feat(auth): Enhance authentication management with yq support for YAML parsing

- Fix middleware "true@docker" does not exist errors
- Integrate authentication management directly into update-setup.sh
- Add command-line support for managing service authentication
- Add backup file cleanup functionality
- Update README with new authentication management instructions
- Remove standalone manage-auth.sh script

.gitignore

@@ -1,9 +1,8 @@
 *.env
-*.bak
 .idea
 docker-compose.override.yml
 /authelia/*.yml
-!/authelia/*.example.yml
+!/authelia/configuration.example.yml
 /homepage/logs
 /homepage/*.yaml
 /homepage/*.css

README.md

@@ -25,8 +25,7 @@ The core idea is to manage media libraries (movies, TV shows, music), automate d
     - [(Optional) VPN Configuration](#optional-vpn-configuration)
     - [(Optional) Traefik DNS Challenge](#optional-traefik-dns-challenge)
   - [Service Access](#service-access)
-    - [Setup Script Commands (`update-setup.sh`)](#setup-script-commands-update-setupsh)
+    - [Managing Service Authentication](#managing-service-authentication)
-    - [Managing Service Authentication](#managing-service-authentication-authelia-policies)
   - [Optional Services](#optional-services)
   - [Troubleshooting](#troubleshooting)
     - [Middleware Not Found Errors](#middleware-not-found-errors)
@@ -40,64 +39,58 @@ The core idea is to manage media libraries (movies, TV shows, music), automate d
 
 This stack uses a combination of key services for routing, access, and security:
 
-- **[Tailscale](https://tailscale.com):** Provides a secure overlay network (WireGuard-based VPN) connecting your devices. It allows access to the NAS services from anywhere without opening firewall ports and handles HTTPS termination via its built-in `tailscale serve` or `tailscale funnel` features. All other services run within Tailscale's network namespace.
+*   **[Tailscale](https://tailscale.com):** Provides a secure overlay network (WireGuard-based VPN) connecting your devices. It allows access to the NAS services from anywhere without opening firewall ports and handles HTTPS termination via its built-in `tailscale serve` or `tailscale funnel` features. All other services run within Tailscale's network namespace.
-- **[Traefik](https://traefik.io):** Acts as a reverse proxy *within* the Tailscale network. It discovers services via Docker labels and routes incoming requests (from Tailscale) to the appropriate container based on paths (e.g., `/sonarr`, `/radarr`).
+*   **[Traefik](https://traefik.io):** Acts as a reverse proxy *within* the Tailscale network. It discovers services via Docker labels and routes incoming requests (from Tailscale) to the appropriate container based on paths (e.g., `/sonarr`, `/radarr`).
-- **[Authelia](https://www.authelia.com):** Serves as the authentication gateway. Traefik forwards requests to Authelia for verification. If a user isn't logged in, they are redirected to the Authelia portal (`/`). Once authenticated, Authelia sets a session cookie (stored in Redis), and Traefik allows access to the requested service. You can configure which services require authentication via environment variables.
+*   **[Authelia](https://www.authelia.com):** Serves as the authentication gateway. Traefik forwards requests to Authelia for verification. If a user isn't logged in, they are redirected to the Authelia portal (`/`). Once authenticated, Authelia sets a session cookie (stored in Redis), and Traefik allows access to the requested service. You can configure which services require authentication via environment variables.
 
 ## Features
 
 This stack includes the following services, categorized for clarity:
 
 **Core Infrastructure:**
-
+*   **Reverse Proxy:** [Traefik](https://traefik.io) - Manages internal routing and service discovery.
-- **Reverse Proxy:** [Traefik](https://traefik.io) - Manages internal routing and service discovery.
+*   **Secure Remote Access:** [Tailscale](https://tailscale.com) - Provides VPN access and HTTPS.
-- **Secure Remote Access:** [Tailscale](https://tailscale.com) - Provides VPN access and HTTPS.
+*   **Authentication:** [Authelia](https://www.authelia.com) & [Redis](https://redis.io) - Single sign-on portal and session management.
-- **Authentication:** [Authelia](https://www.authelia.com) & [Redis](https://redis.io) - Single sign-on portal and session management.
+*   **Dashboard:** [Homepage](https://gethomepage.dev) - Centralized access point (at `/home`).
-- **Dashboard:** [Homepage](https://gethomepage.dev) - Centralized access point (at `/home`).
 
 **Media Management (\*Arr Suite):**
-
+*   [Sonarr](https://sonarr.tv): TV show management.
-- [Sonarr](https://sonarr.tv): TV show management.
+*   [Radarr](https://radarr.video): Movie management.
-- [Radarr](https://radarr.video): Movie management.
+*   [Lidarr](https://lidarr.audio) (Optional): Music management.
-- [Lidarr](https://lidarr.audio) (Optional): Music management.
+*   [Bazarr](https://www.bazarr.media/): Subtitle management.
-- [Bazarr](https://www.bazarr.media/): Subtitle management.
+*   [Prowlarr](https://github.com/Prowlarr/Prowlarr): Indexer management for *arr apps.
-- [Prowlarr](https://github.com/Prowlarr/Prowlarr): Indexer management for *arr apps.
 
 **Download Clients:**
-
+*   [qBittorrent](https://www.qbittorrent.org): Bittorrent client.
-- [qBittorrent](https://www.qbittorrent.org): Bittorrent client.
+*   [SABnzbd](https://sabnzbd.org/) (Optional): Usenet download client.
-- [SABnzbd](https://sabnzbd.org/) (Optional): Usenet download client.
 
