namespace: networking
-spec:
-  interval: 5m
-  chart:
-    spec:
-      chart: authelia
-      version: 0.8.38
-      sourceRef:
-        kind: HelmRepository
-        name: authelia-charts
-        namespace: flux-system
-      interval: 5m
-
-  values:
-    domain: ${SECRET_CLUSTER_DOMAIN}
-
-    service:
-      annotations:
-        prometheus.io/probe: "true"
-        prometheus.io/protocol: "http"
-
-    ingress:
-      enabled: true
-      className: nginx
-      annotations:
-        external-dns.alpha.kubernetes.io/target: "services.${SECRET_DOMAIN}."
-        external-dns/is-public: "true"
-      subdomain: login
-
-      tls:
-        enabled: true
-        secret: "${SECRET_CLUSTER_CERTIFICATE_DEFAULT}"
-
-    pod:
-      # Must be Deployment, DaemonSet, or StatefulSet.
-      kind: Deployment
-
-      env:
-        - name: TZ
-          value: ${TIMEZONE}
-
-      extraVolumeMounts:
-        - name: config-custom
-          mountPath: /config
-      extraVolumes:
-        - name: config-custom
-          configMap:
-            name: authelia-config-custom
-            items:
-              - key: users_database.yml
-                path: users_database.yml
-
-      resources:
-        requests:
-          cpu: 500m
-          memory: 1500Mi
-        limits: {}
-
-    ##
-    ## Authelia Config Map Generator
-    ##
-    configMap:
-      enabled: true
-      server:
-        read_buffer_size: 8192
-        write_buffer_size: 8192
-      theme: light
-      authentication_backend:
-        disable_reset_password: true
-        ldap:
-          enabled: false
-        file:
-          enabled: true
-          password:
-            algorithm: argon2id
-
-      access_control:
-        ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
-        ## resource if there is no policy to be applied to the user.
-        default_policy: deny
-
-        networks:
-          - name: private
-            networks:
-              - 10.0.0.0/8
-              - 172.16.0.0/12
-              - 192.168.0.0/16
-          - name: vpn
-            networks:
-              - 10.10.0.0/16
-
-        rules:
-          # bypass Authelia WAN + LAN
-          - domain:
-              - login.${SECRET_CLUSTER_DOMAIN}
-            policy: bypass
-
-          # Deny admin services to users
-          - domain:
-              - alert-manager.${SECRET_CLUSTER_DOMAIN}
-              - prometheus.${SECRET_CLUSTER_DOMAIN}
-              - thanos.${SECRET_CLUSTER_DOMAIN}
-            subject: ["group:users"]
-            policy: deny
-
-          # One factor auth for LAN
-          - domain:
-              - "*.${SECRET_CLUSTER_DOMAIN}"
-            policy: one_factor
-            subject: ["group:admins", "group:users"]
-            networks:
-              - private
-
-          # Two factors auth for WAN
-          - domain:
-              - "*.${SECRET_CLUSTER_DOMAIN}"
-            subject: ["group:admins", "group:users"]
-            policy: two_factor
-
-      session:
-        redis:
-          enabled: false
-          high_availability:
-            enabled: true
-            sentinel_name: redis-master
-            nodes:
-              - host: redis-node-0.redis-headless.default.svc.cluster.local
-                port: 26379
-              - host: redis-node-1.redis-headless.default.svc.cluster.local
-                port: 26379
-              - host: redis-node-2.redis-headless.default.svc.cluster.local
-                port: 26379
-      storage:
-        postgres:
-          enabled: true
-          host: postgres.${SECRET_DOMAIN}
-          ssl:
-            mode: verify-full
-
-      notifier:
-        smtp:
-          enabled: true
-          host: smtp-relay.default.svc.cluster.local
-          port: 2525
-          sender: authelia@${SECRET_DOMAIN}
-          identifier: ${SECRET_DOMAIN}
-
-      identity_providers:
-        oidc:
-          enabled: true
-          cors:
-            endpoints: ["authorization", "token", "revocation", "introspection"]
-            allowed_origins_from_client_redirect_uris: true
-          clients:
-            - id: gitea
-              secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
-              public: false
-              authorization_policy: one_factor
-              scopes: ["openid", "profile", "groups", "email"]
-              redirect_uris:
-                [
-                  "https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback",
-                ]
-              userinfo_signing_algorithm: none
-            - id: grafana
-              description: Grafana
-              secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
-              public: false
-              authorization_policy: one_factor
-              pre_configured_consent_duration: 1y
-              scopes: ["openid", "profile", "groups", "email"]
-              redirect_uris:
-                ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
-              userinfo_signing_algorithm: none
-            - id: outline
-              description: Outline
-              secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
-              public: false
-              authorization_policy: one_factor
-              pre_configured_consent_duration: 1y
-              scopes: ["openid", "profile", "email", "offline_access"]
-              redirect_uris:
-                ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
-              userinfo_signing_algorithm: none
-
-    secret:
-      storage:
-        key: STORAGE_PASSWORD
-        value: "${SECRET_AUTHELIA_POSTGRES_PASSWORD}"
-        filename: STORAGE_PASSWORD
-      jwt:
-        key: JWT_TOKEN
-        value: "${SECRET_AUTHELIA_JWT_SECRET}"
-        filename: JWT_TOKEN
-      storageEncryptionKey:
-        key: STORAGE_ENCRYPTION_KEY
-        value: "${SECRET_AUTHELIA_STORAGE_ENCRYPTION_KEY}"
-        filename: STORAGE_ENCRYPTION_KEY

