Enable passkey login and improve WebAuthn configuration

2025-06-06 10:15:12 -04:00 · 2025-06-06 10:15:12 -04:00 · e70fed6ad8
parent 78cea66d39
commit e70fed6ad8
9 changed files with 785 additions and 136 deletions
--- a/.gitignore
+++ b/.gitignore
@ -27,3 +27,5 @@ logs/
 # Temporary files
 *.tmp
 *.temp 
 # OAuth and other secrets - never commit!
 secrets/
--- a/README.md
+++ b/README.md
@ -55,11 +55,16 @@ Generate production secrets (⚠️ **Use with extreme caution**):
 **CRITICAL**: This script will:
 - Invalidate all existing sessions and tokens
- Require updating all 10 secrets in Woodpecker CI vault
+- Require updating all 12 secrets in Woodpecker CI vault
 - Potentially require recreating database volumes
 - Cause service downtime until deployment completes
-### Required Secrets (10 total)
+### CI/CD Vault Management
 For comprehensive CI/CD vault setup and secret management:
 **📖 [CI/CD Vault Setup Guide](docs/CI_CD_VAULT_SETUP.md)**
 ### Required Secrets (12 total)
 #### Core Secrets (5)
 - `AUTHENTICATION_BACKEND_LDAP_PASSWORD` - LDAP authentication backend password
@ -73,9 +78,11 @@ Generate production secrets (⚠️ **Use with extreme caution**):
 - `IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY` - OIDC token signing private key (RSA)
 - `IDENTITY_PROVIDERS_OIDC_JWKS_KEY` - OIDC JWKS validation key (RSA)
-#### Client Secrets (2)
+#### Client Secrets (4)
 - `CLIENT_SECRET_HEADSCALE` - Headscale VPN OIDC client secret
 - `CLIENT_SECRET_HEADADMIN` - Headscale admin panel OIDC client secret
 - `CLIENT_SECRET_PORTAINER` - Portainer OAuth client secret
 - `CLIENT_SECRET_GITEA` - Gitea OAuth client secret
 ## 🧪 Testing
@ -128,8 +135,49 @@ Key environment variables for customization:
 - `X_AUTHELIA_EMAIL` - Notification email address
 - `TRAEFIK_DOMAIN` - Base domain for services
 ## 🔗 OAuth/OIDC Integration
 For advanced OAuth/OIDC setup with services like Portainer and Gitea, see the comprehensive guide:
 **📖 [OAuth Setup Guide](docs/OAUTH_SETUP.md)**
 This includes:
 - OAuth client configuration for Portainer and Gitea
 - Client secret generation and management
 - CI/CD vault setup instructions
 - Step-by-step authentication flow setup
 ### Quick OAuth Setup
 ```bash
 # Generate OAuth client secrets
 ./scripts/generate-oauth-secrets.sh
 # Follow the instructions to update your CI/CD vault
 # Then configure OAuth in your services
 ```
 ## 📱 Client Integration Examples
 ### OAuth Integration (Recommended)
 Use OAuth for better user experience and native service integration:
 ```yaml
 # Portainer with OAuth - no Traefik middleware needed
 labels:
  traefik.enable: "true"
  traefik.http.routers.portainer.rule: "Host(`portainer.nixc.us`)"
  # OAuth configured in Portainer admin panel
 ```
 ### Traefik Middleware Protection
 Use Authelia middleware for services without OAuth support:
 ```yaml
 labels:
  traefik.enable: "true"
  traefik.http.routers.myapp.rule: "Host(`myapp.nixc.us`)"
  traefik.http.routers.myapp.middlewares: "authelia_authelia@docker"
  traefik.http.services.myapp.loadbalancer.server.port: "8080"
 ```
 ### Headscale VPN Integration
 ```yaml
 labels:
@ -140,15 +188,6 @@ labels:
  traefik.http.services.headscale.loadbalancer.server.port: "8080"
 ```
 ### Protected Web Service
 ```yaml
 labels:
  traefik.enable: "true"
  traefik.http.routers.myapp.rule: "Host(`myapp.nixc.us`)"
  traefik.http.routers.myapp.middlewares: "authelia_authelia@docker"
  traefik.http.services.myapp.loadbalancer.server.port: "8080"
 ```
 ## 🔍 Monitoring & Troubleshooting
 ### Health Checks
@ -192,6 +231,17 @@ labels:
 - **Session Security**: Secure session management with Redis
 - **OIDC Standards**: Industry-standard OpenID Connect implementation
 ## 📖 Documentation
 For comprehensive guides and setup instructions:
 **📁 [Documentation Directory](docs/README.md)**
 Available guides:
 - **OAuth/OIDC Setup**: Complete OAuth integration guide
 - **CI/CD Vault Setup**: Secret management and vault configuration  
 - **Troubleshooting**: Common issues and solutions
 ## 📞 Support & Contributing
 ### Reporting Issues
--- a/docker/authelia/config/configuration.oidc.clients.yml
+++ b/docker/authelia/config/configuration.oidc.clients.yml
@ -43,3 +43,33 @@ identity_providers:
        redirect_uris:
          - https://headadmin.{{ env "TRAEFIK_DOMAIN" }}/oidc_callback
        userinfo_signed_response_alg: none
      - client_id: portainer
        client_name: Portainer
        client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }}
        public: false
        authorization_policy: one_factor
        consent_mode: implicit
        scopes:
          - openid
          - email
          - profile
          - groups
        redirect_uris:
          - https://portainer.{{ env "TRAEFIK_DOMAIN" }}/
        userinfo_signed_response_alg: none
      - client_id: gitea
        client_name: Gitea
        client_secret: {{ secret "/run/secrets/CLIENT_SECRET_GITEA" }}
        public: false
        authorization_policy: one_factor
        consent_mode: implicit
        scopes:
          - openid
          - email
          - profile
          - groups
        redirect_uris:
          - https://git.{{ env "TRAEFIK_DOMAIN" }}/user/oauth2/authelia/callback
        userinfo_signed_response_alg: none
--- a/docker/authelia/config/configuration.server.yml
+++ b/docker/authelia/config/configuration.server.yml
@ -19,10 +19,15 @@ totp:
 webauthn:
  disable: false
  enable_passkey_login: true
  display_name: Authelia
  attestation_conveyance_preference: indirect
  user_verification: preferred
  timeout: 60s
  selection_criteria:
    attachment: ""
    discoverability: preferred
    user_verification: preferred
 identity_validation:
  reset_password:
--- a/docs/CI_CD_VAULT_SETUP.md
+++ b/docs/CI_CD_VAULT_SETUP.md
@ -0,0 +1,187 @@
 # CI/CD Vault Setup & Secret Management
 This guide covers managing secrets in your Woodpecker CI vault for Authelia deployment.
