One login + 2FA in front of your self-hosted apps. ≈ 30–40 min, one sitting
Everything cryptographic (session/storage/JWT/OIDC secrets, the RSA signing key) is auto-generated by scripts — you never see those. Your job is just:
| What | Where |
|---|---|
| 1 Porkbun API key (for the TLS cert) | Porkbun website |
| 1 master password (your one SSO login) | You pick it, once |
| 2FA — an authenticator code + a passkey | Your phone |
This is what lets the server automatically prove it owns rockwood.bot and get a wildcard HTTPS certificate.
Create an API key in your Porkbun account (name it something like authelia-cert) and copy both the API Key (pk1_…) and the Secret Key (sk1_…); the secret is shown only once. Then enable API access on the rockwood.bot domain itself: Porkbun requires this per-domain, and the cert step fails silently without it.
This is the only new public name — the login portal. (Your home apps stay private/LAN-only.)
| Type | Host | Answer |
|---|---|---|
| A | auth | 64.23.204.231 |
i.e. auth.rockwood.bot → the droplet. TTL 600 is fine.
From any terminal (keeps the secret out of our chat log). Paste your two values in place of the placeholders:
```bash
# open a shell on the droplet
ssh droplet
# write the credentials file (paste your real pk1_/sk1_ values)
umask 077 && cat > /etc/letsencrypt/porkbun.ini <<'INI'
dns_porkbun_key=pk1_your_key_here
dns_porkbun_secret=sk1_your_secret_here
INI
exit
```
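Optional preflight check before you tell me it's ready (an added example, not a script from the repo; the function name and path argument are my own): it confirms the file is root-only, that both values carry Porkbun's pk1_/sk1_ prefixes, and that the placeholders were actually replaced, since the cert step otherwise fails silently.

```shell
#!/bin/sh
# Preflight check for the Porkbun credentials file written above.
# Hypothetical helper, not part of the runbook repo. Defaults to the runbook's
# path but accepts another path so it can be exercised on a scratch file.

check_porkbun_ini() {
    ini="${1:-/etc/letsencrypt/porkbun.ini}"

    [ -f "$ini" ] || { echo "FAIL: $ini does not exist"; return 1; }

    # Written under umask 077, so the mode should be 600 (400 is also fine).
    mode=$(stat -c '%a' "$ini" 2>/dev/null || stat -f '%Lp' "$ini")
    case "$mode" in
        600|400) ;;
        *) echo "FAIL: $ini is mode $mode, expected 600"; return 1 ;;
    esac

    key=$(sed -n 's/^dns_porkbun_key=//p' "$ini")
    secret=$(sed -n 's/^dns_porkbun_secret=//p' "$ini")

    # Both values must be present and carry the pk1_ / sk1_ prefixes.
    case "$key" in
        pk1_*) ;;
        *) echo "FAIL: dns_porkbun_key missing or not a pk1_ value"; return 1 ;;
    esac
    case "$secret" in
        sk1_*) ;;
        *) echo "FAIL: dns_porkbun_secret missing or not an sk1_ value"; return 1 ;;
    esac

    # Catch the snippet's placeholders being pasted in unchanged.
    case "$key$secret" in
        *your_key_here*|*your_secret_here*)
            echo "FAIL: placeholder values still present"; return 1 ;;
    esac

    echo "OK: $ini looks ready for the cert step"
}
```

Source it on the droplet as root and run `check_porkbun_ini`; a non-zero exit means fix the file before moving on.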
Then tell me "porkbun.ini is ready" and I take over for a bit. 👇
I run the wildcard-cert script (covers auth. and all your app names at once), generate every secret, stand up Authelia + Redis on the droplet, and install the login portal. Then I hand it back to you for the password.
This is the password you'll type at the one login page for everything. Make it strong.
```bash
ssh droplet /root/projects/linux-learning/authelia/scripts/set-password.sh
```
It asks twice, hidden. Then tell me "password set."
Open auth.rockwood.bot, log in with doug + your password. You'll set up two second factors: an authenticator code and a passkey.
I point your home DNS at the right place, copy the cert to Lucy, and stand up the local gateway for Radarr / Sonarr / Prowlarr. (I'll double-check with you before I touch the router's DNS.)
In Radarr, Sonarr, and Prowlarr: Settings → General → Security → Authentication Required → "Disabled for Local Addresses" → Save.
This makes each app trust the gateway so Authelia is the single front door. It does not make them open — the gateway still requires your login.
radarr.rockwood.bot → it bounces you to the login, then straight into Radarr. Done. 🎉

What's not in today's session (on purpose): couchlist stays public for friends; Home Assistant keeps its own app login; "Login with Authelia" for Audiobookshelf is an easy add-on any time.
Full technical runbook lives in the repo at authelia/DOUG-SESSION.md. Anything breaks — just ask me; everything here is reversible.
Heads up: this page is on stuff.rockwood.bot, which is public (no secrets are on it). Say the word if you'd rather I move it somewhere private.