Persist Gitea config and skip install wizard

Add gitea_config volume for /etc/gitea so app.ini survives restarts.
Set INSTALL_LOCK=true to skip the setup wizard since all config is
provided via environment variables.

Made-with: Cursor

docker/ss-atlas/templates/pages/dashboard.html

@@ -115,6 +115,16 @@
     .btn-warning:hover { background: rgba(234,179,8,0.22); color: #eab308; }
     .btn-sm { padding: 0.45rem 0.9rem; font-size: 0.82rem; }
     .divider { border: none; border-top: 1px solid var(--border); margin: 1rem 0; }
+    .security-notice {
+      background: rgba(234, 179, 8, 0.08);
+      border: 1px solid rgba(234, 179, 8, 0.25);
+      border-radius: 8px;
+      padding: 0.85rem 1.1rem;
+      font-size: 0.88rem;
+      line-height: 1.55;
+      color: var(--muted);
+    }
+    .security-notice strong { color: #eab308; }
     .version-badge {
       position: fixed;
       bottom: 0.75rem;
@@ -222,12 +232,23 @@
           {{end}}
         </form>
         {{end}}
-        <a href="{{.AutheliaURL}}" class="btn btn-outline">Account Settings</a>
       </div>
       <p style="color: var(--muted); font-size: 0.8rem; margin-top: 1rem;">
         No refunds for the current billing period. Access continues until the end of your paid month.
       </p>
     </div>
+    <div class="card">
+      <h2>Account Security</h2>
+      <div class="security-notice">
+        <strong>We strongly recommend enabling two-factor authentication.</strong>
+        Accounts involved in system abuse will be removed. Passkeys and TOTP are the
+        best way to ensure your account is never compromised and used without your knowledge.
+      </div>
+      <div class="actions">
+        <a href="{{.AutheliaURL}}/settings/two-factor-authentication" class="btn btn-outline btn-sm">Set Up Passkey / TOTP</a>
+        <a href="{{.AutheliaURL}}/settings/security" class="btn btn-outline btn-sm">Change Password</a>
+      </div>
+    </div>
     {{else}}
     <div class="card">
       <div class="empty-state">

docker/ss-atlas/templates/stack-template.yml

@@ -35,8 +35,10 @@ services:
       GITEA__server__DOMAIN: "{{.Subdomain}}.{{.Domain}}"
       GITEA__server__ROOT_URL: "https://{{.Subdomain}}.{{.Domain}}"
       GITEA__server__HTTP_PORT: "3000"
+      GITEA__security__INSTALL_LOCK: "true"
     volumes:
       - gitea_data:/var/lib/gitea
+      - gitea_config:/etc/gitea
     networks:
       - traefik_net
       - backend
@@ -78,5 +80,7 @@ networks:
 volumes:
   gitea_data:
     driver: local
+  gitea_config:
+    driver: local
   db_data:
     driver: local

stack.yml

@@ -77,7 +77,7 @@ services:
         echo "$${CLIENT_SECRET_HEADADMIN}" > /run/secrets/CLIENT_SECRET_HEADADMIN
         echo "$${CLIENT_SECRET_PORTAINER}" > /run/secrets/CLIENT_SECRET_PORTAINER
         echo "$${CLIENT_SECRET_GITEA}" > /run/secrets/CLIENT_SECRET_GITEA
-        { echo 'access_control:'; echo '  default_policy: deny'; echo '  rules:'; echo '    - domain: login.bc.a250.ca'; echo '      policy: bypass'; echo '    - domain: app.bc.a250.ca'; echo '      policy: bypass'; echo '      resources:'; echo "        - '^/$$'"; echo "        - '^/subscribe$$'"; echo "        - '^/success(\\?.*)?$$'"; echo "        - '^/webhook/stripe$$'"; echo "        - '^/resend-reset$$'"; echo "        - '^/health$$'"; echo "        - '^/version$$'"; echo '    - domain: app.bc.a250.ca'; echo '      policy: one_factor'; echo '      resources:'; echo "        - '^/dashboard$$'"; echo "        - '^/activate$$'"; echo "        - '^/portal$$'"; echo "        - '^/resubscribe$$'"; echo "        - '^/stack-manage$$'"; echo '    - domain:'; echo '        - lldap.bc.a250.ca'; echo '        - whoami.bc.a250.ca'; echo '      policy: bypass'; echo '    - domain: "{user}.bc.a250.ca"'; echo '      policy: one_factor'; echo '    - domain: "*.bc.a250.ca"'; echo '      policy: deny'; } > /config/configuration.acl.yml
+        { echo 'access_control:'; echo '  default_policy: deny'; echo '  rules:'; echo '    - domain: login.bc.a250.ca'; echo '      policy: bypass'; echo '    - domain: app.bc.a250.ca'; echo '      policy: bypass'; echo '      resources:'; echo "        - '^/$$'"; echo "        - '^/subscribe$$'"; echo "        - '^/success(\\?.*)?$$'"; echo "        - '^/webhook/stripe$$'"; echo "        - '^/resend-reset$$'"; echo "        - '^/health$$'"; echo "        - '^/version$$'"; echo '    - domain: app.bc.a250.ca'; echo '      policy: one_factor'; echo '      resources:'; echo "        - '^/dashboard$$'"; echo "        - '^/activate$$'"; echo "        - '^/portal$$'"; echo "        - '^/resubscribe$$'"; echo "        - '^/stack-manage$$'"; echo '    - domain:'; echo '        - lldap.bc.a250.ca'; echo '        - whoami.bc.a250.ca'; echo '      policy: bypass'; echo '    - domain: "{user}.bc.a250.ca"'; echo '      policy: two_factor'; echo '    - domain: "*.bc.a250.ca"'; echo '      policy: deny'; } > /config/configuration.acl.yml
         exec authelia --config=/config/configuration.server.yml --config=/config/configuration.ldap.yml --config=/config/configuration.acl.yml --config=/config/configuration.notifier.yml --config=/config/configuration.identity.providers.yml --config=/config/configuration.oidc.clients.yml
     environment:
       X_AUTHELIA_EMAIL: authelia@a250.ca