 ## 🔑 Required Vault Secrets
 Your Woodpecker CI vault must contain **12 total secrets** for proper Authelia deployment:
 ### Core Secrets (5)
 | Variable Name | Description | Generation Method |
 |---------------|-------------|-------------------|
 | `AUTHENTICATION_BACKEND_LDAP_PASSWORD` | LDAP authentication password | `./generate-secrets.sh` |
 | `IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET` | Password reset JWT secret | `./generate-secrets.sh` |
 | `STORAGE_ENCRYPTION_KEY` | Database encryption key | `./generate-secrets.sh` |
 | `SESSION_SECRET` | Session encryption secret | `./generate-secrets.sh` |
 | `NOTIFIER_SMTP_PASSWORD` | SMTP email notifications | Manual configuration |
 ### OIDC Secrets (3)
 | Variable Name | Description | Generation Method |
 |---------------|-------------|-------------------|
 | `IDENTITY_PROVIDERS_OIDC_HMAC_SECRET` | OIDC HMAC signing secret | `./generate-secrets.sh` |
 | `IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY` | OIDC token signing private key (RSA) | `./generate-secrets.sh` |
 | `IDENTITY_PROVIDERS_OIDC_JWKS_KEY` | OIDC JWKS validation key (RSA) | `./generate-secrets.sh` |
 ### OAuth Client Secrets (4)
 | Variable Name | Description | Generation Method |
 |---------------|-------------|-------------------|
 | `CLIENT_SECRET_HEADSCALE` | Headscale VPN OIDC client | `./generate-secrets.sh` |
 | `CLIENT_SECRET_HEADADMIN` | Headscale admin OIDC client | `./generate-secrets.sh` |
 | `CLIENT_SECRET_PORTAINER` | Portainer OAuth client | `./scripts/generate-oauth-secrets.sh` |
 | `CLIENT_SECRET_GITEA` | Gitea OAuth client | `./scripts/generate-oauth-secrets.sh` |
 ## 🚀 Setup Process
 ### 1. Generate Core Secrets
 ```bash
 # Generate main Authelia secrets (10 secrets)
 ./generate-secrets.sh
 ```
 ### 2. Generate OAuth Client Secrets
 ```bash
 # Generate OAuth client secrets (2 additional secrets)
 ./scripts/generate-oauth-secrets.sh
 ```
 ### 3. Update CI/CD Vault
 #### Using Woodpecker Web Interface
 1. Go to your repository in Woodpecker CI
 2. Navigate to **Settings** → **Secrets**
 3. Add each secret with the exact variable name
 4. Copy values from generated secret files
 #### Using Woodpecker CLI
 ```bash
 # Install Woodpecker CLI if not already installed
 curl -L https://github.com/woodpecker-ci/woodpecker/releases/latest/download/woodpecker-cli_linux_amd64.tar.gz | tar zx
 sudo mv woodpecker-cli /usr/local/bin/
 # Configure CLI
 export WOODPECKER_SERVER=https://your-woodpecker-server.com
 export WOODPECKER_TOKEN=your-api-token
 # Update all secrets (example commands)
 woodpecker secret update --repository your-repo --name CLIENT_SECRET_PORTAINER --value "$(cat secrets/clients/portainer-secret.txt)"
 woodpecker secret update --repository your-repo --name CLIENT_SECRET_GITEA --value "$(cat secrets/clients/gitea-secret.txt)"
 ```
 ## 🔄 Secret Rotation
 ### Full Secret Rotation (Rare)
 ⚠️ **WARNING: This causes service downtime and invalidates all sessions**
 ```bash
 # Regenerate all secrets
 ./generate-secrets.sh
 # Update all 10 core secrets in CI vault
 # Deploy immediately to avoid extended downtime
 ```
 ### OAuth Client Secret Rotation (Safe)
 ```bash
 # Regenerate OAuth client secrets only
 ./scripts/generate-oauth-secrets.sh
 # Update CLIENT_SECRET_PORTAINER and CLIENT_SECRET_GITEA in vault
 # Deploy when convenient
 ```
 ## 🛡️ Security Best Practices
 ### Secret Storage
 - **Never commit** secrets to git (automatically gitignored)
 - **Use secure transmission** when copying to CI vault
 - **Delete local secret files** after updating vault (optional)
 - **Rotate secrets periodically** (recommended quarterly)
 ### Access Control
 - **Limit vault access** to deployment administrators only
 - **Use separate secrets** for development vs production
 - **Monitor secret access** in CI/CD logs
 - **Audit secret usage** regularly
 ### Backup and Recovery
 - **Document secret locations** in secure password manager
 - **Test recovery procedures** before emergencies
 - **Keep vault backups** according to your backup policy
 - **Plan for secret compromise** scenarios
 ## 🔍 Verification
 ### Check Secret Access
 ```bash
 # Verify secrets are accessible in deployment
 ssh macmini7 'docker service logs authelia_authelia | grep -i "secret\|error"'
 # Check for missing secrets
 ssh macmini7 'docker service logs authelia_authelia | grep -i "failed\|missing"'
 ```
 ### Test OAuth Integration
 ```bash
 # Test OAuth endpoint accessibility
 curl -s https://login.nixc.us/.well-known/openid_configuration | jq .
