fix(authelia): Update configuration for v4.38+ compatibility and remove deprecated variables

.env.example

@@ -63,14 +63,15 @@ HOMEPAGE_VAR_WEATHER_UNIT=metric
 
 # --- Authelia Settings ---
 # Generate strong random secrets for these using tools like `openssl rand -hex 32`
-AUTHELIA_JWT_SECRET= # Example: your_strong_jwt_secret
+AUTHELIA_JWT_SECRET= # Used for password reset functionality (also mapped to AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET in 4.38+)
-AUTHELIA_SESSION_SECRET= # Example: your_strong_session_secret
+AUTHELIA_SESSION_SECRET= # Secret for session cookies
-AUTHELIA_STORAGE_ENCRYPTION_KEY= # Example: your_strong_storage_encryption_key
+AUTHELIA_STORAGE_ENCRYPTION_KEY= # For encrypting stored data
-AUTHELIA_REDIS_PASSWORD= # Example: your_strong_redis_password
+AUTHELIA_REDIS_PASSWORD= # Used as AUTHELIA_SESSION_REDIS_PASSWORD in 4.38+
 
-# Authelia Session Configuration (Note: These may be less relevant with config v4.38+ structure)
+# Note: The following variables are no longer needed with Authelia 4.38+ and the updated configuration
-AUTHELIA_SESSION_DOMAIN=${APP_HOSTNAME}
+# They are preserved for backward compatibility but will be automatically mapped to the new structure
-AUTHELIA_DEFAULT_REDIRECT_URL=https://${APP_HOSTNAME}/home
+# AUTHELIA_SESSION_DOMAIN=${APP_HOSTNAME}
+# AUTHELIA_DEFAULT_REDIRECT_URL=https://${APP_HOSTNAME}/home
 
 # --- API Keys & Integration Tokens (Optional - Mainly for Homepage Widgets) ---
 # Find API keys within each application's settings (usually Settings > General or Security)

README.md

@@ -27,6 +27,7 @@ The core idea is to manage media libraries (movies, TV shows, music), automate d
   - [Optional Services](#optional-services)
   - [Troubleshooting](#troubleshooting)
     - [SELinux Socket Permissions (Docker)](#selinux-socket-permissions-docker)
+    - [Authelia v4.38+ Compatibility](#authelia-v438-compatibility)
     - [Tailscale Issues](#tailscale-issues)
     - [File Permissions](#file-permissions)
   - [Advanced Topics](#advanced-topics)
@@ -350,6 +351,23 @@ If you are running Docker on a host with SELinux enabled (like Fedora, CentOS, R
     ```
     This allows the specific actions that were being denied. You might need to repeat this if different denials appear after applying the first policy.
 
+### Authelia v4.38+ Compatibility
+
+If you see errors like these in your Authelia logs:
+```
+Configuration: configuration key not expected: session.domains
+Configuration: configuration key not expected: session.domains[].default_redirection_url
+Configuration: configuration key not expected: session.domains[].domain
+Can't continue due to the errors loading the configuration
+```
+
+This is likely due to Authelia v4.38+ changing the session domain configuration format. The stack has been updated to use the new `cookies` configuration structure:
+- Updated `authelia/configuration.yml` with new session cookies structure
+- Environment variables in Docker Compose are remapped to the new format
+- Old environment variables like `AUTHELIA_DEFAULT_REDIRECT_URL` are no longer directly used
+
+**Fix:** Update your `authelia/configuration.yml` with the latest version from the repository. See the configuration file for the current correct format.
+
 ### Tailscale Issues
 
 *   **Authentication:** Ensure your `TAILSCALE_AUTHKEY` in `.env` is valid and hasn't expired (especially if using ephemeral keys). Check the `tailscale` container logs (`docker compose logs tailscale`) for authentication errors.

authelia/configuration.yml

@@ -12,7 +12,7 @@ log:
   level: info
   format: text # or json
 
-# Session configuration using the new 'domains' list format
+# Session configuration for v4.38+
 session:
   name: authelia_session
   secret: ${AUTHELIA_SESSION_SECRET}
@@ -25,12 +25,10 @@ session:
     # Set password directly here instead of relying on potentially problematic env var
     password: ${AUTHELIA_REDIS_PASSWORD}
     database_index: 0
-  # Define session domains explicitly
+  cookies:
-  domains:
+    - domain: ${APP_HOSTNAME}
-    - domain: ${APP_HOSTNAME} # Use the renamed variable from .env
+      authelia_url: https://${APP_HOSTNAME}
-      default_redirection_url: https://${APP_HOSTNAME}/home # Default redirect after login
+      default_redirection_url: https://${APP_HOSTNAME}/home
-      # Optional: Define specific Authelia portal URL if different from domain root
-      # authelia_url: https://${APP_HOSTNAME}/
 
 # Regulation (brute force protection)
 regulation:

docker-compose.yml

@@ -49,9 +49,8 @@ services:
       - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
       - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
       - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
-      - AUTHELIA_REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
+      - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET=${AUTHELIA_JWT_SECRET}
-      - AUTHELIA_SESSION_DOMAIN=${AUTHELIA_SESSION_DOMAIN}
+      - AUTHELIA_SESSION_REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
-      - AUTHELIA_DEFAULT_REDIRECT_URL=${AUTHELIA_DEFAULT_REDIRECT_URL}
       - TZ=${TIMEZONE}
     labels:
       - traefik.enable=true