feat(k8s/infrastructure/authelia): add Authelia deployment

kubernetes/dev/config/cluster-vars.sops.yaml

@@ -5,6 +5,7 @@ metadata:
     namespace: flux-system
 stringData:
     LUBELOGGER_HOST: ENC[AES256_GCM,data:OvDY/XIE/YW8lSDJmhHYI63r4eLQOojsMjjkUIge,iv:v1JafZB4cmVFjX+yA7FjjoXfx7jPpZQaq1HyXvNXvsY=,tag:+h5Gg/q3bKP3l7xCNLaBqA==,type:str]
+    AUTHELIA_DOMAIN: ENC[AES256_GCM,data:2OL1YD3202Haab4AyQACHtDaYw==,iv:2NtGj9Y3s0CW4xtqeCUr6Kwh7QNXhNsq/y6tGfTcBi4=,tag:c5WzQpJiwuU0vWQxUtEVpg==,type:str]
 sops:
     age:
         - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
@@ -16,7 +17,7 @@ sops:
             LzhUN3Z4cExIL1IyS3ZCNWh5aWpLbDgKQ7c3MmLykA00NaLoctKVDfJvPqTqh3Ia
             cDZJUc6jYJXOJYM6YYyZOYcCL2z8V2RpIfA9sPg8PB2eiipZxjk+Cg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-10T12:00:08Z"
+    lastmodified: "2026-02-18T19:49:59Z"
-    mac: ENC[AES256_GCM,data:MeENbnkjALwbIkd833zmBx/nCfCTqO7+5i5L98lI6UJrgOhrT5gsrP33jiWgyv6qPHqbgLb1XzJ/Z+DbTl6O/sW7NDrgRr3AXPg0L6ej1fCCcdpIQDbgkWzcUSgxSfv8WyFINh3f2HP0TFaZNRaDvkR0IDkwR3KHapkM8fl5uxQ=,iv:/RNS5e0IfOLobot6f+IHuYULbXSoLBYlg6EK9j4Bqic=,tag:re0Ip1/1eX96J5HRN3r46Q==,type:str]
+    mac: ENC[AES256_GCM,data:IulhbCsswVhvtAL49xuhiZeemLqT+pm0An+md4rlVNV4BunMZ/VYX/FIKn74ku3vLFWnTsAZTv6uB6xHdg9KVX0x78igiulp+TXqVA0JpdMsHYUXsoeb88ODDbG49KbUYaL1Id+1+m0G/P7wkGJ8ppQLA8aofKTKRhGsTpcqfv0=,iv:YfZJ2iKBJmjDuBYAIg9B0U3xF67Z/Fa2YqEcZrR/Y7A=,tag:4hxcbZgU/UDcgMEMG0R3dg==,type:str]
     encrypted_regex: ^(data|stringData|email)$
     version: 3.11.0

kubernetes/dev/infrastructure/authelia/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: authelia

kubernetes/dev/infrastructure/authelia/pvc.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: authelia-data
+  namespace: authelia
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: nfs-synology-ssd
+  resources:
+    requests:
+      storage: 1Gi