 # Verify client configurations
 ssh macmini7 'docker service logs authelia_authelia | grep -i "oidc\|oauth"'
 ```
 ## 🚨 Troubleshooting
 ### Common Issues
 #### Secret Not Found
 ```
 Error: secret not found: CLIENT_SECRET_PORTAINER
 ```
 **Solution**: Verify secret name exactly matches in CI vault
 #### Invalid Secret Format
 ```
 Error: failed to parse RSA private key
 ```
 **Solution**: Regenerate OIDC secrets with proper formatting
 #### Service Won't Start
 ```
 Error: configuration validation failed
 ```
 **Solution**: Check all 12 secrets are present in vault
 ### Emergency Recovery
 #### Lost Access to Vault
 1. **Contact CI/CD administrator** for vault access
 2. **Regenerate all secrets** with generation scripts  
 3. **Update vault immediately** with new values
 4. **Redeploy services** to use new secrets
 #### Compromised Secrets
 1. **Rotate affected secrets immediately**
 2. **Update CI/CD vault** with new values
 3. **Deploy new secrets** as soon as possible
 4. **Monitor for unauthorized access** in logs
 5. **Review access logs** for compromise timeline
 ## 📞 Support
 ### CI/CD Vault Issues
 - Check vault permissions and access rights
 - Verify secret names match exactly (case-sensitive)
 - Confirm vault backup and recovery procedures
 - Test secret retrieval in deployment pipeline
 ### Secret Generation Issues
 - Ensure OpenSSL is available for key generation
 - Check file permissions in secrets directory
 - Verify gitignore is properly configured
 - Confirm script execution permissions
 ### Deployment Issues
 - Monitor deployment logs for secret-related errors
 - Check Docker Swarm secret creation
 - Verify Authelia configuration template processing
 - Test service connectivity after deployment 
--- a/docs/OAUTH_SETUP.md
+++ b/docs/OAUTH_SETUP.md
@ -0,0 +1,204 @@
 # OAuth/OIDC Client Setup Guide
 This guide covers setting up OAuth/OIDC authentication for services like Portainer and Gitea using Authelia as the identity provider.
 ## 🔧 Overview
 Authelia provides OpenID Connect (OIDC) support, allowing services to authenticate users through OAuth flows instead of using Traefik middleware. This provides better integration and user experience.
