feat: remove Authelia, protect dashboard with basic auth

Authelia was unused overhead — only traefik-dashboard and plane /god-mode/
were behind it. Dashboard now uses traefik-auth (basic auth). /god-mode/
uses rate-limit-strict only.

Removes: authelia + authelia-redis containers, authelia-internal network,
authelia_data volume, authelia router/service/forwardAuth middleware.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

roles/services/defaults/main.yml

@@ -26,7 +26,5 @@ alertmanager_image:  "prom/alertmanager:v0.28.1"                   # https://hub
 loki_image:          "grafana/loki:3.4.3"                          # https://hub.docker.com/r/grafana/loki/tags
 promtail_image:      "grafana/promtail:3.4.3"                      # https://hub.docker.com/r/grafana/promtail/tags
 crowdsec_image:      "crowdsecurity/crowdsec:v1.6.8"               # https://hub.docker.com/r/crowdsecurity/crowdsec/tags
-authelia_image:      "authelia/authelia:4.38"                      # https://hub.docker.com/r/authelia/authelia/tags
+redis_image:         "redis:7-alpine"
-redis_image:         "redis:7-alpine"                              # shared with plane-redis
-authelia_admin_user: "admin"
 uptime_kuma_image:   "louislam/uptime-kuma:1"                      # https://hub.docker.com/r/louislam/uptime-kuma/tags

roles/services/templates/docker-compose.yml.j2

@@ -26,10 +26,6 @@ networks:
   monitoring:
     driver: bridge
     internal: true
-  authelia-internal:
-    driver: bridge
-    internal: true
-
 volumes:
   forgejo_data:
   forgejo_db_data:
@@ -42,7 +38,6 @@ volumes:
   grafana_data:
   loki_data:
   crowdsec_data:
-  authelia_data:
   uptime_kuma_data:
 
 services:
@@ -527,41 +522,6 @@ services:
       - /var/log/syslog:/var/log/syslog:ro
 
 
-  # ── Authelia: 2FA SSO portal ───────────────────────────────────────────────
-  # Защищает: Traefik dashboard, Plane /god-mode/
-  # Вход: логин + пароль + TOTP (Google Authenticator)
-  authelia:
-    image: {{ authelia_image }}
-    container_name: authelia
-    restart: unless-stopped
-    depends_on:
-      - authelia-redis
-    networks:
-      - backend
-      - authelia-internal
-    volumes:
-      - authelia_data:/config
-      - {{ services_root }}/authelia/configuration.yml:/config/configuration.yml:ro
-      - {{ services_root }}/authelia/users.yml:/config/users.yml:ro
-    environment:
-      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
-      - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
-      - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_KEY}
-      - TZ=UTC
-    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:9091/api/health"]
-      interval: 30s
-      timeout: 5s
-      retries: 3
-
-  authelia-redis:
-    image: {{ redis_image }}
-    container_name: authelia-redis
-    restart: unless-stopped
-    networks:
-      - authelia-internal
-    command: redis-server --appendonly yes --maxmemory 64mb --maxmemory-policy allkeys-lru
-
   # ── Discord Bot ────────────────────────────────────────────────────────────
   # Infrastructure management bot: /status /logs /restart /deploy /metrics /backup
   # Image is built and pushed by the discord-bot repo CI/CD

roles/services/templates/env.j2

@@ -9,9 +9,6 @@ DOMAIN_PLANE={{ domain_plane }}
 DOMAIN_TRAEFIK={{ domain_traefik }}
 FORGEJO_RUNNER_TOKEN={{ forgejo_runner_token }}
 GRAFANA_ADMIN_PASSWORD={{ grafana_admin_password }}
-AUTHELIA_JWT_SECRET={{ authelia_jwt_secret }}
-AUTHELIA_SESSION_SECRET={{ authelia_session_secret }}
-AUTHELIA_STORAGE_KEY={{ authelia_storage_key }}
 CROWDSEC_BOUNCER_KEY={{ crowdsec_bouncer_key }}
 # Cloudflare DNS-01 ACME challenge
 CF_DNS_API_TOKEN={{ cloudflare_dns_api_token }}

roles/services/templates/traefik/dynamic/routes.yml.j2

@@ -21,7 +21,7 @@ http:
       tls:
         certresolver: letsencrypt
       service: api@internal
-      middlewares: [authelia@docker, rate-limit-strict]
+      middlewares: [traefik-auth, rate-limit-strict]
 
     forgejo:
       rule: "Host(`{{ domain_git }}`)"
@@ -53,7 +53,7 @@ http:
       tls:
         certresolver: letsencrypt
       service: plane-admin
-      middlewares: [authelia@docker, rate-limit-strict]
+      middlewares: [rate-limit-strict]
       priority: 10
 
     plane-spaces:
@@ -73,14 +73,6 @@ http:
       service: grafana
       middlewares: [rate-limit-default]
 
-    authelia:
-      rule: "Host(`{{ domain_auth }}`)"
-      entrypoints: [websecure]
-      tls:
-        certresolver: letsencrypt
-      service: authelia
-      middlewares: [rate-limit-strict]
-
     uptime-kuma:
       rule: "Host(`{{ domain_status }}`)"
       entrypoints: [websecure]
@@ -145,11 +137,6 @@ http:
         servers:
           - url: "http://grafana:3000"
 
-    authelia:
-      loadBalancer:
-        servers:
-          - url: "http://authelia:9091"
-
     uptime-kuma:
       loadBalancer:
         servers:
@@ -216,13 +203,3 @@ http:
         users:
           - "{{ traefik_dashboard_htpasswd }}"
 
-    # ── Authelia ForwardAuth ───────────────────────────────────────────────
-    authelia:
-      forwardAuth:
-        address: "http://authelia:9091/api/verify?rd=https://{{ domain_auth }}"
-        trustForwardHeader: true
-        authResponseHeaders:
-          - Remote-User
-          - Remote-Groups
-          - Remote-Email
-          - Remote-Name