 **Media Serving & Requests:**
-
+*   [Jellyfin](https://jellyfin.org): Media server for streaming.
-- [Jellyfin](https://jellyfin.org): Media server for streaming.
+*   [Jellyseerr](https://github.com/FallenBagel/jellyseerr): Media request management.
-- [Jellyseerr](https://github.com/FallenBagel/jellyseerr): Media request management.
 
 **Utilities:**
-
+*   [Watchtower](https://containrrr.dev/watchtower/): Automatic container updates.
-- [Watchtower](https://containrrr.dev/watchtower/): Automatic container updates.
+*   [Autoheal](https://github.com/willfarrell/docker-autoheal/): Automatic container restarts on failure.
-- [Autoheal](https://github.com/willfarrell/docker-autoheal/): Automatic container restarts on failure.
+*   [Unpackerr](https://unpackerr.zip): Automated archive extraction.
-- [Unpackerr](https://unpackerr.zip): Automated archive extraction.
 
 **Optional Services (Enabled via Profiles):**
-
+*   [AdGuard Home](https://adguard.com/en/adguard-home/overview.html): Network-wide ad blocking.
-- [AdGuard Home](https://adguard.com/en/adguard-home/overview.html): Network-wide ad blocking.
+*   [Calibre-Web](https://github.com/janeczku/calibre-web): E-book library management.
-- [Calibre-Web](https://github.com/janeczku/calibre-web): E-book library management.
+*   [Decluttarr](https://github.com/manimatter/decluttarr): Automated download cleanup.
-- [Decluttarr](https://github.com/manimatter/decluttarr): Automated download cleanup.
+*   [Tandoor Recipes](https://docs.tandoor.dev/): Recipe management.
-- [Tandoor Recipes](https://docs.tandoor.dev/): Recipe management.
+*   [Joplin Server](https://joplinapp.org/): Note-taking synchronization server.
-- [Joplin Server](https://joplinapp.org/): Note-taking synchronization server.
+*   [Home Assistant](https://www.home-assistant.io/): Home automation platform.
-- [Home Assistant](https://www.home-assistant.io/): Home automation platform.
+*   [Immich](https://immich.app/): Self-hosted photo and video backup.
-- [Immich](https://immich.app/): Self-hosted photo and video backup.
+*   [FlareSolverr](https://github.com/FlareSolverr/FlareSolverr): Bypasses Cloudflare challenges (e.g., for Prowlarr).
-- [FlareSolverr](https://github.com/FlareSolverr/FlareSolverr): Bypasses Cloudflare challenges (e.g., for Prowlarr).
 
 ## Prerequisites
 
-- **Linux Host:** A system capable of running Docker (e.g., Ubuntu, Debian, Fedora).
+*   **Linux Host:** A system capable of running Docker (e.g., Ubuntu, Debian, Fedora).
-- **Docker & Docker Compose:** Latest versions installed. See [Docker Engine Install](https://docs.docker.com/engine/install/) and [Docker Compose Install](https://docs.docker.com/compose/install/).
+*   **Docker & Docker Compose:** Latest versions installed. See [Docker Engine Install](https://docs.docker.com/engine/install/) and [Docker Compose Install](https://docs.docker.com/compose/install/).
-- **User Permissions:** Ability to run `docker` commands (user in `docker` group or use `sudo`).
+*   **User Permissions:** Ability to run `docker` commands (user in `docker` group or use `sudo`).
-- **Basic Linux Knowledge:** Familiarity with command line, text editors, and file permissions.
+*   **Basic Linux Knowledge:** Familiarity with command line, text editors, and file permissions.
-- **Tailscale Account:** Required for remote access. [Sign up here](https://tailscale.com/login).
+*   **Tailscale Account:** Required for remote access. [Sign up here](https://tailscale.com/login).
-- **(Optional) SELinux:** If enabled, see [Troubleshooting](#selinux-socket-permissions-docker).
+*   **(Optional) SELinux:** If enabled, see [Troubleshooting](#selinux-socket-permissions).
 
 ## Required Setup Steps
 
@@ -120,45 +113,40 @@ These steps are **mandatory** for a working installation. Without properly compl
 
 4. **⚠️ Required: Security Credentials**
    - Generate four strong random secrets using `openssl rand -hex 32`:
-
      ```bash
      echo "AUTHELIA_JWT_SECRET=$(openssl rand -hex 32)"
      echo "AUTHELIA_SESSION_SECRET=$(openssl rand -hex 32)"
      echo "AUTHELIA_STORAGE_ENCRYPTION_KEY=$(openssl rand -hex 32)"
      echo "AUTHELIA_REDIS_PASSWORD=$(openssl rand -hex 32)"
      ```
-
    - Add these to your `.env` file as shown
    
-5. **⚠️ Required: Create Authelia Account**
+5. **⚠️ Required: Create Admin Password**
-   - Create an Authelia account (only for yourself and those you trust!)
-
-     ```bash
-     docker run --rm authelia/authelia:latest authelia hash-password 'your_secure_password'
-     ```
-
-6. **ℹ️ Optional: Set up**
    - Generate a password hash for Authelia:
-
      ```bash
      docker run --rm authelia/authelia:latest authelia hash-password 'your_secure_password'
      ```
-
    - Replace the example hash in `authelia/users_database.yml` with your generated hash
 
