# Authentication

## Overview

All web-facing services are protected by a unified auth stack running on `helsinki-a`. This gives SSO across everything without having to configure per-service authentication.

## Stack

### Authelia

Authelia is the authentication and authorization gateway. It sits in front of services proxied by Caddy and handles:

- Username/password login
- Two-factor authentication (TOTP)
- Per-service access control rules

### LLDAP

LLDAP (Lightweight LDAP) is the user directory Authelia uses for authentication. It's simpler and easier to manage than a full OpenLDAP install, while still being compatible with anything that speaks LDAP. All user management goes through LLDAP's web interface.

### Bitwarden (Vaultwarden)

Self-hosted Bitwarden running on `helsinki-a`. It stores all passwords, and the official Bitwarden clients are used across devices.

## Flow

1. User hits a subdomain (e.g. `grafana.pez.sh`)
2. Cloudflare routes traffic to `helsinki-a`
3. Caddy receives the request and forwards it to Authelia middleware
4. Authelia checks whether the user has a valid session
5. If not, redirect to the Authelia login portal (which authenticates against LLDAP)
6. Once authenticated, Caddy proxies the request to the actual backend service (which may be on any server in the homelab)
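What steps 3 to 6 look like in Caddy terms, as an added example rather than the homelab's own config: a Caddyfile site block using Caddy's `forward_auth` directive against Authelia's forward-auth endpoint. The Authelia address `authelia:9091` and the Grafana backend `10.0.0.20:3000` are assumed placeholders; only `grafana.pez.sh` comes from the page.

```caddyfile
# Added example, not the page's own configuration.
# Assumes Authelia is reachable from Caddy at authelia:9091 and the
# Grafana backend at 10.0.0.20:3000 (both placeholders).
grafana.pez.sh {
    # Step 3: every request is first sent to Authelia's forward-auth endpoint.
    # Step 4/5: Authelia answers 2xx when the session is valid, otherwise it
    # returns a redirect to the login portal, which Caddy passes back to the
    # browser instead of touching the backend.
    forward_auth authelia:9091 {
        uri /api/authz/forward-auth
        # Identity headers Authelia sets on success are copied onto the
        # backend request; the backend never sees credentials or LDAP.
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }

    # Step 6: only reached when forward_auth returned 2xx.
    reverse_proxy 10.0.0.20:3000
}
```

The `/api/authz/forward-auth` endpoint is the one used by Authelia 4.38 and later; earlier releases used `/api/verify` with a `rd` query parameter instead. The backend should trust the `Remote-*` headers only from Caddy, so it must not be reachable on a path that bypasses the proxy.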