From 914890b3392a0cac96f87e3738ecc153b52fcfe0 Mon Sep 17 00:00:00 2001
From: Davide Piu
Date: Thu, 19 Feb 2026 23:18:38 +0000
Subject: [PATCH] feat: protect Uptime Kuma and Weave GitOps with Authelia ForwardAuth

- Add Traefik ForwardAuth middleware pointing to Authelia
- Apply to status.davidepiu.xyz and flux.davidepiu.xyz
- Users must login via auth.davidepiu.xyz before accessing these services
---
 clusters/lab/apps/uptime-kuma.yaml | 2 +-
 clusters/lab/infrastructure/weave-gitops.yaml | 2 +-
 clusters/lab/security/authelia-forwardauth.yaml | 15 +++++++++++++++
 3 files changed, 17 insertions(+), 2 deletions(-)
 create mode 100644 clusters/lab/security/authelia-forwardauth.yaml

diff --git a/clusters/lab/apps/uptime-kuma.yaml b/clusters/lab/apps/uptime-kuma.yaml
index a2c3748..3de17ad 100644
--- a/clusters/lab/apps/uptime-kuma.yaml
+++ b/clusters/lab/apps/uptime-kuma.yaml
@@ -36,7 +36,7 @@ spec:
 className: traefik
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
- traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
 hosts:
 - host: status.davidepiu.xyz
 paths:
diff --git a/clusters/lab/infrastructure/weave-gitops.yaml b/clusters/lab/infrastructure/weave-gitops.yaml
index 059ff10..44cf3f2 100644
--- a/clusters/lab/infrastructure/weave-gitops.yaml
+++ b/clusters/lab/infrastructure/weave-gitops.yaml
@@ -64,7 +64,7 @@ metadata:
 namespace: flux-system
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
- traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
+ traefik.ingress.kubernetes.io/router.middlewares: default-authelia-forwardauth@kubernetescrd,default-redirect-https@kubernetescrd
 spec:
 ingressClassName: traefik
 rules:
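Review bot: In both `traefik.ingress.kubernetes.io/router.middlewares` annotations (this hunk and the weave-gitops hunk that follows) the ForwardAuth middleware is listed ahead of `default-redirect-https`, and Traefik applies middlewares in the order they are listed, so a plaintext request on the web entrypoint is sent to Authelia for an authorization decision before it is bounced to TLS. That costs an Authelia round trip per cleartext hit, and since Authelia builds its login redirect from the forwarded scheme and host, a user who arrives over http:// is likely to complete the sign-in flow and be returned to a cleartext URL before the redirect finally fires (this depends on whether the Ingress is bound to the web entrypoint at all, which is outside the hunk). Listing the redirect first keeps every authenticated exchange on HTTPS: `traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd,default-authelia-forwardauth@kubernetescrd`. The enclosing Ingress and HelmRelease objects start and end outside the hunks.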
diff --git a/clusters/lab/security/authelia-forwardauth.yaml b/clusters/lab/security/authelia-forwardauth.yaml
new file mode 100644
index 0000000..b04195d
--- /dev/null
+++ b/clusters/lab/security/authelia-forwardauth.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: authelia-forwardauth
+ namespace: default
+spec:
+ forwardAuth:
+ address: http://authelia-authelia.authelia.svc.cluster.local/api/authz/forward-auth
+ trustForwardHeader: true
+ authResponseHeaders:
+ - Remote-User
+ - Remote-Groups
+ - Remote-Email
+ - Remote-Name
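Review bot: `trustForwardHeader: true` makes Traefik pass the request's incoming X-Forwarded-* headers through to Authelia, and Authelia derives the host and URI it authorizes from those headers, so this setting is only safe while the Traefik entrypoints accept forwarded headers solely from trusted upstream proxies — by default Traefik discards them from untrusted clients, but the entrypoint configuration is not part of this commit, so please confirm it has not been loosened with `forwardedHeaders.insecure`. A comment on that line would save the next reader the same check, e.g. `# depends on the entrypoint's forwardedHeaders trust settings; keep forwardedHeaders.insecure off`. Separately, the `Remote-*` headers handed to the backends are only trustworthy if Uptime Kuma and Weave GitOps cannot be reached by a path that bypasses this Ingress, and the description's "users must login" holds only if Authelia's access-control rules for the two hosts are not `bypass`; neither is visible here, so a short note in the Middleware pointing at where those rules live would help.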