Bcrypt hashes contain $ signs which Portainer interpolates when storing
as env vars, truncating the values. Use {{ secret "file" }} template
syntax instead — hashes live in /srv/authelia/config/secrets/ on the
host, written via Python to avoid shell interpolation.
Only $-safe values (hex strings) remain as env vars.
expand-env double-processes substituted values so $ in bcrypt hashes
get re-expanded. Switch back to template filter with {{ env "VAR" }}
syntax which returns values as-is.
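
An added illustration for the two messages above, not part of the commit log or the repository: a simplified Python model of `$`-expansion. It shows a bcrypt-format string being destroyed when expanded directly or re-expanded after substitution, and a file write that keeps the value byte-for-byte. The `expand` function, the sample values and the `oidc_example` file name are assumptions constructed for this example; this is not Portainer's or Authelia's actual code.

```python
import os
import re
import tempfile

# Simplified shell-style expansion: ${NAME}, $NAME and single-digit $N.
# Assumption for illustration only; unset names expand to "".
_VAR = re.compile(r"\$(?:\{([^}]*)\}|([A-Za-z_][A-Za-z0-9_]*)|([0-9]))")


def expand(value, env):
    """Run one expansion pass over value using the mapping env."""
    def repl(m):
        name = m.group(1) or m.group(2) or m.group(3) or ""
        return env.get(name, "")
    return _VAR.sub(repl, value)


def is_dollar_safe(value):
    """True if the value survives any number of expansion passes unchanged."""
    return "$" not in value


def write_secret(directory, name, value):
    """Write value byte-for-byte to directory/name with owner-only permissions."""
    path = os.path.join(directory, name)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(value)
    return path


# Constructed sample values, not real credentials.
SAMPLE_BCRYPT = "$2b$12$" + "A" * 22 + "B" * 31
SAMPLE_HEX = "9f86d081884c7d659a2feaa0c55ad015"

if __name__ == "__main__":
    print("direct:       ", repr(expand(SAMPLE_BCRYPT, {})))
    once = expand("${HASH}", {"HASH": SAMPLE_BCRYPT})
    print("one pass:     ", once == SAMPLE_BCRYPT)
    print("second pass:  ", repr(expand(once, {})))
    print("hex unchanged:", expand(SAMPLE_HEX, {}) == SAMPLE_HEX)
    with tempfile.TemporaryDirectory() as d:
        p = write_secret(d, "oidc_example", SAMPLE_BCRYPT)
        with open(p) as fh:
            print("file intact:  ", fh.read() == SAMPLE_BCRYPT)
```
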
- Switch X_AUTHELIA_CONFIG_FILTERS from template to expand-env so ${VAR}
syntax in config files is actually substituted
- Add missing env var pass-throughs for OIDC HMAC secret and client secrets
- Update git config client_secret fields to use ${VAR} syntax (matching host)
- Update .env.example to document all required Portainer env vars
Model weights (~193MB each, darknet + onnx) are stored at
/srv/obico/config/model_cache/ and mounted at /model_cache in the
container since they are not baked into the imagegenius image.
imagegenius monolithic image with NVIDIA GPU (GTX 1660 SUPER) via cuda tag.
Includes internal Redis, npm-network for reverse proxy, DJANGO_SECRET_KEY
as env var placeholder for Portainer.
- Switch from unsupported ${VAR} substitution to {{ secret "..." }} template syntax
- Enable X_AUTHELIA_CONFIG_FILTERS=template in compose
- Client secrets now loaded from /config/secrets/oidc_* files on host
- Use PBKDF2-SHA512 hashes (not bcrypt, not plaintext)
- Add open-webui OIDC client to Authelia config
- Configure open-webui with OIDC env vars pointing to Authelia
- Secret managed via AUTHELIA_OIDC_CLIENT_SECRET_OPEN_WEBUI env var in Portainer
- openclaw: expose BRAVE_API_KEY env var for web search tool
- uptime-kuma: prefer username/password auth (API key token auth unreliable)
- uptime-kuma: add TCP monitor type support to manage_monitors.py
- linkding: add OIDC env vars pointing to Authelia as identity provider
- authelia/config: fix issuer_private_keys → jwks (correct key for 4.38.x)
and replace non-functional template function with host-managed note
streamlit-predict was removed in newer ultralytics; yolo solutions inference
is the current equivalent. Installs streamlit on startup via pip cache volume.
- Add Dockerfile using node:22-bookworm-slim + npm install -g openclaw@latest
- Update docker-compose.yml: use local build, add OLLAMA_API_KEY=ollama-local,
remove legacy OPENCLAW_AGENT_PROVIDER/MODEL/OLLAMA_BASE_URL env vars
- Add setup.sh to create openclaw.json with explicit Ollama provider config
Key fixes vs previous attempt:
- Config file is openclaw.json (not config.json or auth-profiles.json)
- models.providers.ollama needs baseUrl with /v1 suffix + explicit model list
- OLLAMA_API_KEY env var is required to opt in to Ollama support
- reasoning:false on models prevents 400 errors from Ollama
Replace Docker CIFS named volumes with bind mounts to /mnt/nas_backup,
which is managed by a systemd automount unit. This handles drive spin-down
reconnection independently of Docker container lifecycle.