Replace traefik dashboard auth with authentik auth

.gitignore

@@ -6,4 +6,3 @@ db
 
 # Files
 .env
-users

authentik/compose.yml

@@ -45,6 +45,17 @@ services:
       - ./data/templates:/templates
       - /var/run/docker.sock:/var/run/docker.sock
   
+  authentik_proxy:
+    image: authentik/proxy:2025.10
+    container_name: authentik_proxy
+    restart: always
+    environment:
+      AUTHENTIK_HOST: https://login.eliasfink.de
+      AUTHENTIK_TOKEN: ${AUTHENTIK_OUTPOST_TOKEN}
+    networks:
+      - default
+      - traefik
+
   authentik_db:
     image: postgres:16
     container_name: authentik_db

hedgedoc/compose.yml

@@ -12,6 +12,16 @@ services:
       CMD_ALLOW_EMAIL_REGISTER: false
       CMD_DB_URL: postgres://hedgedoc:${DB_PASSWORD}@hedgedoc_db:5432/hedgedoc
       CMD_DOMAIN: pad.eliasfink.de
+      CMD_OAUTH2_PROVIDERNAME: EFlogin
+      CMD_OAUTH2_CLIENT_ID: ${OAUTH2_CLIENT_ID}
+      CMD_OAUTH2_CLIENT_SECRET: ${OAUTH2_CLIENT_SECRET} 
+      CMD_OAUTH2_SCOPE: openid email profile
+      CMD_OAUTH2_AUTHORIZATION_URL: https://login.eliasfink.de/application/o/authorize/
+      CMD_OAUTH2_TOKEN_URL: https://login.eliasfink.de/application/o/token/
+      CMD_OAUTH2_USER_PROFILE_URL: https://login.eliasfink.de/application/o/userinfo/
+      CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR: name
+      CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR: email
+      CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR: preferred_username
       CMD_PROTOCOL_USESSL: true
     networks:
       - default

home-assistant/compose.yml

@@ -1,17 +0,0 @@
-# /services/home-assistant/compose.yml
-
-services:
-  home-assistant:
-    image: homeassistant/home-assistant:2025.7
-    container_name: home-assistant
-    restart: always
-    networks:
-      - traefik
-    volumes:
-      - ./data:/config
-      - /etc/localtime:/etc/localtime:ro
-      - /run/dbus:/run/dbus:ro
-
-networks:
-  traefik:
-    external: true

traefik/config/dashboard/dashboard.yml

@@ -1,16 +0,0 @@
-# /services/traefik/config/dashboard/dashboard.yml
-
-http:
-  routers:
-    traefik:
-      entryPoints:
-        - https
-      rule: Host(`traefik.eliasfink.de`)
-      middlewares:
-        - traefik-dashboard-auth
-      service: api@internal
-
-  middlewares:
-    traefik-dashboard-auth:
-      digestAuth:
-        usersFile: /etc/traefik/config/dashboard/users

traefik/config/middlewares/dashboard.yml

@@ -0,0 +1,30 @@
+# /services/traefik/config/middlewares/dashboard.yml
+
+http:
+  routers:
+    traefik:
+      entryPoints:
+        - https
+      rule: Host(`traefik.eliasfink.de`)
+      middlewares:
+        - traefik-dashboard-auth
+      service: api@internal
+
+  middlewares:
+    traefik-dashboard-auth:
+      forwardAuth:
+        address: http://authentik_proxy:9000/outpost.goauthentik.io/auth/traefik
+        trustForwardHeader: true
+        authResponseHeaders:
+          - X-authentik-username
+          - X-authentik-groups
+          - X-authentik-entitlements
+          - X-authentik-email
+          - X-authentik-name
+          - X-authentik-uid
+          - X-authentik-jwt
+          - X-authentik-meta-jwks
+          - X-authentik-meta-outpost
+          - X-authentik-meta-provider
+          - X-authentik-meta-app
+          - X-authentik-meta-version

traefik/config/middlewares/home-redirection.yml

@@ -1,4 +1,4 @@
-# /services/traefik/config/home-redirection.yml
+# /services/traefik/config/middlewares/home-redirection.yml
 
 http:
   routers:

traefik/config/services/authentik.yml

@@ -2,10 +2,10 @@
 
 http:
   routers:
-    auth:
+    login:
       entryPoints:
         - https
-      rule: Host(`auth.eliasfink.de`)
+      rule: Host(`login.eliasfink.de`)
       service: authentik
 
   services:

traefik/config/services/home-assistant.yml

@@ -1,15 +0,0 @@
-# /services/traefik/config/services/home-assistant.yml
-
-http:
-  routers:
-    smarthome:
-      entryPoints:
-        - https
-      rule: Host(`smarthome.eliasfink.de`)
-      service: home-assistant
-
-  services:
-    home-assistant:
-      loadBalancer:
-        servers:
-          - url: http://home-assistant:8123