fix(update-authelia): Use proper yq syntax since walk() does not exist like in jq

- Add detailed setup instructions
- Clarify configuration variables
- Update sections on architecture, features, prerequisites, and troubleshooting to reflect recent changes.

.gitignore

@@ -1,8 +1,9 @@
 *.env
+*.bak
 .idea
 docker-compose.override.yml
 /authelia/*.yml
-!/authelia/configuration.example.yml
+!/authelia/*.example.yml
 /homepage/logs
 /homepage/*.yaml
 /homepage/*.css

README.md

@@ -25,7 +25,8 @@ The core idea is to manage media libraries (movies, TV shows, music), automate d
     - [(Optional) VPN Configuration](#optional-vpn-configuration)
     - [(Optional) Traefik DNS Challenge](#optional-traefik-dns-challenge)
   - [Service Access](#service-access)
-    - [Managing Service Authentication](#managing-service-authentication)
+    - [Setup Script Commands (`update-setup.sh`)](#setup-script-commands-update-setupsh)
+    - [Managing Service Authentication](#managing-service-authentication-authelia-policies)
   - [Optional Services](#optional-services)
   - [Troubleshooting](#troubleshooting)
     - [Middleware Not Found Errors](#middleware-not-found-errors)
@@ -39,58 +40,64 @@ The core idea is to manage media libraries (movies, TV shows, music), automate d
 
 This stack uses a combination of key services for routing, access, and security:
 
-*   **[Tailscale](https://tailscale.com):** Provides a secure overlay network (WireGuard-based VPN) connecting your devices. It allows access to the NAS services from anywhere without opening firewall ports and handles HTTPS termination via its built-in `tailscale serve` or `tailscale funnel` features. All other services run within Tailscale's network namespace.
+- **[Tailscale](https://tailscale.com):** Provides a secure overlay network (WireGuard-based VPN) connecting your devices. It allows access to the NAS services from anywhere without opening firewall ports and handles HTTPS termination via its built-in `tailscale serve` or `tailscale funnel` features. All other services run within Tailscale's network namespace.
-*   **[Traefik](https://traefik.io):** Acts as a reverse proxy *within* the Tailscale network. It discovers services via Docker labels and routes incoming requests (from Tailscale) to the appropriate container based on paths (e.g., `/sonarr`, `/radarr`).
+- **[Traefik](https://traefik.io):** Acts as a reverse proxy *within* the Tailscale network. It discovers services via Docker labels and routes incoming requests (from Tailscale) to the appropriate container based on paths (e.g., `/sonarr`, `/radarr`).
-*   **[Authelia](https://www.authelia.com):** Serves as the authentication gateway. Traefik forwards requests to Authelia for verification. If a user isn't logged in, they are redirected to the Authelia portal (`/`). Once authenticated, Authelia sets a session cookie (stored in Redis), and Traefik allows access to the requested service. You can configure which services require authentication via environment variables.
+- **[Authelia](https://www.authelia.com):** Serves as the authentication gateway. Traefik forwards requests to Authelia for verification. If a user isn't logged in, they are redirected to the Authelia portal (`/`). Once authenticated, Authelia sets a session cookie (stored in Redis), and Traefik allows access to the requested service. You can configure which services require authentication via environment variables.
 
 ## Features
 
 This stack includes the following services, categorized for clarity:
 
 **Core Infrastructure:**
-*   **Reverse Proxy:** [Traefik](https://traefik.io) - Manages internal routing and service discovery.
+
-*   **Secure Remote Access:** [Tailscale](https://tailscale.com) - Provides VPN access and HTTPS.
+- **Reverse Proxy:** [Traefik](https://traefik.io) - Manages internal routing and service discovery.
-*   **Authentication:** [Authelia](https://www.authelia.com) & [Redis](https://redis.io) - Single sign-on portal and session management.
+- **Secure Remote Access:** [Tailscale](https://tailscale.com) - Provides VPN access and HTTPS.
-*   **Dashboard:** [Homepage](https://gethomepage.dev) - Centralized access point (at `/home`).
+- **Authentication:** [Authelia](https://www.authelia.com) & [Redis](https://redis.io) - Single sign-on portal and session management.
+- **Dashboard:** [Homepage](https://gethomepage.dev) - Centralized access point (at `/home`).
 