 ## 🔑 Client Secrets Management
 ### Generate Client Secrets
 ```bash
 # Generate secrets for new OAuth clients
 ./scripts/generate-oauth-secrets.sh
 ```
 This script creates:
 - `secrets/oauth-secrets.env` - Environment variables for local testing
 - Individual secret files in `secrets/clients/` directory
 - All files are automatically gitignored
 ### Required CI/CD Vault Secrets
 Add these to your Woodpecker CI vault:
 #### Portainer OAuth
 - **Variable**: `CLIENT_SECRET_PORTAINER`
 - **Value**: Generated from `secrets/clients/portainer-secret.txt`
 #### Gitea OAuth  
 - **Variable**: `CLIENT_SECRET_GITEA`
 - **Value**: Generated from `secrets/clients/gitea-secret.txt`
 ## 📱 Client Configurations
 ### Portainer OAuth Setup
 #### 1. Authelia Configuration
 Already configured in `docker/authelia/config/configuration.oidc.clients.yml`:
 ```yaml
 - client_id: portainer
  client_name: Portainer
  client_secret: {{ secret "/run/secrets/CLIENT_SECRET_PORTAINER" }}
  public: false
  authorization_policy: one_factor
  consent_mode: implicit
  scopes:
    - openid
    - email
    - profile
    - groups
  redirect_uris:
    - https://portainer.{{ env "TRAEFIK_DOMAIN" }}/
  userinfo_signed_response_alg: none
 ```
 #### 2. Portainer OAuth Settings
 Configure in Portainer → Settings → Authentication:
 - **OAuth Provider**: Custom
 - **Client ID**: `portainer`
 - **Client Secret**: `<from CI vault>`
 - **Authorization URL**: `https://login.nixc.us/api/oidc/authorization`
 - **Token URL**: `https://login.nixc.us/api/oidc/token`
 - **User Info URL**: `https://login.nixc.us/api/oidc/userinfo`
 - **Scopes**: `openid email profile groups`
 - **Redirect URL**: `https://portainer.nixc.us/`
 #### 3. Remove Traefik Middleware (Optional)
 Once OAuth is working, remove middleware protection:
 ```yaml
 # Remove this line from Portainer service:
 # traefik.http.routers.portainer.middlewares: authelia_authelia
 ```
 ### Gitea OAuth Setup
 #### 1. Authelia Configuration
 Already configured in `docker/authelia/config/configuration.oidc.clients.yml`:
 ```yaml
 - client_id: gitea
  client_name: Gitea
  client_secret: {{ secret "/run/secrets/CLIENT_SECRET_GITEA" }}
  public: false
  authorization_policy: one_factor
  consent_mode: implicit
  scopes:
    - openid
    - email
    - profile
    - groups
  redirect_uris:
    - https://git.{{ env "TRAEFIK_DOMAIN" }}/user/oauth2/authelia/callback
  userinfo_signed_response_alg: none
 ```
 #### 2. Gitea OAuth Settings
 Configure in Gitea → Site Administration → Authentication Sources:
 - **Authentication Type**: OAuth2
 - **Authentication Name**: `Authelia`
 - **OAuth2 Provider**: OpenID Connect
 - **Client ID**: `gitea`
 - **Client Secret**: `<from CI vault>`
 - **OpenID Connect Auto Discovery URL**: `https://login.nixc.us/.well-known/openid_configuration`
 - **Icon URL**: `https://login.nixc.us/static/media/logo.png` (optional)
 ## 🔄 Deployment Process
 ### 1. Generate Secrets
 ```bash
 ./scripts/generate-oauth-secrets.sh
 ```
 ### 2. Update CI/CD Vault
 Add the generated secrets to your Woodpecker CI vault:
 - `CLIENT_SECRET_PORTAINER`
 - `CLIENT_SECRET_GITEA`
 ### 3. Deploy Authelia
 Push changes to trigger CI/CD deployment with new OAuth clients.
 ### 4. Configure Services
 Set up OAuth in each service's admin interface using the URLs and client IDs above.
 ## 🔍 Testing OAuth Flow
 ### Test Authentication Flow
 1. **Visit protected service** (e.g., `https://portainer.nixc.us`)
 2. **Click OAuth login** button
 3. **Redirect to Authelia** (`https://login.nixc.us`)
 4. **Authenticate** with your credentials
 5. **Redirect back** to service with authentication
 6. **Access granted** with user information
 ### Troubleshooting
 - **Check redirect URIs** match exactly (including trailing slashes)
 - **Verify client secrets** in CI vault match generated values
 - **Confirm Authelia** is accessible at `https://login.nixc.us`
 - **Check service logs** for OAuth-specific error messages
 ## 🛡️ Security Considerations
 ### Client Secrets
 - **Never commit** client secrets to git (automatically gitignored)
 - **Rotate secrets** periodically using the generation script
 - **Use secure transmission** when adding to CI vault
 ### Redirect URIs
 - **Exact matching** required - include/exclude trailing slashes consistently
 - **HTTPS only** in production
 - **Specific paths** rather than wildcards
 ### Scopes
 - **Minimal necessary** scopes for each client
 - **Groups scope** enables role-based access control
 - **Profile/email** scopes for user information
 ## 📋 Available Scopes
 - **`openid`**: Required for OIDC, provides user identifier
 - **`email`**: User's email address
 - **`profile`**: User's display name and profile information  
 - **`groups`**: User's group memberships for authorization
 ## 🔧 Advanced Configuration
 ### Custom Authorization Policies
 Create service-specific policies in `configuration.oidc.clients.yml`:
 ```yaml
 authorization_policies:
  portainer_admin:
    default_policy: deny
    rules:
      - policy: one_factor
        subject: group:portainer-admins
 ```
 ### Group-Based Access Control
 Map LDAP groups to service permissions:
 - **`portainer-admins`**: Full Portainer access
 - **`developers`**: Git repository access
 - **`users`**: Basic service access
 ## 📞 Support
 ### Common Issues
 1. **Redirect URI mismatch**: Check exact URL format
 2. **Client secret mismatch**: Regenerate and update vault
 3. **Scope errors**: Verify service supports requested scopes
 4. **Network issues**: Confirm Authelia accessibility
 ### Logs and Debugging
 ```bash
 # Check Authelia OIDC logs
 ssh macmini7 'docker service logs authelia_authelia | grep -i oidc'
 # Check service-specific OAuth logs
 ssh macmini7 'docker service logs <service_name> | grep -i oauth'
 ``` 
--- a/docs/README.md
+++ b/docs/README.md
@ -0,0 +1,89 @@
 # Documentation Index
 This directory contains comprehensive guides for Authelia deployment and configuration.