+6. **⚠️ Optional: Authentication Configuration**
+   - Choose which services require authentication by setting the corresponding variables in your `.env` file:
+     ```
+     AUTH_JELLYFIN=false  # Example: Allow Jellyfin access without authentication
+     AUTH_SONARR=true     # Example: Require authentication for Sonarr
+     ```
+   - By default, all services require authentication if not specified otherwise
+
 ## Quick Start Guide
 
 After completing all [Required Setup Steps](#required-setup-steps) above, follow these steps to get up and running:
 
 1. **Clone Repository:**
-
    ```bash
    git clone https://github.com/AdrienPoupa/docker-compose-nas.git
    cd docker-compose-nas
    ```
 
 2. **Configure Environment:**
-
    ```bash
    # Create an .env file from the example
    cp .env.example .env
@@ -168,7 +156,6 @@ After completing all [Required Setup Steps](#required-setup-steps) above, follow
    ```
 
 3. **Configure Authelia Admin:**
-
    ```bash
    # Generate a password hash
    docker run --rm authelia/authelia:latest authelia hash-password 'your_secure_password'
@@ -178,29 +165,23 @@ After completing all [Required Setup Steps](#required-setup-steps) above, follow
    ```
 
 4. **Run the Setup Script:**
-
    ```bash
    # Make the script executable
    chmod +x ./update-setup.sh
    
-   # Run the setup tool (use 'all' for initial setup)
+   # Run the setup tool
-   ./update-setup.sh all
+   ./update-setup.sh
    ```
-
+   This interactive script will guide you through:
-   This script will:
+   - Updating your `.env` file while preserving existing values
-   - Update your `.env` file while preserving existing values (`update-env`).
+   - Configuring Authelia with your Tailscale domain settings
-   - Configure Authelia with your Tailscale domain settings (`update-authelia`).
+   - Setting up service configurations and retrieving API keys
-   - Set up service configurations and retrieve API keys (`update-services`).
-
-   You can also run individual commands like `./update-setup.sh update-authelia`. Run `./update-setup.sh help` for all options.
 
 5. **Start the Stack:**
-
    ```bash
    # Start containers
    docker compose up -d
    ```
-
    *(Wait for containers to download and start)*
 
 6. **Access Your NAS:**
@@ -245,6 +226,20 @@ This file controls essential settings. Copy `.env.example` to `.env` and modify
 | **`AUTHELIA_SESSION_SECRET`**       | **Required.** Random secret for session cookies. **Generate your own!**                                                                   | *(None - Example in file)*   |
 | **`AUTHELIA_STORAGE_ENCRYPTION_KEY`** | **Required.** Random secret for encrypting data at rest (e.g., SQLite DB). **Generate your own!**                                         | *(None - Example in file)*   |
 | **`AUTHELIA_REDIS_PASSWORD`**       | **Required.** Password for the Redis database (used for session storage). **Generate your own!**                                            | *(None - Example in file)*   |
+| `AUTH_SONARR`                       | Control whether Sonarr requires authentication (`true`/`false`).                                                                          | `true`                       |
+| `AUTH_RADARR`                       | Control whether Radarr requires authentication (`true`/`false`).                                                                          | `true`                       |
+| `AUTH_BAZARR`                       | Control whether Bazarr requires authentication (`true`/`false`).                                                                          | `true`                       |
+| `AUTH_PROWLARR`                      | Control whether Prowlarr requires authentication (`true`/`false`).                                                                        | `true`                       |
+| `AUTH_JELLYSEERR`                   | Control whether Jellyseerr requires authentication (`true`/`false`).                                                                      | `true`                       |
+| `AUTH_QBITTORRENT`                  | Control whether qBittorrent requires authentication (`true`/`false`).                                                                     | `true`                       |
+| `AUTH_LIDARR`                       | Control whether Lidarr requires authentication (`true`/`false`).                                                                          | `true`                       |
+| `AUTH_JELLYFIN`                     | Control whether Jellyfin requires authentication (`true`/`false`).                                                                        | `false`                      |
+| `AUTH_HOMEPAGE`                     | Control whether Homepage requires authentication (`true`/`false`).                                                                        | `true`                       |
+| `AUTH_FLARESOLVERR`                 | Control whether FlareSolverr requires authentication (`true`/`false`).                                                                    | `true`                       |
+| `AUTH_SABNZBD`                      | Control whether SABnzbd requires authentication (`true`/`false`).                                                                         | `true`                       |
+| `AUTH_CALIBRE`                      | Control whether Calibre-Web requires authentication (`true`/`false`).                                                                     | `true`                       |
+
+> **Note:** Authentication variables were introduced to give you fine-grained control over which services require login. Set to `false` for services you want to access without authentication.
 
 #### Service Credentials
 
@@ -307,23 +302,20 @@ This file controls essential settings. Copy `.env.example` to `.env` and modify
 
 Authelia uses the `authelia/users_database.yml` file to manage users.
 
-- **Setting the Initial Admin Password:**
+*   **Setting the Initial Admin Password:**
     1.  As mentioned in the Quick Start, you **must** set a strong password for the default `admin` user.
     2.  Generate a hash using Docker (replace `'your_secure_password'`):
-
         ```bash
         docker run --rm authelia/authelia:latest authelia hash-password 'your_secure_password'
         ```
-
     3.  Copy the **entire output hash** (starting with `$argon2id...`).
     4.  Open `authelia/users_database.yml` and replace the example `password:` value under `admin:` with your generated hash.
     5.  Ensure the `admin` user belongs to the `admins` and `users` groups as shown in the example.
 