 **Media Management (\*Arr Suite):**
-*   [Sonarr](https://sonarr.tv): TV show management.
+
-*   [Radarr](https://radarr.video): Movie management.
+- [Sonarr](https://sonarr.tv): TV show management.
-*   [Lidarr](https://lidarr.audio) (Optional): Music management.
+- [Radarr](https://radarr.video): Movie management.
-*   [Bazarr](https://www.bazarr.media/): Subtitle management.
+- [Lidarr](https://lidarr.audio) (Optional): Music management.
-*   [Prowlarr](https://github.com/Prowlarr/Prowlarr): Indexer management for *arr apps.
+- [Bazarr](https://www.bazarr.media/): Subtitle management.
+- [Prowlarr](https://github.com/Prowlarr/Prowlarr): Indexer management for *arr apps.
 
 **Download Clients:**
-*   [qBittorrent](https://www.qbittorrent.org): Bittorrent client.
+
-*   [SABnzbd](https://sabnzbd.org/) (Optional): Usenet download client.
+- [qBittorrent](https://www.qbittorrent.org): Bittorrent client.
+- [SABnzbd](https://sabnzbd.org/) (Optional): Usenet download client.
 
 **Media Serving & Requests:**
-*   [Jellyfin](https://jellyfin.org): Media server for streaming.
+
-*   [Jellyseerr](https://github.com/FallenBagel/jellyseerr): Media request management.
+- [Jellyfin](https://jellyfin.org): Media server for streaming.
+- [Jellyseerr](https://github.com/FallenBagel/jellyseerr): Media request management.
 
 **Utilities:**
-*   [Watchtower](https://containrrr.dev/watchtower/): Automatic container updates.
+
-*   [Autoheal](https://github.com/willfarrell/docker-autoheal/): Automatic container restarts on failure.
+- [Watchtower](https://containrrr.dev/watchtower/): Automatic container updates.
-*   [Unpackerr](https://unpackerr.zip): Automated archive extraction.
+- [Autoheal](https://github.com/willfarrell/docker-autoheal/): Automatic container restarts on failure.
+- [Unpackerr](https://unpackerr.zip): Automated archive extraction.
 
 **Optional Services (Enabled via Profiles):**
-*   [AdGuard Home](https://adguard.com/en/adguard-home/overview.html): Network-wide ad blocking.
+
-*   [Calibre-Web](https://github.com/janeczku/calibre-web): E-book library management.
+- [AdGuard Home](https://adguard.com/en/adguard-home/overview.html): Network-wide ad blocking.
-*   [Decluttarr](https://github.com/manimatter/decluttarr): Automated download cleanup.
+- [Calibre-Web](https://github.com/janeczku/calibre-web): E-book library management.
-*   [Tandoor Recipes](https://docs.tandoor.dev/): Recipe management.
+- [Decluttarr](https://github.com/manimatter/decluttarr): Automated download cleanup.
-*   [Joplin Server](https://joplinapp.org/): Note-taking synchronization server.
+- [Tandoor Recipes](https://docs.tandoor.dev/): Recipe management.
-*   [Home Assistant](https://www.home-assistant.io/): Home automation platform.
+- [Joplin Server](https://joplinapp.org/): Note-taking synchronization server.
-*   [Immich](https://immich.app/): Self-hosted photo and video backup.
+- [Home Assistant](https://www.home-assistant.io/): Home automation platform.
-*   [FlareSolverr](https://github.com/FlareSolverr/FlareSolverr): Bypasses Cloudflare challenges (e.g., for Prowlarr).
+- [Immich](https://immich.app/): Self-hosted photo and video backup.
+- [FlareSolverr](https://github.com/FlareSolverr/FlareSolverr): Bypasses Cloudflare challenges (e.g., for Prowlarr).
 
