fix(authelia): Update configuration for v4.38+ with required variables and improved domain handling

.env.example

@@ -63,10 +63,11 @@ HOMEPAGE_VAR_WEATHER_UNIT=metric
 
 # --- Authelia Settings ---
 # Generate strong random secrets for these using tools like `openssl rand -hex 32`
-AUTHELIA_JWT_SECRET= # Used for password reset functionality (also mapped to AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET in 4.38+)
+# These are all REQUIRED for Authelia to function properly
-AUTHELIA_SESSION_SECRET= # Secret for session cookies
+AUTHELIA_JWT_SECRET= # Secret used for JWT tokens (password reset, etc)
-AUTHELIA_STORAGE_ENCRYPTION_KEY= # For encrypting stored data
+AUTHELIA_SESSION_SECRET= # Secret for encrypting session cookies
-AUTHELIA_REDIS_PASSWORD= # Used as AUTHELIA_SESSION_REDIS_PASSWORD in 4.38+
+AUTHELIA_STORAGE_ENCRYPTION_KEY= # Secret for encrypting stored data
+AUTHELIA_REDIS_PASSWORD= # Password for Redis session storage
 
 # Note: The following variables are no longer needed with Authelia 4.38+ and the updated configuration
 # They are preserved for backward compatibility but will be automatically mapped to the new structure

README.md

@@ -27,7 +27,7 @@ The core idea is to manage media libraries (movies, TV shows, music), automate d
   - [Optional Services](#optional-services)
   - [Troubleshooting](#troubleshooting)
     - [SELinux Socket Permissions (Docker)](#selinux-socket-permissions-docker)
-    - [Authelia v4.38+ Compatibility](#authelia-v438-compatibility)
+    - [Authelia v4.38+ Configuration](#authelia-v438-configuration)
     - [Tailscale Issues](#tailscale-issues)
     - [File Permissions](#file-permissions)
   - [Advanced Topics](#advanced-topics)
@@ -351,22 +351,28 @@ If you are running Docker on a host with SELinux enabled (like Fedora, CentOS, R
     ```
     This allows the specific actions that were being denied. You might need to repeat this if different denials appear after applying the first policy.
 
-### Authelia v4.38+ Compatibility
+### Authelia v4.38+ Configuration
 
-If you see errors like these in your Authelia logs:
+Authelia v4.38+ introduces significant changes to its configuration structure, particularly for session domains and authentication flows. This Docker Compose template has been updated to support these changes, making it easier to set up:
-```
-Configuration: configuration key not expected: session.domains
-Configuration: configuration key not expected: session.domains[].default_redirection_url
-Configuration: configuration key not expected: session.domains[].domain
-Can't continue due to the errors loading the configuration
-```
 
-This is likely due to Authelia v4.38+ changing the session domain configuration format. The stack has been updated to use the new `cookies` configuration structure:
+1. **Centralized Configuration**: All required Authelia settings are defined in the `.env` file - you don't need to manually edit the Authelia YAML configuration.
-- Updated `authelia/configuration.yml` with new session cookies structure
-- Environment variables in Docker Compose are remapped to the new format
-- Old environment variables like `AUTHELIA_DEFAULT_REDIRECT_URL` are no longer directly used
 
-**Fix:** Update your `authelia/configuration.yml` with the latest version from the repository. See the configuration file for the current correct format.
+2. **Domain Handling**: The system now uses wildcard domain matching (`*.ts.net`) to handle Tailscale domains, eliminating environment variable expansion issues that could cause errors like:
+   ```
+   error decoding 'session.cookies[0].authelia_url': could not decode 'https://${APP_HOSTNAME}'
+   ```
+
+3. **Required Variables**: You only need to set these variables in your `.env` file:
+   - `AUTHELIA_JWT_SECRET`: For password reset tokens
+   - `AUTHELIA_SESSION_SECRET`: For session cookie encryption
+   - `AUTHELIA_STORAGE_ENCRYPTION_KEY`: For database encryption
+   - `AUTHELIA_REDIS_PASSWORD`: For Redis authentication
+
+   Generate these with: `openssl rand -hex 32`
+
+4. **Domain Configuration**: Your Tailscale domain is automatically set using `APP_HOSTNAME=${TAILSCALE_HOSTNAME}.${TAILSCALE_TAILNET_DOMAIN}` in the `.env` file.
+
+If you still encounter issues, make sure your `TAILSCALE_TAILNET_DOMAIN` ends with `.ts.net` for proper domain matching, or edit `authelia/configuration.yml` to match your specific domain pattern.
 