-- **Adding More Users:**
+*   **Adding More Users:**
     1.  Generate a password hash for the new user as shown above.
     2.  Edit `authelia/users_database.yml`.
     3.  Add a new entry under `users:`, following the format of the `admin` user:
-
         ```yaml
         users:
           admin:
@@ -335,26 +327,25 @@ Authelia uses the `authelia/users_database.yml` file to manage users.
             groups:
               - users # Add to 'admins' group if needed
         ```
+    4.  Save the file. Authelia should pick up the changes automatically (or restart the Authelia container: `docker compose restart authelia`).
 
-    4. Save the file and restart Authelia: `docker compose restart authelia`.
+*   **Enabling User Registration (Optional):**
-
-- **Adding/Updating Users (Recommended Method):**
-    Use the setup script's interactive tool:
-
-    ```bash
-    ./update-setup.sh manage-accounts
-    ```
-
-    This script handles password hashing and file formatting, reducing the chance of errors. It will prompt you for the username, display name, email, and groups, then generate a secure password hash.
-
-- **Enabling User Registration (Optional):**
     1.  Edit `authelia/configuration.yml`.
     2.  Find the commented-out `registration:` section near the bottom.
-    3. Uncomment it and set `enable: true`.
+    3.  Uncomment it and set `enable: true`:
+        ```yaml
+        # registration:
+        #   enable: false # Set to true to enable registration form
+        ```
+        becomes:
+        ```yaml
+        registration:
+          enable: true
+        ```
     4.  Save the file and restart Authelia (`docker compose restart authelia`).
     5.  A "Register" link will now appear on the Authelia login page.
 
-- **Approving Registered Users:**
+*   **Approving Registered Users:**
     1.  When a user registers (if enabled), their details are added to `authelia/users_database.yml` but marked as `disabled: true`.
     2.  To approve them, edit `authelia/users_database.yml`.
     3.  Find the new user's entry.
@@ -373,101 +364,104 @@ Authelia uses the `authelia/users_database.yml` file to manage users.
 
 With the default Tailscale setup and Authelia enabled, services are securely accessible via HTTPS using your Tailscale node's name or IP. Authentication is controlled by the included `update-setup.sh` script.
 
-- **Login Portal:** `https://<TAILSCALE_NODE>/` (Redirects unauthenticated users here for secured services)
+*   **Login Portal:** `https://<TAILSCALE_NODE>/` (Redirects unauthenticated users here for secured services)
-- **Homepage Dashboard:** `https://<TAILSCALE_NODE>/home` (Requires login by default)
+*   **Homepage Dashboard:** `https://<TAILSCALE_NODE>/home` (Requires login by default)
-- **Sonarr:** `https://<TAILSCALE_NODE>/sonarr` (Requires login by default)
+*   **Sonarr:** `https://<TAILSCALE_NODE>/sonarr` (Requires login by default)
-- **Radarr:** `https://<TAILSCALE_NODE>/radarr` (Requires login by default)
+*   **Radarr:** `https://<TAILSCALE_NODE>/radarr` (Requires login by default)
-- **qBittorrent:** `https://<TAILSCALE_NODE>/qbittorrent` (Requires login by default)
+*   **qBittorrent:** `https://<TAILSCALE_NODE>/qbittorrent` (Requires login by default)
-- **Jellyfin:** `https://<TAILSCALE_NODE>/jellyfin` (Requires login by default)
+*   **Jellyfin:** `https://<TAILSCALE_NODE>/jellyfin` (Requires login by default)
-- ...and so on.
+*   ...and so on.
 
 Replace `<TAILSCALE_NODE>` with your Tailscale device name (e.g., `tailscale-nas.your-tailnet.ts.net`) or its Tailscale IP address.
 
 If you configure DNS for your `APP_HOSTNAME` variable to point to the Tailscale IP, you can use `https://<APP_HOSTNAME>/<service_path>`.
 
-### Setup Script Commands (`update-setup.sh`)
+### Managing Service Authentication
 
-The `update-setup.sh` script provides various commands to manage your configuration. Run `./update-setup.sh help` to see all options.
+You can control which services require authentication using the updated `update-setup.sh` script:
 
-**Core Setup & Updates:**
+```bash
+# List all services and their authentication status
+./update-setup.sh list-auth
 
-- `./update-setup.sh update-env`: Updates `.env` from `.env.example`, preserving existing values and highlighting new/deprecated keys.
+# Disable authentication for Jellyfin (no login required)
-- `./update-setup.sh update-authelia`: Updates `authelia/configuration.yml` from the example, applying domain settings from `.env` and attempting to preserve secrets (uses `yq` if available).
+./update-setup.sh disable-auth jellyfin
-- `./update-setup.sh update-services`: Updates configurations for running *arr/qBittorrent/Bazarr containers (sets URL base, extracts API keys to `.env`). Restarts affected containers.
-- `./update-setup.sh all`: Runs `update-env`, `update-authelia`, and `update-services` sequentially. Recommended for initial setup and major updates.
 
-**Authelia Policy Management:**
+# Enable authentication for Jellyfin (login required)
+./update-setup.sh enable-auth jellyfin 
 
-- `./update-setup.sh manage-policies`: Starts an interactive menu to list or set Authelia access policies (`one_factor`, `two_factor`, `bypass`, `deny`) for specific services defined in `authelia/configuration.yml`.
+# Disable authentication for all services
-- `./update-setup.sh list-policies`: Lists services defined in `authelia/configuration.yml` and their current access policy.
