Add Authentik SSO, fix Uptime Kuma duplicate, enable SSO on Jellyseerr, and improve documentation
- Add Authentik service stack to infrastructure.yml
- Includes Authentik server, worker, PostgreSQL database, and Redis
- Alternative SSO with web UI for user management
- Access at authentik.${DOMAIN}
- Protected by Authelia SSO (comment out to use standalone)
- Fix Uptime Kuma duplicate listing
- Remove from utilities.yml
- Keep only in monitoring.yml where it belongs
- Add Traefik labels and SSO protection to monitoring instance
- Enable SSO on Jellyseerr by default
- Changed from bypass to protected (security-first approach)
- Users can comment out SSO if needed for public access
- Update SSO toggling documentation
- Emphasize commenting out (not removing) middleware line
- Add docker command examples for running from outside stack folder
- Show both "cd to directory" and "full path" methods
- Add examples for starting and stopping services multiple ways
- Enhance security-first methodology
- Update copilot instructions to default SSO to enabled
- Only Plex and Jellyfin bypass SSO by default
- All other services start secured, expose gradually
- Emphasize commenting (not removing) for easier re-enable
- Update services-reference.md
- Add Authentik to infrastructure section (12 services)
- Move Uptime Kuma to monitoring section (8 services)
- Remove from utilities (now 6 services)
- Update Jellyseerr SSO status from ✗ to ✓
- Improve Authentik documentation with deployment guidance
- Add Authentik environment variables to .env.example
- AUTHENTIK_SECRET_KEY, DB credentials
- Generation instructions included
All changes align with security-first principle: start secure, expose services only when ready for deployment.
Co-authored-by: kelinfoxy <67766943+kelinfoxy@users.noreply.github.com>
This commit is contained in:
copilot-swe-agent[bot]
10
.github/copilot-instructions.md
vendored
10
.github/copilot-instructions.md
vendored
@@ -40,6 +40,13 @@ You are an AI assistant specialized in managing Docker-based homelab infrastruct
|
||||
- Enable AI to manage and update configurations automatically
|
||||
- Maintain homelab functionality through code, not manual UI clicks
|
||||
|
||||
### 6. Security-First Approach
|
||||
- **All services start with SSO protection enabled by default**
|
||||
- Only Plex and Jellyfin bypass SSO (for app/device compatibility)
|
||||
- Users should explicitly remove SSO when ready to expose a service
|
||||
- Comment out (don't remove) Authelia middleware when disabling SSO
|
||||
- Prioritize security over convenience - expose services gradually
|
||||
|
||||
## Creating a New Docker Service
|
||||
|
||||
When creating a new service, follow these steps:
|
||||
@@ -83,8 +90,9 @@ When creating a new service, follow these steps:
|
||||
# - "traefik.http.routers.service-name.rule=Host(`service.domain.com`)"
|
||||
# - "traefik.http.routers.service-name.entrypoints=websecure"
|
||||
# - "traefik.http.routers.service-name.tls.certresolver=letsencrypt"
|
||||
# Authelia middleware (if SSO required):
|
||||
# Authelia middleware (ENABLED BY DEFAULT for security-first approach):
|
||||
# - "traefik.http.routers.service-name.middlewares=authelia@docker"
|
||||
# ONLY bypass SSO for Plex, Jellyfin, or services requiring direct app access
|
||||
|
||||
volumes:
|
||||
service-data:
|
||||
|
||||
Reference in New Issue
Block a user