 ## Prerequisites
 
-*   **Linux Host:** A system capable of running Docker (e.g., Ubuntu, Debian, Fedora).
+- **Linux Host:** A system capable of running Docker (e.g., Ubuntu, Debian, Fedora).
-*   **Docker & Docker Compose:** Latest versions installed. See [Docker Engine Install](https://docs.docker.com/engine/install/) and [Docker Compose Install](https://docs.docker.com/compose/install/).
+- **Docker & Docker Compose:** Latest versions installed. See [Docker Engine Install](https://docs.docker.com/engine/install/) and [Docker Compose Install](https://docs.docker.com/compose/install/).
-*   **User Permissions:** Ability to run `docker` commands (user in `docker` group or use `sudo`).
+- **User Permissions:** Ability to run `docker` commands (user in `docker` group or use `sudo`).
-*   **Basic Linux Knowledge:** Familiarity with command line, text editors, and file permissions.
+- **Basic Linux Knowledge:** Familiarity with command line, text editors, and file permissions.
-*   **Tailscale Account:** Required for remote access. [Sign up here](https://tailscale.com/login).
+- **Tailscale Account:** Required for remote access. [Sign up here](https://tailscale.com/login).
-*   **(Optional) SELinux:** If enabled, see [Troubleshooting](#selinux-socket-permissions).
+- **(Optional) SELinux:** If enabled, see [Troubleshooting](#selinux-socket-permissions-docker).
 
 ## Required Setup Steps
 
@@ -113,40 +120,45 @@ These steps are **mandatory** for a working installation. Without properly compl
 
 4. **⚠️ Required: Security Credentials**
    - Generate four strong random secrets using `openssl rand -hex 32`:
+
      ```bash
      echo "AUTHELIA_JWT_SECRET=$(openssl rand -hex 32)"
      echo "AUTHELIA_SESSION_SECRET=$(openssl rand -hex 32)"
      echo "AUTHELIA_STORAGE_ENCRYPTION_KEY=$(openssl rand -hex 32)"
      echo "AUTHELIA_REDIS_PASSWORD=$(openssl rand -hex 32)"
      ```
+
    - Add these to your `.env` file as shown
 
-5. **⚠️ Required: Create Admin Password**
+5. **⚠️ Required: Create Authelia Account**
-   - Generate a password hash for Authelia:
+   - Create an Authelia account (only for yourself and those you trust!)
+
      ```bash
      docker run --rm authelia/authelia:latest authelia hash-password 'your_secure_password'
      ```
-   - Replace the example hash in `authelia/users_database.yml` with your generated hash
 
-6. **⚠️ Optional: Authentication Configuration**
+6. **ℹ️ Optional: Set up**
-   - Choose which services require authentication by setting the corresponding variables in your `.env` file:
+   - Generate a password hash for Authelia:
+
+     ```bash
+     docker run --rm authelia/authelia:latest authelia hash-password 'your_secure_password'
      ```
-     AUTH_JELLYFIN=false  # Example: Allow Jellyfin access without authentication
+
-     AUTH_SONARR=true     # Example: Require authentication for Sonarr
+   - Replace the example hash in `authelia/users_database.yml` with your generated hash
-     ```
-   - By default, all services require authentication if not specified otherwise
 
 ## Quick Start Guide
 
 After completing all [Required Setup Steps](#required-setup-steps) above, follow these steps to get up and running:
 
 1. **Clone Repository:**
+
    ```bash
    git clone https://github.com/AdrienPoupa/docker-compose-nas.git
    cd docker-compose-nas
    ```
 
 2. **Configure Environment:**
+
    ```bash
    # Create an .env file from the example
    cp .env.example .env
@@ -156,6 +168,7 @@ After completing all [Required Setup Steps](#required-setup-steps) above, follow
    ```
 
 3. **Configure Authelia Admin:**
+
    ```bash
    # Generate a password hash
    docker run --rm authelia/authelia:latest authelia hash-password 'your_secure_password'
@@ -165,23 +178,29 @@ After completing all [Required Setup Steps](#required-setup-steps) above, follow
    ```
 
 4. **Run the Setup Script:**
+
    ```bash
    # Make the script executable
    chmod +x ./update-setup.sh
    
-   # Run the setup tool
+   # Run the setup tool (use 'all' for initial setup)
-   ./update-setup.sh
+   ./update-setup.sh all
    ```
-   This interactive script will guide you through:
+
-   - Updating your `.env` file while preserving existing values
+   This script will:
-   - Configuring Authelia with your Tailscale domain settings
+   - Update your `.env` file while preserving existing values (`update-env`).
-   - Setting up service configurations and retrieving API keys
+   - Configure Authelia with your Tailscale domain settings (`update-authelia`).
+   - Set up service configurations and retrieve API keys (`update-services`).
+
+   You can also run individual commands like `./update-setup.sh update-authelia`. Run `./update-setup.sh help` for all options.
 