+./update-setup.sh disable-all-auth
-- `./update-setup.sh set-policy <service> <policy>`: Directly sets the Authelia access policy for the specified `<service>` to the given `<policy>` (e.g., `one_factor`, `two_factor`, `bypass`, `deny`).
 
-> **Important:** After changing Authelia policies using `manage-policies` or `set-policy`, you **must** restart Authelia for the changes to take effect:
+# Enable authentication for all services
->
+./update-setup.sh enable-all-auth
-> ```bash
-> docker compose restart authelia
-> ```
 
-**User & File Management:**
+# Clean up backup files (keeps most recent by default)
+./update-setup.sh cleanup
 
-- `./update-setup.sh manage-accounts`: Starts an interactive tool to add or update users in `authelia/users_database.yml`. It generates password hashes and prompts for user details.
+# View all available commands
-- `./update-setup.sh cleanup`: Interactively finds and deletes old backup files (`.bak`) created by the script. Allows keeping the most recent backup of each type.
+./update-setup.sh help
+```
 
-**Help:**
+You can also manage authentication through the interactive menu by running `./update-setup.sh` and selecting option 5.
 
-- `./update-setup.sh help`: Displays the full list of commands and usage instructions.
+After making changes, restart your stack for the changes to take effect:
 
-### Managing Service Authentication (Authelia Policies)
+```bash
+docker compose down
+docker compose up -d
+```
 
-Use the `update-setup.sh` script to easily control which services require Authelia login and what level of authentication is needed. This is done by managing *access control rules* within Authelia's configuration (`authelia/configuration.yml`).
+This approach gives you complete control over which services require authentication, without needing to manually edit configuration files.
-
-See the `Authelia Policy Management` commands in the [Setup Script Commands](#setup-script-commands-update-setupsh) section above for details on how to list and set policies like `one_factor`, `two_factor`, `bypass`, or `deny` for each service.
 
 ## Optional Services
 
 Several services are included but disabled by default. Enable them by adding their profile name to the `COMPOSE_PROFILES` variable in your `.env` file (separate multiple profiles with commas).
 
 Example: Enable Lidarr and SABnzbd
-
 ```dotenv
 COMPOSE_PROFILES=lidarr,sabnzbd
 ```
 
 Available Profiles:
-
+*   `lidarr`: Music management.
-- `lidarr`: Music management.
+*   `sabnzbd`: Usenet download client.
-- `sabnzbd`: Usenet download client.
+*   `flaresolverr`: Bypasses Cloudflare challenges for Prowlarr.
-- `flaresolverr`: Bypasses Cloudflare challenges for Prowlarr.
+*   `adguardhome`: Network-wide ad blocking (see `adguardhome/README.md`).
-- `adguardhome`: Network-wide ad blocking (see `adguardhome/README.md`).
+*   `calibre-web`: E-book library management.
-- `calibre-web`: E-book library management.
+*   `decluttarr`: Automated download cleanup.
-- `decluttarr`: Automated download cleanup.
+*   `tandoor`: Recipe management (see `tandoor/README.md`).
-- `tandoor`: Recipe management (see `tandoor/README.md`).
+*   `joplin`: Note-taking server (see `joplin/README.md`).
-- `joplin`: Note-taking server (see `joplin/README.md`).
+*   `homeassistant`: Home automation (see `homeassistant/README.md`).
-- `homeassistant`: Home automation (see `homeassistant/README.md`).
+*   `immich`: Photo management (see `immich/README.md`).
-- `immich`: Photo management (see `immich/README.md`).
 
 ## Troubleshooting
 
 ### Middleware Not Found Errors
 
-If you see error messages like `middleware "authelia-auth@docker" does not exist` in the Traefik logs, please check Authelia logs for any fatal errors. It is likely due to a misconfigured `configuration.yml` in `authelia/configuration.yml`
+If you see error messages like `middleware "authelia-auth@docker" does not exist` in the Traefik logs, it could be due to one of these issues:
 
-Make sure Traefik can access the Docker socket. See the [SELinux Socket Permissions](#selinux-socket-permissions-docker) section below for more details.
+1. **Docker Network Issue:** The Traefik configuration has been updated to fix network discovery issues when running in Tailscale's network namespace. If you're still seeing this error, try restarting the stack with:
+   ```bash
+   docker compose down
+   docker compose up -d
+   ```
+
+2. **Authentication Variable Missing:** Ensure you have properly configured the `AUTH_*` variables in your `.env` file for the services you want to control. If not specified, most services default to requiring authentication.
+
+3. **Docker Socket Permissions:** Make sure Traefik can access the Docker socket. See the [SELinux Socket Permissions](#selinux-socket-permissions-docker) section below for more details.
 
 ### SELinux Socket Permissions (Docker)
 
 If you are running Docker on a host with SELinux enabled (like Fedora, CentOS, RHEL) and services like Traefik, Watchtower, or Autoheal fail with "permission denied" errors when trying to access `/var/run/docker.sock`:
 
 1.  **Check Audit Logs:** Immediately after seeing the error, check the SELinux audit log on the host:
-
     ```bash
     sudo ausearch -m avc -ts recent
     ```
-
     Look for lines containing `denied`, `docker.sock`, and the name of the failing service (e.g., `traefik`, `watchtower`).
 