kubernetes/dev/infrastructure/authelia/release.yaml

@@ -0,0 +1,74 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authelia
+  namespace: flux-system
+spec:
+  chart:
+    spec:
+      chart: authelia
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: authelia
+        namespace: flux-system
+      version: 0.10.49
+  interval: 1m0s
+  targetNamespace: authelia
+  values:
+    pod:
+      kind: Deployment
+      extraVolumes:
+        - name: authelia-config
+          configMap:
+            name: authelia-config
+        - name: authelia-data
+          persistentVolumeClaim:
+            claimName: authelia-data
+        - name: authelia-custom-secrets
+          secret:
+            secretName: authelia-secrets
+            items:
+              - key: OIDC_ISSUER_PRIVATE_KEY
+                path: OIDC_ISSUER_PRIVATE_KEY
+              - key: SMTP_PASSWORD
+                path: SMTP_PASSWORD
+      extraVolumeMounts:
+        - name: authelia-config
+          mountPath: /configuration.yaml
+          subPath: configuration.yml
+        - name: authelia-config
+          mountPath: /users_database.yml
+          subPath: users_database.yml
+        - name: authelia-data
+          mountPath: /data
+        - name: authelia-custom-secrets
+          mountPath: /secrets
+          readOnly: true
+    ingress:
+      enabled: true
+      certManager: true
+      annotations:
+        cert-manager.io/cluster-issuer: letsencrypt
+      tls:
+        enabled: true
+        secret: authelia-tls
+      traefikCRD:
+        enabled: true
+        disableIngressRoute: true
+        middlewares:
+          auth:
+            authResponseHeaders:
+              - Remote-User
+              - Remote-Groups
+              - Remote-Email
+              - Remote-Name
+    configMap:
+      disabled: true
+      session:
+        cookies:
+          - subdomain: auth
+            domain: ${AUTHELIA_DOMAIN}
+    secret:
+      existingSecret: authelia-secrets

kubernetes/dev/infrastructure/authelia/repository.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: authelia
+  namespace: flux-system
+spec:
+  interval: 1m0s
+  url: https://charts.authelia.com/

