# Authelia

## What

Authelia is my SSO (Single Sign-On) and 2FA provider. It sits in front of services that don't have their own auth or that I want under a unified login.

## Where

Runs on **helsinki-a** as a Docker container.

- URL: [auth.pez.sh](https://auth.pez.sh)
- Backend port: 9091
- Integrated with LDAP (also on helsinki-a) for user management

## How It Works

Caddy is configured with a forward auth middleware that calls Authelia before passing traffic to the backend. If the user isn't authenticated, they're redirected to auth.pez.sh to log in.

Services protected by Authelia:
- Grafana, Prometheus
- Radarr, Sonarr, Lidarr, Readarr, Prowlarr
- Transmission (download.pez.sh)
- Soulseek (soulseek.pez.sh)
- apps.pez.sh

## LDAP

User accounts are managed in LDAP on helsinki-a. Authelia authenticates against LDAP. This centralises user management — one place to add/remove users rather than configuring each service individually.