 2.  **Generate Custom Policy:** If denials are found, you may need to create a custom SELinux policy module using `audit2allow`. Pipe the denial messages into it:
-
     ```bash
     # Generate policy files (my-dockersock.te and my-dockersock.pp)
     sudo ausearch -m avc -ts recent | audit2allow -M my-dockersock
@@ -475,7 +469,6 @@ If you are running Docker on a host with SELinux enabled (like Fedora, CentOS, R
     # Install the policy module
     sudo semodule -i my-dockersock.pp
     ```
-
     This allows the specific actions that were being denied. You might need to repeat this if different denials appear after applying the first policy.
 
 ### Authelia v4.38+ Configuration
@@ -500,17 +493,17 @@ Authelia v4.38+ introduces significant changes to its configuration structure, p
    - Configures cookie domains properly to avoid Public Suffix List issues
    - Sets up proper access control rules for both your domain and its subdomains
 
-If you encounter any of these common errors:
+4. **File Permissions**: The Authelia container runs with your user ID and group ID, preventing permission issues when managing the configuration files with git or other tools.
 
-```log
+If you encounter any of these common errors, running the setup script should resolve them:
+```
 error: option 'domain' is not a valid cookie domain: the domain is part of the special public suffix list
 error: option 'authelia_url' does not share a cookie scope with domain
 error: can't be specified at the same time: option 'domain' and option 'cookies'
 configuration key 'jwt_secret' is deprecated in 4.38.0
 ```
 
