tailwart/authelia/config/configuration.yml
Wayne Hayes ddf00fbf90 authelia: vendor into the tree under authelia/ with a single root .env
Move the Authelia stack (compose, config, snippets, docs) out of the separate
/opt/authelia repo into authelia/, so the whole deployment shares ONE operator
.env at the repo root. The four shared infra vars (TS_OAUTH_CLIENT_SECRET,
TS_TAILNET, DB_MAGIC_NAME, REDIS_MAGIC_NAME) are defined once; authelia/.env is
a symlink to ../.env (gitignored, recreated per host). .env.example + .gitignore
folded in.

Run from the repo root:  docker compose -f authelia/docker-compose.yml up -d
(or: cd authelia && docker compose up -d  — the .env symlink makes it resolve).

The standalone /opt/authelia is left intact as a history archive; remove once
this is verified.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-11 21:30:18 -04:00

# ============================================================================
# Authelia config — non-secret structure only. Secrets + infra hosts (Postgres
# address, Redis host, SMTP) are injected via AUTHELIA_* env from the compose
# file, so this stays commit-safe.
# ============================================================================
# STRAWMAN. Authelia's schema moves between releases (this targets 4.38+: note
# session.cookies[], identity_validation, storage.postgres.address). Verify
# against the pinned image tag before trusting it, then pin the tag. The image
# can check this file together with the env the compose file injects:
#   docker compose -f authelia/docker-compose.yml run --rm <service> \
#     authelia config validate --config /config/configuration.yml
theme: dark

server:
  address: tcp://0.0.0.0:9091

log:
  level: info

totp:
  issuer: infinidim.net

# File-based user database (simple, good for play). Swap to LDAP later if needed.
authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2

access_control:
  default_policy: deny
  rules:
    # The portal itself must always be reachable.
    - domain: auth.infinidim.net
      policy: bypass
    # Everything else under the domain needs at least one factor. A "*." wildcard
    # matches subdomains only, never the apex: if the proxy sends infinidim.net
    # itself through Authelia, give it its own rule, otherwise default_policy
    # (deny) applies to it.
    - domain: "*.infinidim.net"
      policy: one_factor

session:
  # secret + redis host/port/db come from env (AUTHELIA_SESSION_*).
  cookies:
    - domain: infinidim.net
      authelia_url: https://auth.infinidim.net
      default_redirection_url: https://infinidim.net

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

# storage (postgres), notifier (smtp), session.secret/redis, and
# identity_validation.reset_password.jwt_secret all arrive via env — see
# docker-compose.yml. Kept out of this file to avoid duplicating infra
# hostnames and to keep secrets off disk in the repo. Plain env values are
# still readable with `docker inspect` on the host; Authelia also accepts the
# *_FILE form of each secret variable (e.g. AUTHELIA_SESSION_SECRET_FILE) so a
# mounted secret file can be used instead.
# ----------------------------------------------------------------------------
# OIDC provider (optional) — uncomment to let apps log in via OpenID Connect.
# Needs AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET (env names follow the
# config path, so there is no AUTHELIA_OIDC_* shortcut) and a JWKS signing key.
# Mount a host directory for the key: a file written under /tmp inside the
# one-shot container is gone when it exits, so a `cat` on the host finds nothing.
#   docker run --rm -v "$PWD/keys:/keys" authelia/authelia:<pinned tag> \
#     authelia crypto certificate rsa generate --directory /keys && cat keys/...
# client_secret is stored as a password hash, not plaintext; generate one with
#   authelia crypto hash generate pbkdf2 --random
# (it prints the plaintext to hand to the client and the digest for this file).
# ----------------------------------------------------------------------------
# identity_providers:
#   oidc:
#     hmac_secret: <env AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET>
#     jwks:
#       - key: |
#           -----BEGIN PRIVATE KEY----- ...
#     clients:
#       - client_id: stalwart
#         client_name: Stalwart Mail
#         client_secret: '<hashed>'
#         redirect_uris:
#           - https://mail.infinidim.net/...
#         scopes: [openid, profile, email]
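An added check for the access_control and session sections above (example code, not from this repo and not Authelia's own): Authelia documents that a `*.example.com` rule matches subdomains but not the apex, so under the rules in this file a request for infinidim.net itself falls through to `default_policy: deny`, even though that host is the cookie's `default_redirection_url`. The script reimplements the documented domain-rule matching (exact match, or a leading `*.` suffix match; first matching rule wins) on a constructed Python copy of the two sections, reports that gap, and shows the effect of adding an explicit apex rule. Only domain-based rules are modelled; `STRAWMAN`, `policy_for`, `lint` and `with_apex_rule` are names chosen here.

```python
"""Offline lint for the access_control section of an Authelia configuration.

Added example, not part of the repo or of Authelia. Reimplements the documented
domain semantics: a rule domain matches exactly, or, with a leading "*.", any
host that ends in ".<suffix>" (any depth) but never the apex itself.
"""
import copy
from urllib.parse import urlparse

# Constructed copy of the page's access_control + session sections.
STRAWMAN = {
    "access_control": {
        "default_policy": "deny",
        "rules": [
            {"domain": "auth.infinidim.net", "policy": "bypass"},
            {"domain": "*.infinidim.net", "policy": "one_factor"},
        ],
    },
    "session": {
        "cookies": [
            {
                "domain": "infinidim.net",
                "authelia_url": "https://auth.infinidim.net",
                "default_redirection_url": "https://infinidim.net",
            }
        ]
    },
}


def domain_matches(pattern: str, host: str) -> bool:
    """One rule-domain pattern against one request host."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # Suffix match including the leading dot: "evilinfinidim.net" does not
        # end in ".infinidim.net", and neither does the apex "infinidim.net".
        return host.endswith(pattern[1:])
    return host == pattern


def policy_for(host: str, access_control: dict) -> str:
    """First matching rule wins; otherwise default_policy."""
    for rule in access_control["rules"]:
        domains = rule["domain"]
        if isinstance(domains, str):
            domains = [domains]
        if any(domain_matches(d, host) for d in domains):
            return rule["policy"]
    return access_control["default_policy"]


def lint(config: dict) -> list[str]:
    """Cross-check session.cookies[] against access_control; returns findings."""
    findings = []
    ac = config["access_control"]
    for cookie in config["session"]["cookies"]:
        cookie_domain = cookie["domain"]
        portal = urlparse(cookie["authelia_url"]).hostname or ""
        if not domain_matches("*." + cookie_domain, portal):
            findings.append(
                f"authelia_url host {portal} is not a subdomain of cookie domain {cookie_domain}"
            )
        target = cookie.get("default_redirection_url")
        if target:
            host = urlparse(target).hostname or ""
            if policy_for(host, ac) == "deny":
                findings.append(
                    f"default_redirection_url {target} resolves to policy 'deny': no rule "
                    f"matches {host} (a '*.{cookie_domain}' wildcard never covers the apex)"
                )
    return findings


def with_apex_rule(config: dict) -> dict:
    """Hardened variant: an explicit one_factor rule for each cookie's apex domain."""
    fixed = copy.deepcopy(config)
    for cookie in fixed["session"]["cookies"]:
        fixed["access_control"]["rules"].append(
            {"domain": cookie["domain"], "policy": "one_factor"}
        )
    return fixed


if __name__ == "__main__":
    ac = STRAWMAN["access_control"]
    for host in ("auth.infinidim.net", "mail.infinidim.net", "infinidim.net",
                 "evilinfinidim.net", "infinidim.net.evil.example"):
        print(f"{host:30} -> {policy_for(host, ac)}")
    for finding in lint(STRAWMAN):
        print("FINDING:", finding)
    print("after apex rule:", lint(with_apex_rule(STRAWMAN)))
```

The two details worth carrying back into a real review are the ones the script relies on: rules are evaluated in order and the first match wins, and the wildcard comparison includes the leading dot, which is what stops a look-alike host such as evilinfinidim.net from being granted the one_factor policy.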