kubernetes/dev/infrastructure/authelia/secret.sops.yaml

@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: authelia-secrets
+    namespace: authelia
+stringData:
+    OIDC_ISSUER_PRIVATE_KEY: ENC[AES256_GCM,data:PDGGuupGLm3L44/aIuaWSK9122fqKWbXEMyDu8Q0H+kRrJYZMyWHW348Gt7423MS0gfEt0EcCmi78me9UGZgI1Xv3EmYvLQwetaOQ5/IKvD6AjbxK1V4+v+vsE/Se8jur2GrKzQBHQ+NSXrAQ/txpXD1ptczKPX5HTiZPsYjm/AFCtV+NKLIAHeHsl8vMjib56S9USXwVkra09GhrGJ74JWB46zFQC9ClJQgM2jpGMgZpa9LVwVIBrp2njrcWGxyJsZ75F3uKFIikXuRRQatezT4tXkdom4TLwI7V8E4mcTjelIRpMVmIDcLtuDRmi/6sv7Tq2I8uzRB2KugS5bvB1t3t0VPczCgoGol3Dm/NYYqCRkhyYyqWjNLIMzrhWQhLOu3wmjyShU6KDecLW7pwtdw0esgRT3ed2F0fvhe5YWRL7kB035RA/rCsi2qjEgU/a4nYtuV6LDTZBvsqZe0tca62GawexqwVyeGdebW6w4CMgYD3ZaUNV9CpVTidnKweID9nYSoHUEKsEAIVI6SuCiYYhm0CXl9rHdRGA9YmDXcJLjgvbMjkcBqOVzWzZW6Q70KwLdlpA1rtrM30tNW4Sw4NMqHM+g1xpXTJf3gTroBTukWnSlpef43n16Lq07j59Z3A8O0omYacFKm7smMBpppQ6zaSi1813EMcvo98qqGvZQtuSt76ZsiZRlddmcrEx5j0JijQ8xIAwf1+en7f6Tqaf72wDypIzOrFGPfJo+aYk8sGF716fbOrl6ERpMTVjqxCf2gW9SgFT276I5V6J7zLAggltmCiykt88Wfzwrhav18NOw1FPzumI4qg+0wFfpg/4BmCo3fUY0LRyA+zuZB3r3MYvlYolGhunZiSiESXoz9wEJM+l3VE+Mdha3ONaUrF/iEm2LnFgb0nEzM/pk8SuzXofBrE44CvxW46jy5fG6+6koFTBaifLmZGWiFSLUeQ5XMpYtqICAUTSWigz9RhKBeFNVIj091Knqkznpa9f1N6INODz4hduoJH7jViERdYIz1IfE8XWLJ1RXMHm1zE/cqX7CAIuj9GBSzP23XjpZDzpQ93Au+RkLBcamDRwCHKc0nGk0Rru6Jea48PYKF3DUq62SAcc46suKHA4+zho0EWEqI96CUhK4ll6jsfOUUQxjrt/h2ic80Eqic+R655dS2rOs5OsKXRILmGkPEFvKWrXmfT0o9TgKLNANBjCZxo+3zZ4Jjr7n7t0+zgKxgpq5wDj+fEANmU7jJ1VUNqvJfRdVmuj/brjhp86DgNJKq0IonImN9PKbY7KblhEyhRAjdA1jM+mqSaezSLiZ8ombDvd1XUYVs6aZD5VIiu4Q+f+SW/f170jdoz2icG/FPZz08pAYTEAuXM43/cVbiD1bW1qqgMCPvreUJPsag5j7+/RvO0Mey3QL3xc1XbnxE7SaOwCKl0ejyh6anzOYd/Ohk+/YHVybSDpG0NUghoj13poShvNwk3UtAeDLp+2qn2spA6jJlsx3XrRj7+/HUM+3bsWB7F87mySgcVEUZ+SIBscf/ZJ4GaMZg5sswLcu49hCzIUTfZzXWEFcLNAYs8VMFoWwlwh584AkMnXe8mfGL0GqYtyuWLlAkLk5VDqAJ6gaNQgBR7+K34o5oQ35/1wR0FHlv0nJ1w0kyhGNbVX6ANZzxQCgU+lXzUmlrGmAuQRwoffLAfW+wr6vXlve6XqdOj0ch/8QKxggngK9Acc79rBulcwbm85b4rkDLUqs3gcMNOjsDgXSPtchQ3F7+UBBu30jgv1D+1hAhc+xaGiRYhmtgWi3Nl6mpk1Q2sJvDCpEjKEac8mSS6vOAe2n4fgwICaOxfIuZbWL6OxBnKm+q65DIBM7mLoFMnrs58cBHxFwB2wlLtQvomqeZeNduwWtqW50TnDp7jxX+HE6PnX23F3ZfhNQYYKSpetbxoZBUIgxbJSvIj1nHNGEakJOkSelmPoQ8yZepU8tejs8iZ1SxyvOeATbAslJ7a5lpMO7riAN+X6xnp3JcgqRd9aMVvfTTh8XwzBmf9SFuV68ZOvD3hmCPoBvroExkYoKOoaiEBoLiA706bdH22bEC4UPaqmlnHPWTi7yiRAi3794jCDb+Nh3Ebd+XbXqMvACacdMQW7FTK/ytn14ypFWFwjX4WiJRsrpEgMdMTrsfYmcg2BwaJnWlaZsYMknwOJlE0bg5GU7ASL5g7+Ma+dknmN0nKKW8mK0c2CiI/AAhjK40EeJA5J8hqZaSZHay1gZYxT+TRb0vMvsu,iv:U1smwRB2mQSJHPeGSD8HFaon6ugk0JFPWtz41QdoGTs=,tag:TvetAkJqhGMIxm6+NcHCzg==,type:str]