-Running the setup script should resolve them. After making changes to the configuration, restart Authelia with:
+After making changes to the configuration, restart Authelia with:
-
 ```bash
 docker compose restart authelia
 ```
@@ -519,17 +512,16 @@ See the [Authelia documentation](https://www.authelia.com/configuration/session/
 
 ### Tailscale Issues
 
-- **Authentication:** Ensure your `TAILSCALE_AUTHKEY` in `.env` is valid and hasn't expired (especially if using ephemeral keys). Check the `tailscale` container logs (`docker compose logs tailscale`) for authentication errors.
+*   **Authentication:** Ensure your `TAILSCALE_AUTHKEY` in `.env` is valid and hasn't expired (especially if using ephemeral keys). Check the `tailscale` container logs (`docker compose logs tailscale`) for authentication errors.
-- **Connectivity:** Verify the `tailscale` container is running and connected to your Tailnet (`docker compose exec tailscale tailscale status`).
+*   **Connectivity:** Verify the `tailscale` container is running and connected to your Tailnet (`docker compose exec tailscale tailscale status`).
-- **Funnel/Serve Command:** If you modified the Tailscale command, ensure the syntax for `tailscale funnel` or `tailscale serve` is correct.
+*   **Funnel/Serve Command:** If you modified the Tailscale command, ensure the syntax for `tailscale funnel` or `tailscale serve` is correct.
 
 ### File Permissions
 
 If services report permission errors when accessing `/config` or `/data` directories, double-check that:
-
+*   The `USER_ID` and `GROUP_ID` in your `.env` file match the owner/group of the corresponding `CONFIG_ROOT` and `DATA_ROOT` directories on your host.
-- The `USER_ID` and `GROUP_ID` in your `.env` file match the owner/group of the corresponding `CONFIG_ROOT` and `DATA_ROOT` directories on your host.
+*   The host directories have appropriate read/write permissions for that user/group.
-- The host directories have appropriate read/write permissions for that user/group.
+*   If using SELinux, the `:Z` flag on the volume mounts in `docker-compose.yml` is correctly applied to allow the container to write to the host paths.
-- If using SELinux, the `:Z` flag on the volume mounts in `docker-compose.yml` is correctly applied to allow the container to write to the host paths.
 
 ## Advanced Topics
 

authelia/configuration.example.yml

@@ -54,76 +54,14 @@ authentication_backend:
 
 # Access control rules
 access_control:
-  default_policy: deny # Deny access by default
+  default_policy: deny
   rules:
-    # Rules are processed in order. First match wins.
+    # This will match any subdomain of your specific Tailscale domain
-    # It's recommended to put more specific rules first.
-
-    # 1. Bypass rules (No authentication required)
-    # Allow access to Authelia's own endpoints
     - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/auth.*' # Match /auth and anything after it
-      policy: bypass
-    # Allow access to the root path (will be redirected by Traefik later)
-    - domain: '*.your-tailnet.ts.net'
-      path: '/'
-      policy: bypass
-    # Allow access to API endpoints (as requested, review security implications)
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/api.*' # Match /api and anything after it
-      policy: bypass
-
-    # 2. One-Factor Authentication Rules (Requires login)
-    # Add rules for each service you want to protect.
-    # The domain should match your Tailscale domain.
-    # The path should match the Traefik PathPrefix for the service.
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/sonarr.*'
       policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
+    # Also match the main domain without subdomain
-      path_regex: '^/radarr.*'
+    - domain: 'your-tailnet.ts.net'
       policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/lidarr.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/bazarr.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/qbittorrent.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/sabnzbd.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/calibre.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/home.*' # Protect the homepage
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/jellyseerr.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/prowlarr.*'
-      policy: one_factor
-    - domain: '*.your-tailnet.ts.net'
-      path_regex: '^/flaresolverr.*'
-      policy: one_factor
-    # Add other services here following the pattern:
-    # - domain: '*.your-tailnet.ts.net'
-    #   path_regex: '^/<service_path>.*'
-    #   policy: one_factor
-
-    # 3. Default rule for the domain (optional, if you want a catch-all)
-    # This rule will apply if no path-specific rule above matches.
-    # You might want to deny or require one_factor for unmatched paths.
-    # Example: Deny any other path on the domain
-    # - domain: '*.your-tailnet.ts.net'
-    #   policy: deny
-    # Example: Require login for any other path
-    # - domain: '*.your-tailnet.ts.net'
-    #   policy: one_factor
 
