feat(update-setup): Update to support the new authelia/configuration.yml

.gitignore

@@ -1,8 +1,9 @@
 *.env
+*.bak
 .idea
 docker-compose.override.yml
 /authelia/*.yml
-!/authelia/configuration.example.yml
+!/authelia/*.example.yml
 /homepage/logs
 /homepage/*.yaml
 /homepage/*.css

README.md

@@ -25,6 +25,7 @@ The core idea is to manage media libraries (movies, TV shows, music), automate d
     - [(Optional) VPN Configuration](#optional-vpn-configuration)
     - [(Optional) Traefik DNS Challenge](#optional-traefik-dns-challenge)
   - [Service Access](#service-access)
+    - [Setup Script Commands (`update-setup.sh`)](#setup-script-commands-update-setupsh)
     - [Managing Service Authentication](#managing-service-authentication)
   - [Optional Services](#optional-services)
   - [Troubleshooting](#troubleshooting)
@@ -169,13 +170,15 @@ After completing all [Required Setup Steps](#required-setup-steps) above, follow
    # Make the script executable
    chmod +x ./update-setup.sh
    
-   # Run the setup tool
-   ./update-setup.sh
+   # Run the setup tool (use 'all' for initial setup)
+   ./update-setup.sh all
    ```
-   This interactive script will guide you through:
-   - Updating your `.env` file while preserving existing values
-   - Configuring Authelia with your Tailscale domain settings
-   - Setting up service configurations and retrieving API keys
+   This script will:
+   - Update your `.env` file while preserving existing values (`update-env`).
+   - Configure Authelia with your Tailscale domain settings (`update-authelia`).
+   - Set up service configurations and retrieve API keys (`update-services`).
+   
+   You can also run individual commands like `./update-setup.sh update-authelia`. Run `./update-setup.sh help` for all options.
 
 5. **Start the Stack:**
    ```bash
@@ -327,21 +330,19 @@ Authelia uses the `authelia/users_database.yml` file to manage users.
             groups:
               - users # Add to 'admins' group if needed
         ```
-    4.  Save the file. Authelia should pick up the changes automatically (or restart the Authelia container: `docker compose restart authelia`).
+    4.  Save the file and restart Authelia: `docker compose restart authelia`.
+
+*   **Adding/Updating Users (Recommended Method):**
+    Use the setup script's interactive tool:
+    ```bash
+    ./update-setup.sh manage-accounts
+    ```
+    This script handles password hashing and file formatting, reducing the chance of errors. It will prompt you for the username, display name, email, and groups, then generate a secure password hash.
 
 *   **Enabling User Registration (Optional):**
     1.  Edit `authelia/configuration.yml`.
     2.  Find the commented-out `registration:` section near the bottom.
-    3.  Uncomment it and set `enable: true`:
-        ```yaml
-        # registration:
-        #   enable: false # Set to true to enable registration form
-        ```
-        becomes:
-        ```yaml
-        registration:
-          enable: true
-        ```
+    3.  Uncomment it and set `enable: true`.
     4.  Save the file and restart Authelia (`docker compose restart authelia`).
     5.  A "Register" link will now appear on the Authelia login page.
 
@@ -376,43 +377,42 @@ Replace `<TAILSCALE_NODE>` with your Tailscale device name (e.g., `tailscale-nas
 
 If you configure DNS for your `APP_HOSTNAME` variable to point to the Tailscale IP, you can use `https://<APP_HOSTNAME>/<service_path>`.
 
-### Managing Service Authentication
+### Setup Script Commands (`update-setup.sh`)
 
-You can control which services require authentication using the updated `update-setup.sh` script:
+The `update-setup.sh` script provides various commands to manage your configuration. Run `./update-setup.sh help` to see all options.
 
-```bash
-# List all services and their authentication status
-./update-setup.sh list-auth
+**Core Setup & Updates:**
 
-# Disable authentication for Jellyfin (no login required)
-./update-setup.sh disable-auth jellyfin
+*   `./update-setup.sh update-env`: Updates `.env` from `.env.example`, preserving existing values and highlighting new/deprecated keys.
+*   `./update-setup.sh update-authelia`: Updates `authelia/configuration.yml` from the example, applying domain settings from `.env` and attempting to preserve secrets (uses `yq` if available).
+*   `./update-setup.sh update-services`: Updates configurations for running *arr/qBittorrent/Bazarr containers (sets URL base, extracts API keys to `.env`). Restarts affected containers.
+*   `./update-setup.sh all`: Runs `update-env`, `update-authelia`, and `update-services` sequentially. Recommended for initial setup and major updates.
 
-# Enable authentication for Jellyfin (login required)
-./update-setup.sh enable-auth jellyfin 
+**Authelia Policy Management:**
 
-# Disable authentication for all services
-./update-setup.sh disable-all-auth
+*   `./update-setup.sh manage-policies`: Starts an interactive menu to list or set Authelia access policies (`one_factor`, `two_factor`, `bypass`, `deny`) for specific services defined in `authelia/configuration.yml`.
+*   `./update-setup.sh list-policies`: Lists services defined in `authelia/configuration.yml` and their current access policy.
+*   `./update-setup.sh set-policy <service> <policy>`: Directly sets the Authelia access policy for the specified `<service>` to the given `<policy>` (e.g., `one_factor`, `two_factor`, `bypass`, `deny`).
 
