From ea5e34935b53fbea9e49b3a2486da09933ffa0d3 Mon Sep 17 00:00:00 2001 From: Kelin Date: Sat, 31 Jan 2026 23:32:42 -0500 Subject: [PATCH] Resolve merge conflicts and restore local configuration - Keep local DuckDNS subdomain and token customizations - Preserve user-specific Authelia configuration - Maintain local docker-compose customizations --- .../core/authelia/configuration.yml | 34 +++++++++---------- .../core/authelia/users_database.yml | 10 +++--- docker-compose/core/docker-compose.yml | 32 +++++++---------- scripts/enhanced-setup/validate.sh | 5 +-- 4 files changed, 35 insertions(+), 46 deletions(-) diff --git a/docker-compose/core/authelia/configuration.yml b/docker-compose/core/authelia/configuration.yml index 6141a83..a431805 100644 --- a/docker-compose/core/authelia/configuration.yml +++ b/docker-compose/core/authelia/configuration.yml @@ -1,6 +1,6 @@ -# Authelia Configuration Template +# Authelia Configuration # Copy to /opt/stacks/authelia/configuration.yml -# IMPORTANT: Replace environment variable placeholders with your actual values +# IMPORTANT: Replace 'kelinreij.duckdns.org' with your actual DuckDNS domain server: host: 0.0.0.0 @@ -11,12 +11,12 @@ log: theme: dark -jwt_secret: ${AUTHELIA_JWT_SECRET} +jwt_secret: generate-with-openssl-rand-hex-64 -default_redirection_url: https://auth.${DOMAIN} +default_redirection_url: https://auth.kelinreij.duckdns.org totp: - issuer: ${DOMAIN} + issuer: kelinreij.duckdns.org period: 30 skew: 1 
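Review bot: `+jwt_secret: generate-with-openssl-rand-hex-64` in the @@ -11,12 hunk swaps an environment-variable reference for a literal placeholder, and the identical string is used for `session.secret` in the @@ -35,41 hunk and `storage.encryption_key` in the @@ -77,7 hunk, while the rewritten header in the @@ -1,6 hunk now only tells the reader to replace the DuckDNS domain. A file copied to /opt/stacks/authelia/configuration.yml exactly as the header instructs would therefore run with one publicly known value serving as password-reset JWT secret, session-cookie secret and storage encryption key. Restoring `${AUTHELIA_JWT_SECRET}`, `${AUTHELIA_SESSION_SECRET}` and `${AUTHELIA_STORAGE_ENCRYPTION_KEY}` (or Authelia's `_FILE` secret variables) keeps the secrets out of the committed file; if the literals stay, the header should at least read `# IMPORTANT: Replace each 'generate-with-openssl-rand-hex-64' value with a distinct secret from 'openssl rand -hex 64' before starting Authelia`. The top-level `jwt_secret` and `default_redirection_url` keys kept here are, as far as I can tell, among the settings newer Authelia releases relocated, which matters because the docker-compose hunk in this same commit moves the image to `:latest`.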
@@ -35,41 +35,41 @@ access_control: default_policy: deny rules: - # Bypass Authelia for media services (allow app access) - - domain: jellyfin.${DOMAIN} + # Bypass Authelia for Jellyfin (allow app access) + - domain: jellyfin.kelinreij.duckdns.org policy: bypass # Bypass for Plex (allow app access) - - domain: plex.${DOMAIN} + - domain: plex.kelinreij.duckdns.org policy: bypass # Bypass for Home Assistant (has its own auth) - - domain: ha.${DOMAIN} + - domain: ha.kelinreij.duckdns.org policy: bypass # Bypass for development services (they have their own auth or setup) - - domain: pgadmin.${DOMAIN} + - domain: pgadmin.kelinreij.duckdns.org policy: bypass - - domain: gitlab.${DOMAIN} + - domain: gitlab.kelinreij.duckdns.org policy: bypass # Protected: All other services require authentication - - domain: "*.${DOMAIN}" + - domain: "*.kelinreij.duckdns.org" policy: one_factor # Two-factor for admin services (optional) # - domain: - # - "admin.${DOMAIN}" - # - "portainer.${DOMAIN}" + # - "admin.kelinreij.duckdns.org" + # - "portainer.kelinreij.duckdns.org" # policy: two_factor session: name: authelia_session - secret: ${AUTHELIA_SESSION_SECRET} + secret: generate-with-openssl-rand-hex-64 expiration: 24h # Session expires after 24 hours inactivity: 24h # Session expires after 24 hours of inactivity remember_me_duration: 1M - domain: ${DOMAIN} + domain: kelinreij.duckdns.org regulation: max_retries: 3 @@ -77,7 +77,7 @@ regulation: ban_time: 5m storage: - encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY} + encryption_key: generate-with-openssl-rand-hex-64 local: path: /data/db.sqlite3 diff --git a/docker-compose/core/authelia/users_database.yml b/docker-compose/core/authelia/users_database.yml index a11aefb..e6972e1 100644 --- a/docker-compose/core/authelia/users_database.yml +++ b/docker-compose/core/authelia/users_database.yml 
@@ -1,14 +1,12 @@ ############################################################### # Users Database # ############################################################### -# Template - Replace with your actual user information -# Generate password hash with: docker run authelia/authelia:latest authelia crypto hash generate pbkdf2 --password 'yourpassword' users: - admin: # Change this username - displayname: "Administrator" - password: "GENERATE_NEW_PASSWORD_HASH" # Replace with actual hash - email: your-email@example.com # Replace with your email + kelin: + displayname: "Admin User" + password: "$argon2id$v=19$m=65536,t=3,p=4$a+3pIrywP/li9wy9J6UkMA$+3THyJiAnS/gNYnLaYtlsRCaYfgnnxsUyGZ4D3xGnUg" + email: kelinshomelab@gmail.com groups: - admins - users diff --git a/docker-compose/core/docker-compose.yml b/docker-compose/core/docker-compose.yml index 04df3be..74d0a68 100644 --- a/docker-compose/core/docker-compose.yml +++ b/docker-compose/core/docker-compose.yml @@ -18,8 +18,8 @@ services: - PUID=1000 - PGID=1000 - TZ=America/New_York - - SUBDOMAINS=${DUCKDNS_SUBDOMAINS} - - TOKEN=${DUCKDNS_TOKEN} + - SUBDOMAINS=kelinreij + - TOKEN=41ef7faa-fc93-41d2-a32f-340fd2b75b2f volumes: - ./duckdns/config:/config networks: @@ -27,14 +27,12 @@ services: traefik: # Reverse proxy and SSL termination - core routing service, must always run - # CONFIGURATION REQUIREMENT: traefik.yml MUST be in ./traefik/config/ directory - # VOLUME MOUNT: ./traefik/config:/config - config file location is critical image: traefik:v3 container_name: traefik restart: unless-stopped command: ["--configFile=/config/traefik.yml"] environment: - - DUCKDNS_TOKEN=${DUCKDNS_TOKEN} + - DUCKDNS_TOKEN=41ef7faa-fc93-41d2-a32f-340fd2b75b2f ports: - 80:80 - 443:443 
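Review bot: The `+ password: "$argon2id$…"` and `+ email:` lines commit a real account's password hash and personal e-mail address to the repository, and the deleted `# Generate password hash with: docker run authelia/authelia:latest authelia crypto hash generate pbkdf2 --password 'yourpassword'` comment was the only instruction for producing a replacement hash. A hash in version control stays in history after any later commit removes it and can be guessed against offline, so the committed file should remain a template with the real users_database.yml living only at its deployment path, and this user's password should be changed now that the hash is public. At minimum, restore the generation comment above `users:` so the next maintainer does not have to rediscover the command.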
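Review bot: `- TOKEN=…` in the @@ -18,8 hunk and `- DUCKDNS_TOKEN=…` in the @@ -27,14 hunk write the literal DuckDNS token into docker-compose.yml in place of `${DUCKDNS_TOKEN}`, so the token now lives in the repository and every clone of it. That token is the credential that updates the DNS record (and, if Traefik uses it for the ACME DNS challenge, that obtains certificates for the domain), so it should be regenerated at DuckDNS and the two lines should go back to `- TOKEN=${DUCKDNS_TOKEN}` and `- DUCKDNS_TOKEN=${DUCKDNS_TOKEN}` with the value in the `.env` file that validate.sh already checks for. The @@ -27,14 hunk also drops the two comments stating that traefik.yml must sit in ./traefik/config/ and why the volume mount matters; they guard against a silent mis-mount and cost nothing to keep.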
@@ -56,7 +54,7 @@ services: # If Traefik is on a remote server: these labels are NOT USED; # configure external yml files in /traefik/dynamic folder instead. - "traefik.enable=true" - - "traefik.http.routers.traefik.rule=Host(`traefik.${DOMAIN}`)" + - "traefik.http.routers.traefik.rule=Host(`traefik.kelinreij.duckdns.org`)" - "traefik.http.routers.traefik.entrypoints=websecure" - "traefik.http.routers.traefik.tls.certresolver=letsencrypt" - "traefik.http.routers.traefik.middlewares=authelia@docker" @@ -64,10 +62,7 @@ services: authelia: # Single sign-on authentication service - must always run for user authentication - # VERSION PINNING: Pinned to v4.37.5 due to breaking changes in v4.39.15+ - # BREAKING CHANGES: v4.39.15+ has incompatible configuration and database changes - # UPGRADE NOTES: Test in separate environment before upgrading. Backup config and DB. - image: authelia/authelia:4.37.5 + image: authelia/authelia:latest container_name: authelia restart: unless-stopped environment: 
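Review bot: `+ image: authelia/authelia:latest` in the @@ -64,10 hunk replaces the pinned 4.37.5 tag on the single sign-on service, and the same hunk deletes the three-line comment explaining that the pin exists because v4.39.15+ carries incompatible configuration and database changes. With a floating tag any `docker compose pull` can move the container across those changes unattended, taking authentication for every proxied service down with it, and the configuration.yml in this commit still uses the older top-level `jwt_secret` and `default_redirection_url` keys that newer releases have, as far as I can tell, relocated. Keep `image: authelia/authelia:4.37.5` (or a specific newer tag chosen after a test upgrade with a backup of the config and database) and restore the VERSION PINNING / BREAKING CHANGES / UPGRADE NOTES comment above it.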
@@ -91,13 +86,13 @@ services: # If Traefik is on a remote server: these labels are NOT USED; # configure external yml files in /traefik/dynamic folder instead. - "traefik.enable=true" - - "traefik.http.routers.authelia.rule=Host(`auth.${DOMAIN}`)" + - "traefik.http.routers.authelia.rule=Host(`auth.kelinreij.duckdns.org`)" - "traefik.http.routers.authelia.entrypoints=websecure" - "traefik.http.routers.authelia.tls.certresolver=letsencrypt" - "traefik.http.routers.authelia.service=authelia" - "traefik.http.services.authelia.loadbalancer.server.port=9091" # Authelia forward auth middleware configuration - - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.${DOMAIN}/" + - "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=https://auth.kelinreij.duckdns.org/" - "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=X-Secret" - "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true" @@ -120,12 +115,11 @@ services: - SABLIER_DOCKER_API_VERSION=1.51 - SABLIER_DOCKER_NETWORK=traefik-network - SABLIER_LOG_LEVEL=debug - - DOCKER_HOST=unix:///var/run/docker.sock - - DOCKER_TLS_VERIFY=0 + - DOCKER_HOST=tcp://192.168.4.11:2376 + - DOCKER_TLS_VERIFY=1 - DOCKER_CERT_PATH=/certs volumes: - ./shared-ca:/certs:ro - - /var/run/docker.sock:/var/run/docker.sock:ro ports: - 10000:10000 labels: @@ -139,7 +133,7 @@ networks: x-dockge: urls: - - https://auth.${DOMAIN} - - http://${SERVER_IP}:9091 - - https://traefik.${DOMAIN} - - http://${SERVER_IP}:8080 \ No newline at end of file + - https://auth.kelinreij.duckdns.org + - http://192.168.4.11:9091 + - https://traefik.kelinreij.duckdns.org + - http://192.168.4.11:8080 \ No newline at end of file diff --git a/scripts/enhanced-setup/validate.sh b/scripts/enhanced-setup/validate.sh index 813c095..91530d0 100755 --- a/scripts/enhanced-setup/validate.sh +++ b/scripts/enhanced-setup/validate.sh 
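Review bot: `+ - DOCKER_HOST=tcp://192.168.4.11:2376` and `+ - DOCKER_TLS_VERIFY=1` in the @@ -120,12 hunk move Sablier from the mounted socket to a remote TLS-verified daemon, which is a sound trade, but the only certificate mount left is `./shared-ca:/certs:ro` and the directory name suggests it holds just the CA. Docker's Go client and CLI resolve `DOCKER_CERT_PATH` to `ca.pem`, `cert.pem` and `key.pem`, so unless a client certificate and key are also in that directory the connection fails client authentication, and if the daemon does not require client certificates the Docker API on port 2376 is open to that whole network; a comment above the mount such as `# /certs must contain ca.pem, cert.pem and key.pem for the TLS-verified daemon` would make the requirement visible. Whether the daemon on 192.168.4.11 enforces `--tlsverify` is outside this diff and worth confirming before the socket mount removal is relied on.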
@@ -15,16 +15,13 @@ source "$(dirname "${BASH_SOURCE[0]}")/lib/ui.sh" # Validate .env file validate_env_file() { - echo "DEBUG: Starting validate_env_file" local env_file="$EZ_HOME/.env" - echo "DEBUG: env_file = $env_file" if [[ ! -f "$env_file" ]]; then - echo "DEBUG: .env file not found" + print_error ".env file not found at $env_file" return 1 fi - echo "DEBUG: .env file exists" return 0 }
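Review bot: After the `+ print_error ".env file not found at $env_file"` change, `validate_env_file` still accepts any existing file, including an empty one, so a `.env` missing the variables the stack reads passes validation and the problem only surfaces later as an empty substitution. With the debug echoes gone this is the natural place to check the required keys, for example `for key in DUCKDNS_TOKEN DUCKDNS_SUBDOMAINS DOMAIN; do grep -q "^${key}=." "$env_file" || { print_error "$key is not set in $env_file"; return 1; }; done` before the final `return 0`; those names come from the references the compose file used before this commit, so the list should follow whichever `${VAR}` references are kept. A one-line comment above the function stating which keys it guarantees would also help.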