 ### Tailscale Issues
 

authelia/configuration.yml

@@ -3,8 +3,6 @@
 
 # Server settings using the new 'address' format
 server:
-  # host: 0.0.0.0 # Deprecated
-  # port: 9091 # Deprecated
   address: 'tcp://0.0.0.0:9091' # Listen on all interfaces, port 9091
 
 # Logging configuration
@@ -16,19 +14,18 @@ log:
 session:
   name: authelia_session
   secret: ${AUTHELIA_SESSION_SECRET}
-  expiration: 1h # Adjust as needed
+  expiration: 1h
-  inactivity: 5m # Adjust as needed
+  inactivity: 5m
-  # domain: ${AUTHELIA_SESSION_DOMAIN} # Deprecated top-level domain
   redis:
     host: redis
     port: 6379
-    # Set password directly here instead of relying on potentially problematic env var
+    password: ${AUTHELIA_SESSION_REDIS_PASSWORD}
-    password: ${AUTHELIA_REDIS_PASSWORD}
     database_index: 0
   cookies:
-    - domain: ${APP_HOSTNAME}
+    # Use the wildcard domain pattern to match all subdomains
-      authelia_url: https://${APP_HOSTNAME}
+    - domain: ${AUTHELIA_SESSION_DOMAIN}
-      default_redirection_url: https://${APP_HOSTNAME}/home
+      authelia_url: ${AUTHELIA_DEFAULT_REDIRECTION_URL}
+      default_redirection_url: ${AUTHELIA_DEFAULT_REDIRECTION_URL}
 
 # Regulation (brute force protection)
 regulation:
@@ -37,7 +34,6 @@ regulation:
   ban_time: 5m
 
 # Storage (for user preferences, etc. - encrypted using storage key)
-# Using SQLite as defined. Ensure Redis above is only for session state.
 storage:
   encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
   local:
@@ -59,36 +55,19 @@ authentication_backend:
 access_control:
   default_policy: deny # Deny access by default
   rules:
-    # Rule to allow authenticated users access to the domain
+    - domain: ${AUTHELIA_SESSION_DOMAIN}
-    # Use the renamed variable APP_HOSTNAME here as well
-    - domain: ${APP_HOSTNAME}
       policy: one_factor # Requires username/password
 
-# Notifier configuration (Required since v4.38+)
+# Notifier configuration
-# Added basic filesystem notifier to satisfy the requirement.
-# Configure SMTP if you need email notifications (e.g., password reset).
 notifier:
   filesystem:
     filename: /config/notification.txt
-  # smtp:
-  #   address: smtp.example.com:587
-  #   username: user@example.com
-  #   password: password # Consider using secrets
-  #   sender: Authelia <authelia@example.com>
-  #   subject: "[Authelia] {title}"
-  #   startup_check_address: test@authelia.com
 
-# Identity Validation (includes JWT secret for password reset, moved from top level)
+# Identity Validation (includes JWT secret for password reset)
 identity_validation:
   reset_password:
-    jwt_secret: ${AUTHELIA_JWT_SECRET} # Moved from top level
+    jwt_secret: ${AUTHELIA_JWT_SECRET}
 
-# Identity Providers (None configured for this setup)
+# Identity Providers
 identity_providers:
   oidc: null # Explicitly disable OIDC
-
-# Enable registration (requires manual approval by editing users_database.yml)
-# Set 'enable: true' to allow users to register.
-# They will be added to users_database.yml commented out or with disabled: true.
-# registration:
-#   enable: false # Set to true to enable registration form

docker-compose.yml

@@ -46,11 +46,16 @@ services:
     volumes:
       - ${CONFIG_ROOT:-.}/authelia:/config:Z
     environment:
+      # Core secrets and keys
       - AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
       - AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
       - AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
-      - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET=${AUTHELIA_JWT_SECRET}
       - AUTHELIA_SESSION_REDIS_PASSWORD=${AUTHELIA_REDIS_PASSWORD}
+      - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET=${AUTHELIA_JWT_SECRET}
+      # Domain settings extracted from APP_HOSTNAME
+      - AUTHELIA_SESSION_DOMAIN=${APP_HOSTNAME}
+      - AUTHELIA_SERVER_DOMAIN=${APP_HOSTNAME}
+      - AUTHELIA_DEFAULT_REDIRECTION_URL=https://${APP_HOSTNAME}/home
       - TZ=${TIMEZONE}
     labels:
       - traefik.enable=true
@@ -63,11 +68,11 @@ services:
       - traefik.http.middlewares.authelia-auth.forwardAuth.address=http://authelia:9091/api/verify?rd=https://${APP_HOSTNAME}/
       - traefik.http.middlewares.authelia-auth.forwardAuth.trustForwardHeader=true
       - traefik.http.middlewares.authelia-auth.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email
-      # Homepage labels for Authelia itself (optional, but can be nice)
+      # Homepage labels for Authelia itself
       - homepage.group=Security
       - homepage.name=Authelia
-      - homepage.icon=authelia.png # You might need to add this icon
+      - homepage.icon=authelia.png
-      - homepage.href=https://${APP_HOSTNAME}/ # Link to the login portal
+      - homepage.href=https://${APP_HOSTNAME}/
       - homepage.description=Authentication Portal
   sonarr:
     image: lscr.io/linuxserver/sonarr