fix(restore): harden restore checks and add authelia smoke scaffold

2026-06-03 07:39:05 +02:00
parent e2624796f0
commit b1ae9f3c26
24 changed files with 821 additions and 81 deletions
@@ -0,0 +1,56 @@
+services:
+  restoretest-authelia-postgres:
+    # Gleiche Major-Version wie shared PostgreSQL 18 in Produktion.
+    image: postgres:18.4@sha256:8ff36f3c66371cba71d20ceedccfc3de9669a68737607888c4ef0af93abe8e39
+    container_name: restoretest-authelia-postgres
+    restart: "no"
+    environment:
+      TZ: Europe/Berlin
+      POSTGRES_USER: authelia
+      POSTGRES_DB: authelia
+      POSTGRES_PASSWORD: restoretest-authelia-db
+      PGDATA: /var/lib/postgresql/18/docker
+    volumes:
+      - /mnt/user/backups/restore-lab/authelia/postgres:/var/lib/postgresql
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U authelia -d authelia"]
+      interval: 10s
+      timeout: 5s
+      retries: 10
+    security_opt:
+      - no-new-privileges:true
+
+  restoretest-authelia:
+    # Gleicher Image-Digest wie security/authelia/docker-compose.yml in Produktion.
+    image: authelia/authelia:4.39.20@sha256:1b363e9279e742397966333f364e0876ae02bf5c876de73e83af6d48c57ff51b
+    container_name: restoretest-authelia
+    restart: "no"
+    depends_on:
+      restoretest-authelia-postgres:
+        condition: service_healthy
+    command:
+      - authelia
+      - --config=/config/configuration.yml
+      - --config=/config/configuration.test-overlay.yml
+    environment:
+      TZ: Europe/Berlin
+      # Wegwerf-Secrets nur fuer den isolierten Smoke. Niemals produktive
+      # Authelia-Secrets in diesem Compose verwenden. Die produktiven
+      # authelia_*_FILE-Mounts werden bewusst NICHT eingebunden.
+      AUTHELIA_JWT_SECRET: restoretest-authelia-jwt-secret-placeholder-32bytes
+      AUTHELIA_SESSION_SECRET: restoretest-authelia-session-secret-placeholder-32
+      AUTHELIA_STORAGE_ENCRYPTION_KEY: restoretest-authelia-storage-enc-key-placeholder-32
+      AUTHELIA_STORAGE_POSTGRES_PASSWORD: restoretest-authelia-db
+      AUTHELIA_NOTIFIER_SMTP_PASSWORD: restoretest-authelia-smtp-placeholder
+      # Die command:-Config laedt configuration.yml + Test-Overlay (zweite
+      # Datei gewinnt bei Konflikt). Das Overlay zwingt storage/notifier/
+      # session auf isolierte Test-Backends, damit kein produktives Postgres
+      # erreicht und kein echter SMTP-Versand ausgeloest wird.
+      AUTHELIA__SERVER__ADDRESS: tcp://0.0.0.0:9091
+    volumes:
+      - /mnt/user/backups/restore-lab/authelia/config:/config
+    ports:
+      # nur 127.0.0.1, keine Public-Route, keine Traefik-Labels
+      - "127.0.0.1:19091:9091"
+    security_opt:
+      - no-new-privileges:true