From f2d4cad56671798f8ec0235b756a974bc31ec025 Mon Sep 17 00:00:00 2001
From: Micha <michideheld@gmx.de>
Date: Sat, 6 Jun 2026 13:41:16 +0200
Subject: [PATCH] paperless: Authelia OIDC SSO additiv (allauth, extra_hosts)

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
---
 apps/paperless/docker-compose.yml | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/apps/paperless/docker-compose.yml b/apps/paperless/docker-compose.yml
index 2bdf966..afdfa47 100644
--- a/apps/paperless/docker-compose.yml
+++ b/apps/paperless/docker-compose.yml
@@ -3,6 +3,9 @@ services:
     image: ghcr.io/paperless-ngx/paperless-ngx:2.20.15@sha256:6c86cad803970ea782683a8e80e7403444c5bf3cf70de63b4d3c8e87500db92f
     container_name: paperless-ngx
     restart: unless-stopped
+    # OIDC: Authelia ueber Host-LAN-IP -> Traefik erreichbar (Container-DNS sonst nicht)
+    extra_hosts:
+      - "auth.kaleschke.info:192.168.178.58"
     security_opt:
       - no-new-privileges:true
     environment:
@@ -17,6 +20,11 @@ services:
       - PAPERLESS_OCR_LANGUAGE=deu+eng
       - PAPERLESS_URL=https://paperless.kaleschke.info
 
+      # --- Authelia OIDC SSO (additiv, 2026-06-06; lokaler Login bleibt) ---
+      - PAPERLESS_APPS=allauth.socialaccount.providers.openid_connect
+      - PAPERLESS_SOCIAL_AUTO_SIGNUP=true
+      - 'PAPERLESS_SOCIALACCOUNT_PROVIDERS={"openid_connect":{"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authelia","name":"Authelia","client_id":"paperless","secret":"${PAPERLESS_OIDC_SECRET}","settings":{"server_url":"https://auth.kaleschke.info"}}]}}'
+
       # Barcode / ASN
       - PAPERLESS_CONSUMER_ENABLE_BARCODES=1
       - PAPERLESS_CONSUMER_ENABLE_ASN_BARCODE=1