 ## 📚 Available Guides
 ### 🔧 Setup & Configuration
 - **[OAuth/OIDC Setup Guide](OAUTH_SETUP.md)** - Complete OAuth integration for Portainer, Gitea, and other services
 - **[CI/CD Vault Setup](CI_CD_VAULT_SETUP.md)** - Secret management and Woodpecker CI vault configuration
 ### 🚀 Getting Started
 1. **Initial Deployment**
   - Follow the main [README.md](../README.md) for basic setup
   - Generate core secrets with `./generate-secrets.sh`
   - Set up CI/CD vault using [CI/CD Vault Setup](CI_CD_VAULT_SETUP.md)
 2. **OAuth Integration** 
   - Generate OAuth client secrets with `./scripts/generate-oauth-secrets.sh`
   - Follow [OAuth Setup Guide](OAUTH_SETUP.md) for service configuration
   - Configure individual services (Portainer, Gitea) with OAuth
 3. **Production Deployment**
   - Commit changes to trigger CI/CD pipeline
   - Monitor deployment through Woodpecker CI
   - Verify service health and authentication flows
 ## 🔑 Quick Reference
 ### Essential Commands
 ```bash
 # Generate core Authelia secrets (10 secrets)
 ./generate-secrets.sh
 # Generate OAuth client secrets (2 additional secrets)  
 ./scripts/generate-oauth-secrets.sh
 # Run development environment
 docker compose -f docker-compose.dev.yml up -d
 # Run tests
 ./tests/precommit.sh
 ```
 ### Important URLs
 - **Authelia**: https://login.nixc.us
 - **Development**: http://localhost:9091
 - **Health Check**: https://login.nixc.us/api/health
 - **OIDC Discovery**: https://login.nixc.us/.well-known/openid_configuration
 ### Required Secrets (12 Total)
 - **Core Secrets (5)**: LDAP, JWT, encryption, session, SMTP
 - **OIDC Secrets (3)**: HMAC, private key, JWKS key  
 - **Client Secrets (4)**: Headscale (2), Portainer, Gitea
 ## 🔍 Troubleshooting
 ### Common Issues
 - **Service won't start**: Check secrets in CI vault
 - **OAuth fails**: Verify redirect URIs and client secrets
 - **Database errors**: Check MariaDB connectivity and initialization
 - **Health check fails**: Verify Authelia startup and port binding
 ### Useful Commands
 ```bash
 # Check service logs
 ssh macmini7 'docker service logs authelia_authelia --follow'
 # Verify secrets access
 ssh macmini7 'docker service logs authelia_authelia | grep -i secret'
 # Test OAuth endpoints
 curl -s https://login.nixc.us/.well-known/openid_configuration | jq .
 ```
 ## 📞 Support
 For issues not covered in these guides:
 1. Check service logs for specific error messages
 2. Verify all secrets are present in CI vault
 3. Confirm network connectivity between services
 4. Review Authelia configuration for syntax errors
 ## 🔄 Updates
 Keep documentation synchronized with code changes:
 - Update OAuth client configurations when adding new services
 - Refresh secret generation procedures when security requirements change
 - Document new troubleshooting steps as issues are resolved 
--- a/scripts/generate-oauth-secrets.sh
+++ b/scripts/generate-oauth-secrets.sh
@ -0,0 +1,205 @@
 #!/bin/sh
 # OAuth Client Secrets Generation Script
 # Generates secure client secrets for OAuth/OIDC integration
 set -e
 # Color codes for output
 RED='\033[0;31m'
 GREEN='\033[0;32m'
 YELLOW='\033[1;33m'
 BLUE='\033[0;34m'
 NC='\033[0m' # No Color
 # Script directory and workspace root
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
 WORKSPACE_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
 SECRETS_DIR="$WORKSPACE_ROOT/secrets"
 CLIENTS_DIR="$SECRETS_DIR/clients"
 print_header() {
    echo "${BLUE}================================${NC}"
    echo "${BLUE}  OAuth Client Secrets Generator${NC}"
