fix(authelia): Adjust configuration for Tailscale domain handling and simplify session settings

authelia/configuration.yml

@@ -1,14 +1,14 @@
 # Authelia Configuration File v4.38+
 # Documentation: https://www.authelia.com/configuration/
 
-# Server settings using the new 'address' format
+# Server settings
 server:
-  address: 'tcp://0.0.0.0:9091' # Listen on all interfaces, port 9091
+  address: 'tcp://0.0.0.0:9091'
 
 # Logging configuration
 log:
   level: info
-  format: text # or json
+  format: text
 
 # Session configuration for v4.38+
 session:
@@ -22,10 +22,11 @@ session:
     password: ${AUTHELIA_SESSION_REDIS_PASSWORD}
     database_index: 0
   cookies:
-    # Use the wildcard domain pattern to match all subdomains
-    - domain: ${AUTHELIA_SESSION_DOMAIN}
-      authelia_url: ${AUTHELIA_DEFAULT_REDIRECTION_URL}
-      default_redirection_url: ${AUTHELIA_DEFAULT_REDIRECTION_URL}
+    # Using a wildcard domain pattern - works for Tailscale domains
+    - domain: '*.ts.net'
+      authelia_url: 'https://tailscale-nas.ts.net'
+      default_redirection_url: 'https://tailscale-nas.ts.net/home'
+      same_site: lax
 
 # Regulation (brute force protection)
 regulation:
@@ -44,19 +45,20 @@ authentication_backend:
   file:
     path: /config/users_database.yml
     password:
-      algorithm: argon2id # Recommended hashing algorithm
+      algorithm: argon2id
       iterations: 1
-      memory: 1024 # MiB
+      memory: 1024
       parallelism: 8
       salt_length: 16
       key_length: 32
 
 # Access control rules
 access_control:
-  default_policy: deny # Deny access by default
+  default_policy: deny
   rules:
-    - domain: ${AUTHELIA_SESSION_DOMAIN}
-      policy: one_factor # Requires username/password
+    # This will match any Tailscale domain
+    - domain: '*.ts.net'
+      policy: one_factor
 
 # Notifier configuration
 notifier:
@@ -70,4 +72,4 @@ identity_validation:
 
 # Identity Providers
 identity_providers:
-  oidc: null # Explicitly disable OIDC
+  oidc: null