 5. **Start the Stack:**
+
    ```bash
    # Start containers
    docker compose up -d
    ```
+
    *(Wait for containers to download and start)*
 
 6. **Access Your NAS:**
@@ -226,20 +245,6 @@ This file controls essential settings. Copy `.env.example` to `.env` and modify
 | **`AUTHELIA_SESSION_SECRET`**       | **Required.** Random secret for session cookies. **Generate your own!**                                                                   | *(None - Example in file)*   |
 | **`AUTHELIA_STORAGE_ENCRYPTION_KEY`** | **Required.** Random secret for encrypting data at rest (e.g., SQLite DB). **Generate your own!**                                         | *(None - Example in file)*   |
 | **`AUTHELIA_REDIS_PASSWORD`**       | **Required.** Password for the Redis database (used for session storage). **Generate your own!**                                            | *(None - Example in file)*   |
-| `AUTH_SONARR`                       | Control whether Sonarr requires authentication (`true`/`false`).                                                                          | `true`                       |
-| `AUTH_RADARR`                       | Control whether Radarr requires authentication (`true`/`false`).                                                                          | `true`                       |
-| `AUTH_BAZARR`                       | Control whether Bazarr requires authentication (`true`/`false`).                                                                          | `true`                       |
-| `AUTH_PROWLARR`                      | Control whether Prowlarr requires authentication (`true`/`false`).                                                                        | `true`                       |
-| `AUTH_JELLYSEERR`                   | Control whether Jellyseerr requires authentication (`true`/`false`).                                                                      | `true`                       |
-| `AUTH_QBITTORRENT`                  | Control whether qBittorrent requires authentication (`true`/`false`).                                                                     | `true`                       |
-| `AUTH_LIDARR`                       | Control whether Lidarr requires authentication (`true`/`false`).                                                                          | `true`                       |
-| `AUTH_JELLYFIN`                     | Control whether Jellyfin requires authentication (`true`/`false`).                                                                        | `false`                      |
-| `AUTH_HOMEPAGE`                     | Control whether Homepage requires authentication (`true`/`false`).                                                                        | `true`                       |
-| `AUTH_FLARESOLVERR`                 | Control whether FlareSolverr requires authentication (`true`/`false`).                                                                    | `true`                       |
-| `AUTH_SABNZBD`                      | Control whether SABnzbd requires authentication (`true`/`false`).                                                                         | `true`                       |
-| `AUTH_CALIBRE`                      | Control whether Calibre-Web requires authentication (`true`/`false`).                                                                     | `true`                       |
-
-> **Note:** Authentication variables were introduced to give you fine-grained control over which services require login. Set to `false` for services you want to access without authentication.
 
 #### Service Credentials
 
@@ -302,20 +307,23 @@ This file controls essential settings. Copy `.env.example` to `.env` and modify
 
 Authelia uses the `authelia/users_database.yml` file to manage users.
 
-*   **Setting the Initial Admin Password:**
+- **Setting the Initial Admin Password:**
     1. As mentioned in the Quick Start, you **must** set a strong password for the default `admin` user.
     2. Generate a hash using Docker (replace `'your_secure_password'`):
+
         ```bash
         docker run --rm authelia/authelia:latest authelia hash-password 'your_secure_password'
         ```
+
     3. Copy the **entire output hash** (starting with `$argon2id...`).
     4. Open `authelia/users_database.yml` and replace the example `password:` value under `admin:` with your generated hash.
     5. Ensure the `admin` user belongs to the `admins` and `users` groups as shown in the example.
 