    echo "${BLUE}================================${NC}"
    echo
 }
 print_warning() {
    echo "${YELLOW}⚠️  WARNING: This will generate new OAuth client secrets!${NC}"
    echo "${YELLOW}   - Any existing client secrets will be replaced${NC}"
    echo "${YELLOW}   - You must update your CI/CD vault with new secrets${NC}"
    echo "${YELLOW}   - Services using old secrets will fail authentication${NC}"
    echo
 }
 ensure_directories() {
    echo "${BLUE}Creating directories...${NC}"
    mkdir -p "$SECRETS_DIR"
    mkdir -p "$CLIENTS_DIR"
 }
 ensure_gitignore() {
    echo "${BLUE}Ensuring secrets are gitignored...${NC}"
    # Create .gitignore if it doesn't exist
    touch "$WORKSPACE_ROOT/.gitignore"
    # Check and add secrets directory to gitignore
    if ! grep -q "^secrets/" "$WORKSPACE_ROOT/.gitignore" 2>/dev/null; then
        echo "" >> "$WORKSPACE_ROOT/.gitignore"
        echo "# OAuth and other secrets - never commit!" >> "$WORKSPACE_ROOT/.gitignore"
        echo "secrets/" >> "$WORKSPACE_ROOT/.gitignore"
        echo "${GREEN}✅ Added secrets/ to .gitignore${NC}"
    else
        echo "${GREEN}✅ secrets/ already in .gitignore${NC}"
    fi
 }
 generate_secret() {
    # Generate a 64-character random string using available tools
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 48 | tr -d '\n'
    elif [ -r /dev/urandom ]; then
        dd if=/dev/urandom bs=48 count=1 2>/dev/null | base64 | tr -d '\n'
    else
        # Fallback for systems without openssl or /dev/urandom
        date +%s%N | sha256sum | head -c 64
    fi
 }
 generate_client_secret() {
    local client_name="$1"
    local file_name="$2"
    echo "${BLUE}Generating secret for $client_name...${NC}"
    local secret
    secret=$(generate_secret)
    # Write to individual file
    echo "$secret" > "$CLIENTS_DIR/$file_name"
    # Add to environment file
    local env_var_name
    env_var_name=$(echo "CLIENT_SECRET_$(echo "$client_name" | tr '[:lower:]' '[:upper:]')" | tr '-' '_')
    echo "${env_var_name}=$secret" >> "$SECRETS_DIR/oauth-secrets.env"
    echo "${GREEN}✅ Generated secret for $client_name${NC}"
    echo "   File: secrets/clients/$file_name"
    echo "   Env: $env_var_name"
    echo
 }
 create_vault_instructions() {
    echo "${BLUE}Creating CI/CD vault instructions...${NC}"
    cat > "$SECRETS_DIR/VAULT_SECRETS.md" << 'EOF'
 # CI/CD Vault Secrets
 Add these secrets to your Woodpecker CI vault:
 ## OAuth Client Secrets
 ### Portainer OAuth
 - **Variable Name**: `CLIENT_SECRET_PORTAINER`
 - **Secret File**: `secrets/clients/portainer-secret.txt`
 - **Value**: (copy content from the file above)
 ### Gitea OAuth
 - **Variable Name**: `CLIENT_SECRET_GITEA`
 - **Secret File**: `secrets/clients/gitea-secret.txt`
 - **Value**: (copy content from the file above)
 ## Important Notes
 1. **Never commit these files** - they are automatically gitignored
 2. **Copy the exact content** from each secret file to the CI vault
 3. **Update vault immediately** after generating new secrets
 4. **Services will fail** until vault is updated with new secrets
 ## Vault Update Commands
 If using Woodpecker CLI:
 ```bash
 # Update Portainer secret
 woodpecker secret update --repository your-repo --name CLIENT_SECRET_PORTAINER --value "$(cat secrets/clients/portainer-secret.txt)"
 # Update Gitea secret
 woodpecker secret update --repository your-repo --name CLIENT_SECRET_GITEA --value "$(cat secrets/clients/gitea-secret.txt)"
 ```
 ## Verification
 After updating the vault, check that services can access secrets:
