feat: remove Authelia, protect dashboard with basic auth

Authelia was unused overhead — only traefik-dashboard and plane /god-mode/ were behind it. Dashboard now uses traefik-auth (basic auth). /god-mode/ uses rate-limit-strict only. Removes: authelia + authelia-redis containers, authelia-internal network, authelia_data volume, authelia router/service/forwardAuth middleware. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-26 22:50:41 +07:00 · 2026-03-26 22:50:41 +07:00 · d635522199
commit d635522199
parent 2770cb61ef
4 changed files with 3 additions and 71 deletions
--- a/roles/services/defaults/main.yml
+++ b/roles/services/defaults/main.yml
@ -26,7 +26,5 @@ alertmanager_image:  "prom/alertmanager:v0.28.1"                   # https://hub
 loki_image:          "grafana/loki:3.4.3"                          # https://hub.docker.com/r/grafana/loki/tags
 promtail_image:      "grafana/promtail:3.4.3"                      # https://hub.docker.com/r/grafana/promtail/tags
 crowdsec_image:      "crowdsecurity/crowdsec:v1.6.8"               # https://hub.docker.com/r/crowdsecurity/crowdsec/tags
-authelia_image:      "authelia/authelia:4.38"                      # https://hub.docker.com/r/authelia/authelia/tags
-redis_image:         "redis:7-alpine"                              # shared with plane-redis
-authelia_admin_user: "admin"
+redis_image:         "redis:7-alpine"
 uptime_kuma_image:   "louislam/uptime-kuma:1"                      # https://hub.docker.com/r/louislam/uptime-kuma/tags
--- a/roles/services/templates/docker-compose.yml.j2
+++ b/roles/services/templates/docker-compose.yml.j2
@ -26,10 +26,6 @@ networks:
  monitoring:
    driver: bridge
    internal: true
-  authelia-internal:
-    driver: bridge
-    internal: true
-
 volumes:
  forgejo_data:
  forgejo_db_data:
@ -42,7 +38,6 @@ volumes:
  grafana_data:
  loki_data:
  crowdsec_data:
-  authelia_data:
  uptime_kuma_data:

 services:
@ -527,41 +522,6 @@ services:
      - /var/log/syslog:/var/log/syslog:ro


-  # ── Authelia: 2FA SSO portal ───────────────────────────────────────────────
-  # Защищает: Traefik dashboard, Plane /god-mode/
-  # Вход: логин + пароль + TOTP (Google Authenticator)
-  authelia:
-    image: {{ authelia_image }}
-    container_name: authelia
-    restart: unless-stopped
-    depends_on:
-      - authelia-redis
-    networks:
-      - backend
-      - authelia-internal
-    volumes:
-      - authelia_data:/config
-      - {{ services_root }}/authelia/configuration.yml:/config/configuration.yml:ro
-      - {{ services_root }}/authelia/users.yml:/config/users.yml:ro
-    environment:
-      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
-      - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
-      - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_KEY}
-      - TZ=UTC
-    healthcheck:
-      test: ["CMD", "wget", "-qO-", "http://localhost:9091/api/health"]
-      interval: 30s
-      timeout: 5s
-      retries: 3
-
-  authelia-redis:
-    image: {{ redis_image }}
-    container_name: authelia-redis
-    restart: unless-stopped
-    networks:
-      - authelia-internal
-    command: redis-server --appendonly yes --maxmemory 64mb --maxmemory-policy allkeys-lru
-
  # ── Discord Bot ────────────────────────────────────────────────────────────
  # Infrastructure management bot: /status /logs /restart /deploy /metrics /backup
  # Image is built and pushed by the discord-bot repo CI/CD
--- a/roles/services/templates/env.j2
+++ b/roles/services/templates/env.j2
@ -9,9 +9,6 @@ DOMAIN_PLANE={{ domain_plane }}
 DOMAIN_TRAEFIK={{ domain_traefik }}
 FORGEJO_RUNNER_TOKEN={{ forgejo_runner_token }}
 GRAFANA_ADMIN_PASSWORD={{ grafana_admin_password }}
-AUTHELIA_JWT_SECRET={{ authelia_jwt_secret }}
-AUTHELIA_SESSION_SECRET={{ authelia_session_secret }}
-AUTHELIA_STORAGE_KEY={{ authelia_storage_key }}
 CROWDSEC_BOUNCER_KEY={{ crowdsec_bouncer_key }}
 # Cloudflare DNS-01 ACME challenge
 CF_DNS_API_TOKEN={{ cloudflare_dns_api_token }}
--- a/roles/services/templates/traefik/dynamic/routes.yml.j2
+++ b/roles/services/templates/traefik/dynamic/routes.yml.j2
@ -21,7 +21,7 @@ http:
      tls:
        certresolver: letsencrypt
      service: api@internal
-      middlewares: [authelia@docker, rate-limit-strict]
+      middlewares: [traefik-auth, rate-limit-strict]

    forgejo:
      rule: "Host(`{{ domain_git }}`)"
@ -53,7 +53,7 @@ http:
      tls:
        certresolver: letsencrypt
      service: plane-admin
-      middlewares: [authelia@docker, rate-limit-strict]
+      middlewares: [rate-limit-strict]
      priority: 10

    plane-spaces:
@ -73,14 +73,6 @@ http:
      service: grafana
      middlewares: [rate-limit-default]

-    authelia:
-      rule: "Host(`{{ domain_auth }}`)"
-      entrypoints: [websecure]
-      tls:
-        certresolver: letsencrypt
-      service: authelia
-      middlewares: [rate-limit-strict]
-
    uptime-kuma:
      rule: "Host(`{{ domain_status }}`)"
      entrypoints: [websecure]
@ -145,11 +137,6 @@ http:
        servers:
          - url: "http://grafana:3000"

-    authelia:
-      loadBalancer:
-        servers:
-          - url: "http://authelia:9091"
-
    uptime-kuma:
      loadBalancer:
        servers:
@ -216,13 +203,3 @@ http:
        users:
          - "{{ traefik_dashboard_htpasswd }}"

-    # ── Authelia ForwardAuth ───────────────────────────────────────────────
-    authelia:
-      forwardAuth:
-        address: "http://authelia:9091/api/verify?rd=https://{{ domain_auth }}"
-        trustForwardHeader: true
-        authResponseHeaders:
-          - Remote-User
-          - Remote-Groups
-          - Remote-Email
-          - Remote-Name