Micha/homelab-infra
1
0
Fork 0
Code Issues 1 Pull Requests 5 Actions Packages Projects Releases Wiki Activity

fix: protect ha onboarding with authelia

Browse Source
This commit is contained in:
Micha
2026-06-12 21:52:45 +02:00
parent c24b792808
commit 4ab6dcefd2
2 changed files with 3 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/MASTER_TODO.md
+1 -1
View File
@@ -25,7 +25,7 @@ Host-Reports (`/mnt/user/backups/restore-reports/`) und in der Git-Historie.
| Restore-Test Tailscale | Operator | State-Validierung + Reconnect nur auf Wegwerf-Host/VM, danach Geraet in Tailscale-Admin entfernen | `ops/restore-tests/tailscale-runbook.md` | | Restore-Test Tailscale | Operator | State-Validierung + Reconnect nur auf Wegwerf-Host/VM, danach Geraet in Tailscale-Admin entfernen | `ops/restore-tests/tailscale-runbook.md` |
| Authelia OIDC fuer Apps | Operator/Claude | Live: Grafana + Mealie (verifiziert), Paperless deployed (Login-Test offen). Immich + Nextcloud bewusst geparkt bis Family-Onboarding (siehe `docs/DECISIONS.md` 2026-06-06) | `docs/AUTHELIA_OIDC_PLAN.md` | | Authelia OIDC fuer Apps | Operator/Claude | Live: Grafana + Mealie (verifiziert), Paperless deployed (Login-Test offen). Immich + Nextcloud bewusst geparkt bis Family-Onboarding (siehe `docs/DECISIONS.md` 2026-06-06) | `docs/AUTHELIA_OIDC_PLAN.md` |
| Glance-v2-Widgets: Tokens setzen | Operator | In Komodo Stack-ENV fuer `ops-glance` setzen: `GLANCE_KOMODO_API_KEY`/`_SECRET` (Komodo read-only API-Key), `GLANCE_GITEA_TOKEN` (read-only, scope `read:repository`), `GLANCE_PAPERLESS_TOKEN`, `GLANCE_MEALIE_TOKEN`; bis dahin zeigen die neuen Widgets Fehler/leer. Speedtest-Widget: falls weiter 0.0, API-Response pruefen | `ops/glance/config/` | | Glance-v2-Widgets: Tokens setzen | Operator | In Komodo Stack-ENV fuer `ops-glance` setzen: `GLANCE_KOMODO_API_KEY`/`_SECRET` (Komodo read-only API-Key), `GLANCE_GITEA_TOKEN` (read-only, scope `read:repository`), `GLANCE_PAPERLESS_TOKEN`, `GLANCE_MEALIE_TOKEN`; bis dahin zeigen die neuen Widgets Fehler/leer. Speedtest-Widget: falls weiter 0.0, API-Response pruefen | `ops/glance/config/` |
| Home Assistant Foundation-Abnahme | Operator/Codex | Sofort: Owner-Onboarding abschliessen. Danach Komodo-Stack-Eintrag + Webhook sauber anlegen/verifizieren, HA-MQTT-Smoke-Test und HA-native `backup.create` testen, Restore-Probe fuer HA/Mosquitto dokumentieren. Bis Owner existiert, bleibt Traefik per `homeassistant-lan-only` auf LAN/Tailscale begrenzt | `docs/runbooks/smart-home-bootstrap.md`, `docs/RESTORE_MATRIX.md` | | Home Assistant Foundation-Abnahme | Operator/Codex | Sofort: Owner-Onboarding abschliessen. Danach temporaere Authelia-Middleware von der HA-Route entfernen, Komodo-Stack-Eintrag + Webhook sauber anlegen/verifizieren, HA-MQTT-Smoke-Test und HA-native `backup.create` testen, Restore-Probe fuer HA/Mosquitto dokumentieren | `docs/runbooks/smart-home-bootstrap.md`, `docs/RESTORE_MATRIX.md` |
| Audit-PDF aus `docs/` entfernen | Operator | `docs/KalliLab_CORE_Audit_2026-06-06.pdf` (untracked) extern ablegen (H:/ oder Documents-Share) und lokal loeschen; Binaerdateien gehoeren nicht ins GitOps-Repo | Doku-Regeln `docs/REPO_MAP.md` | | Audit-PDF aus `docs/` entfernen | Operator | `docs/KalliLab_CORE_Audit_2026-06-06.pdf` (untracked) extern ablegen (H:/ oder Documents-Share) und lokal loeschen; Binaerdateien gehoeren nicht ins GitOps-Repo | Doku-Regeln `docs/REPO_MAP.md` |
--- ---
smart-home/docker-compose.yml
+2 -4
View File
@@ -28,10 +28,8 @@ services:
- traefik.http.routers.homeassistant.entrypoints=websecure - traefik.http.routers.homeassistant.entrypoints=websecure
- traefik.http.routers.homeassistant.tls=true - traefik.http.routers.homeassistant.tls=true
- traefik.http.routers.homeassistant.tls.certresolver=le - traefik.http.routers.homeassistant.tls.certresolver=le
# Temporary onboarding guard: keep HA reachable only from LAN/Tailscale # Temporary onboarding guard: remove after the HA owner account exists.
# until the owner account exists. - traefik.http.routers.homeassistant.middlewares=authelia@file,secure-headers@file
- traefik.http.routers.homeassistant.middlewares=homeassistant-lan-only
- traefik.http.middlewares.homeassistant-lan-only.ipallowlist.sourcerange=192.168.178.0/24,100.64.0.0/10,217.249.114.123/32
- traefik.http.services.homeassistant.loadbalancer.server.port=8123 - traefik.http.services.homeassistant.loadbalancer.server.port=8123
mosquitto: mosquitto: