c27584cd9c
Add `*_authentik_forward_auth` + `*_authentik_forward_auth_url` knobs to both roles. When enabled: * drawio: traefik attaches a ForwardAuth middleware pointing at the authentik embedded outpost; unauthenticated requests get redirected to log in and downstream sees X-Authentik-* identity headers. * garage WebUI: same ForwardAuth wiring, and `AUTH_USER_PASS` is dropped from the container env so authentik is the only gate. Tasks now key the htpasswd hash workflow off `_garage_webui_htpasswd_active` (`webui_enabled AND NOT authentik_forward_auth`); when authentik fronts the UI we skip hashing entirely. htpasswd hash is also now cached on disk and re-verified via `htpasswd -vbB` so unchanged passwords stop showing as `changed=true` on every run. Both knobs default to `false`, preserving existing htpasswd/plain behaviour. |
||
|---|---|---|
| .. | ||
| 389ds | ||
| authentik | ||
| authentik_outpost_ldap | ||
| base | ||
| collabora | ||
| drawio | ||
| garage | ||
| homarr | ||
| httpbin | ||
| keycloak | ||
| nextcloud | ||
| opencloud | ||
| traefik | ||