+    SMTP_PASSWORD: ENC[AES256_GCM,data:zcQbkOhsrrsof84ZvRXHVS4=,iv:cchXKmCPH8wBi9kDHY0Dr47QfOohQa7rPbjMsnYLNdI=,tag:O+gDLjkGe5V8St+kYGc6pQ==,type:str]
+    identity_validation.reset_password.jwt.hmac.key: ENC[AES256_GCM,data:+eLVPSg8VIclVrT1trWdmHj1llhQVKHBYmQbrY3TnH8JAsssINoBPXoFOoT3m/YAktmvIFotrpi8k+cu0gkt9v1xf9FT3ppSPAspCujjvH5GNWWD+aVGxp0xHSwkQ3GDwG80ERezEYFcD/0FdhxPmeD52sh3heJnYdFluOAu95bD,iv:kIXe80T+Uh+NiqqH0n35XHZtoJ7lU3ifST/t34D6iKM=,tag:Bzs50EU0dUBieBOxtyvQ1Q==,type:str]
+    session.encryption.key: ENC[AES256_GCM,data:4M0piJnmrpWnzqFEzCWEIWZ3E88l78HZriEBJDvRr1JwNXz2evbHlg1kBf0dw7M9u/c0z68C91BMf3i+Ym5PNJezCv6otcUqFOvdn43uWOh7qvEBnxyyblDobxSMWkfei9V9z3qsCq46t7LDrrpSjD/ugATzaBrnG5b4YFyCFPI2,iv:S0sUiqeAipJstGmsUZNy4HW+v/Voy9atAAmaevvLHoo=,tag:BbuPrFN7ElV5qxWa5wmEfQ==,type:str]
+    storage.encryption.key: ENC[AES256_GCM,data:vUvA3FAT//CSu1fO0GSxYY8lDwbNQDB5RaSuLXboujUIN9wWKAJt+WH0pQ5fU4K3i2cZjJT/LouP6uDhdEPs7NFDRYHUs59CimB2tqBGzOLHbUMVNgUZRM61l+O8eSurx4TkiC4q5JSmQUrlg4+/58dLNNWBte6Niz8nfDaeDnUY,iv:xBUvaXHBC5ipIxP8XBshzHc8mCrWnqjPlPinN5E/Eh8=,tag:6I4+lqUD2HwYY8NsqfBMFQ==,type:str]
+    identity_providers.oidc.hmac.key: ENC[AES256_GCM,data:W4yp/fk6F/p90YuPH3GaQ5fBq19nDvdEbv6lUQcBbTajAnxMBqSph5JufGKG6gW1XU9ZpUAUiKr1r8nLPN5wvpM1Gu9VUG4ciLkcwmLpgl6lsnLPDHxxQ5xpdQ4YoZqFnffga14NxnVv4ALAOvUDbZFAB8kSbKGKfez2m+W7uQLC,iv:TBiQJhd9hgqVvQyO/gaZH4Vzg0+bKd6jc10dgHKwobY=,tag:2wZhbZo0/st2NBEbrN8zUg==,type:str]
+sops:
+    age:
+        - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMDVSbERpdkRLSy9TcnVG
+            VWdVRitPTGRhUzM3QXp2WTl2STVYU2lRa1I4CjVRcitJbzQxTFJ5c0pmcEJScDVo
+            Vk9FQ0Q5a20xT1RjcWM4T1A3enVpckEKLS0tIFkzbTMzOTFVaVR3T1daNTNLdzVk
+            ZzFsaDBkN1RKdG4yTlVUendQWFY1OFEKZZWj+gvQZ+578nqrYmpFivZeqPGV6Fu0
+            QnAHACCjYI/3D0sLWqM54XMYe98DfX0dFnqZTNZ85hohLNCnq1w5Uw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-02-18T20:09:04Z"
+    mac: ENC[AES256_GCM,data:NCIM5lGLDmIbl+R+rC0wA6Lp/irgWnhSqBhwnHtp1T8NUSK5GSJ162Cc8W3TOLMsVbKPzLfCOPi3ZNT9YKrutUj4h7VCLOlPIhXev81qx9J8iJImJyOM1Xry8gvRQ+XyZfi/ZbYxyR1X1fr8H8xQ+Rfc47bmgnIjhNR7F3vKRTY=,iv:OpmsIZb6gcOc5iJ6Q34RspBKE337cArfqeo48AfNTfY=,tag:3bDIp6rrIfXdTm87RcCekA==,type:str]
+    encrypted_regex: ^(data|stringData|email)$
+    version: 3.11.0

kubernetes/dev/infrastructure/ks.yaml

@@ -11,7 +11,13 @@ spec:
   sourceRef:
     kind: GitRepository
     name: flux-system
+  dependsOn:
+    - name: config
   decryption:
     provider: sops
     secretRef:
       name: sops-age
+  postBuild:
+    substituteFrom:
+    - kind: Secret
+      name: cluster-vars