diff --git a/.gitignore b/.gitignore index 8f0724e..487b297 100644 --- a/.gitignore +++ b/.gitignore @@ -1,4 +1,5 @@ *.env +*.bak .idea docker-compose.override.yml /authelia/*.yml diff --git a/README.md b/README.md index bf0df5e..cabe8fd 100644 --- a/README.md +++ b/README.md 
@@ -388,18 +388,15 @@ The `update-setup.sh` script provides various commands to manage your configurat * `./update-setup.sh update-services`: Updates configurations for running *arr/qBittorrent/Bazarr containers (sets URL base, extracts API keys to `.env`). Restarts affected containers. * `./update-setup.sh all`: Runs `update-env`, `update-authelia`, and `update-services` sequentially. Recommended for initial setup and major updates. -**Authentication Management:** +**Authelia Policy Management:** -* `./update-setup.sh list-auth`: Lists all detected services in `docker-compose.yml` and shows whether Authelia authentication is enabled or disabled for them. -* `./update-setup.sh enable-auth `: Enables Authelia authentication for the specified `` by adding the `authelia-auth@docker` middleware label in `docker-compose.yml`. -* `./update-setup.sh disable-auth `: Disables Authelia authentication for the specified `` by removing the `authelia-auth@docker` middleware label. -* `./update-setup.sh enable-all-auth`: Attempts to enable authentication for all applicable services. -* `./update-setup.sh disable-all-auth`: Attempts to disable authentication for all applicable services. +* `./update-setup.sh manage-policies`: Starts an interactive menu to list or set Authelia access policies (`one_factor`, `two_factor`, `bypass`, `deny`) for specific services defined in `authelia/configuration.yml`. +* `./update-setup.sh list-policies`: Lists services defined in `authelia/configuration.yml` and their current access policy. +* `./update-setup.sh set-policy `: Directly sets the Authelia access policy for the specified `` to the given `` (e.g., `one_factor`, `two_factor`, `bypass`, `deny`). 
-> **Important:** After using `enable-auth`, `disable-auth`, `enable-all-auth`, or `disable-all-auth`, you **must** restart your stack for the changes to take effect: +> **Important:** After changing Authelia policies using `manage-policies` or `set-policy`, you **must** restart Authelia for the changes to take effect: > ```bash -> docker compose down -> docker compose up -d +> docker compose restart authelia > ``` **User & File Management:** @@ -411,9 +408,11 @@ The `update-setup.sh` script provides various commands to manage your configurat * `./update-setup.sh help`: Displays the full list of commands and usage instructions. -### Managing Service Authentication +### Managing Service Authentication (Authelia Policies) -Use the `update-setup.sh` script to easily control which services require Authelia login. See the `Authentication Management` commands in the [Setup Script Commands](#setup-script-commands-update-setupsh) section above for details. +Use the `update-setup.sh` script to easily control which services require Authelia login and what level of authentication is needed. This is done by managing *access control rules* within Authelia's configuration (`authelia/configuration.yml`). + +See the `Authelia Policy Management` commands in the [Setup Script Commands](#setup-script-commands-update-setupsh) section above for details on how to list and set policies like `one_factor`, `two_factor`, `bypass`, or `deny` for each service. ## Optional Services diff --git a/authelia/configuration.example.yml b/authelia/configuration.example.yml index e878c6d..753d5af 100644 --- a/authelia/configuration.example.yml +++ b/authelia/configuration.example.yml @@ -4,8 +4,6 @@ # Server settings server: address: 'tcp://0.0.0.0:9091' - trusted_proxies: - - '172.16.0.0/12' # Docker networks # Logging configuration log: 
@@ -56,14 +54,76 @@ authentication_backend: # Access control rules access_control: - default_policy: deny + default_policy: deny # Deny access by default rules: - # This will match any subdomain of your specific Tailscale domain + # Rules are processed in order. First match wins. + # It's recommended to put more specific rules first. + + # 1. Bypass rules (No authentication required) + # Allow access to Authelia's own endpoints - domain: '*.your-tailnet.ts.net' + path_regex: '^/auth.*' # Match /auth and anything after it + policy: bypass + # Allow access to the root path (will be redirected by Traefik later) + - domain: '*.your-tailnet.ts.net' + path: '/' + policy: bypass + # Allow access to API endpoints (as requested, review security implications) + - domain: '*.your-tailnet.ts.net' + path_regex: '^/api.*' # Match /api and anything after it + policy: bypass + + # 2. One-Factor Authentication Rules (Requires login) + # Add rules for each service you want to protect. + # The domain should match your Tailscale domain. + # The path should match the Traefik PathPrefix for the service. 
+ - domain: '*.your-tailnet.ts.net' + path_regex: '^/sonarr.*' policy: one_factor - # Also match the main domain without subdomain - - domain: 'your-tailnet.ts.net' + - domain: '*.your-tailnet.ts.net' + path_regex: '^/radarr.*' policy: one_factor + - domain: '*.your-tailnet.ts.net' + path_regex: '^/lidarr.*' + policy: one_factor + - domain: '*.your-tailnet.ts.net' + path_regex: '^/bazarr.*' + policy: one_factor + - domain: '*.your-tailnet.ts.net' + path_regex: '^/qbittorrent.*' + policy: one_factor + - domain: '*.your-tailnet.ts.net' + path_regex: '^/sabnzbd.*' + policy: one_factor + - domain: '*.your-tailnet.ts.net' + path_regex: '^/calibre.*' + policy: one_factor + - domain: '*.your-tailnet.ts.net' + path_regex: '^/home.*' # Protect the homepage + policy: one_factor + - domain: '*.your-tailnet.ts.net' + path_regex: '^/jellyseerr.*' + policy: one_factor + - domain: '*.your-tailnet.ts.net' + path_regex: '^/prowlarr.*' + policy: one_factor + - domain: '*.your-tailnet.ts.net' + path_regex: '^/flaresolverr.*' + policy: one_factor + # Add other services here following the pattern: + # - domain: '*.your-tailnet.ts.net' + # path_regex: '^/.*' + # policy: one_factor + + # 3. Default rule for the domain (optional, if you want a catch-all) + # This rule will apply if no path-specific rule above matches. + # You might want to deny or require one_factor for unmatched paths. + # Example: Deny any other path on the domain + # - domain: '*.your-tailnet.ts.net' + # policy: deny + # Example: Require login for any other path + # - domain: '*.your-tailnet.ts.net' + # policy: one_factor # Notifier configuration notifier:
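Review bot: In the README hunk at `@@ -388,18 +388,15 @@`, the new `set-policy` bullet documents its arguments with empty placeholders (`./update-setup.sh set-policy `, "for the specified `` to the given ``"), so a reader cannot tell what the two positional arguments are or in which order they go; spell them out, e.g. `./update-setup.sh set-policy <service> <policy>`, and do the same for the policy value list that follows. The same empty-placeholder pattern is present in the removed `enable-auth `/`disable-auth ` lines, so it is worth a pass over the whole command table rather than only the new lines.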
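Review bot: The `authelia/configuration.example.yml` hunk at `@@ -4,8 +4,6 @@` drops `trusted_proxies: ['172.16.0.0/12']` from the `server` block without any comment or README text saying why, yet nothing else in the patch replaces the idea that Authelia sits behind Traefik on a Docker network; state the reason in the commit message or an inline comment (for instance that the key is not accepted by the Authelia release in use, or that proxy trust is now handled on the Traefik side), because a later maintainer will otherwise read this as an accidental loss of the forwarded-header trust boundary.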
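Review bot: In the access-control hunk at `@@ -56,14 +54,76 @@`, the added `policy: bypass` rule for `path_regex: '^/api.*'` applies to every host matching `'*.your-tailnet.ts.net'`, and because the hunk's own comment says "Rules are processed in order. First match wins." it is evaluated before every `one_factor` rule below it; the inline comment "as requested, review security implications" shows the author knows this, but an unauthenticated catch-all for any path starting with `/api` should not ship in the example file as-is: narrow it to the exact API paths that need it, or move it under a comment that marks it as opt-in. Two further points on the same hunk: the removed rule for the bare domain `'your-tailnet.ts.net'` is not replaced, so with `default_policy: deny` requests to the apex host now fall through to deny (fine if intended, but the commented-out "Default rule for the domain" block suggests a catch-all was meant, so either restore it or say so); and the rule keys `path_regex` / `path` should be checked against the Authelia release the stack uses, since Authelia's documented path-matching key for access-control rules is `resources` (a list of regexes), and a rule whose path key is not recognised will not match what the comments promise.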