-*   **Adding More Users:**
+- **Adding More Users:**
     1. Generate a password hash for the new user as shown above.
     2. Edit `authelia/users_database.yml`.
     3. Add a new entry under `users:`, following the format of the `admin` user:
+
         ```yaml
         users:
           admin:
@@ -327,25 +335,26 @@ Authelia uses the `authelia/users_database.yml` file to manage users.
             groups:
               - users # Add to 'admins' group if needed
         ```
-    4.  Save the file. Authelia should pick up the changes automatically (or restart the Authelia container: `docker compose restart authelia`).
 
-*   **Enabling User Registration (Optional):**
+    4. Save the file and restart Authelia: `docker compose restart authelia`.
+
+- **Adding/Updating Users (Recommended Method):**
+    Use the setup script's interactive tool:
+
+    ```bash
+    ./update-setup.sh manage-accounts
+    ```
+
+    This script handles password hashing and file formatting, reducing the chance of errors. It will prompt you for the username, display name, email, and groups, then generate a secure password hash.
+
+- **Enabling User Registration (Optional):**
     1. Edit `authelia/configuration.yml`.
     2. Find the commented-out `registration:` section near the bottom.
-    3.  Uncomment it and set `enable: true`:
+    3. Uncomment it and set `enable: true`.
-        ```yaml
-        # registration:
-        #   enable: false # Set to true to enable registration form
-        ```
-        becomes:
-        ```yaml
-        registration:
-          enable: true
-        ```
     4. Save the file and restart Authelia (`docker compose restart authelia`).
     5. A "Register" link will now appear on the Authelia login page.
 
-*   **Approving Registered Users:**
+- **Approving Registered Users:**
     1. When a user registers (if enabled), their details are added to `authelia/users_database.yml` but marked as `disabled: true`.
     2. To approve them, edit `authelia/users_database.yml`.
     3. Find the new user's entry.
@@ -364,104 +373,101 @@ Authelia uses the `authelia/users_database.yml` file to manage users.
 
 With the default Tailscale setup and Authelia enabled, services are securely accessible via HTTPS using your Tailscale node's name or IP. Authentication is controlled by the included `update-setup.sh` script.
 
-*   **Login Portal:** `https://<TAILSCALE_NODE>/` (Redirects unauthenticated users here for secured services)
+- **Login Portal:** `https://<TAILSCALE_NODE>/` (Redirects unauthenticated users here for secured services)
-*   **Homepage Dashboard:** `https://<TAILSCALE_NODE>/home` (Requires login by default)
+- **Homepage Dashboard:** `https://<TAILSCALE_NODE>/home` (Requires login by default)
-*   **Sonarr:** `https://<TAILSCALE_NODE>/sonarr` (Requires login by default)
+- **Sonarr:** `https://<TAILSCALE_NODE>/sonarr` (Requires login by default)
-*   **Radarr:** `https://<TAILSCALE_NODE>/radarr` (Requires login by default)
+- **Radarr:** `https://<TAILSCALE_NODE>/radarr` (Requires login by default)
-*   **qBittorrent:** `https://<TAILSCALE_NODE>/qbittorrent` (Requires login by default)
+- **qBittorrent:** `https://<TAILSCALE_NODE>/qbittorrent` (Requires login by default)
-*   **Jellyfin:** `https://<TAILSCALE_NODE>/jellyfin` (Requires login by default)
+- **Jellyfin:** `https://<TAILSCALE_NODE>/jellyfin` (Requires login by default)
-*   ...and so on.
+- ...and so on.
 
 Replace `<TAILSCALE_NODE>` with your Tailscale device name (e.g., `tailscale-nas.your-tailnet.ts.net`) or its Tailscale IP address.
 
 If you configure DNS for your `APP_HOSTNAME` variable to point to the Tailscale IP, you can use `https://<APP_HOSTNAME>/<service_path>`.
 
-### Managing Service Authentication
+### Setup Script Commands (`update-setup.sh`)
 
-You can control which services require authentication using the updated `update-setup.sh` script:
+The `update-setup.sh` script provides various commands to manage your configuration. Run `./update-setup.sh help` to see all options.
 
-```bash
+**Core Setup & Updates:**
-# List all services and their authentication status
-./update-setup.sh list-auth
 
-# Disable authentication for Jellyfin (no login required)
+- `./update-setup.sh update-env`: Updates `.env` from `.env.example`, preserving existing values and highlighting new/deprecated keys.
-./update-setup.sh disable-auth jellyfin
+- `./update-setup.sh update-authelia`: Updates `authelia/configuration.yml` from the example, applying domain settings from `.env` and attempting to preserve secrets (uses `yq` if available).
+- `./update-setup.sh update-services`: Updates configurations for running *arr/qBittorrent/Bazarr containers (sets URL base, extracts API keys to `.env`). Restarts affected containers.
+- `./update-setup.sh all`: Runs `update-env`, `update-authelia`, and `update-services` sequentially. Recommended for initial setup and major updates.
 
-# Enable authentication for Jellyfin (login required)
+**Authelia Policy Management:**
-./update-setup.sh enable-auth jellyfin 
 
-# Disable authentication for all services
+- `./update-setup.sh manage-policies`: Starts an interactive menu to list or set Authelia access policies (`one_factor`, `two_factor`, `bypass`, `deny`) for specific services defined in `authelia/configuration.yml`.
-./update-setup.sh disable-all-auth
+- `./update-setup.sh list-policies`: Lists services defined in `authelia/configuration.yml` and their current access policy.
+- `./update-setup.sh set-policy <service> <policy>`: Directly sets the Authelia access policy for the specified `<service>` to the given `<policy>` (e.g., `one_factor`, `two_factor`, `bypass`, `deny`).
 
-# Enable authentication for all services
+> **Important:** After changing Authelia policies using `manage-policies` or `set-policy`, you **must** restart Authelia for the changes to take effect:
-./update-setup.sh enable-all-auth
+>
+> ```bash
+> docker compose restart authelia
+> ```
 
-# Clean up backup files (keeps most recent by default)
+**User & File Management:**
-./update-setup.sh cleanup
 
-# View all available commands
+- `./update-setup.sh manage-accounts`: Starts an interactive tool to add or update users in `authelia/users_database.yml`. It generates password hashes and prompts for user details.
-./update-setup.sh help
+- `./update-setup.sh cleanup`: Interactively finds and deletes old backup files (`.bak`) created by the script. Allows keeping the most recent backup of each type.
-```
 
-You can also manage authentication through the interactive menu by running `./update-setup.sh` and selecting option 5.
+**Help:**
 
-After making changes, restart your stack for the changes to take effect:
+- `./update-setup.sh help`: Displays the full list of commands and usage instructions.
 
-```bash
+### Managing Service Authentication (Authelia Policies)
-docker compose down
-docker compose up -d
-```
 
-This approach gives you complete control over which services require authentication, without needing to manually edit configuration files.
+Use the `update-setup.sh` script to easily control which services require Authelia login and what level of authentication is needed. This is done by managing *access control rules* within Authelia's configuration (`authelia/configuration.yml`).
+
+See the `Authelia Policy Management` commands in the [Setup Script Commands](#setup-script-commands-update-setupsh) section above for details on how to list and set policies like `one_factor`, `two_factor`, `bypass`, or `deny` for each service.
 
 ## Optional Services
 
 Several services are included but disabled by default. Enable them by adding their profile name to the `COMPOSE_PROFILES` variable in your `.env` file (separate multiple profiles with commas).
 
 Example: Enable Lidarr and SABnzbd
+
 ```dotenv
 COMPOSE_PROFILES=lidarr,sabnzbd
 ```
 
 Available Profiles:
-*   `lidarr`: Music management.
+
-*   `sabnzbd`: Usenet download client.
+- `lidarr`: Music management.
-*   `flaresolverr`: Bypasses Cloudflare challenges for Prowlarr.
+- `sabnzbd`: Usenet download client.
-*   `adguardhome`: Network-wide ad blocking (see `adguardhome/README.md`).
+- `flaresolverr`: Bypasses Cloudflare challenges for Prowlarr.
-*   `calibre-web`: E-book library management.
+- `adguardhome`: Network-wide ad blocking (see `adguardhome/README.md`).
-*   `decluttarr`: Automated download cleanup.
+- `calibre-web`: E-book library management.
-*   `tandoor`: Recipe management (see `tandoor/README.md`).
+- `decluttarr`: Automated download cleanup.
-*   `joplin`: Note-taking server (see `joplin/README.md`).
+- `tandoor`: Recipe management (see `tandoor/README.md`).
-*   `homeassistant`: Home automation (see `homeassistant/README.md`).
+- `joplin`: Note-taking server (see `joplin/README.md`).
-*   `immich`: Photo management (see `immich/README.md`).
+- `homeassistant`: Home automation (see `homeassistant/README.md`).
+- `immich`: Photo management (see `immich/README.md`).
 
 ## Troubleshooting
 
 ### Middleware Not Found Errors
 
-If you see error messages like `middleware "authelia-auth@docker" does not exist` in the Traefik logs, it could be due to one of these issues:
+If you see error messages like `middleware "authelia-auth@docker" does not exist` in the Traefik logs, please check Authelia logs for any fatal errors. It is likely due to a misconfigured `configuration.yml` in `authelia/configuration.yml`
 
-1. **Docker Network Issue:** The Traefik configuration has been updated to fix network discovery issues when running in Tailscale's network namespace. If you're still seeing this error, try restarting the stack with:
+Make sure Traefik can access the Docker socket. See the [SELinux Socket Permissions](#selinux-socket-permissions-docker) section below for more details.
-   ```bash
-   docker compose down
-   docker compose up -d
-   ```
-
-2. **Authentication Variable Missing:** Ensure you have properly configured the `AUTH_*` variables in your `.env` file for the services you want to control. If not specified, most services default to requiring authentication.
-
-3. **Docker Socket Permissions:** Make sure Traefik can access the Docker socket. See the [SELinux Socket Permissions](#selinux-socket-permissions-docker) section below for more details.
 
 ### SELinux Socket Permissions (Docker)
 
 If you are running Docker on a host with SELinux enabled (like Fedora, CentOS, RHEL) and services like Traefik, Watchtower, or Autoheal fail with "permission denied" errors when trying to access `/var/run/docker.sock`:
 
 1. **Check Audit Logs:** Immediately after seeing the error, check the SELinux audit log on the host:
+
     ```bash
     sudo ausearch -m avc -ts recent
     ```
+
     Look for lines containing `denied`, `docker.sock`, and the name of the failing service (e.g., `traefik`, `watchtower`).
 