cluster/apps/networking/kustomization.yaml

@@ -3,7 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
-  - authelia
   - certificate
   - external-dns
   - ingress-nginx

cluster/charts/authelia-charts.yaml

@@ -1,10 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: HelmRepository
-metadata:
-  name: authelia-charts
-  namespace: flux-system
-spec:
-  interval: 1h
-  url: https://charts.authelia.com
-  timeout: 3m

cluster/charts/authentik-charts.yaml

@@ -1,10 +0,0 @@
----
-apiVersion: source.toolkit.fluxcd.io/v1beta1
-kind: HelmRepository
-metadata:
-  name: authentik-charts
-  namespace: flux-system
-spec:
-  interval: 1h
-  url: https://charts.goauthentik.io
-  timeout: 3m

cluster/charts/kustomization.yaml

@@ -2,8 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - authelia-charts.yaml
-  - authentik-charts.yaml
   - bitnami-charts.yaml
   - bjw-s-charts.yaml
   - cert-manager-webhook-ovh.yaml

cluster/configuration/cluster-secrets.sops.yaml

@@ -5,16 +5,6 @@ metadata:
     name: cluster-secrets
     namespace: flux-system
 stringData:
-    SECRET_AUTHELIA_JWT_SECRET: ENC[AES256_GCM,data:B3+umypR5/b1Emnk5C4iPOKV0guv6kHPm24SOA==,iv:cGSElgFacEEfrYXNYMbfLnJzeILcrfA/hehyJc2pwiM=,tag:Z0VOJic0pnzEicU1tOwDxg==,type:str]
-    SECRET_AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:Mtm1pKD/EKy0iCp+MZu13FsNWRm1A87831gp5g==,iv:Rgz11SVbvgNEmG2DDEvD7OFtUjr9uc2s6Ba7eAw2VWU=,tag:3DvjMDhZR/Id0+lvaNuQQg==,type:str]
-    SECRET_AUTHELIA_POSTGRES_PASSWORD: ENC[AES256_GCM,data:s7FKzSB4j/loBw+kGio=,iv:AaDnVGqR/AnkTtwaWc2MdZMTEzS9oqD69Yx7ERCMLw4=,tag:oxqPv3/ScxDmau5D1jRHgg==,type:str]
-    SECRET_AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:YBU5F2QjInHEVg6zg6QFVqTLCsztq9VDfvAWeg==,iv:SAD1P95b5SUxPsq9+KGEaJr5+/NcC7nFkIZ23SuMe6g=,tag:HTdrjhqmAzoa8Me7YF+9rg==,type:str]
-    SECRET_AUTHELIA_USER_CLAUDE_EMAIL: ENC[AES256_GCM,data:zFcLu4r4WFMVU1T1EPgiJKi8CxAyvuE=,iv:pv6ea/TcPEI9jIntJrjo14iBqj9GjgVhWHWrPn6mnQs=,tag:yMbeHtwIkjXt7aNGJU/UWA==,type:str]
-    SECRET_AUTHELIA_USER_CLAUDE_PASSWORD: ENC[AES256_GCM,data:LMO3QfNvpse/BEjyOG6cfsllHcJ28OE8LLqlPGZdVOHkqG9C/naZ2Ri4k1x/1fyzL6YUOODZYExj6g3Zdl3zTsbjdVEryTrZ810183Zcb7RjBrXSZB81tk1CW+EARFq5Jc2N,iv:OGlGQQAPrrF9YP+tux39MeZWnrr+F7IsLfklv5xKfkE=,tag:sPewO2VQNR+8aq7S4JiXLg==,type:str]