 # Notifier configuration
 notifier:

docker-compose.yml

@@ -44,6 +44,7 @@ services:
     volumes:
       - ${CONFIG_ROOT:-.}/authelia:/config:Z
     environment:
+      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
       - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
       - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
       - AUTHELIA_SESSION_REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
@@ -51,18 +52,17 @@ services:
       - TZ=${TIMEZONE}
     labels:
       - traefik.enable=true
-      - traefik.http.routers.authelia.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/auth`) # Changed rule
+      - traefik.http.routers.authelia.rule=PathPrefix(`/`)
       - traefik.http.routers.authelia.entrypoints=web
-      # - traefik.http.routers.authelia.priority=100 # Removed priority
+      - traefik.http.routers.authelia.priority=100
       - traefik.http.services.authelia.loadbalancer.server.port=9091
-      - traefik.http.middlewares.authelia-auth.forwardAuth.address=http://authelia:9091/api/verify # Simplified forwardAuth address
+      - traefik.http.middlewares.authelia-auth.forwardAuth.address=http://authelia:9091/api/verify?rd=https://${APP_HOSTNAME}/
-      - traefik.http.routers.authelia.middlewares=https-proto@docker
       - traefik.http.middlewares.authelia-auth.forwardAuth.trustForwardHeader=true
       - traefik.http.middlewares.authelia-auth.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
       - homepage.group=Security
       - homepage.name=Authelia
       - homepage.icon=authelia.png
-      - homepage.href=/auth # Updated href
+      - homepage.href=https://${APP_HOSTNAME}/
       - homepage.description=Authentication Portal
   sonarr:
     image: lscr.io/linuxserver/sonarr
@@ -81,9 +81,9 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.sonarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/sonarr`) # Added Host check
+      - traefik.http.routers.sonarr.rule=PathPrefix(`/sonarr`)
       - traefik.http.routers.sonarr.entrypoints=web
-      - traefik.http.routers.sonarr.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.sonarr.middlewares=authelia-auth@docker
       - traefik.http.services.sonarr.loadbalancer.server.port=8989
       - homepage.group=Media
       - homepage.name=Sonarr
@@ -111,9 +111,9 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.radarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/radarr`) # Added Host check
+      - traefik.http.routers.radarr.rule=PathPrefix(`/radarr`)
       - traefik.http.routers.radarr.entrypoints=web
-      - traefik.http.routers.radarr.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.radarr.middlewares=authelia-auth@docker
       - traefik.http.services.radarr.loadbalancer.server.port=7878
       - homepage.group=Media
       - homepage.name=Radarr
@@ -141,9 +141,9 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.lidarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/lidarr`) # Added Host check
+      - traefik.http.routers.lidarr.rule=PathPrefix(`/lidarr`)
       - traefik.http.routers.lidarr.entrypoints=web
-      - traefik.http.routers.lidarr.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.lidarr.middlewares=authelia-auth@docker
       - traefik.http.services.lidarr.loadbalancer.server.port=8686
       - homepage.group=Media
       - homepage.name=Lidarr
@@ -173,9 +173,9 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.bazarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/bazarr`) # Added Host check
+      - traefik.http.routers.bazarr.rule=PathPrefix(`/bazarr`)
       - traefik.http.routers.bazarr.entrypoints=web
-      - traefik.http.routers.bazarr.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.bazarr.middlewares=authelia-auth@docker
       - traefik.http.services.bazarr.loadbalancer.server.port=6767
       - homepage.group=Download
       - homepage.name=Bazarr
@@ -208,10 +208,10 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.jellyseerr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/jellyseerr`) # Added Host check
+      - traefik.http.routers.jellyseerr.rule=PathPrefix(`/jellyseerr`)
       - traefik.http.routers.jellyseerr.entrypoints=web
       - traefik.http.services.jellyseerr.loadbalancer.server.port=5055
-      - traefik.http.routers.jellyseerr.middlewares=https-proto@docker,jellyseerr-stripprefix,jellyseerr-rewrite,jellyseerr-rewriteHeaders,authelia-auth@docker
+      - traefik.http.routers.jellyseerr.middlewares=jellyseerr-stripprefix,jellyseerr-rewrite,jellyseerr-rewriteHeaders,authelia-auth@docker
       - traefik.http.middlewares.jellyseerr-stripprefix.stripPrefix.prefixes=/jellyseerr
       - traefik.http.middlewares.jellyseerr-rewriteHeaders.plugin.rewriteHeaders.rewrites[0].header=location
       - traefik.http.middlewares.jellyseerr-rewriteHeaders.plugin.rewriteHeaders.rewrites[0].regex=^/(.+)$
@@ -282,9 +282,9 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.prowlarr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/prowlarr`) # Added Host check
+      - traefik.http.routers.prowlarr.rule=PathPrefix(`/prowlarr`)
       - traefik.http.routers.prowlarr.entrypoints=web
-      - traefik.http.routers.prowlarr.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.prowlarr.middlewares=authelia-auth@docker
       - traefik.http.services.prowlarr.loadbalancer.server.port=9696
       - homepage.group=Download
       - homepage.name=Prowlarr
@@ -306,9 +306,9 @@ services:
       - TZ=${TIMEZONE}
     labels:
       - traefik.enable=true
-      - traefik.http.routers.flaresolverr.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/flaresolverr`) # Added Host check
+      - traefik.http.routers.flaresolverr.rule=PathPrefix(`/flaresolverr`)
       - traefik.http.routers.flaresolverr.entrypoints=web
-      - traefik.http.routers.flaresolverr.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.flaresolverr.middlewares=authelia-auth@docker
       - traefik.http.services.flaresolverr.loadbalancer.server.port=8191
     profiles:
       - flaresolverr
@@ -332,10 +332,10 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.qbittorrent.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/qbittorrent`) # Added Host check
+      - traefik.http.routers.qbittorrent.rule=PathPrefix(`/qbittorrent`)
       - traefik.http.routers.qbittorrent.entrypoints=web
       - traefik.http.services.qbittorrent.loadbalancer.server.port=8080
-      - traefik.http.routers.qbittorrent.middlewares=https-proto@docker,qbittorrent-strip-slash,qbittorrent-stripprefix,authelia-auth@docker
+      - traefik.http.routers.qbittorrent.middlewares=qbittorrent-strip-slash,qbittorrent-stripprefix,authelia-auth@docker
       - traefik.http.middlewares.qbittorrent-stripprefix.stripPrefix.prefixes=/qbittorrent
       - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.regex=(^.*\/qbittorrent$$)
       - traefik.http.middlewares.qbittorrent-strip-slash.redirectregex.replacement=$$1/
@@ -378,9 +378,9 @@ services:
     restart: always
     labels:
       - traefik.enable=true
-      - traefik.http.routers.sabnzbd.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/sabnzbd`) # Added Host check
+      - traefik.http.routers.sabnzbd.rule=PathPrefix(`/sabnzbd`)
       - traefik.http.routers.sabnzbd.entrypoints=web
-      - traefik.http.routers.sabnzbd.middlewares=https-proto@docker,authelia-auth@docker
+      - traefik.http.routers.sabnzbd.middlewares=authelia-auth@docker
       - traefik.http.services.sabnzbd.loadbalancer.server.port=8080
       - homepage.group=Download
       - homepage.name=Sabnzbd
@@ -400,7 +400,7 @@ services:
       - PUID=${USER_ID}
       - PGID=${GROUP_ID}
       - TZ=${TIMEZONE}
-      - JELLYFIN_PublishedServerUrl=https://${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}/jellyfin
+      - JELLYFIN_PublishedServerUrl=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}/jellyfin
     volumes:
       - ${CONFIG_ROOT:-.}/jellyfin:/config:Z
       - ${DATA_ROOT}:/data:Z
@@ -414,9 +414,9 @@ services:
       retries: 10
     labels:
       - traefik.enable=true
-      - traefik.http.routers.jellyfin.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/jellyfin`) # Added Host check
+      - traefik.http.routers.jellyfin.rule=PathPrefix(`/jellyfin`)
       - traefik.http.routers.jellyfin.entrypoints=web
-      - traefik.http.routers.jellyfin.middlewares=https-proto@docker # Only HTTPS, no auth
+      - traefik.http.routers.jellyfin.middlewares=authelia-auth@docker
       - traefik.http.services.jellyfin.loadbalancer.server.port=8096
       - homepage.group=Media
       - homepage.name=Jellyfin
@@ -445,8 +445,8 @@ services:
       - traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Scheme=https
       - traefik.http.middlewares.calibre-headers.headers.customRequestHeaders.X-Script-Name=/calibre
       - traefik.http.middlewares.calibre-stripprefixregex.stripPrefixRegex.regex=/calibre
-      - traefik.http.routers.calibre.middlewares=https-proto@docker,calibre-headers,calibre-stripprefixregex,authelia-auth@docker
+      - traefik.http.routers.calibre.middlewares=calibre-headers,calibre-stripprefixregex,authelia-auth@docker
-      - traefik.http.routers.calibre.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/calibre`) # Added Host check
+      - traefik.http.routers.calibre.rule=PathPrefix(`/calibre`)
       - traefik.http.routers.calibre.entrypoints=web
       - traefik.http.services.calibre.loadbalancer.server.port=8083
       - homepage.group=Media
@@ -519,16 +519,15 @@ services:
       [sh, -c, "cp -n /app/config/tpl/*.yaml /app/config && node server.js"]
     labels:
       - traefik.enable=true
-      - traefik.http.routers.homepage.rule=Host(`${APP_HOSTNAME}`) && PathPrefix(`/home`) # Changed rule to root
+      - traefik.http.routers.homepage.rule=PathPrefix(`/home`)
       - traefik.http.routers.homepage.entrypoints=web
-      # - traefik.http.routers.homepage.priority=10 # Removed priority
+      - traefik.http.routers.homepage.priority=10
-      # Global middleware for setting HTTPS header
+      - traefik.http.middlewares.homepage-stripprefix.stripPrefix.prefixes=/home
-      - traefik.http.middlewares.https-proto.headers.customrequestheaders.X-Forwarded-Proto=https
+      - traefik.http.routers.homepage.middlewares=homepage-stripprefix,authelia-auth@docker
-      - traefik.http.routers.homepage.middlewares=https-proto@docker,authelia-auth@docker
       - homepage.group=Dashboard
       - homepage.name=Homepage
       - homepage.icon=homepage.png
-      - homepage.href=/ # Updated href
+      - homepage.href=/home
       - homepage.description=Service Dashboard
   watchtower:
     image: ghcr.io/containrrr/watchtower:latest