# T10: Runtime Configuration and Validation

## Learnings

- Nginx needs `X-Forwarded-Host` and `X-Forwarded-Port` for proper OIDC callback URL generation.
- `curl -f` fails on 302 redirects, which are common when a page is protected by OIDC.
- Health checks and deployment scripts must be updated to allow 302/303/307 status codes for the frontend root.
- Bash `((errors++))` returns 1 if `errors` is 0, which can kill the script if `set -e` is active. Use `errors=$((errors + 1))` instead.
- Documenting required environment variables in systemd service files and `DEPLOYMENT.md` is crucial for operators.
- Authelia client configuration requires specific `redirect_uris` and `scopes` (openid, profile, email, groups).

## Verification

- `scripts/validate-env.sh` correctly identifies missing OIDC and session variables.
- `scripts/healthcheck.sh` and `deploy.sh` now handle auth redirects (302) for the frontend.
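
The following is an added example, not the project's `validate-env.sh` or `healthcheck.sh`. It combines the `set -e`-safe error counter with a frontend check that accepts auth redirects. The variable names, the default URL, the `--run` switch and the acceptance of 200 are assumptions.

```shell
#!/bin/sh
# Added example: variable names and the default URL are hypothetical placeholders.
set -e

# Hypothetical names; substitute the variables your deployment documents.
REQUIRED_VARS="OIDC_ISSUER_URL OIDC_CLIENT_ID OIDC_CLIENT_SECRET SESSION_SECRET"

# Report each unset or empty variable on stderr and print the total on stdout.
count_missing_vars() {
    errors=0
    for name in $REQUIRED_VARS; do
        value=$(printenv "$name" || true)
        if [ -z "$value" ]; then
            echo "missing: $name" >&2
            # Not ((errors++)): that yields exit status 1 when errors is 0,
            # which aborts the script under set -e.
            errors=$((errors + 1))
        fi
    done
    echo "$errors"
}

# Succeed for 200 (assumed) and for the redirects an OIDC-protected root may return.
frontend_status_ok() {
    case "$1" in
        200|302|303|307) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch only the status code; redirects are not followed and -f is not used,
# so a redirect to the identity provider is reported as a status, not an error.
check_frontend() {
    code=$(curl -s -o /dev/null -w '%{http_code}' --max-time 5 "$1" || true)
    if frontend_status_ok "$code"; then
        echo "frontend ok ($code)"
    else
        echo "frontend unhealthy ($code)" >&2
        return 1
    fi
}

# Run both checks only when invoked with --run, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then
    missing=$(count_missing_vars)
    [ "$missing" -eq 0 ] || { echo "$missing required variable(s) missing" >&2; exit 1; }
    check_frontend "${2:-http://localhost/}"
fi
```

A connection failure makes curl report status `000`, which the check treats as unhealthy rather than as a redirect.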