From 08eb8255a8d8c38eda8ef31e04da55e71d8f73bf Mon Sep 17 00:00:00 2001
From: Davide Piu
Date: Thu, 19 Feb 2026 23:24:26 +0000
Subject: [PATCH] sec: new Authelia password + enforce 2FA for all services

- Generate new unique password for Authelia (not shared with Gitea)
- Change access_control default_policy to two_factor
- Re-encrypt authelia-users secret with SOPS
---
 clusters/lab/secrets/authelia-users.enc.yaml | 18 +++++++++---------
 clusters/lab/security/authelia.yaml | 2 +-
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/clusters/lab/secrets/authelia-users.enc.yaml b/clusters/lab/secrets/authelia-users.enc.yaml
index 6b02fca..94c6932 100644
--- a/clusters/lab/secrets/authelia-users.enc.yaml
+++ b/clusters/lab/secrets/authelia-users.enc.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 data:
- users_database.yml: ENC[AES256_GCM,data:gS+TAE7aIpygr0A4z9TPBsXpACqxBw6uBbmv91UBn2+tsX5xINnCyNo56Cy0gHC66u1zZIqiOalLBwnwDOphc1SnEXX+RuYjzNLhpre0+i4F5GCCfz9I+pdjsPlojfYUpYw4jRX7haR09XCEtJBXwFUiJ3MXYkqSshSkFNIn+Ax6G5R34Q8h8lSuvrGf/f4yXtmBKI/6bS1wf241xemBXlFqIU0Ddt2nv8Milpz863Bn7h6j9pE8d4nnb9qJmrVXPS4TUrcmYO8zu0IvGZPq7xS01nl7573b1ZqU+SFqUFiFoWwjJzZUcqfbhoORQm7px1pGy2WPJIbkUtIgoSpggxOzVU6V4UVQ3sfpg68Q9bv9q+PJvTa7HTyawJuYumZMY9oBJIFo4fN7WzZvstlDURN8Uaw=,iv:F7Bl2WU0FDLYHQ2iMyRKnkUPFMy9yx9PcBhEpPgqO8I=,tag:w5WBC1EktgpuNVjt7oe9NA==,type:str]
+ users_database.yml: ENC[AES256_GCM,data:YqAEnHxRZog7Ok5GeF32rCG57LrHwdlDDfI4mcdXL4W9nq0QQY+lfRv2weXh3vpCzi2c0Ibtp0Rj1QdOhZiD4hESDoJ+oeC+jpkU3OeyPlaPDYxs6pyGofbwAU9wakFg+gIx5hpfOSB+aaKS8T2JF7Br3s3bsp3S9ta6tJ4gieDJ1L6HYpeDOphfENd9FIabANWYCnB/s1v0Qh561RIQmXKUROMu8EkxyDtZ8iI4uzuNlpcaAhN8SHMUu03XJ5qPKv1x1CCh16OrjrUh3/rzD1ckC/ruRrK841NxsS2oJU8Z346emMl20PzFD/N3QdTGsD7OgiRLIv4FtkNFkAjWiEkT77WuEYSTdqrZX3fydXULyyX3tk8Xt8yJZYENI8B/hM34mak2hHdL97XZ240zPB6T5ho=,iv:KUyzBpaCO30zf49xtPK2DEhEdVXXaTAjQv4UBlI6MnM=,tag:XSO+uEprozm/7oz82MSlcA==,type:str]
 kind: Secret
 metadata:
 annotations:
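Review bot: The same `users_database.yml` key is kept under both `data:` (this hunk) and `stringData:` (the hunk at `@@ -11,7 +11,7 @@`), and both ciphertexts were rotated here; Kubernetes uses the `stringData` value when a key is present in both, so the `data:` copy is redundant and a future rotation that updates only one of the two could leave the old password in effect without any error. Keep a single copy — the `stringData:` entry is the one that takes effect — or, if both must stay for tooling reasons, mark the dependency with a comment above `data:` such as `# duplicate of stringData.users_database.yml below; stringData wins, rotate both together`. The `encrypted_regex: ^(data|stringData)$` in the sops metadata covers both keys, so the duplication is not a plaintext leak, only a consistency risk. The `metadata:` mapping continues outside the hunk, so the annotations it carries cannot be checked from here.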
@@ -11,7 +11,7 @@ metadata:
 name: authelia-users
 namespace: authelia
 stringData:
- users_database.yml: ENC[AES256_GCM,data:JQD2vou4gwHEWuRtavX+H6EnCc7U4lzZImHGAG3PclGi81pIrZ0RdLV86s3WPGVt6XAtyPpdma0EBc0j53me1IIBxfyx74GXQPObTPcEuP+GIlaJzFBaZTzJbPeNCzPdfE8qNEslF9ot3ir6EI6fYLCZgPYHGiNCxRJUVDThVtwh1TBglGxviKzfW6CpEzx8ZykamN2pyvyHZN+pV3+5LCALNK9OlS1Fqt0gAyXEX+dTgXLPl3QYc4LSSDgfkTsifvbXlZ/b+zSiRP+vxhWnqnXm+T1FNb5DCHoHaM9GuDDJf5AsJQ==,iv:cOtPHG1JyiQuFjd7Hb4G3Fu/ltbKND/gJZ5PmUIzarQ=,tag:SaW3gwB8wwfsZcGGTfeHKA==,type:str]
+ users_database.yml: ENC[AES256_GCM,data:7mwHzcM7jJVRAyMbfAtCsVeVqovyukhzfNym/7vlPfRNWbzYeUHujEh24YGtshZCwpNYr30EtPv6+O97ze5FYaPYJtHazcriNHk9mSq6iH4UQxZz98CNxbNU5zm4soQ8PyA//2ZKLR6ihSgJdopB4H+tpz5e2cat3rsjXEvj9So9QyL8CEnvnPL/5UrNxpAH/frf/uqpikdpenyffQ+FNQB7QRfA2dl3ss2127UoO563SKHAFkN5MyaDe3Ihwn7kH3OwuKBUcck15Br62KQ0GPOXKJ5wjO7NQsZFBvWbK+bvRGDcxg==,iv:T5CVa1JWS5R7vaE6Ukm42hbhnVu1dWGtHpHssfeYf3s=,tag:PEZt2+2NMKCq3WqFgZCh2g==,type:str]
 name: authelia-users
 namespace: authelia
 type: Opaque
@@ -24,14 +24,14 @@ sops:
 - recipient: age1aq4d879wuczrqj48nnw7ktsddrxfr8y8xaf0j0aqteswmsxnfs7sfs9phj
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzVkkrWktMemtGdlo5cnl4
- WURBcFZ6a1dUM3ZkVCs2bGhNb3gxVHBDWEU0Cml1K0FRTCtsaHRJNmMveHd0dEc4
- MlRqYlo0aUFzRlF3OVRKV1loSmo0TTgKLS0tICtpZUdrbDJwY3c1WDhwaDlVdW5r
- V1pXY1o4WmpkeWJxd3d1amVwTTBJN28K3y/ygmRFtrRd6I0ETVWoVAbBDJSGiITU
- ADecKPFymgJ5Mf/HnH7FJFfnz3n54RQ2KIIe2S2JqsBT3XoQJVo/Bw==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1TXplbFVuRldFd2dNdllm
+ cXhPbDAzOEd5Q0wxNEk0SXNQMGtjZEFWMW1jCjh2OGVXem4yRzEzSHFwZFV6SStY
+ RkhaSEFNMllnd3VwQk55MzR0d3JHS0kKLS0tIHZGWExrV2pjbStKVWFJdzRuQXpo
+ bEIwUGZmR1JwVjF2eVMrU3FpTTBBZVkKV020ISvrp6bNuYvW/I4MPuqyMpPcnYD+
+ EdPhaJGaLZMiK/HrTw7v7MuAYic9ooan58OcSOzG/Y3DXqI8YGV3tg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-02-19T23:20:44Z"
- mac: ENC[AES256_GCM,data:JutOjo3m2IMxAKFXKJu5FScH3cZV7Yk0ehQdW6pYI08bfSFoixtbzotkufeFmwWxFFFGdBo2XOhVF8hPrcAJHECGFRJzTpN/mV5t6cTXnjg/ow1mmFf2hOhXUFz4WRfa+qO5l6X+gSnSm+ZEzIhK0odQV1rZxiw7/Ug0ohAndBY=,iv:vm5VwqXi5rbE8GybdNwAuwKe3CTJuAe0j5sZ+/joSJs=,tag:1ECDZ9/H+pnIVnnaBp0w3Q==,type:str]
+ lastmodified: "2026-02-19T23:24:21Z"
+ mac: ENC[AES256_GCM,data:T7aDzu8LhusZJzofSxmd0XFtEKal3P+mQoTNigJ5Lm+VW+liqhumiAiRGcKT3Qfm1s1cDDrcbEa3zyPC5QmQB7sKKTOssb9DM4qfn/jAmAoLPixo/c0dlpdAHzMwHe22cuRGVbC+uF3I+yHEbeCdei34gNQTRtAVYaEfoK2A1FA=,iv:pNvdhnNUXXFuvT8r5cFFUuCgT6gJqVqUDV70lNE88c0=,tag:Qyg8ulH8G4Nahd0iuQjmpA==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.9.4
diff --git a/clusters/lab/security/authelia.yaml b/clusters/lab/security/authelia.yaml
index d48074f..831bb69 100644
--- a/clusters/lab/security/authelia.yaml
+++ b/clusters/lab/security/authelia.yaml
@@ -69,7 +69,7 @@ spec:
 enabled: true
 path: /config/db.sqlite3
 access_control:
- default_policy: one_factor
+ default_policy: two_factor
 authentication_backend:
 file:
 enabled: true
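Review bot: `default_policy: two_factor` in the `access_control:` hunk of clusters/lab/security/authelia.yaml now applies to every protected domain that has no explicit rule, and no `rules:` list is visible next to it, so any non-interactive client behind the forward-auth (health probes, webhooks, git-over-HTTPS with basic credentials) that cannot complete a second factor will be denied rather than falling back to password-only. If such clients exist, give them per-domain entries under `rules:` with `policy: one_factor` or `policy: bypass` instead of loosening the default. The hunk also does not show whether a second-factor method (`totp`/`webauthn`) and a `notifier` are configured so that existing users can enrol a device before this takes effect — the enclosing `spec:` continues outside the hunk, so that has to be checked there. A one-line comment above the key would save the next reader a lookup: `# two_factor is the fallback for every domain without an access_control.rules entry`.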