 ```bash
 # Check deployment logs for secret access
 ssh macmini7 'docker service logs authelia_authelia | grep -i "secret"'
 ```
 EOF
    echo "${GREEN}✅ Created vault instructions: secrets/VAULT_SECRETS.md${NC}"
 }
 print_summary() {
    echo "${GREEN}================================${NC}"
    echo "${GREEN}  🎉 OAuth Secrets Generated!   ${NC}"
    echo "${GREEN}================================${NC}"
    echo
    echo "${YELLOW}📁 Generated Files:${NC}"
    echo "   • secrets/oauth-secrets.env"
    echo "   • secrets/clients/portainer-secret.txt"
    echo "   • secrets/clients/gitea-secret.txt"
    echo "   • secrets/VAULT_SECRETS.md"
    echo
    echo "${YELLOW}🔑 Required CI/CD Vault Updates:${NC}"
    echo "   • CLIENT_SECRET_PORTAINER"
    echo "   • CLIENT_SECRET_GITEA"
    echo
    echo "${RED}⚠️  NEXT STEPS:${NC}"
    echo "   1. Update your CI/CD vault with new secrets"
    echo "   2. Deploy Authelia to use new client configurations"
    echo "   3. Configure OAuth in Portainer and Gitea admin panels"
    echo "   4. Test authentication flows"
    echo
    echo "${BLUE}📖 Full setup guide: docs/OAUTH_SETUP.md${NC}"
 }
 # Main execution
 main() {
    print_header
    print_warning
    # Prompt for confirmation
    printf "${YELLOW}Continue? (y/N): ${NC}"
    read -r confirm
    case "$confirm" in
        [yY]|[yY][eE][sS])
            echo "${GREEN}Proceeding with secret generation...${NC}"
            echo
            ;;
        *)
            echo "${YELLOW}Cancelled by user.${NC}"
            exit 0
            ;;
    esac
    ensure_directories
    ensure_gitignore
    # Clear previous oauth-secrets.env
    > "$SECRETS_DIR/oauth-secrets.env"
    echo "# OAuth Client Secrets - Generated $(date)" >> "$SECRETS_DIR/oauth-secrets.env"
    echo "# NEVER COMMIT THIS FILE" >> "$SECRETS_DIR/oauth-secrets.env"
    echo "" >> "$SECRETS_DIR/oauth-secrets.env"
    # Generate client secrets
    generate_client_secret "portainer" "portainer-secret.txt"
    generate_client_secret "gitea" "gitea-secret.txt"
    create_vault_instructions
    print_summary
 }
 # Run main function
 main "$@" 
--- a/secrets.md.backup
+++ b/secrets.md.backup
@ -1,123 +0,0 @@
 # Authelia Production Secrets
 **DO NOT COMMIT THIS FILE TO VERSION CONTROL**
 ## Core Secrets
 ### AUTHENTICATION_BACKEND_LDAP_PASSWORD
 LDAP authentication backend password
 ```
 M3OPMiRaWrL2RKfbf89AkdGPXtvu0HO54JkjgHfS4aKX7uZFunoRRJe6QoizcZdl
 ```
 ### IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET
 JWT secret for password reset tokens
 ```
 zvVa7SFCU4QsBYyV/ofERdhqX3S072knmWHc+vIYVR0Jf/iWLfogpVnsCO0fe84d
 ```
 ### STORAGE_ENCRYPTION_KEY
 Database encryption key
 ```
 aghKiwANaIIiDu4hsn34gok273Jn/xLjfFEm2OLoqqnVs1EnriYI7igJXc6LdYZ+
 ```
 ### SESSION_SECRET
 Session encryption secret
 ```
 hYtbSIYvh/gH3jLlmk+qrokQehytAeLQrUIwVuyEXstA2FFXDizaZF2vbdlrHCc8
 ```
 ### NOTIFIER_SMTP_PASSWORD
 SMTP email notifications password
 ```
 8P7ah6U5ZjbQ2Faaw1fJoehxJrMOslCu
 ```
 ## OIDC Secrets
 ### IDENTITY_PROVIDERS_OIDC_HMAC_SECRET
 OIDC HMAC signing secret
 ```
 zrnMWj61QvLebBFWphAjOMwb8TIStT+FWZaP83Zn8oVP24s1t5UnJD0syL4kREQk
 ```
 ### IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY
 OIDC token signing private key
 ```
 -----BEGIN PRIVATE KEY-----
 MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCEhL7zgYaHoO28
 0ZRWcqNrvhQMkN+ikCeo3Gf/XQX1BYsduvMc8EghVcB1uIdMKw7qZ4+uuBzE1kGi
 qRYhsOyn5ARuKLO2SA0HuFJE3O4CK+P5jHBTP4XX64NLcGIu8HFW6a57M/R7CyZp
 +hMB1TVBH1qkogw0ON188dwGqz7feAdwZLAV4yoB3DCbYNwNOx0VAmwXljpcHGqx
