From 46344bf719613d68af89a4bd993b2521842b789a Mon Sep 17 00:00:00 2001
From: Matthew Pomes
Date: Sun, 23 Nov 2025 13:25:07 -0600
Subject: [PATCH] Split authelia config so secrets aren't in repo

---
 authelia/configuration.yml | 58 +++++++++++++++++++++++++++++++++++---
 docker-compose.yaml        | 10 +++----
 2 files changed, 59 insertions(+), 9 deletions(-)

diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index b2326e7..5d0c908 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -6,7 +6,7 @@ authentication_backend:
   password_change:
     disable: false
   file:
-    path: '/config/users.yml'
+    path: '/data/users.yml'
     watch: false
     search:
       email: false
@@ -37,11 +37,16 @@ session:
   remember_me: '1d'
 notifier:
   disable_startup_check: false
-  filesystem:
-    filename: '/config/notification.txt'
+  # filesystem:
+  #   filename: '/data/notification.txt'
+  smtp:
+    address: 'smtp://mail:25'
+    sender: 'Authelia '
+    disable_require_tls: true # Determine if this is needed
+    disable_starttls: true
 storage:
   local:
-    path: '/config/db.sqlite3'
+    path: '/data/db.sqlite3'
 access_control:
   default_policy: deny
   rules:
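Review bot: `/data/users.yml` becomes the only location Authelia can write the credential database to once `/config` is mounted read-only (see the docker-compose hunk), which `password_change.disable: false` requires, but this hunk does not show what happens to the old `./authelia/users.yml` that the removed path pointed at. If that file was ever tracked, deleting it from the repo and ignoring the path is part of this commit's stated goal, since it holds the password hashes. With `watch: false` an edit to the file on the host is also not picked up until restart, so a short comment such as `# users.yml lives in the writable /data mount so password changes persist` would make the move self-explanatory.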
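Review bot: `disable_require_tls: true` together with `disable_starttls: true` makes Authelia deliver its one-time identity-verification and password-reset links to `smtp://mail:25` in cleartext, so the `# Determine if this is needed` marker should be resolved before this lands rather than committed as a question. If `mail` is reachable only on the compose-internal network, record that next to the option, e.g. `# plaintext SMTP is accepted only because mail is internal to the compose network`; otherwise drop `disable_require_tls` and let the relay present a certificate. The `sender` value appears here as `'Authelia '`, which may be the page stripping an angle-bracketed address; if the file really carries no address Authelia will reject it, since the sender must be an RFC 5322 mailbox. The old `filesystem` notifier is kept as a comment pointing at `/data/notification.txt`, which is fine as a fallback but should not be read as still active.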
@@ -52,3 +57,48 @@ server:
     authz:
       auth-request:
         implementation: 'AuthRequest'
+identity_providers:
+  oidc:
+    # enable_client_debug_messages: false
+    # minimum_parameter_entropy: 8
+    # enforce_pkce: 'public_clients_only'
+    # enable_pkce_plain_challenge: false
+    # enable_jwt_access_token_stateless_introspection: false
+    # discovery_signed_response_alg: 'none'
+    # discovery_signed_response_key_id: ''
+    # require_pushed_authorization_requests: false
+    # authorization_policies:
+    #   policy_name:
+    #     default_policy: 'two_factor'
+    #     rules:
+    #       - policy: 'deny'
+    #         subject: 'group:services'
+    #         networks:
+    #           - '192.168.1.0/24'
+    #           - '192.168.2.51'
+    lifespans:
+      access_token: '1h'
+      authorize_code: '1m'
+      id_token: '1h'
+      refresh_token: '90m'
+    # claims_policies:
+    #   policy_name:
+    #     id_token: []
+    #     access_token: []
+    #     id_token_audience_mode: 'specification'
+    #     custom_claims:
+    #       claim_name:
+    #         name: 'claim_name'
+    #         attribute: 'attribute_name'
+    # scopes:
+    #   scope_name:
+    #     claims: []
+    # cors:
+    #   endpoints:
+    #     - 'authorization'
+    #     - 'token'
+    #     - 'revocation'
+    #     - 'introspection'
+    #   allowed_origins:
+    #     - 'https://example.com'
+    #   allowed_origins_from_client_redirect_uris: false
diff --git a/docker-compose.yaml b/docker-compose.yaml
index fc83964..024128d 100644
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -3,13 +3,13 @@ include:
   - ./jellyfin-compose.yaml
 secrets:
   JWT_SECRET:
-    file: './authelia/secrets/JWT_SECRET'
+    file: '/data/authelia/secrets/JWT_SECRET'
   SESSION_SECRET:
-    file: './authelia/secrets/SESSION_SECRET'
+    file: '/data/authelia/secrets/SESSION_SECRET'
   STORAGE_PASSWORD:
-    file: './authelia/secrets/STORAGE_PASSWORD'
+    file: '/data/authelia/secrets/STORAGE_PASSWORD'
   STORAGE_ENCRYPTION_KEY:
-    file: './authelia/secrets/STORAGE_ENCRYPTION_KEY'
+    file: '/data/authelia/secrets/STORAGE_ENCRYPTION_KEY'
 volumes:
   meilisearch:
   karakeep:
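Review bot: The `oidc` section is switched on with only `lifespans` set, while the material that actually makes it a provider — the issuer signing key (`jwks`), `hmac_secret` and the `clients` list — is absent from this hunk, presumably supplied through the split-off, untracked configuration that the commit title refers to; a one-line comment recording that, e.g. `# jwks, hmac_secret and clients are provided outside the repo`, would save the next reader a search. As far as I know Authelia's validator rejects an `oidc` section with no clients configured, so if they are not in the other file startup will fail rather than silently run open, which is worth confirming once. The forty-odd commented-out template lines carry no configuration and make the tracked file noisier to diff; keeping only the options actually set, plus any you intend to revisit such as `enforce_pkce`, would be cleaner.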
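Review bot: Repointing the compose `secrets` at `/data/authelia/secrets/*` takes the files out of the working tree, but if `./authelia/secrets/*` were ever committed they remain in git history, so the commit's goal is only met if each value is also rotated. `JWT_SECRET` and `SESSION_SECRET` can simply be regenerated (existing sessions are invalidated), whereas `STORAGE_ENCRYPTION_KEY` encrypts data already in `db.sqlite3` and has to be changed through Authelia's storage encryption key-change command rather than by replacing the file. It is also worth checking that the files under the new host path are owned by the account Authelia runs as and are not group- or world-readable, since `/data/authelia` is a shared host directory rather than a repo-local one.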
@@ -93,7 +93,7 @@ services:
       AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
       AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
     volumes:
-      - './authelia/:/config'
+      - './authelia/:/config:ro'
       - '/data/authelia/:/data'
     logging: *logging
   minecraft:
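Review bot: Mounting `./authelia/` as `/config:ro` is the right hardening step, but everything Authelia previously wrote under `/config` — `users.yml`, `db.sqlite3`, `notification.txt` — has to already exist under `/data/authelia/` on the host before the restart, because the path changes in `configuration.yml` relocate references, not data; a comment on the mount such as `# /config is read-only: all writable state lives in /data` would make the split explicit. Note also that `/data/authelia/secrets/` (from the compose `secrets` hunk) sits inside this `/data` mount, so the secret files are visible in the container at `/data/secrets/` as well as `/run/secrets/`; harmless for a single service, but a sibling directory outside the mount would keep the two paths distinct. The `environment:` mapping these context lines belong to begins outside the hunk.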