# auth
SSO + identity for everything that supports forward_auth or OIDC. We
run:
- **Authelia** for the portal and OIDC/forward_auth broker
- **LLDAP** as the user/group backing store
- **Redis** for Authelia's session store
See also: mercemay.top/src/homelab-compose/
## Bootstrapping
On a fresh host:
```sh
cd stacks/auth
sudo ./bootstrap.sh
```
That script generates secrets, brings up lldap + redis, sets the
`admin` password, then starts authelia. After it finishes, sign in at
`https://auth.home.arpa` with `admin` and the password in
`/srv/homelab/secrets/auth/lldap_admin_pass`.
## Adding a new forward_auth-protected app
1. Put the host in `caddy/sites-enabled/<app>.caddy` and import
`/config/snippets/authelia-forward.snippet`.
2. Add a rule in `authelia/access_control.yml` - at minimum a
`domain:` entry with a `policy:` (bypass / one_factor / two_factor).
3. `docker compose kill -s HUP caddy authelia`.
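A worked `access_control.yml` for step 2, added here as an example rather than this repo's actual file; the hostnames and the `admins` group are assumptions. It shows the part step 2 leaves implicit: rules match top to bottom and the first match wins, so narrow rules go before broad ones, and `default_policy: deny` keeps a host that was put behind forward_auth but not listed here closed instead of open.

```yaml
# authelia/access_control.yml (assumed to be merged into the main
# configuration under the access_control key; hosts and groups are
# made-up examples).
access_control:
  # Anything no rule matches is denied, so a forgotten host fails closed.
  default_policy: deny
  rules:
    # Rules are evaluated in order; the first match wins. The narrow
    # unauthenticated exception must come before the broad rules for
    # the same host, otherwise it is never reached.
    - domain: grafana.home.arpa
      resources:
        - '^/api/health$'
      policy: bypass

    # Administrative paths on the same host need a second factor and
    # membership in the LLDAP 'admins' group. This must sit above the
    # one_factor catch-all below, or /admin would match that instead.
    - domain: grafana.home.arpa
      resources:
        - '^/admin(/.*)?$'
      subject:
        - 'group:admins'
      policy: two_factor

    # Everyone in LLDAP may view dashboards after a password.
    - domain: grafana.home.arpa
      policy: one_factor

    # A host that is admin-only end to end: no catch-all, so users
    # outside the group fall through to default_policy and are denied.
    - domain: unifi.home.arpa
      subject:
        - 'group:admins'
      policy: two_factor
```

After editing, reload Authelia as in step 3 and confirm an unauthenticated request to the protected host is redirected to `https://auth.home.arpa` while the health path still returns directly.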
## Adding a new OIDC client
Add a client under `identity_providers.oidc.clients` in
`authelia/configuration.yml`. Use
`authelia crypto hash generate pbkdf2` to hash the client secret before
putting it in the file.
## Backups
Critical state lives in:
- `authelia/db.sqlite3` - TOTP secrets, WebAuthn credentials
- `lldap/users.db` - users, groups, password hashes
- `/run/secrets/*` - JWT/session secrets (on the host, outside git)
All three are captured by `backup/stages/sqlite-backup.sh` +
`backup/stages/docker-volumes.sh`.