feat!: Use Authelia authentication to protect endpoints
- Uses Authelia as an authentication middleware and access control, with sensible policy - Redis as Authelia's backend for session data - Add https-proto middleware - Add/update example files
This commit is contained in:
140
authelia/configuration.example.yml
Normal file
140
authelia/configuration.example.yml
Normal file
@@ -0,0 +1,140 @@
|
||||
# Authelia Configuration File v4.38+
|
||||
# Documentation: https://www.authelia.com/configuration/
|
||||
|
||||
# Server settings
|
||||
server:
|
||||
address: 'tcp://0.0.0.0:9091'
|
||||
|
||||
# Logging configuration
|
||||
log:
|
||||
level: info
|
||||
format: text
|
||||
|
||||
# Session configuration for v4.38+
|
||||
session:
|
||||
name: authelia_session
|
||||
secret: ${AUTHELIA_SESSION_SECRET}
|
||||
expiration: 1h
|
||||
inactivity: 5m
|
||||
redis:
|
||||
host: redis
|
||||
port: 6379
|
||||
password: ${AUTHELIA_SESSION_REDIS_PASSWORD}
|
||||
database_index: 0
|
||||
cookies:
|
||||
# Using your specific Tailscale domain (e.g. example.ts.net) not just ts.net
|
||||
- domain: 'your-tailnet.ts.net'
|
||||
authelia_url: 'https://tailscale-nas.your-tailnet.ts.net'
|
||||
default_redirection_url: 'https://tailscale-nas.your-tailnet.ts.net/home'
|
||||
same_site: lax
|
||||
|
||||
# Regulation (brute force protection)
|
||||
regulation:
|
||||
max_retries: 3
|
||||
find_time: 2m
|
||||
ban_time: 5m
|
||||
|
||||
# Storage (for user preferences, etc. - encrypted using storage key)
|
||||
storage:
|
||||
encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
|
||||
local:
|
||||
path: /config/db.sqlite3
|
||||
|
||||
# Authentication backend (using file-based user database)
|
||||
authentication_backend:
|
||||
file:
|
||||
path: /config/users_database.yml
|
||||
password:
|
||||
algorithm: argon2id
|
||||
iterations: 1
|
||||
memory: 1024
|
||||
parallelism: 8
|
||||
salt_length: 16
|
||||
key_length: 32
|
||||
|
||||
# Access control rules
|
||||
access_control:
|
||||
default_policy: deny # Deny access by default
|
||||
rules:
|
||||
# Rules are processed in order. First match wins.
|
||||
# It's recommended to put more specific rules first.
|
||||
|
||||
# 1. Bypass rules (No authentication required)
|
||||
# Allow access to Authelia's own endpoints
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/auth.*' # Match /auth and anything after it
|
||||
policy: bypass
|
||||
# Allow access to the root path (will be redirected by Traefik later)
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path: '/'
|
||||
policy: bypass
|
||||
# Allow access to API endpoints (as requested, review security implications)
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/api.*' # Match /api and anything after it
|
||||
policy: bypass
|
||||
|
||||
# 2. One-Factor Authentication Rules (Requires login)
|
||||
# Add rules for each service you want to protect.
|
||||
# The domain should match your Tailscale domain.
|
||||
# The path should match the Traefik PathPrefix for the service.
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/sonarr.*'
|
||||
policy: one_factor
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/radarr.*'
|
||||
policy: one_factor
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/lidarr.*'
|
||||
policy: one_factor
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/bazarr.*'
|
||||
policy: one_factor
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/qbittorrent.*'
|
||||
policy: one_factor
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/sabnzbd.*'
|
||||
policy: one_factor
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/calibre.*'
|
||||
policy: one_factor
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/home.*' # Protect the homepage
|
||||
policy: one_factor
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/jellyseerr.*'
|
||||
policy: one_factor
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/prowlarr.*'
|
||||
policy: one_factor
|
||||
- domain: '*.your-tailnet.ts.net'
|
||||
path_regex: '^/flaresolverr.*'
|
||||
policy: one_factor
|
||||
# Add other services here following the pattern:
|
||||
# - domain: '*.your-tailnet.ts.net'
|
||||
# path_regex: '^/<service_path>.*'
|
||||
# policy: one_factor
|
||||
|
||||
# 3. Default rule for the domain (optional, if you want a catch-all)
|
||||
# This rule will apply if no path-specific rule above matches.
|
||||
# You might want to deny or require one_factor for unmatched paths.
|
||||
# Example: Deny any other path on the domain
|
||||
# - domain: '*.your-tailnet.ts.net'
|
||||
# policy: deny
|
||||
# Example: Require login for any other path
|
||||
# - domain: '*.your-tailnet.ts.net'
|
||||
# policy: one_factor
|
||||
|
||||
# Notifier configuration
|
||||
notifier:
|
||||
filesystem:
|
||||
filename: /config/notification.txt
|
||||
|
||||
# Identity Validation (includes JWT secret for password reset)
|
||||
identity_validation:
|
||||
reset_password:
|
||||
jwt_secret: ${AUTHELIA_JWT_SECRET}
|
||||
|
||||
# Identity Providers
|
||||
identity_providers:
|
||||
oidc: null
|
||||
Reference in New Issue
Block a user