tailwart/authelia/config/configuration.yml

# ============================================================================
# Authelia config — non-secret structure only. Secrets + infra hosts (Postgres
# address, Redis host, SMTP) are injected via AUTHELIA_* env from the compose
# file, so this stays commit-safe.
# ============================================================================
# STRAWMAN. Authelia's schema moves between releases (this targets 4.38+: note
# session.cookies[], identity_validation, storage.postgres.address). Verify
# against the pinned image tag before trusting it, then pin the tag.

theme: dark

server:
  address: tcp://0.0.0.0:9091

log:
  level: info

totp:
  issuer: infinidim.net

# File-based user database (simple, good for play). Swap to LDAP later if needed.
authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2

access_control:
  default_policy: deny
  rules:
    # The portal itself must always be reachable.
    - domain: auth.infinidim.net
      policy: bypass
    # Everything else under the domain needs at least one factor.
    - domain: "*.infinidim.net"
      policy: one_factor

session:
  # secret + redis host/port/db come from env (AUTHELIA_SESSION_*).
  cookies:
    - domain: infinidim.net
      authelia_url: https://auth.infinidim.net
      default_redirection_url: https://infinidim.net

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

# storage (postgres), notifier (smtp), session.secret/redis, and
# identity_validation.reset_password.jwt_secret all arrive via env — see
# docker-compose.yml. Kept out of this file to avoid duplicating infra
# hostnames and to keep secrets off disk in the repo.

# ----------------------------------------------------------------------------
# OIDC provider (optional) — uncomment to let apps log in via OpenID Connect.
# Needs AUTHELIA_OIDC_HMAC_SECRET and a JWKS signing key:
#   docker run --rm authelia/authelia:latest \
#     authelia crypto certificate rsa generate --directory /tmp && cat /tmp/...
# ----------------------------------------------------------------------------
# identity_providers:
#   oidc:
#     hmac_secret: <env AUTHELIA_OIDC_HMAC_SECRET>
#     jwks:
#       - key: |
#           -----BEGIN PRIVATE KEY----- ...
#     clients:
#       - client_id: stalwart
#         client_name: Stalwart Mail
#         client_secret: '<hashed>'
#         redirect_uris:
#           - https://mail.infinidim.net/...
#         scopes: [openid, profile, email]
authelia: vendor into the tree under authelia/ with a single root .env Move the Authelia stack (compose, config, snippets, docs) out of the separate /opt/authelia repo into authelia/, so the whole deployment shares ONE operator .env at the repo root. The four shared infra vars (TS_OAUTH_CLIENT_SECRET, TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore folded in. Run from the repo root: docker compose -f authelia/docker-compose.yml up -d (or: cd authelia && docker compose up -d — the .env symlink makes it resolve). The standalone /opt/authelia is left intact as a history archive; remove once this is verified. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com> 2026-06-11 21:30:18 -04:00			`# ============================================================================`
			`# Authelia config — non-secret structure only. Secrets + infra hosts (Postgres`
			`# address, Redis host, SMTP) are injected via AUTHELIA_* env from the compose`
			`# file, so this stays commit-safe.`
			`# ============================================================================`
			`# STRAWMAN. Authelia's schema moves between releases (this targets 4.38+: note`
			`# session.cookies[], identity_validation, storage.postgres.address). Verify`
			`# against the pinned image tag before trusting it, then pin the tag.`

			`theme: dark`

			`server:`
			`address: tcp://0.0.0.0:9091`

			`log:`
			`level: info`

			`totp:`
			`issuer: infinidim.net`

			`# File-based user database (simple, good for play). Swap to LDAP later if needed.`
			`authentication_backend:`
			`file:`
			`path: /config/users_database.yml`
			`password:`
			`algorithm: argon2`

			`access_control:`
			`default_policy: deny`
			`rules:`
			`# The portal itself must always be reachable.`
			`- domain: auth.infinidim.net`
			`policy: bypass`
			`# Everything else under the domain needs at least one factor.`
			`- domain: "*.infinidim.net"`
			`policy: one_factor`

			`session:`
			`# secret + redis host/port/db come from env (AUTHELIA_SESSION_*).`
			`cookies:`
			`- domain: infinidim.net`
			`authelia_url: https://auth.infinidim.net`
			`default_redirection_url: https://infinidim.net`

			`regulation:`
			`max_retries: 3`
			`find_time: 2m`
			`ban_time: 5m`

			`# storage (postgres), notifier (smtp), session.secret/redis, and`
			`# identity_validation.reset_password.jwt_secret all arrive via env — see`
			`# docker-compose.yml. Kept out of this file to avoid duplicating infra`
			`# hostnames and to keep secrets off disk in the repo.`

			`# ----------------------------------------------------------------------------`
			`# OIDC provider (optional) — uncomment to let apps log in via OpenID Connect.`
			`# Needs AUTHELIA_OIDC_HMAC_SECRET and a JWKS signing key:`
			`# docker run --rm authelia/authelia:latest \`
			`# authelia crypto certificate rsa generate --directory /tmp && cat /tmp/...`
			`# ----------------------------------------------------------------------------`
			`# identity_providers:`
			`# oidc:`
			`# hmac_secret: <env AUTHELIA_OIDC_HMAC_SECRET>`
			`# jwks:`
			`# - key: \|`
			`# -----BEGIN PRIVATE KEY----- ...`
			`# clients:`
			`# - client_id: stalwart`
			`# client_name: Stalwart Mail`
			`# client_secret: '<hashed>'`
			`# redirect_uris:`
			`# - https://mail.infinidim.net/...`
			`# scopes: [openid, profile, email]`