brettinternet
diff --git a/‎.github/linters/.ansible-lint
+1 b/‎.github/linters/.ansible-lint
+1
diff --git a/‎.github/linters/.yamllint.yaml
+2-1 b/‎.github/linters/.yamllint.yaml
+2-1
diff --git a/‎.pre-commit-config.yaml
-1 b/‎.pre-commit-config.yaml
-1
diff --git a/‎.taskfiles/talos.yaml
+12 b/‎.taskfiles/talos.yaml
+12
diff --git a/‎kubernetes/main/apps/auth/authelia/app/helmrelease.yaml
+192 b/‎kubernetes/main/apps/auth/authelia/app/helmrelease.yaml
+192
diff --git a/‎kubernetes/main/apps/auth/authelia/app/kustomization.yaml
+16 b/‎kubernetes/main/apps/auth/authelia/app/kustomization.yaml
+16
diff --git a/‎kubernetes/main/apps/auth/authelia/app/resources/configuration.yaml
+77 b/‎kubernetes/main/apps/auth/authelia/app/resources/configuration.yaml
+77
@@ -1,3 +1,4 @@
+---
 # .ansible-lint
 warn_list:
   - unnamed-task
@@ -2,7 +2,8 @@
 ignore: |
   *.sops.*
   gotk-components.yaml
-  archive/
+  clusterconfig/
+  patches/
 extends: default
 rules:
   truthy:
 
@@ -1,6 +1,5 @@
 ---
 fail_fast: false
-exclude: archive
 repos:
   - repo: https://github.com/adrienverge/yamllint
     rev: v1.35.1
 
@@ -106,6 +106,18 @@ tasks:
       - msg: Node not found
         sh: "talosctl --nodes {{.controller}} get machineconfig >/dev/null 2>&1"
 
+  run:
+    desc: Run talos command
+    dir: "/{{.BOOTSTRAP_TALOS_DIR}}"
+    cmd: "talosctl {{.CLI_ARGS}}"
+    requires:
+      vars: ["cluster"]
+    preconditions:
+      - msg: Missing talosconfig
+        sh: test -f {{.TALOSCONFIG_FILE}}
+      - msg: Unable to retrieve Talos config
+        sh: "talosctl config info >/dev/null 2>&1"
+
   destroy:
     desc: Resets nodes back to maintenance mode
     dir: "/{{.BOOTSTRAP_TALOS_DIR}}"
 
@@ -0,0 +1,192 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app authelia
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.2.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  dependsOn:
+    - name: glauth
+      namespace: auth
+  values:
+    controllers:
+      authelia:
+        strategy: RollingUpdate
+        annotations:
+          reloader.stakater.com/auto: "true"
+        initContainers:
+          init-db:
+            image:
+              repository: ghcr.io/onedr0p/postgres-init
+              tag: 16
+            env:
+              INIT_POSTGRES_HOST: &dbHost postgres16-rw.database.svc.cluster.local
+              INIT_POSTGRES_DBNAME: &dbName authelia
+              INIT_POSTGRES_USER:
+                valueFrom:
+                  secretKeyRef:
+                    name: authelia-secret
+                    key: AUTHELIA_STORAGE_POSTGRES_USERNAME
+              INIT_POSTGRES_PASS:
+                valueFrom:
+                  secretKeyRef:
+                    name: authelia-secret
+                    key: AUTHELIA_STORAGE_POSTGRES_PASSWORD
+              INIT_POSTGRES_SUPER_PASS:
+                valueFrom:
+                  secretKeyRef:
+                    name: cloudnative-pg-secret
+                    key: password
+        containers:
+          app:
+            image:
+              repository: ghcr.io/authelia/authelia
+              tag: 4.38.8@sha256:19375b10024caeef4e0b119a6247beae84cbaa02c846cfd750e92dea910d4b6a
+            env:
+              AUTHELIA_THEME: light
+              AUTHELIA_SERVER_ADDRESS: tcp://0.0.0.0:80
+              AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
+              AUTHELIA_TELEMETRY_METRICS_ADDRESS: tcp://0.0.0.0:8080
+              AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
+              AUTHELIA_SESSION_REDIS_HOST: dragonfly.database.svc.cluster.local
+              AUTHELIA_SESSION_REDIS_PORT: 6379
+              AUTHELIA_SESSION_REDIS_PASSWORD:
+                valueFrom:
+                  secretKeyRef:
+                    name: dragonfly-secret
+                    key: password