 2. **Generate Custom Policy:** If denials are found, you may need to create a custom SELinux policy module using `audit2allow`. Pipe the denial messages into it:
+
     ```bash
     # Generate policy files (my-dockersock.te and my-dockersock.pp)
     sudo ausearch -m avc -ts recent | audit2allow -M my-dockersock
@@ -469,6 +475,7 @@ If you are running Docker on a host with SELinux enabled (like Fedora, CentOS, R
     # Install the policy module
     sudo semodule -i my-dockersock.pp
     ```
+
     This allows the specific actions that were being denied. You might need to repeat this if different denials appear after applying the first policy.
 
 ### Authelia v4.38+ Configuration
@@ -493,17 +500,17 @@ Authelia v4.38+ introduces significant changes to its configuration structure, p
    - Configures cookie domains properly to avoid Public Suffix List issues
    - Sets up proper access control rules for both your domain and its subdomains
 
-4. **File Permissions**: The Authelia container runs with your user ID and group ID, preventing permission issues when managing the configuration files with git or other tools.
+If you encounter any of these common errors:
 
-If you encounter any of these common errors, running the setup script should resolve them:
+```log
-```
 error: option 'domain' is not a valid cookie domain: the domain is part of the special public suffix list
 error: option 'authelia_url' does not share a cookie scope with domain
 error: can't be specified at the same time: option 'domain' and option 'cookies'
 configuration key 'jwt_secret' is deprecated in 4.38.0
 ```
 
