fix(authelia): Adjust configuration for Tailscale domain handling and simplify session settings

2025-04-26 00:18:57 +08:00 · 2025-04-26 00:18:57 +08:00 · 6b1a8b7d45
commit 6b1a8b7d45
parent 09b20f71fc
2 changed files with 18 additions and 18 deletions
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@ -1,14 +1,14 @@
 # Authelia Configuration File v4.38+
 # Documentation: https://www.authelia.com/configuration/

-# Server settings using the new 'address' format
+# Server settings
 server:
-  address: 'tcp://0.0.0.0:9091' # Listen on all interfaces, port 9091
+  address: 'tcp://0.0.0.0:9091'

 # Logging configuration
 log:
  level: info
-  format: text # or json
+  format: text

 # Session configuration for v4.38+
 session:
@ -22,10 +22,11 @@ session:
    password: ${AUTHELIA_SESSION_REDIS_PASSWORD}
    database_index: 0
  cookies:
-    # Use the wildcard domain pattern to match all subdomains
-    - domain: ${AUTHELIA_SESSION_DOMAIN}
-      authelia_url: ${AUTHELIA_DEFAULT_REDIRECTION_URL}
-      default_redirection_url: ${AUTHELIA_DEFAULT_REDIRECTION_URL}
+    # Using a wildcard domain pattern - works for Tailscale domains
+    - domain: '*.ts.net'
+      authelia_url: 'https://tailscale-nas.ts.net'
+      default_redirection_url: 'https://tailscale-nas.ts.net/home'
+      same_site: lax

 # Regulation (brute force protection)
 regulation:
@ -44,19 +45,20 @@ authentication_backend:
  file:
    path: /config/users_database.yml
    password:
-      algorithm: argon2id # Recommended hashing algorithm
+      algorithm: argon2id
      iterations: 1
-      memory: 1024 # MiB
+      memory: 1024
      parallelism: 8
      salt_length: 16
      key_length: 32

 # Access control rules
 access_control:
-  default_policy: deny # Deny access by default
+  default_policy: deny
  rules:
-    - domain: ${AUTHELIA_SESSION_DOMAIN}
-      policy: one_factor # Requires username/password
+    # This will match any Tailscale domain
+    - domain: '*.ts.net'
+      policy: one_factor

 # Notifier configuration
 notifier:
@ -70,4 +72,4 @@ identity_validation:

 # Identity Providers
 identity_providers:
-  oidc: null # Explicitly disable OIDC
+  oidc: null
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -47,16 +47,14 @@ services:
    volumes:
      - ${CONFIG_ROOT:-.}/authelia:/config:Z
    environment:
-      # Core secrets and keys
+      # Core secrets
      - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
      - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
      - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
      - AUTHELIA_SESSION_REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
+      # Only environment variable needed for identity validation
      - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET=${AUTHELIA_JWT_SECRET}
-      # Domain settings extracted from APP_HOSTNAME
-      - AUTHELIA_SESSION_DOMAIN=${APP_HOSTNAME}
-      - AUTHELIA_SERVER_DOMAIN=${APP_HOSTNAME}
-      - AUTHELIA_DEFAULT_REDIRECTION_URL=https://${APP_HOSTNAME}/home
+      # Timezone
      - TZ=${TIMEZONE}
    labels:
      - traefik.enable=true