+              AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 2
+              AUTHELIA_STORAGE_POSTGRES_DATABASE: *dbName
+              AUTHELIA_STORAGE_POSTGRES_ADDRESS: *dbHost
+              AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK: "true"
+              AUTHELIA_NOTIFIER_SMTP_ADDRESS: maddy.default.svc.cluster.local:25
+              AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia <${SMTP_FROM}>"
+              AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true"
+              AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE: "true"
+              AUTHELIA_AUTHENTICATION_BACKEND_REFRESH_INTERVAL: 1m
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION: custom
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS: ldap://glauth.auth.svc.cluster.local:389
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT: 5s
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS: "false"
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN: dc=home,dc=arpa
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER: "(&({username_attribute}={input})(objectClass=posixAccount))"
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN: ou=people,ou=users
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN: ou=users
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER: "(&(uniqueMember={dn})(objectClass=posixGroup))"
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: cn=search,ou=svcaccts,ou=users,dc=home,dc=arpa
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_USERNAME: uid
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_DISPLAY_NAME: givenName
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_GROUP_NAME: ou
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_MAIL: mail
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_MEMBER_OF: memberOf
+              AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY: one_factor
+              AUTHELIA_TOTP_DISABLE: false
+              AUTHELIA_TOTP_ISSUER: authelia.com
+              X_AUTHELIA_CONFIG: /config/configuration.yaml
+              X_AUTHELIA_CONFIG_FILTERS: template
+              SECRET_EXTERNAL_DOMAIN: "${SECRET_EXTERNAL_DOMAIN}"
+              SECRET_INTERNAL_DOMAIN: "${SECRET_INTERNAL_DOMAIN}"
+              CLUSTER_CIDR: "${CLUSTER_CIDR}"
+              NODE_CIDR: "${NODE_CIDR}"
+              HOME_CIDR: "${HOME_CIDR}"
+            envFrom:
+              - secretRef:
+                  name: authelia-secret
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /api/health
+                    port: &port 80
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness: *probes
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 128Mi
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        seccompProfile: { type: RuntimeDefault }
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: *app
+    service:
+      app:
+        controller: authelia
+        ports:
+          http:
+            port: *port
+          metrics:
+            port: 8080
+    serviceMonitor:
+      app:
+        serviceName: authelia
+        endpoints:
+          - port: metrics
+            scheme: http
+            path: /metrics
+            interval: 1m
+            scrapeTimeout: 10s
+    ingress:
+      app:
+        className: external
+        annotations:
+          external-dns.alpha.kubernetes.io/target: "external.${SECRET_EXTERNAL_DOMAIN}"
+          nginx.ingress.kubernetes.io/configuration-snippet: |
+            add_header Cache-Control "no-store";
+            add_header Pragma "no-cache";
+            add_header X-Frame-Options "SAMEORIGIN";
+            add_header X-XSS-Protection "1; mode=block";
+          gethomepage.dev/enabled: "true"
+          gethomepage.dev/group: Services
+          gethomepage.dev/name: Authelia
+          gethomepage.dev/icon: mdi-two-factor-authentication