-After making changes to the configuration, restart Authelia with:
+Running the setup script should resolve them. After making changes to the configuration, restart Authelia with:
+
 ```bash
 docker compose restart authelia
 ```
@@ -512,16 +519,17 @@ See the [Authelia documentation](https://www.authelia.com/configuration/session/
 
 ### Tailscale Issues
 
-*   **Authentication:** Ensure your `TAILSCALE_AUTHKEY` in `.env` is valid and hasn't expired (especially if using ephemeral keys). Check the `tailscale` container logs (`docker compose logs tailscale`) for authentication errors.
+- **Authentication:** Ensure your `TAILSCALE_AUTHKEY` in `.env` is valid and hasn't expired (especially if using ephemeral keys). Check the `tailscale` container logs (`docker compose logs tailscale`) for authentication errors.
-*   **Connectivity:** Verify the `tailscale` container is running and connected to your Tailnet (`docker compose exec tailscale tailscale status`).
+- **Connectivity:** Verify the `tailscale` container is running and connected to your Tailnet (`docker compose exec tailscale tailscale status`).
-*   **Funnel/Serve Command:** If you modified the Tailscale command, ensure the syntax for `tailscale funnel` or `tailscale serve` is correct.
+- **Funnel/Serve Command:** If you modified the Tailscale command, ensure the syntax for `tailscale funnel` or `tailscale serve` is correct.
 