-# Enable authentication for all services
-./update-setup.sh enable-all-auth
+> **Important:** After changing Authelia policies using `manage-policies` or `set-policy`, you **must** restart Authelia for the changes to take effect:
+> ```bash
+> docker compose restart authelia
+> ```
 
-# Clean up backup files (keeps most recent by default)
-./update-setup.sh cleanup
+**User & File Management:**
 
-# View all available commands
-./update-setup.sh help
-```
+*   `./update-setup.sh manage-accounts`: Starts an interactive tool to add or update users in `authelia/users_database.yml`. It generates password hashes and prompts for user details.
+*   `./update-setup.sh cleanup`: Interactively finds and deletes old backup files (`.bak`) created by the script. Allows keeping the most recent backup of each type.
 
-You can also manage authentication through the interactive menu by running `./update-setup.sh` and selecting option 5.
+**Help:**
 
-After making changes, restart your stack for the changes to take effect:
+*   `./update-setup.sh help`: Displays the full list of commands and usage instructions.
 
-```bash
-docker compose down
-docker compose up -d
-```
+### Managing Service Authentication (Authelia Policies)
 
-This approach gives you complete control over which services require authentication, without needing to manually edit configuration files.
+Use the `update-setup.sh` script to easily control which services require Authelia login and what level of authentication is needed. This is done by managing *access control rules* within Authelia's configuration (`authelia/configuration.yml`).
+
+See the `Authelia Policy Management` commands in the [Setup Script Commands](#setup-script-commands-update-setupsh) section above for details on how to list and set policies like `one_factor`, `two_factor`, `bypass`, or `deny` for each service.
 
 ## Optional Services
 

authelia/configuration.example.yml

@@ -4,8 +4,6 @@
 # Server settings
 server:
   address: 'tcp://0.0.0.0:9091'
-  trusted_proxies:
-    - '172.16.0.0/12'  # Docker networks
 
 # Logging configuration
 log:
@@ -56,14 +54,76 @@ authentication_backend:
 
 # Access control rules
 access_control:
-  default_policy: deny
+  default_policy: deny # Deny access by default
   rules:
-    # This will match any subdomain of your specific Tailscale domain
+    # Rules are processed in order. First match wins.
+    # It's recommended to put more specific rules first.
+
+    # 1. Bypass rules (No authentication required)
+    # Allow access to Authelia's own endpoints
     - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/auth.*' # Match /auth and anything after it
+      policy: bypass
+    # Allow access to the root path (will be redirected by Traefik later)
+    - domain: '*.your-tailnet.ts.net'
+      path: '/'
+      policy: bypass
+    # Allow access to API endpoints (as requested, review security implications)
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/api.*' # Match /api and anything after it
+      policy: bypass
+
+    # 2. One-Factor Authentication Rules (Requires login)
+    # Add rules for each service you want to protect.
+    # The domain should match your Tailscale domain.
+    # The path should match the Traefik PathPrefix for the service.
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/sonarr.*'
       policy: one_factor
-    # Also match the main domain without subdomain
-    - domain: 'your-tailnet.ts.net'
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/radarr.*'
       policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/lidarr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/bazarr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/qbittorrent.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/sabnzbd.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/calibre.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/home.*' # Protect the homepage
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/jellyseerr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/prowlarr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/flaresolverr.*'
+      policy: one_factor
+    # Add other services here following the pattern:
+    # - domain: '*.your-tailnet.ts.net'
+    #   path_regex: '^/<service_path>.*'
+    #   policy: one_factor
+
+    # 3. Default rule for the domain (optional, if you want a catch-all)
+    # This rule will apply if no path-specific rule above matches.
+    # You might want to deny or require one_factor for unmatched paths.
+    # Example: Deny any other path on the domain
+    # - domain: '*.your-tailnet.ts.net'
+    #   policy: deny
+    # Example: Require login for any other path
+    # - domain: '*.your-tailnet.ts.net'
+    #   policy: one_factor
 
 # Notifier configuration
 notifier:

docker-compose.yml

@@ -15,7 +15,6 @@ services:
       - --experimental.plugins.rewriteHeaders.version=v0.0.3
       - --providers.docker.network=docker-compose-nas
       - --providers.docker.endpoint=unix:///var/run/docker.sock
-      - --log.level=DEBUG
     network_mode: service:tailscale
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -23,9 +22,6 @@ services:
       test: ["CMD", "traefik", "healthcheck", "--ping"]
       interval: 30s
       retries: 10
-    labels:
-      - traefik.enable=true
-      # Remove middleware definition from traefik service
   redis:
     image: redis:alpine
     container_name: redis