+        hosts:
+          - host: "auth.${SECRET_EXTERNAL_DOMAIN}"
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+    persistence:
+      config:
+        type: configMap
+        name: authelia-config
+        globalMounts:
+          - path: /config/configuration.yaml
+            subPath: configuration.yaml
+            readOnly: true
@@ -0,0 +1,16 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml
+  - ../../../../templates/gatus/external
+  - ../../../database/cloudnative-pg/app/secret.sops.yaml
+  - ../../../database/dragonfly/app/secret.sops.yaml
+configMapGenerator:
+  - name: authelia-config
+    files:
+      - configuration.yaml=./resources/configuration.yaml
+generatorOptions:
+  disableNameSuffixHash: true
@@ -0,0 +1,77 @@
+---
+session:
+  same_site: lax
+  inactivity: 5m
+  expiration: 1h
+  remember_me: 1M
+  cookies:
+    - name: '{{ env "SECRET_EXTERNAL_DOMAIN" }}_session'
+      domain: '{{ env "SECRET_EXTERNAL_DOMAIN" }}'
+      authelia_url: 'https://auth.{{ env "SECRET_EXTERNAL_DOMAIN" }}'
+      default_redirection_url: 'https://{{ env "SECRET_EXTERNAL_DOMAIN" }}'
+
+access_control:
+  default_policy: &policy two_factor
+  networks:
+    - name: internal
+      networks: ['{{ env "CLUSTER_CIDR" }}', '{{ env "NODE_CIDR" }}', '{{ env "HOME_CIDR" }}']
+  rules: []
+
+identity_providers:
+  oidc:
+    jwks:
+      - algorithm: RS256
+        key: |-
+          {{- env "OIDC_JWKS_KEY" | nindent 10 }}
+    cors:
+      endpoints: [authorization, token, revocation, introspection]
+      allowed_origins_from_client_redirect_uris: true
+    clients:
+      - client_name: Grafana
+        client_id: grafana
+        # docker run authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
+        client_secret: '{{ env "GRAFANA_OAUTH_CLIENT_HASHED_SECRET" }}'
+        public: false
+        authorization_policy: *policy
+        pre_configured_consent_duration: 1y
+        scopes: [openid, profile, groups, email]
+        redirect_uris: ['https://grafana.{{ env "SECRET_INTERNAL_DOMAIN" }}/login/generic_oauth']
+        userinfo_signed_response_alg: none
+      - client_name: pgAdmin
+        client_id: pgadmin
+        client_secret: '{{ env "PGADMIN_OAUTH_CLIENT_HASHED_SECRET" }}'
+        public: false
+        authorization_policy: *policy
+        pre_configured_consent_duration: 1y
+        scopes: [openid, profile, email]
+        redirect_uris: ['https://pgadmin.{{ env "SECRET_INTERNAL_DOMAIN" }}/oauth2/authorize']
+        userinfo_signed_response_alg: none
+        token_endpoint_auth_method: client_secret_basic
+      - client_id: minio
+        client_name: MinIO
+        client_secret: '{{ env "MINIO_OAUTH_CLIENT_HASHED_SECRET" }}'
+        public: false
+        authorization_policy: *policy
+        pre_configured_consent_duration: 1y
+        redirect_uris: ['https://minio.{{ env "SECRET_INTERNAL_DOMAIN" }}/oauth_callback']
+        scopes: [openid, profile, email, groups]
+        userinfo_signed_response_alg: none
+      - client_name: Miniflux
+        client_id: miniflux
+        client_secret: '{{ env "MINIFLUX_OAUTH_CLIENT_HASHED_SECRET" }}'
+        public: false
+        authorization_policy: *policy
+        pre_configured_consent_duration: 1y
+        scopes: [openid, profile, groups, email]
+        redirect_uris: ['https://rss.{{ env "SECRET_EXTERNAL_DOMAIN" }}/oauth2/oidc/callback']
+        userinfo_signed_response_alg: none
+      - client_id: mealie
+        client_name: Mealie
+        public: true
+        authorization_policy: *policy
+        require_pkce: true
+        pkce_challenge_method: 'S256'
+        redirect_uris: ['https://recipes.{{ env "SECRET_EXTERNAL_DOMAIN" }}/login']
+        scopes: [openid, email, profile, groups]
+        userinfo_signed_response_alg: 'none'
+        token_endpoint_auth_method: 'none'