Authelia — your setup steps

One login + 2FA in front of your self-hosted apps. ≈ 30–40 min, one sitting

YOU: steps only you can do.   CLAUDE: I run these — just say the word.

The only real "keys" you're making

Everything cryptographic (session/storage/JWT/OIDC secrets, the RSA signing key) is auto-generated by scripts — you never see those. Your job is just:

What                                       Where
1 Porkbun API key (for the TLS cert)       Porkbun website
1 master password (your one SSO login)     You pick it, once
2FA — an authenticator code + a passkey    Your phone
Part A — the API key & DNS (you, in a browser)
Step 1 (YOU)

Make a Porkbun API key

This is what lets the server automatically prove it owns rockwood.bot and get a wildcard HTTPS certificate.

  1. Log into porkbun.com, then go to Account → API Access.
  2. Create an API key (name it something like authelia-cert).
  3. Copy both values it shows you — the API Key (pk1_…) and the Secret Key (sk1_…). The secret is shown once.
Keep these two values handy for step 4. Don't paste them into chat — you'll put them straight onto the server yourself.

Step 2 (YOU)

Turn on API access for the domain

Porkbun requires this per-domain, and the cert step fails silently without it.

  1. Domain Management → rockwood.bot.
  2. Flip API Access ON for that domain.

Step 3 (YOU)

Add one DNS record

This is the only new public name — the login portal. (Your home apps stay private/LAN-only.)

Type   Host   Answer
A      auth   64.23.204.231

i.e. auth.rockwood.bot → the droplet. TTL 600 is fine.

Step 4 (YOU)

Drop the API key onto the server

From any terminal (keeps the secret out of our chat log). Paste your two values in place of the placeholders:

# open a shell on the droplet
ssh droplet

# write the credentials file (paste your real pk1_/sk1_ values)
umask 077 && cat > /etc/letsencrypt/porkbun.ini <<'INI'
dns_porkbun_key=pk1_your_key_here
dns_porkbun_secret=sk1_your_secret_here
INI
exit

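An added sanity check (mine, not from the runbook or Authelia) to run on the droplet after writing the file: it confirms both keys are present with their pk1_/sk1_ prefixes, that the placeholders were actually replaced, and that the file is mode 600, which matters because umask 077 only protects a freshly created file and a pre-existing porkbun.ini would keep whatever permissions it already had. Assumes a POSIX sh with GNU or BSD stat; the path defaults to /etc/letsencrypt/porkbun.ini.

```sh
#!/bin/sh
# Added check (not part of the runbook): validate the Porkbun credentials file
# before the cert step, which otherwise fails silently on a bad file.
check_porkbun_ini() {
  f="${1:-/etc/letsencrypt/porkbun.ini}"
  [ -f "$f" ] || { echo "missing: $f"; return 1; }

  # Mode must be owner-only; umask 077 only applies to a newly created file,
  # so a file that already existed may still be readable by everyone.
  mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
  case "$mode" in
    600|400) ;;
    *) echo "bad permissions on $f: '$mode' (expected 600)"; return 1 ;;
  esac

  # Pull the two values the certbot plugin reads (key names from the runbook).
  key=$(sed -n 's/^dns_porkbun_key *= *//p' "$f")
  secret=$(sed -n 's/^dns_porkbun_secret *= *//p' "$f")
  case "$key" in pk1_*) ;; *) echo "dns_porkbun_key missing or not pk1_..."; return 1 ;; esac
  case "$secret" in sk1_*) ;; *) echo "dns_porkbun_secret missing or not sk1_..."; return 1 ;; esac

  # The runbook's placeholder values must have been replaced with real ones.
  case "$key$secret" in
    *your_key_here*|*your_secret_here*) echo "placeholder values still present in $f"; return 1 ;;
  esac
  echo "ok: $f looks usable"
}

# Runs only when executed as a script named check-porkbun.sh (not when sourced).
# Usage on the droplet, as root:  sh check-porkbun.sh [path]
case "$0" in *check-porkbun.sh) check_porkbun_ini "$@" ;; esac
```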
Then tell me "porkbun.ini is ready" and I take over for a bit. 👇

I take over — cert + install
Step 5 (CLAUDE)

Issue the cert & install Authelia

I run the wildcard-cert script (covers auth. and all your app names at once), generate every secret, stand up Authelia + Redis on the droplet, and install the login portal. Then I hand it back to you for the password.

Part B — password & 2FA (you)
Step 6 (YOU)

Set your master password

This is the password you'll type at the one login page for everything. Make it strong.

ssh droplet
/root/projects/linux-learning/authelia/scripts/set-password.sh

It asks twice, hidden. Then tell me "password set."

Step 7 (YOU)

First login + enroll 2FA

Open auth.rockwood.bot, log in with doug + your password. You'll set up two second factors:

  1. Authenticator (TOTP): choose "Register device." There's no email server yet, so the confirm link lands in a file on the server — just tell me "get my 2FA link" and I'll fetch it. Click it → scan the QR with your phone's authenticator app → enter the 6-digit code.
  2. Passkey: add one and follow the prompt (Face ID / fingerprint / security key).
  3. Log out and back in once to make sure it sticks.
After this, one login covers everything behind the gateway.

Part C — flip on the apps
Step 8 (CLAUDE)

Wire up the apps

I point your home DNS at the right place, copy the cert to Lucy, and stand up the local gateway for Radarr / Sonarr / Prowlarr. (I'll double-check with you before I touch the router's DNS.)

Step 9 (YOU)

Turn off each app's own login

In Radarr, Sonarr, and Prowlarr: Settings → General → Security → Authentication Required → "Disabled for Local Addresses" → Save.

This makes each app trust the gateway so Authelia is the single front door. It does not make them open to the internet: the gateway still requires your login. (As the setting's name says, a device already on your home LAN can still reach an app directly without its own password; from outside, the gateway is the only way in.)

Test: visit radarr.rockwood.bot → it bounces you to the login, then straight into Radarr. Done. 🎉

What's not in today's session (on purpose): couchlist stays public for friends; Home Assistant keeps its own app login; "Login with Authelia" for Audiobookshelf is an easy add-on any time.

Full technical runbook lives in the repo at authelia/DOUG-SESSION.md. Anything breaks — just ask me; everything here is reversible.

Heads up: this page is on stuff.rockwood.bot, which is public (no secrets are on it). Say the word if you'd rather I move it somewhere private.