From 4ad7bf0a3825c094c2e8a4926424b3cc1cd7feb3 Mon Sep 17 00:00:00 2001 From: aki Date: Sat, 26 Apr 2025 00:41:41 +0800 Subject: [PATCH] fix(authelia): Update configuration and setup script for Tailscale domain handling in Authelia v4.38+ --- README.md | 13 ++++++++----- authelia/configuration.example.yml | 15 +++++++++------ update-setup.sh | 20 ++++++++++---------- 3 files changed, 27 insertions(+), 21 deletions(-) diff --git a/README.md b/README.md index 8f590e8..72bc8da 100644 --- a/README.md +++ b/README.md @@ -401,7 +401,10 @@ If you are running Docker on a host with SELinux enabled (like Fedora, CentOS, R Authelia v4.38+ introduces significant changes to its configuration structure, particularly for session domains and authentication flows. The setup in this repository has been carefully configured to work with these changes: -1. **Domain Configuration**: The configuration now properly uses the base Tailscale domain (e.g., `ts.net`) for cookies rather than a wildcard domain, which is not allowed for cookie configuration in Authelia v4.38+. Wildcards are still used in access control rules where they are permitted. +1. **Domain Configuration**: + - You must use your specific Tailnet domain (e.g., `example.ts.net`) for cookies, not just `ts.net` + - The domain `ts.net` is part of the [Public Suffix List](https://publicsuffix.org/), which means browsers restrict cookies on it for security reasons + - Authelia will refuse to start if you try to use a domain from this list 2. **Required Secret Variables**: You must set these four variables in your `.env` file: - `AUTHELIA_JWT_SECRET`: Used for password reset tokens 
@@ -412,15 +415,15 @@ Authelia v4.38+ introduces significant changes to its configuration structure, p Generate strong random values for these with: `openssl rand -hex 32` 3. **Automatic Domain Setup**: The `update-setup.sh` script automatically: - - Extracts your Tailscale base domain (e.g., `ts.net`) from your `.env` file - - Configures cookie domains properly without wildcards - - Sets the correct URLs based on your Tailscale hostname + - Uses your specific Tailnet domain (e.g., `example.ts.net`) from your `.env` file + - Configures cookie domains properly to avoid Public Suffix List issues + - Sets up proper access control rules for both your domain and its subdomains 4. **File Permissions**: The Authelia container runs with your user ID and group ID, preventing permission issues when managing the configuration files with git or other tools. If you encounter any of these common errors, running the setup script should resolve them: ``` -error: option 'domain' must be the domain you wish to protect not a wildcard domain +error: option 'domain' is not a valid cookie domain: the domain is part of the special public suffix list error: option 'authelia_url' does not share a cookie scope with domain error: can't be specified at the same time: option 'domain' and option 'cookies' configuration key 'jwt_secret' is deprecated in 4.38.0 diff --git a/authelia/configuration.example.yml b/authelia/configuration.example.yml index 55fc269..3a2cdae 100644 --- a/authelia/configuration.example.yml +++ b/authelia/configuration.example.yml 
@@ -22,10 +22,10 @@ session:
 password: ${AUTHELIA_SESSION_REDIS_PASSWORD}
 database_index: 0
 cookies:
- # Using parent domain to allow proper cookie scope
- - domain: 'ts.net'
- authelia_url: 'https://tailscale-nas.ts.net'
- default_redirection_url: 'https://tailscale-nas.ts.net/home'
+ # Using your specific Tailscale domain (e.g. example.ts.net) not just ts.net
+ - domain: 'your-tailnet.ts.net'
+ authelia_url: 'https://tailscale-nas.your-tailnet.ts.net'
+ default_redirection_url: 'https://tailscale-nas.your-tailnet.ts.net/home'
 same_site: lax
 
 # Regulation (brute force protection)
@@ -56,8 +56,11 @@ authentication_backend:
 access_control:
 default_policy: deny
 rules:
- # This will match any Tailscale domain - using wildcard with domains is allowed in rules
- - domain: '*.ts.net'
+ # This will match any subdomain of your specific Tailscale domain
+ - domain: '*.your-tailnet.ts.net'
+ policy: one_factor
+ # Also match the main domain without subdomain
+ - domain: 'your-tailnet.ts.net'
 policy: one_factor
 
 # Notifier configuration
diff --git a/update-setup.sh b/update-setup.sh
index 73620dd..50a459f 100644
--- a/update-setup.sh
+++ b/update-setup.sh
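Review bot: The `cookies` comment in the first hunk tells the reader to use the specific tailnet domain but not why, and neither hunk says that `your-tailnet.ts.net` is a placeholder that `update-setup.sh` rewrites with `sed`, so someone hand-editing one occurrence will leave the other two rules on the placeholder while `default_policy: deny` keeps them from noticing which rule is wrong. Suggest replacing the cookie comment with `# ts.net is on the Public Suffix List, so browsers restrict cookies scoped to it and Authelia refuses it; use your own tailnet domain` and adding above the rules `# 'your-tailnet.ts.net' is a placeholder replaced by update-setup.sh; keep the cookie domain and these rules in sync`. The README hunk in this commit already carries the Public Suffix List rationale, so the example file should state the same one line rather than leaving the reader to find it elsewhere.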
@@ -233,22 +233,22 @@ update_authelia_config() {
 TAILSCALE_HOSTNAME=$(grep -o "TAILSCALE_HOSTNAME=.*" "$ENV_FILE" | cut -d'=' -f2 | tr -d '"' | tr -d "'")
 if [ -n "$TAILNET_DOMAIN" ] && [ -n "$TAILSCALE_HOSTNAME" ]; then
-# Extract the base domain (e.g., from "example.ts.net" get "ts.net")
-BASE_DOMAIN=$(echo "$TAILNET_DOMAIN" | grep -o '[^.]\+\.[^.]\+$')
+# Use the full Tailnet domain (e.g., "example.ts.net") for cookies
+# not just "ts.net" which is a public suffix and not allowed
 
-# Replace placeholders with actual values
-# For cookie domain, use the base domain (e.g., "ts.net" not "*.ts.net")
-sed -i "s/domain: 'ts.net'/domain: '$BASE_DOMAIN'/g" "$AUTHELIA_CONFIG"
+# Replace domain placeholder with actual Tailnet domain
+sed -i "s/domain: 'your-tailnet.ts.net'/domain: '$TAILNET_DOMAIN'/g" "$AUTHELIA_CONFIG"
 
-# For access control rules, wildcard pattern is allowed
-sed -i "s/domain: '\*.ts.net'/domain: '\*.$BASE_DOMAIN'/g" "$AUTHELIA_CONFIG"
+# For access control rules, update both wildcards and direct domain
+sed -i "s/domain: '\*.your-tailnet.ts.net'/domain: '\*.$TAILNET_DOMAIN'/g" "$AUTHELIA_CONFIG"
+sed -i "s/domain: 'your-tailnet.ts.net'/domain: '$TAILNET_DOMAIN'/g" "$AUTHELIA_CONFIG"
 # For URLs, use the full hostname
-sed -i "s/https:\/\/tailscale-nas.ts.net/https:\/\/$TAILSCALE_HOSTNAME.$TAILNET_DOMAIN/g" "$AUTHELIA_CONFIG"
+sed -i "s/https:\/\/tailscale-nas.your-tailnet.ts.net/https:\/\/$TAILSCALE_HOSTNAME.$TAILNET_DOMAIN/g" "$AUTHELIA_CONFIG"
 echo -e "${GREEN}Configured Authelia with your Tailscale domain:${NC}"
-echo -e "${CYAN} - Base domain for cookies: ${GREEN}$BASE_DOMAIN${NC}"
-echo -e "${CYAN} - Access control for: ${GREEN}*.$BASE_DOMAIN${NC}"
+echo -e "${CYAN} - Cookie domain: ${GREEN}$TAILNET_DOMAIN${NC}"
+echo -e "${CYAN} - Access control for: ${GREEN}*.$TAILNET_DOMAIN and $TAILNET_DOMAIN${NC}"
 echo -e "${CYAN} - Authelia URL: ${GREEN}https://$TAILSCALE_HOSTNAME.$TAILNET_DOMAIN${NC}"
 else
 echo -e "${YELLOW}Warning: Could not find both TAILSCALE_HOSTNAME and TAILSCALE_TAILNET_DOMAIN in .env${NC}"
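Review bot: `$TAILNET_DOMAIN` and `$TAILSCALE_HOSTNAME` come straight from `.env` and are spliced unescaped into the `sed` replacement strings, so a value containing `/`, `&` or `\` either aborts `sed -i` part-way through or writes something other than the intended domain into the Authelia config, and a bare public suffix such as `ts.net` (which the README hunk in this commit says Authelia refuses) passes the `-n` test unchanged and only fails at container start. A guard before the first `sed` would catch both, e.g. `[[ "$TAILNET_DOMAIN" =~ ^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+){2,}$ && "$TAILSCALE_HOSTNAME" =~ ^[A-Za-z0-9-]+$ ]] || { echo -e "${YELLOW}Invalid TAILNET_DOMAIN or TAILSCALE_HOSTNAME in .env${NC}" >&2; return 1; }`, with `return 1` adjusted to however `update_authelia_config` reports failure (its body starts before this hunk and the closing `fi` is after it). The third `sed`, `s/domain: 'your-tailnet.ts.net'/domain: '$TAILNET_DOMAIN'/g`, is byte-identical to the first, which already carries `/g` and so has rewritten the access-control rule as well; it is a no-op and the comment above it overstates what it does, so drop it and say in the first comment that the replacement covers both the cookie domain and the direct access-control rule.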