Fix #36: Add Authelia as core IAM service for shards #86
Open
ClaydeCode wants to merge 1 commit into
Authelia is added as a permanent core service in every shard, providing
forward-auth (via Traefik middleware) and OIDC (for OAuth clients) with
a file-based user backend that hot-reloads on change.
Key changes:
- docker-compose.yml: Add authelia/authelia:4.38 service, mounting
${FREESHARD_DIR}/core/authelia as /config
- data/authelia/: Jinja2 templates for configuration.yml and the
initial users_database.yml rendered at shard startup
- shard_core/service/authelia.py: Secrets bootstrap (stored in kv_store,
generated once), config rendering, and CRUD service layer for the YAML
user database with argon2id password hashing
- shard_core/web/protected/authelia_users.py: REST endpoints at
/protected/authelia/users (list, get, create, update, delete)
- shard_core/service/traefik_dynamic_config.py: Add authelia-forwardauth
middleware (http://authelia:9091/api/authz/forward-auth), authelia
service, and auth.<shard-domain> public router; switch app routers
from the old auth middleware to authelia-forwardauth
- shard_core/app_factory.py: Call ensure_authelia_secrets and
render_authelia_config during startup lifespan
- tests/: Update traefik dyn spec test, add authelia user CRUD tests
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Summary
Closes #36
Adds Authelia as a permanent core IAM service in every shard, providing single-sign-on across all apps via forward-auth and OIDC, with a file-based user backend that hot-reloads without container restarts.
Key changes:
- Authelia service (authelia/authelia:4.38) added to docker-compose.yml, mounting ${FREESHARD_DIR}/core/authelia as /config
- Jinja2 templates (data/authelia/) rendered at startup: configuration.yml (session, storage, OIDC, file-backend with watch: true) and an initial empty users_database.yml
- shard_core/service/authelia.py: JWT secret, session secret, storage encryption key, OIDC HMAC secret, and RSA-4096 OIDC private key are generated once and persisted in the kv_store; the config is re-rendered on every startup so it stays in sync with the shard domain
- REST API: GET|POST /protected/authelia/users and GET|PATCH|DELETE /protected/authelia/users/{username} — writes atomically via temp-file-then-rename, protected by a threading lock
- Traefik: authelia-forwardauth middleware added (calls http://authelia:9091/api/authz/forward-auth), app routers switched from the old internal auth middleware to authelia-forwardauth, and a public router added for auth.<shard-domain> so the Authelia login portal is reachable

Recommended reading order
1. data/authelia/configuration.yml.j2 — the Authelia config template (single source of truth for what Authelia does)
2. shard_core/service/authelia.py — secrets management, config rendering, user CRUD, password hashing
3. shard_core/service/traefik_dynamic_config.py — Traefik middleware/service/router additions
4. shard_core/app_factory.py — two new lines wiring Authelia into the startup lifespan
5. shard_core/web/protected/authelia_users.py + shard_core/web/protected/__init__.py — the REST API layer
6. tests/test_authelia_users.py + tests/test_traefik_dyn_spec.py — tests

Test plan
- Unit tests (test_authelia_users.py): create, get, list, update, delete, duplicate-create raises 409, delete-missing raises 404
- API tests via app_client (no Traefik, auth bypassed at FastAPI level): all CRUD operations return correct status codes
- Traefik spec test (test_traefik_dyn_spec.py): authelia-forwardauth middleware, authelia service and router are present; app routers now use authelia-forwardauth
- Manual check: auth.<shard-domain> serves Authelia login portal; create user via API, verify Authelia accepts credentials

🤖 Generated with Claude Code
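The description above mentions three properties of the user-database service layer worth seeing together: writes are atomic (temp file, fsync, then rename), a threading lock serialises them, and passwords are stored only as salted hashes. The following is an added example written for this page, not code from the PR or the shard_core project. It assumes a hypothetical `UserStore` that owns an Authelia-style `users_database.yml`, emits and reads back only that flat layout (it is not a general YAML parser), and uses `hashlib.scrypt` from the standard library as a stand-in for argon2id, which Authelia expects but which the stdlib does not provide. `UserExists` and `UserNotFound` are hypothetical exceptions standing in for the 409 and 404 responses the PR's REST layer returns.

```python
import hashlib
import os
import re
import secrets
import tempfile
import threading
from base64 import b64decode, b64encode

class UserExists(Exception):       # hypothetical; REST layer would map to 409
    pass

class UserNotFound(Exception):     # hypothetical; REST layer would map to 404
    pass

_USERNAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")  # keeps names from breaking the YAML layout
_SCRYPT = dict(n=2**14, r=8, p=1, dklen=32)      # assumption: scrypt stands in for argon2id

def hash_password(password: str) -> str:
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
    return "$scrypt$%s$%s" % (b64encode(salt).decode(), b64encode(digest).decode())

def verify_password(password: str, stored: str) -> bool:
    parts = stored.split("$")
    if len(parts) != 4 or parts[1] != "scrypt":
        return False
    salt, expected = b64decode(parts[2]), b64decode(parts[3])
    candidate = hashlib.scrypt(password.encode(), salt=salt, **_SCRYPT)
    return secrets.compare_digest(candidate, expected)  # constant-time comparison

def _emit_yaml(users: dict) -> str:
    # Flat users_database.yml layout: users -> name -> displayname/password/email/groups
    lines = ["users:"]
    for name in sorted(users):
        u = users[name]
        lines += [f"  {name}:", f"    displayname: {u['displayname']}",
                  f'    password: "{u["password"]}"', f"    email: {u['email']}", "    groups:"]
        lines += [f"      - {g}" for g in u["groups"]]
    return "\n".join(lines) + "\n"

def _parse_yaml(text: str) -> dict:
    # Reads back only what _emit_yaml produces; a real service would use a YAML library
    users, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if line.startswith("      - "):
            users[current]["groups"].append(stripped[2:])
        elif line.startswith("    "):
            if stripped != "groups:":
                key, _, value = stripped.partition(": ")
                users[current][key] = value.strip('"')
        elif line.startswith("  ") and stripped.endswith(":"):
            current = stripped[:-1]
            users[current] = {"groups": []}
    return users

class UserStore:
    def __init__(self, path: str):
        self.path, self._lock, self._users = path, threading.Lock(), {}
        if os.path.exists(path):
            with open(path) as fh:
                self._users = _parse_yaml(fh.read())

    def _write_atomic(self) -> None:
        directory = os.path.dirname(os.path.abspath(self.path))
        fd, tmp = tempfile.mkstemp(dir=directory, prefix=".users_database.", suffix=".tmp")
        try:
            with os.fdopen(fd, "w") as fh:     # mkstemp creates the file with mode 0600
                fh.write(_emit_yaml(self._users))
                fh.flush()
                os.fsync(fh.fileno())          # data is on disk before the rename
            os.replace(tmp, self.path)         # atomic: Authelia's watcher never sees a partial file
        except BaseException:
            if os.path.exists(tmp):
                os.unlink(tmp)
            raise

    def list(self) -> list:
        return sorted(self._users)

    def get(self, username: str) -> dict:
        if username not in self._users:
            raise UserNotFound(username)
        u = self._users[username]
        return {**u, "groups": list(u["groups"])}  # copy so callers cannot mutate the store

    def create(self, username, password, displayname, email, groups=()):
        if not _USERNAME.fullmatch(username):
            raise ValueError("invalid username")
        with self._lock:
            if username in self._users:
                raise UserExists(username)
            self._users[username] = {"displayname": displayname, "email": email,
                                     "password": hash_password(password), "groups": list(groups)}
            self._write_atomic()

    def update(self, username, password=None, **fields):
        with self._lock:
            if username not in self._users:
                raise UserNotFound(username)
            u = self._users[username]
            u.update({k: v for k, v in fields.items() if k in ("displayname", "email", "groups")})
            if password is not None:           # plaintext never reaches the file
                u["password"] = hash_password(password)
            self._write_atomic()

    def delete(self, username):
        with self._lock:
            if username not in self._users:
                raise UserNotFound(username)
            del self._users[username]
            self._write_atomic()
```

The rename step is what makes the `watch: true` file backend safe: Authelia re-reads the database on change, and `os.replace` guarantees it only ever observes the old complete file or the new complete file. Leftover `.users_database.*.tmp` files in the config directory would indicate a write that failed between `mkstemp` and the rename.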