 ### File Permissions
 
 If services report permission errors when accessing `/config` or `/data` directories, double-check that:
-*   The `USER_ID` and `GROUP_ID` in your `.env` file match the owner/group of the corresponding `CONFIG_ROOT` and `DATA_ROOT` directories on your host.
+
-*   The host directories have appropriate read/write permissions for that user/group.
+- The `USER_ID` and `GROUP_ID` in your `.env` file match the owner/group of the corresponding `CONFIG_ROOT` and `DATA_ROOT` directories on your host.
-*   If using SELinux, the `:Z` flag on the volume mounts in `docker-compose.yml` is correctly applied to allow the container to write to the host paths.
+- The host directories have appropriate read/write permissions for that user/group.
+- If using SELinux, the `:Z` flag on the volume mounts in `docker-compose.yml` is correctly applied to allow the container to write to the host paths.
 
 ## Advanced Topics
 

authelia/configuration.example.yml

@@ -4,8 +4,6 @@
 # Server settings
 server:
   address: 'tcp://0.0.0.0:9091'
-  trusted_proxies:
-    - '172.16.0.0/12'  # Docker networks
 
 # Logging configuration
 log:
@@ -56,14 +54,76 @@ authentication_backend:
 
 # Access control rules
 access_control:
-  default_policy: deny
+  default_policy: deny # Deny access by default
   rules:
-    # This will match any subdomain of your specific Tailscale domain
+    # Rules are processed in order. First match wins.
+    # It's recommended to put more specific rules first.
+
+    # 1. Bypass rules (No authentication required)
+    # Allow access to Authelia's own endpoints
     - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/auth.*' # Match /auth and anything after it
+      policy: bypass
+    # Allow access to the root path (will be redirected by Traefik later)
+    - domain: '*.your-tailnet.ts.net'
+      path: '/'
+      policy: bypass
+    # Allow access to API endpoints (as requested, review security implications)
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/api.*' # Match /api and anything after it
+      policy: bypass
+
+    # 2. One-Factor Authentication Rules (Requires login)
+    # Add rules for each service you want to protect.
+    # The domain should match your Tailscale domain.
+    # The path should match the Traefik PathPrefix for the service.
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/sonarr.*'
       policy: one_factor
-    # Also match the main domain without subdomain
+    - domain: '*.your-tailnet.ts.net'
-    - domain: 'your-tailnet.ts.net'
+      path_regex: '^/radarr.*'
       policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/lidarr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/bazarr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/qbittorrent.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/sabnzbd.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/calibre.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/home.*' # Protect the homepage
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/jellyseerr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/prowlarr.*'
+      policy: one_factor
+    - domain: '*.your-tailnet.ts.net'
+      path_regex: '^/flaresolverr.*'
+      policy: one_factor
+    # Add other services here following the pattern:
+    # - domain: '*.your-tailnet.ts.net'
+    #   path_regex: '^/<service_path>.*'
+    #   policy: one_factor
+
+    # 3. Default rule for the domain (optional, if you want a catch-all)
+    # This rule will apply if no path-specific rule above matches.
+    # You might want to deny or require one_factor for unmatched paths.
+    # Example: Deny any other path on the domain
+    # - domain: '*.your-tailnet.ts.net'
+    #   policy: deny
+    # Example: Require login for any other path
+    # - domain: '*.your-tailnet.ts.net'
+    #   policy: one_factor
 
 # Notifier configuration
 notifier:

docker-compose.yml

@@ -15,7 +15,6 @@ services:
       - --experimental.plugins.rewriteHeaders.version=v0.0.3
       - --providers.docker.network=docker-compose-nas
       - --providers.docker.endpoint=unix:///var/run/docker.sock
-      - --log.level=DEBUG
     network_mode: service:tailscale
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock:ro
@@ -23,9 +22,6 @@ services:
       test: ["CMD", "traefik", "healthcheck", "--ping"]
       interval: 30s
       retries: 10
-    labels:
-      - traefik.enable=true
-      # Remove middleware definition from traefik service
   redis:
     image: redis:alpine
     container_name: redis
@@ -523,7 +519,7 @@ services:
       [sh, -c, "cp -n /app/config/tpl/*.yaml /app/config && node server.js"]
     labels:
       - traefik.enable=true
-      - traefik.http.routers.homepage.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/`) # Changed rule to root
+      - traefik.http.routers.homepage.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/home`) # Changed rule to root
       - traefik.http.routers.homepage.entrypoints=web
       # - traefik.http.routers.homepage.priority=10 # Removed priority
       # Global middleware for setting HTTPS header