Persist Gitea config and skip install wizard

Add gitea_config volume for /etc/gitea so app.ini survives restarts. Set INSTALL_LOCK=true to skip the setup wizard since all config is provided via environment variables. Made-with: Cursor
Fix security settings links and enable 2FA for customer stacks
2026-03-03 18:32:29 -05:00 · 2026-03-03 18:26:20 -05:00 · 2026-03-03 18:21:50 -05:00
3 changed files with 27 additions and 2 deletions
--- a/docker/ss-atlas/templates/pages/dashboard.html
+++ b/docker/ss-atlas/templates/pages/dashboard.html
@ -115,6 +115,16 @@
    .btn-warning:hover { background: rgba(234,179,8,0.22); color: #eab308; }
    .btn-sm { padding: 0.45rem 0.9rem; font-size: 0.82rem; }
    .divider { border: none; border-top: 1px solid var(--border); margin: 1rem 0; }
+    .security-notice {
+      background: rgba(234, 179, 8, 0.08);
+      border: 1px solid rgba(234, 179, 8, 0.25);
+      border-radius: 8px;
+      padding: 0.85rem 1.1rem;
+      font-size: 0.88rem;
+      line-height: 1.55;
+      color: var(--muted);
+    }
+    .security-notice strong { color: #eab308; }
    .version-badge {
      position: fixed;
      bottom: 0.75rem;
@ -222,12 +232,23 @@
          {{end}}
        </form>
        {{end}}
-        <a href="{{.AutheliaURL}}" class="btn btn-outline">Account Settings</a>
      </div>
      <p style="color: var(--muted); font-size: 0.8rem; margin-top: 1rem;">
        No refunds for the current billing period. Access continues until the end of your paid month.
      </p>
    </div>
+    <div class="card">
+      <h2>Account Security</h2>
+      <div class="security-notice">
+        <strong>We strongly recommend enabling two-factor authentication.</strong>
+        Accounts involved in system abuse will be removed. Passkeys and TOTP are the
+        best way to ensure your account is never compromised and used without your knowledge.
+      </div>
+      <div class="actions">
+        <a href="{{.AutheliaURL}}/settings/two-factor-authentication" class="btn btn-outline btn-sm">Set Up Passkey / TOTP</a>
+        <a href="{{.AutheliaURL}}/settings/security" class="btn btn-outline btn-sm">Change Password</a>
+      </div>
+    </div>
    {{else}}
    <div class="card">
      <div class="empty-state">
--- a/docker/ss-atlas/templates/stack-template.yml
+++ b/docker/ss-atlas/templates/stack-template.yml
@ -35,8 +35,10 @@ services:
      GITEA__server__DOMAIN: "{{.Subdomain}}.{{.Domain}}"
      GITEA__server__ROOT_URL: "https://{{.Subdomain}}.{{.Domain}}"
      GITEA__server__HTTP_PORT: "3000"
+      GITEA__security__INSTALL_LOCK: "true"
    volumes:
      - gitea_data:/var/lib/gitea
+      - gitea_config:/etc/gitea
    networks:
      - traefik_net
      - backend
@ -78,5 +80,7 @@ networks:
 volumes:
  gitea_data:
    driver: local
+  gitea_config:
+    driver: local
  db_data:
    driver: local
--- a/stack.yml
+++ b/stack.yml
@ -77,7 +77,7 @@ services:
        echo "$${CLIENT_SECRET_HEADADMIN}" > /run/secrets/CLIENT_SECRET_HEADADMIN
        echo "$${CLIENT_SECRET_PORTAINER}" > /run/secrets/CLIENT_SECRET_PORTAINER
        echo "$${CLIENT_SECRET_GITEA}" > /run/secrets/CLIENT_SECRET_GITEA
-        { echo 'access_control:'; echo '  default_policy: deny'; echo '  rules:'; echo '    - domain: login.bc.a250.ca'; echo '      policy: bypass'; echo '    - domain: app.bc.a250.ca'; echo '      policy: bypass'; echo '      resources:'; echo "        - '^/$$'"; echo "        - '^/subscribe$$'"; echo "        - '^/success(\\?.*)?$$'"; echo "        - '^/webhook/stripe$$'"; echo "        - '^/resend-reset$$'"; echo "        - '^/health$$'"; echo "        - '^/version$$'"; echo '    - domain: app.bc.a250.ca'; echo '      policy: one_factor'; echo '      resources:'; echo "        - '^/dashboard$$'"; echo "        - '^/activate$$'"; echo "        - '^/portal$$'"; echo "        - '^/resubscribe$$'"; echo "        - '^/stack-manage$$'"; echo '    - domain:'; echo '        - lldap.bc.a250.ca'; echo '        - whoami.bc.a250.ca'; echo '      policy: bypass'; echo '    - domain: "{user}.bc.a250.ca"'; echo '      policy: one_factor'; echo '    - domain: "*.bc.a250.ca"'; echo '      policy: deny'; } > /config/configuration.acl.yml
+        { echo 'access_control:'; echo '  default_policy: deny'; echo '  rules:'; echo '    - domain: login.bc.a250.ca'; echo '      policy: bypass'; echo '    - domain: app.bc.a250.ca'; echo '      policy: bypass'; echo '      resources:'; echo "        - '^/$$'"; echo "        - '^/subscribe$$'"; echo "        - '^/success(\\?.*)?$$'"; echo "        - '^/webhook/stripe$$'"; echo "        - '^/resend-reset$$'"; echo "        - '^/health$$'"; echo "        - '^/version$$'"; echo '    - domain: app.bc.a250.ca'; echo '      policy: one_factor'; echo '      resources:'; echo "        - '^/dashboard$$'"; echo "        - '^/activate$$'"; echo "        - '^/portal$$'"; echo "        - '^/resubscribe$$'"; echo "        - '^/stack-manage$$'"; echo '    - domain:'; echo '        - lldap.bc.a250.ca'; echo '        - whoami.bc.a250.ca'; echo '      policy: bypass'; echo '    - domain: "{user}.bc.a250.ca"'; echo '      policy: two_factor'; echo '    - domain: "*.bc.a250.ca"'; echo '      policy: deny'; } > /config/configuration.acl.yml
        exec authelia --config=/config/configuration.server.yml --config=/config/configuration.ldap.yml --config=/config/configuration.acl.yml --config=/config/configuration.notifier.yml --config=/config/configuration.identity.providers.yml --config=/config/configuration.oidc.clients.yml
    environment:
      X_AUTHELIA_EMAIL: authelia@a250.ca