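---
# Authelia Configuration File v4.38+
# Documentation: https://www.authelia.com/configuration/
#
# Secrets are written as ${VAR} placeholders. Authelia does not expand them on
# its own: the expand-env configuration filter (X_AUTHELIA_CONFIG_FILTERS) must
# be enabled, otherwise the literal placeholder text becomes the secret.
# NOTE(review): confirm the filter is set in the container environment, or
# supply the secrets through Authelia's *_FILE secret environment variables.
# The placeholders are quoted so that an empty expansion yields "" rather than
# a YAML null.

# Server settings
server:
  address: 'tcp://0.0.0.0:9091'

# Logging configuration
log:
  level: 'info'
  format: 'text'

# Session configuration for v4.38+
session:
  name: 'authelia_session'
  secret: '${AUTHELIA_SESSION_SECRET}'
  expiration: '1h'
  inactivity: '5m'
  redis:
    host: 'redis'
    port: 6379
    password: '${AUTHELIA_SESSION_REDIS_PASSWORD}'
    database_index: 0
  cookies:
    # Use your specific Tailscale domain (e.g. example.ts.net), not the shared ts.net suffix
    - domain: 'your-tailnet.ts.net'
      authelia_url: 'https://tailscale-nas.your-tailnet.ts.net'
      default_redirection_url: 'https://tailscale-nas.your-tailnet.ts.net/home'
      same_site: 'lax'

# Regulation (brute force protection)
regulation:
  max_retries: 3
  find_time: '2m'
  ban_time: '5m'

# Storage (for user preferences, etc. - encrypted using storage key)
storage:
  encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
  local:
    path: '/config/db.sqlite3'

# Authentication backend (using file-based user database)
authentication_backend:
  file:
    path: '/config/users_database.yml'
    # Legacy flat argon2id form kept as written. NOTE(review): v4.38 documents
    # `algorithm: argon2` with an `argon2:` sub-block; confirm these legacy keys
    # are still accepted and which unit `memory` is read in before relying on
    # these hashing parameters.
    password:
      algorithm: 'argon2id'
      iterations: 1
      memory: 1024
      parallelism: 8
      salt_length: 16
      key_length: 32

# Access control rules
access_control:
  default_policy: 'deny'  # Deny access by default
  rules:
    # Rules are processed in order. First match wins.
    # It's recommended to put more specific rules first.
    #
    # Path matching is expressed with `resources`, a list of regular
    # expressions matched against the request path. (`path` / `path_regex`
    # are not Authelia rule keys and are rejected by its strict config
    # validation.)

    # 1. Bypass rules (No authentication required)
    # Allow access to Authelia's own endpoints.
    # NOTE(review): '^/auth.*' is a bare prefix match, so it also bypasses
    # e.g. '/authors'; consider a path-boundary pattern such as
    # '^/auth(/.*)?$' once confirmed against the Traefik routing.
    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/auth.*'  # Match /auth and anything after it
      policy: 'bypass'

    # Allow access to the root path (will be redirected by Traefik later)
    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/$'
      policy: 'bypass'

    # Allow access to API endpoints (as requested, review security implications).
    # This exposes every backend reachable under /api on any host of the
    # tailnet without Authelia authentication; only the backend's own
    # API-key/login checks remain. Same prefix-overmatch caveat as above.
    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/api.*'  # Match /api and anything after it
      policy: 'bypass'

    # 2. One-Factor Authentication Rules (Requires login)
    # Add rules for each service you want to protect.
    # The domain should match your Tailscale domain.
    # The path should match the Traefik PathPrefix for the service.
    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/sonarr.*'
      policy: 'one_factor'

    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/radarr.*'
      policy: 'one_factor'

    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/lidarr.*'
      policy: 'one_factor'

    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/bazarr.*'
      policy: 'one_factor'

    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/qbittorrent.*'
      policy: 'one_factor'

    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/sabnzbd.*'
      policy: 'one_factor'

    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/calibre.*'
      policy: 'one_factor'

    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/home.*'  # Protect the homepage
      policy: 'one_factor'

    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/jellyseerr.*'
      policy: 'one_factor'

    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/prowlarr.*'
      policy: 'one_factor'

    - domain: '*.your-tailnet.ts.net'
      resources:
        - '^/flaresolverr.*'
      policy: 'one_factor'

    # Add other services here following the pattern:
    # - domain: '*.your-tailnet.ts.net'
    #   resources:
    #     - '^/<service>.*'
    #   policy: 'one_factor'

    # 3. Default rule for the domain (optional, if you want a catch-all)
    # This rule will apply if no path-specific rule above matches.
    # With default_policy 'deny', unmatched paths are already denied; add a
    # catch-all only if you want a different outcome.
    # Example: Deny any other path on the domain
    # - domain: '*.your-tailnet.ts.net'
    #   policy: 'deny'
    # Example: Require login for any other path
    # - domain: '*.your-tailnet.ts.net'
    #   policy: 'one_factor'

# Notifier configuration
notifier:
  filesystem:
    filename: '/config/notification.txt'

# Identity Validation (includes JWT secret for password reset)
identity_validation:
  reset_password:
    jwt_secret: '${AUTHELIA_JWT_SECRET}'

# Identity Providers (OIDC not configured)
identity_providers:
  oidc: null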