 t4OTokHxUFqqzvAFOWAfPQ53pW/H9TV889XYME+/nf4/mfdU7mtrLBAtl1AEcuud
 HAcAyggyLGmOeOqeHjPZUs/aMDlngpLG7+KMubsSSh9AyIc3HKec696Gs7J0YyLB
 tJjq4vJJAgMBAAECggEADYRw6evTajBLL9B8/hhxfQMFjoaUmUN1GC9rWEwH2Id5
 Ok4gkFoeMXBK0ndBLc7Slax8pojXPmjQhyQSQtuGOFX08burITPWSGxP0ABtMsGB
 XqoppwQ6xdybJu3OxhT2qrPpfV2+WXK4t2Sv3ab+6KanG1YAQq9uQFl3ZSLAphC1
 temZektnU5KgcNlTJ9b3gQgyX4YaTsl4rNglN/gCtxleIOWhLyE5qHAedrKJW3lF
 cxtpm3+0ObKzZmPR6t8PgDwytYrcLUcVQAdE8RlPvyArES5y5cHHXtsIUEC2I7PH
 IY8nglYhJ9HtnW7XWQLJCWsIlZj4qEqrkLpR/Fm0xQKBgQC5XgyJ5UZCeq/hMMiv
 Q+pTNJj/k3j5gCa9f9wKCJmumtS+RFbucNQsnpmOhFEC1P4SyyPH/YrBeLtgWWKM
 gxIK1VpJSPpNSL50FnyfzjJxAy6eHqNNupBPR29dxwaY3lehFVRvb+0FZ753+ATl
 vc5BTf4xj//z7Ozd3jXlJ/Yk/wKBgQC3A3lfwDj4Q4IW/XaquzfsEuVKrJygwNsB
 eCKMHJU0q01rOEGf5i1WXRJKRLS8EMXaawLYA+DO5ya9QlhWw+JWRcuJenBLEQ3J
 x1IgJZm9sPeByGPpsz0f3TLcwMBg1f101xY4RedYCaDGhNTBww6Fs8Fx9zeLeOXA
 GxCdrZGAtwKBgCxepbOwLKQnB8hoS/Ef2Yv3EBRE8XUPRrafT0Ubj+Wqa/frFb/X
 RAI2KF1jsJxz7SkEdNkfCEKNKpTCcINfsEblkMnv7PHo0qWo6EW8Lni8oUD55m7p
 lDdVywNwa1TWC7WkDGTsLpjXn1DKDioLx7379Dda15JEiOIGmXHzochzAoGAQJi9
 UoqqkRZi6HJ2XDTQvEa/H+hlMGhh5Nbees3r7Dc6kEm/AA1im0Umm4g8stTIwRtc
 WZqk0uLLzamJPLbPQNxJxzCsShKu5zWvSyF6bnX0Jp7whSB6xrBwr3JpdMSTPZZd
 hWdHDM/5K5je77VFfvO/p9Y2iMgXcAMdjkohPWkCgYAl7IOXO8nFpR0Nn9nWtFca
 llWXYHT16aFtWWjVNQg0LcsouaLL0/yywjIfda9fYlCcqaTF5XCCDZacn7CYTvZx
 ty4l37GfJNcF7RvMpr8tUybnMk23u7jQ9xiWWuDSmKasNjdgNJmV8S4PfPK0NlLI
 9bnk3nH2w/bIQdtbh7cApQ==
 -----END PRIVATE KEY-----
 ```
 ### IDENTITY_PROVIDERS_OIDC_JWKS_KEY
 OIDC JWKS validation key
 ```
 -----BEGIN PRIVATE KEY-----
 MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCyyQ0Rjs59GkJ+
 flL1PoJfdFIeNvLZ8RNees300f5cT2KFmO/K5viuEpCp+JA/cO93EjqEUECblb41
 nXzCG89anwH+ifXqWcZMDZ24A3MCLBNFVgTGJwGw1adRgJ+xDNB1uslOJ/62L8d3
 Op1nm1/OXCrzVj/GJqyJDj6w5FpW6lGB5DzSQNKwUr9ngve7XQhwKI8OVHm8KjW9
 tG2DZEdt4Jjj/sxycNrJFt0+jk443IehIuGstGrPYFL+JRfmDB6cvrRVF3j54L2j
 qj6mk7ZMTh1AMN2AmSvIH100YqM1hj75prM/fYT+2hTse5CxzKY+SOSV2ekD5A0n
 J8o5maS9AgMBAAECggEAK7gSZArB38G+JOSLMMF6bBEry4uwUy8qh14MYyO+yZ/3
 /adqa/mTMi4EBixsSbc6N6nTeWuOgP1bKA085tKaIBTmDfJ6mjYd0Zc6zDa7tvpE
 NB5WyIXdWfrFEZ8cbdUuXLuyYlRRawfABR3mQ+Gwyeur7RlYOwJWCqXbGrKcjMgS
 lGnBT7U5BaJwvX+Hd9HaI/zWUBK8ZZ8rkcvTCE/bz/gutwWq1QCKyosgYMr9eaQQ
 8FeEaoAz7OikIwviXjIIcZZH8CrAQQDqMhG55+LRkacbdI6p9blpNNm2ORUPhFuN
 JEgTv5kDfldy3S3kvullNrxwNBD7I6oyMmO+Kk/XGQKBgQDwQDB3arxhDka3hTgl
 yvcBYaC0NUJK/uwHHt/QkTZyqgu7wTfHaEQnwnk4tqoB2zHjEhoc+EVntSdMbvyE
 pugPbr5rdDHpP9/crp8fFdmYTYxiXnlDiWWRg/2hI6kIMymuFg9xt0dwcnnbjLpE
 Hki1bvAsXOGBAqrbpooB2cuRrwKBgQC+gV6R6aIk2RolV1BU55d73Ixa0UJJ9Apw
 awU5jaf3dpzxmGd3HZvp9Y6MaUutkuY/qQAxth3z+SW+hXIpNa2FjayObB2PSIFS
 pQv0UFcOC6cp179bRvxp1COaODlrk1tcJTmFE1U+gaiA3SOi83QHTJ7c07U7bUhO
 mQaQRcRnUwKBgCDuO3Zy2+VVxp2rFfogKuE2l4d78V1EOefz9GurK9Jlunv+zP15
 LjZg8qqyZvUgLWNZfNjRsvm3G+7fG5+3HQHYhSNHZvv4tF+UU9036n50yrRFDMwU
 Dib295HZyHaGRMVG4tEMdS9VkZxlWraxi/fKgAMkrAg57F91IV+FkeCjAoGADFD2
 2T4ekn1KuHFNqz+Rxps6o8B1paxWZHA21UK4QkJz4Ra2UbgjVVvfzGoeT2l441K8
 xXn9s8E+1HNyLwHeZw0Cw+5vdsz8N2iePjxXdHwCYa0mHPOY7AqgBp9t7uuG840g
 i971GuZtC2/Alw9gR/yHJMW3KNFm5FX2W6t3CCsCgYEAigFe+tPNlzk6cZcLTPB+
 sX6eO2pkPlQgG1SQf4ymYs9FG1ATGtMm9u1oSZ52rgQVo74rGooZWKqtOHpcZ9no
 KpEIgjO+GoWjJ8ZA/qy33OzOCkRblGy7pUEoQxaIMG9snJcBQuEiQWU+gn0EvrRx
 jQ6d0U5snWDdVPexoihst/M=
 -----END PRIVATE KEY-----
 ```
 ## Client Secrets
 ### CLIENT_SECRET_HEADSCALE
 Headscale VPN OIDC client secret
 ```
 I7tiomn7akKaKF+xOj2W8JDudQQTd5CAj88nfngQbhgn4wRf9iwEinDSQnghCmCq
 ```
 ### CLIENT_SECRET_HEADADMIN
 Headscale admin panel OIDC client secret
 ```
 fEXUwuVB7JJL3sg7fasiNoPGA4XGWYUxbyuonX6CK7ABZw5H24HMfYmpAb3VR5J0
 ```