Maybe I will try and give it a go to package Authelia as an app in Cloudron. Only thing is i have zero experience with that, so it's going to be a learning curve....

Maybe @Jan-Macenka can help/assist me with that?

But also as you correctly mention the required nginx changes to be persistent across Cloudron updates, it really makes so much more sense to bundle it as a Cloudron app.

Now for the test, if i remove Authelia's ip from the Restrict Access list in Cloudron, as suggested Authelia fails to start and Cloudron is doing it's job by refusing the not listed ip from Authelia. if i add Authelia's ip in the Restrict Access list in Cloudron again, Authelia starts up.
So i think it's possible to connect internally...... i guess

A second question would be, if i have the Ldap part working, how could i Adapt the Nginx-Config for the Cloudron Apps, to protect the required SSO flow Authelia offers?

I think and feel that's going to be a lot harder to accomplish....

If you connect to the internal ldap server, then it will auth only against per-app generated credentials (the app gets those via env variables) for the initial admin bind to allow searching.

Alternately you can enable exposed ldap and connect via the external route to then.

This is the error i got from Authelia in the logs:

This is the config i have in Authelia,

authentication_backend:
password_reset:
disable: true
ldap:
implementation: custom
url: ldaps://cloudrons_ip:636
start_tls: false
tls:
server_name: my.cloudrons_domain
skip_verify: true
minimum_version: TLS1.2
base_dn: ou=users,dc=cloudron
username_attribute: uid
additional_users_dn: ou=users,dc=cloudron
users_filter: (&({username_attribute}={input})(objectClass=person))
additional_groups_dn: ou=groups,dc=cloudron
groups_filter: (&(member=uid={input},cn=users,cn=accounts,dc=cloudron)(objectclass=groupofnames))
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: givenName
user: cn=admin,ou=system,dc=cloudron
password: "password for ldap in cloudron"

Am i missing a step somewhere or maybe i have the "users_filter" or "groups_filter" setup in the wrong way?
Maybe someone can give me a pointer into the right direction.......
.

I feel i'm so close to an almost working situation here.....

So this is the update so far from my side;

1. Set up a Container with Authelia (cloud also be a VM) in my private network alongside the Cloudron VM as in the same sub-net or vLAN
   Authelia is running in the same subnet as Cloudron now.

2. Let Cloudron do the Cert-handling and expose Authelia via Cloudron-App-Proxy
   Authelia is running through the Cloudron-App-Proxy and handling certs for Authelia.

These are the one's that i'm struggling with at the moment;

3. Adapt Authelias Config accordingly, utilize LDAP Backend and integrating the one that Cloudron offers.

4. Adapt the Nginx-Config for the Cloudron Apps, protect to require the SSO flow Authelia offers.

This is how I have set it up at the moment...

I am on holiday this week and coming home this weekend, so I will be here around that time to pick this up.

1. Set up a Container with Authelia (cloud also be a VM) in my private network alongside the Cloudron VM as in the same sub-net or vLAN
2. Adapt Authelias Config accordingly, I want it to utilize a LDAP Backend and for starters integrating the one that Cloudron offers.
3. Let Cloudron do the Cert-handling and expose Authelia via Cloudron-App-Proxy
4. Adapt the Nginx-Config for the Cloudron Apps, I want to protect to require the SSO flow Authelia offers.

How did you approach the issue? Did you do things differently?

I'll report back.....

On your Cloudron side, you have to enable the user directory server. The settings and default values are mentioned in the docs at https://docs.cloudron.io/user-management/#directory-server