From 56604b77e9ad16a8073527e074ef73cfafa5ce8f Mon Sep 17 00:00:00 2001 From: kelin Date: Wed, 14 Jan 2026 00:03:34 -0500 Subject: [PATCH] fix: store Authelia credentials in persistent location - setup-homelab.sh: Store temp files in /opt/stacks/.setup-temp instead of /tmp - deploy-homelab.sh: Read credentials from new persistent location - reset-test-environment.sh: Clean up new temp directory This fixes the issue where credentials were inaccessible when deploy script runs via 'su -' (login shell) from setup script, as /tmp files created by root are not accessible across the su boundary. --- scripts/deploy-homelab.sh | 13 ++++++++----- scripts/reset-test-environment.sh | 2 ++ scripts/setup-homelab.sh | 10 ++++++++-- 3 files changed, 18 insertions(+), 7 deletions(-) diff --git a/scripts/deploy-homelab.sh b/scripts/deploy-homelab.sh index 4d9207c..d36aac6 100755 --- a/scripts/deploy-homelab.sh +++ b/scripts/deploy-homelab.sh @@ -179,9 +179,9 @@ log_info "Configuring Authelia for domain: $DOMAIN..." sed -i "s/your-domain.duckdns.org/${DOMAIN}/g" /opt/stacks/core/authelia/configuration.yml # Configure Authelia admin user from setup script -if [ -f /tmp/authelia_admin_credentials.tmp ] && [ -f /tmp/authelia_password_hash.tmp ]; then +if [ -f /opt/stacks/.setup-temp/authelia_admin_credentials.tmp ] && [ -f /opt/stacks/.setup-temp/authelia_password_hash.tmp ]; then log_info "Loading Authelia admin credentials from setup script..." - source /tmp/authelia_admin_credentials.tmp + source /opt/stacks/.setup-temp/authelia_admin_credentials.tmp if [ -n "$ADMIN_USER" ] && [ -n "$ADMIN_EMAIL" ]; then log_success "Using credentials: $ADMIN_USER ($ADMIN_EMAIL)" @@ -209,7 +209,7 @@ EOF export ADMIN_EMAIL python3 << 'PYTHON_EOF' # Read password hash from file to completely avoid bash variable expansion -with open('/tmp/authelia_password_hash.tmp', 'r') as f: +with open('/opt/stacks/.setup-temp/authelia_password_hash.tmp', 'r') as f: password_hash = f.read().strip() import os 
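Review bot: The `source` of `/opt/stacks/.setup-temp/authelia_admin_credentials.tmp` runs that file as shell code, and setup-homelab.sh writes the values into it unquoted (`echo "ADMIN_PASSWORD=$ADMIN_PASSWORD"`). A password containing a space, `$`, a backtick or `;` is therefore either altered or interpreted as a command when this line runs. The file also now sits under `/opt/stacks` for longer than it did in `/tmp`, so any account with write access to that tree decides what the deploy script executes. Reading the three expected keys as plain data avoids both problems. The enclosing `if` continues past the end of the hunk.

```shell
    # Read KEY=VALUE pairs as data; nothing in the file is executed
    while IFS= read -r line; do
        case "${line%%=*}" in
            ADMIN_USER) ADMIN_USER=${line#*=} ;;
            ADMIN_EMAIL) ADMIN_EMAIL=${line#*=} ;;
            ADMIN_PASSWORD) ADMIN_PASSWORD=${line#*=} ;;
        esac
    done < /opt/stacks/.setup-temp/authelia_admin_credentials.tmp
    # … unchanged: ADMIN_USER / ADMIN_EMAIL check and users_database.yml generation …
```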
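Review bot: The staging path is now a literal in the Python heredoc as well as in the shell `if`, `source` and `rm` lines of this file, so the next relocation has to edit every copy again. Because the heredoc delimiter is quoted (`<< 'PYTHON_EOF'`), the path cannot be interpolated by the shell. Export it next to `ADMIN_EMAIL`, for example `export SETUP_TEMP_DIR=/opt/stacks/.setup-temp`, and read it with `os.environ['SETUP_TEMP_DIR']` in the `open()` call. `import os` currently follows the `open()` call in the visible lines, so it would have to move above it. The heredoc starts and ends outside this hunk.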
@@ -252,8 +252,11 @@ PYTHON_EOF log_info "Password also saved to: /opt/stacks/core/authelia/ADMIN_PASSWORD.txt" echo "" - # Clean up credentials file - rm -f /tmp/authelia_admin_credentials.tmp + # Clean up credentials files from setup script + rm -f /opt/stacks/.setup-temp/authelia_admin_credentials.tmp + rm -f /opt/stacks/.setup-temp/authelia_password_hash.tmp + rmdir /opt/stacks/.setup-temp 2>/dev/null || true + log_info "Cleaned up temporary setup files" else log_warning "Incomplete credentials from setup script" log_info "Using template users_database.yml - please configure manually" diff --git a/scripts/reset-test-environment.sh b/scripts/reset-test-environment.sh index 096fdca..b30c9b1 100755 --- a/scripts/reset-test-environment.sh +++ b/scripts/reset-test-environment.sh @@ -122,6 +122,8 @@ echo "" log_info "Step 4/6: Cleaning temporary files..." rm -f /tmp/authelia_admin_credentials.tmp +rm -f /tmp/authelia_password_hash.tmp +rm -rf /opt/stacks/.setup-temp rm -f /tmp/nvidia*.log log_success "Temporary files cleaned" echo "" diff --git a/scripts/setup-homelab.sh b/scripts/setup-homelab.sh index 1856f59..f1ac5f8 100755 --- a/scripts/setup-homelab.sh +++ b/scripts/setup-homelab.sh 
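Review bot: The cleanup lines sit only in the success branch, so the plaintext password file and the hash stay in `/opt/stacks/.setup-temp` when the `else` path ("Incomplete credentials from setup script") is taken or the script stops between the `source` and this point. Leftovers in `/tmp` are cleared at reboot on many systems, but the new location is described as persistent, so they remain until the reset script is run. Moving the cleanup below the closing `fi` of the credentials check, or registering it with `trap` once the files are found, would cover every exit path. `log_info "Cleaned up temporary setup files"` is also printed when `rmdir` fails, because its error is discarded by `2>/dev/null || true`. The `if`/`else` these lines belong to opens before the hunk and closes after it.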
@@ -351,12 +351,18 @@ log_success "Password hash generated and will be applied during deployment" # Store the admin credentials for the deployment script # Password hash is already in /tmp/authelia_password_hash.tmp (written directly from Docker) # This avoids bash variable expansion issues with $ characters in argon2 hashes +# Store in /opt/stacks/ which is accessible across user contexts +mkdir -p /opt/stacks/.setup-temp { echo "ADMIN_USER=$ADMIN_USER" echo "ADMIN_EMAIL=$ADMIN_EMAIL" echo "ADMIN_PASSWORD=$ADMIN_PASSWORD" -} > /tmp/authelia_admin_credentials.tmp -chmod 600 /tmp/authelia_admin_credentials.tmp +} > /opt/stacks/.setup-temp/authelia_admin_credentials.tmp +chmod 600 /opt/stacks/.setup-temp/authelia_admin_credentials.tmp + +# Copy password hash to persistent location +cp /tmp/authelia_password_hash.tmp /opt/stacks/.setup-temp/authelia_password_hash.tmp +chmod 600 /opt/stacks/.setup-temp/authelia_password_hash.tmp log_info "Credentials saved for deployment script" echo ""
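Review bot: The plaintext `ADMIN_PASSWORD` is written into a directory that `mkdir -p` creates with the inherited umask, and the redirect creates the file before `chmod 600` runs. The directory mode, and the file mode for a short window, therefore depend on the caller's umask rather than on this script. Creating the directory with an explicit mode and writing under `umask 077` removes that dependency. The hash is copied rather than moved, so `/tmp/authelia_password_hash.tmp` stays behind; remove it after the copy if nothing else reads it. If the deploy script runs as a different account than the one writing these files, they also need a `chown`, and the hunk does not show which user that is.

```shell
# Create the staging directory private from the start
install -d -m 700 /opt/stacks/.setup-temp
old_umask=$(umask)
umask 077   # new files are created 0600, no window before chmod
# … unchanged: { echo … } > …/authelia_admin_credentials.tmp, cp and chmod 600 of both files …
umask "$old_umask"
# Do not leave a second copy of the hash in /tmp
rm -f /tmp/authelia_password_hash.tmp
```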