From 6b1a8b7d459f5fb7b9b1013d8279866a5667c5c6 Mon Sep 17 00:00:00 2001
From: aki
Date: Sat, 26 Apr 2025 00:18:57 +0800
Subject: [PATCH] fix(authelia): Adjust configuration for Tailscale domain handling and simplify session settings

---
authelia/configuration.yml | 28 +++++++++++++++-------------
docker-compose.yml | 8 +++-----
2 files changed, 18 insertions(+), 18 deletions(-)

diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index 114ca24..46e85f1 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -1,14 +1,14 @@
# Authelia Configuration File v4.38+
# Documentation: https://www.authelia.com/configuration/

-# Server settings using the new 'address' format
+# Server settings
server:
- address: 'tcp://0.0.0.0:9091' # Listen on all interfaces, port 9091
+ address: 'tcp://0.0.0.0:9091'

# Logging configuration
log:
level: info
- format: text # or json
+ format: text

# Session configuration for v4.38+
session:
@@ -22,10 +22,11 @@ session:
password: ${AUTHELIA_SESSION_REDIS_PASSWORD}
database_index: 0
cookies:
- # Use the wildcard domain pattern to match all subdomains
- - domain: ${AUTHELIA_SESSION_DOMAIN}
- authelia_url: ${AUTHELIA_DEFAULT_REDIRECTION_URL}
- default_redirection_url: ${AUTHELIA_DEFAULT_REDIRECTION_URL}
+ # Using a wildcard domain pattern - works for Tailscale domains
+ - domain: '*.ts.net'
+ authelia_url: 'https://tailscale-nas.ts.net'
+ default_redirection_url: 'https://tailscale-nas.ts.net/home'
+ same_site: lax

# Regulation (brute force protection)
regulation:
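Review bot: `domain: '*.ts.net'` in the session cookie block is not a usable cookie domain: Authelia's `session.cookies[].domain` is the literal domain the cookie is scoped to rather than a glob (as far as I know its startup validation rejects a leading `*.`), and `ts.net` itself is on the Public Suffix List, so browsers would refuse a cookie scoped to it even if the config loaded; were it ever honoured, the session cookie would be sent to every `*.ts.net` host, including machines outside this tailnet. MagicDNS names take the form `<machine>.<tailnet>.ts.net`, so the cookie domain should be the tailnet's own parent that `authelia_url`, `default_redirection_url` and the protected hosts share, e.g. `domain: '<tailnet>.ts.net'` with `authelia_url: 'https://tailscale-nas.<tailnet>.ts.net'` (`<tailnet>` is a placeholder for the real tailnet name). The same `'*.ts.net'` literal is used in the access_control rule in the following hunk, where a wildcard is valid syntax but equally broad; scoping it to the same tailnet domain keeps the two consistent. The enclosing `session:` mapping starts before this hunk.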
@@ -44,19 +45,20 @@ authentication_backend: file: path: /config/users_database.yml password: - algorithm: argon2id # Recommended hashing algorithm + algorithm: argon2id iterations: 1 - memory: 1024 # MiB + memory: 1024 parallelism: 8 salt_length: 16 key_length: 32 # Access control rules access_control: - default_policy: deny # Deny access by default + default_policy: deny rules: - - domain: ${AUTHELIA_SESSION_DOMAIN} - policy: one_factor # Requires username/password + # This will match any Tailscale domain + - domain: '*.ts.net' + policy: one_factor # Notifier configuration notifier: @@ -70,4 +72,4 @@ identity_validation: # Identity Providers identity_providers: - oidc: null # Explicitly disable OIDC + oidc: null diff --git a/docker-compose.yml b/docker-compose.yml index 4d56e47..5155a6a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -47,16 +47,14 @@ services: volumes: - ${CONFIG_ROOT:-.}/authelia:/config:Z environment: - # Core secrets and keys + # Core secrets - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET} - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET} - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY} - AUTHELIA_SESSION_REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD} + # Only environment variable needed for identity validation - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET=${AUTHELIA_JWT_SECRET} - # Domain settings extracted from APP_HOSTNAME - - AUTHELIA_SESSION_DOMAIN=${APP_HOSTNAME} - - AUTHELIA_SERVER_DOMAIN=${APP_HOSTNAME} - - AUTHELIA_DEFAULT_REDIRECTION_URL=https://${APP_HOSTNAME}/home + # Timezone - TZ=${TIMEZONE} labels: - traefik.enable=true
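Review bot: Dropping the `# MiB` comment on `memory: 1024` removes the unit, which in this flat `algorithm: argon2id` form is not self-evident from the value; keep it as `memory: 1024  # MiB` (two spaces before the inline comment), as the removed comment stated. The other removed comments are redundant with the keys themselves, but the rule block's new comment could say what the wildcard means for policy, e.g. `# Matches every .ts.net name reaching this proxy; default_policy: deny covers everything else`. The enclosing `authentication_backend:` mapping starts before this hunk.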
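Review bot: Removing `AUTHELIA_SESSION_DOMAIN`, `AUTHELIA_SERVER_DOMAIN` and `AUTHELIA_DEFAULT_REDIRECTION_URL` means `APP_HOSTNAME` no longer drives any Authelia setting while authelia/configuration.yml now hard-codes `tailscale-nas.ts.net`; nothing in the patch shows what consumed `AUTHELIA_SERVER_DOMAIN`, and if the Traefik labels below (only `traefik.enable=true` is inside the hunk) still derive the router host from `APP_HOSTNAME`, the proxy hostname and the hard-coded cookie domain can silently diverge. Either keep the indirection, e.g. `- AUTHELIA_SESSION_DOMAIN=${APP_HOSTNAME}` with the config reading it again, or add a comment next to `# Timezone` stating that `APP_HOSTNAME` must match the hostname hard-coded in authelia/configuration.yml. The new `# Only environment variable needed for identity validation` comment also reads oddly where it sits, after the Redis password line; `# Identity validation (reuses the JWT secret)` describes the next line more accurately.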