Add Authelia SSO, remove authentik, restrict ultralytics port

- Add authelia/ stack: Authelia 4.38 + Redis 7-alpine on isolated
  authelia-internal bridge; Authelia also on npm-network for NPM
  forward-auth. Secrets via env vars (not committed).
- Add authelia/config/configuration.yaml: file-based users, SQLite
  storage, one_factor policy for *.kolpacksoftware.com
- Add **/users_database.yaml to .gitignore (host-only secret)
- Remove authentik/ (non-functional leftover)
- ultralytics: bind port 8501 to 127.0.0.1 only (auth enforced via NPM)

.gitignore

@@ -1,2 +1,3 @@
 .credentials
 **/.env
+**/users_database.yaml

authelia/.env.example

@@ -0,0 +1,6 @@
+# Authelia secrets — generate values with:
+#   openssl rand -hex 32   (for JWT and session secrets)
+#   openssl rand -hex 16   (for storage encryption key)
+AUTHELIA_JWT_SECRET=
+AUTHELIA_SESSION_SECRET=
+AUTHELIA_STORAGE_ENCRYPTION_KEY=

authelia/config/configuration.yaml

@@ -0,0 +1,50 @@
+server:
+  address: 0.0.0.0:9091
+
+log:
+  level: info
+
+totp:
+  issuer: kolpacksoftware.com
+
+webauthn:
+  disable: true
+
+authentication_backend:
+  file:
+    path: /config/users_database.yaml
+    password:
+      algorithm: argon2id
+
+access_control:
+  default_policy: deny
+  rules:
+    - domain: auth.kolpacksoftware.com
+      policy: bypass
+    - domain: "*.kolpacksoftware.com"
+      policy: one_factor
+
+session:
+  cookies:
+    - domain: kolpacksoftware.com
+      authelia_url: https://auth.kolpacksoftware.com
+      default_redirection_url: https://auth.kolpacksoftware.com
+      name: authelia_session
+      expiration: 1h
+      inactivity: 5m
+  redis:
+    host: authelia-redis
+    port: 6379
+
+storage:
+  local:
+    path: /config/db.sqlite3
+
+notifier:
+  filesystem:
+    filename: /config/notifications.txt
+
+regulation:
+  max_retries: 3
+  find_time: 2m
+  ban_time: 5m

authelia/docker-compose.yml

@@ -0,0 +1,33 @@
+services:
+  authelia:
+    container_name: authelia
+    image: authelia/authelia:4.38
+    restart: unless-stopped
+    volumes:
+      - /srv/authelia/config:/config
+    environment:
+      - TZ=America/New_York
+      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
+      - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
+      - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
+    networks:
+      - npm-network
+      - authelia-internal
+    depends_on:
+      - authelia-redis
+
+  authelia-redis:
+    container_name: authelia-redis
+    image: redis:7-alpine
+    restart: unless-stopped
+    command: --save 60 1 --loglevel warning
+    volumes:
+      - /srv/authelia/redis:/data
+    networks:
+      - authelia-internal
+
+networks:
+  npm-network:
+    external: true
+  authelia-internal:
+    driver: bridge

authentik/docker-compose.yml

@@ -1,95 +0,0 @@
-networks:
-  default:
-    external:
-      name: nginx-network
-
-
-services:
-  postgresql:
-    environment:
-      POSTGRES_DB: ${PG_DB:-authentik}
-      POSTGRES_PASSWORD: ${PG_PASS:?database password required}
-      POSTGRES_USER: ${PG_USER:-authentik}
-    healthcheck:
-      interval: 30s
-      retries: 5
-      start_period: 20s
-      test:
-      - CMD-SHELL
-      - pg_isready -d $${POSTGRES_DB} -U $${POSTGRES_USER}
-      timeout: 5s
-    image: docker.io/library/postgres:16-alpine
-    restart: unless-stopped
-    volumes:
-    - database:/var/lib/postgresql/data
-  redis:
-    command: --save 60 1 --loglevel warning
-    healthcheck:
-      interval: 30s
-      retries: 5
-      start_period: 20s
-      test:
-      - CMD-SHELL
-      - redis-cli ping | grep PONG
-      timeout: 3s
-    image: docker.io/library/redis:alpine
-    restart: unless-stopped
-    volumes:
-    - redis:/data
-  server:
-    command: server
-    depends_on:
-      postgresql:
-        condition: service_healthy
-      redis:
-        condition: service_healthy
-    environment:
-      AUTHENTIK_POSTGRESQL__HOST: postgresql
-      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
-      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
-      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
-      AUTHENTIK_REDIS__HOST: redis
-      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.3}
-    ports:
-    - ${COMPOSE_PORT_HTTP:-9000}:9000
-    - ${COMPOSE_PORT_HTTPS:-9443}:9443
-    restart: unless-stopped
-    volumes:
-    - ./media:/media
-    - ./custom-templates:/templates
-  worker:
-    command: worker
-    depends_on:
-      postgresql:
-        condition: service_healthy
-      redis:
-        condition: service_healthy
-    environment:
-      AUTHENTIK_POSTGRESQL__HOST: postgresql
-      AUTHENTIK_POSTGRESQL__NAME: ${PG_DB:-authentik}
-      AUTHENTIK_POSTGRESQL__PASSWORD: ${PG_PASS}
-      AUTHENTIK_POSTGRESQL__USER: ${PG_USER:-authentik}
-      AUTHENTIK_REDIS__HOST: redis
-      AUTHENTIK_SECRET_KEY: ${AUTHENTIK_SECRET_KEY:?secret key required}
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.3}
-    restart: unless-stopped
-    user: root
-    volumes:
-    - /var/run/docker.sock:/var/run/docker.sock
-    - ./media:/media
-    - ./certs:/certs
-    - ./custom-templates:/templates
-volumes:
-  database:
-    driver: local
-    driver_opts:
-      type: 'none'
-      o: 'bind'
-      device: '/srv/authentik/database'
-  redis:
-    driver: local
-    driver_opts:
-      type: 'none'
-      o: 'bind'
-      device: '/srv/authentik/redis'

ultralytics/docker-compose.yml

@@ -13,7 +13,7 @@ services:
         --server.headless true --server.address 0.0.0.0 --server.port 8501
         -- /data/models/yolo11x_leaf.pt
     ports:
-      - "8501:8501"
+      - "127.0.0.1:8501:8501"
     volumes:
       - /srv/ultralytics/data:/data
       - /srv/ultralytics/runs:/root/runs