-    SECRET_AUTHELIA_USER_HELENE_EMAIL: ENC[AES256_GCM,data:OHljFRDSlX7MG0qOhPodseC1Xqa815tl,iv:NmuPZt3KkJPV28i26eU84Z+aPE55DHkkAz+llmSnloU=,tag:aUMYpZp+ObeYZ9GmrAbJ4g==,type:str]
-    SECRET_AUTHELIA_USER_HELENE_PASSWORD: ENC[AES256_GCM,data:DyRpTyVyey4lhjDijfB/2Cf4Weg8virytgtsirtIUuBesq9QAuUffgLScA6TF4FYY79vbZNupfICuUwaHvZM1eyhzfwilWhlNp6dIxPTuEqC6TWP7dHEIGKF8yFB659veOis,iv:NJ7ENJU5Gr1VGdivBS4JCAbvsig1g92cx62kC6EKPu0=,tag:bjr90OBDYyE6c1kwXam1wg==,type:str]
-    SECRET_AUTHELIA_USER_VISITOR_EMAIL: ENC[AES256_GCM,data:9k/iAk6pG/nNpn2wedTz20s+IsZ3ww==,iv:ZgNGCEeLkdymzq+xVfur9T/24+v2mzrjwwsr7VKdNe4=,tag:H2o6blNKxgMRFhE/QtVSNg==,type:str]
-    SECRET_AUTHELIA_USER_VISITOR_PASSWORD: ENC[AES256_GCM,data:VlKk9ZOpKCHy1AW4usy9o0G5f5iSLRlSM0Lo265UC4EP6XO6HLR0415Ro2FFdHm8NkJZqjguFgqd0bC7G4HDjVqS4Y+kwd1wO5TzVQGtI3aE9npJdo+zlISM0aX6eID8Vp+s,iv:Bz7Bow0Gb4VRFRLB8eNXq2kyPveX+t6H0BEdLxh2Igk=,tag:JGkgQIWoCZGM3Fcj+l6i4g==,type:str]
     SECRET_BOOKSTACK_DB_PASSWORD: ENC[AES256_GCM,data:cq8X8QDvbi3IO/g2bEj1tQ==,iv:6YtfNCxqeq7iifIeSrA26DrEBKTjUNB4nrtM72hKpbY=,tag:DxX88KMJXYWM3FsYbK58+Q==,type:str]
     SECRET_BOOKSTACK_TOKEN_ID: ENC[AES256_GCM,data:wR2K8DEdDiDBL1Q1QFLHPbbtPwCucXns3r0pt38kNmQ=,iv:yVWYuPMrxImLJQyw7yvqCESBLcMIMxUMbY9RVYH54JQ=,tag:mL1TDd2A+EsN0p5SPH6jKw==,type:str]
     SECRET_BOOKSTACK_TOKEN_SECRET: ENC[AES256_GCM,data:zRNzXpum9u/6VEIIhoYdIyh9zrLq5gxYXTX5WHrb+fQ=,iv:oIU2pm6PO7tGHbuvVe1XC7VcmeAeewSV+PbU3Pj9b7s=,tag:Lcej5PL+aNgY3GLHrs6VwQ==,type:str]
@@ -92,8 +82,8 @@ sops:
             WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
             pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2022-09-13T20:27:31Z"
-    mac: ENC[AES256_GCM,data:ybA9+ZtgN6rhindjNIZfm0iCWSWuwACt1vOFxLfnNH71AAS6AMl+AYiLpOKq9+jwAoi4T9B+kvdtL8Kmhzc6Q30oqhwKO8SpeLkpkPOE2woqapiZvjk467VVYpUCKEKarXE3bZY+9w0gvms02Jrg421+vnDTEF/HZKamLf4pizo=,iv:iZfsRxkYg//LshAFX2063BT4wcrVe5lErO16DcEgGN0=,tag:s0J1+0Cr6DaFMMN1q645YA==,type:str]
+    lastmodified: "2022-09-13T21:06:40Z"
+    mac: ENC[AES256_GCM,data:fi8v5TVbw/Ki4z2l53CJJ1h+XNtX6YczzHD71UKJEWgHIyp6R9mY5UHTCdGJYNurcOA6IzP24XRjx2Z3s43jArIy0ojyVYYudyVLzrUYTf712CvgBF1YVeWu9sluM+7xutEvpG7byJ7gEml+B6FlN2duf902KFiiZIMhh4fvVmI=,iv:KnVclXvl3qgLlrQXG6FtXjmW5TFyvWoJMoJk3O9kwVs=,tag:moe3SNsZF+a5cPpW0XfMvg==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.7.3