Split authelia config so secrets aren't in repo

2025-11-23 13:25:07 -06:00
parent e417287103
commit 46344bf719
2 changed files with 59 additions and 9 deletions
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -6,7 +6,7 @@ authentication_backend:
  password_change:
    disable: false
  file:
-    path: '/config/users.yml'
+    path: '/data/users.yml'
    watch: false
    search:
      email: false
@@ -37,11 +37,16 @@ session:
      remember_me: '1d'
 notifier:
  disable_startup_check: false
-  filesystem:
-    filename: '/config/notification.txt'
+  # filesystem:
+  #   filename: '/data/notification.txt'
+  smtp:
+    address: 'smtp://mail:25'
+    sender: 'Authelia <auth@loadingm.xyz>'
+    disable_require_tls: true # Determine if this is needed
+    disable_starttls: true
 storage:
  local:
-    path: '/config/db.sqlite3'
+    path: '/data/db.sqlite3'
 access_control:
  default_policy: deny
  rules:
@@ -52,3 +57,48 @@ server:
    authz:
      auth-request:
        implementation: 'AuthRequest'
+identity_providers:
+  oidc:
+    # enable_client_debug_messages: false
+    # minimum_parameter_entropy: 8
+    # enforce_pkce: 'public_clients_only'
+    # enable_pkce_plain_challenge: false
+    # enable_jwt_access_token_stateless_introspection: false
+    # discovery_signed_response_alg: 'none'
+    # discovery_signed_response_key_id: ''
+    # require_pushed_authorization_requests: false
+    # authorization_policies:
+    #   policy_name:
+    #     default_policy: 'two_factor'
+    #     rules:
+    #       - policy: 'deny'
+    #         subject: 'group:services'
+    #         networks:
+    #           - '192.168.1.0/24'
+    #           - '192.168.2.51'
+    lifespans:
+      access_token: '1h'
+      authorize_code: '1m'
+      id_token: '1h'
+      refresh_token: '90m'
+    # claims_policies:
+    #   policy_name:
+    #     id_token: []
+    #     access_token: []
+    #     id_token_audience_mode: 'specification'
+    #     custom_claims:
+    #       claim_name:
+    #         name: 'claim_name'
+    #         attribute: 'attribute_name'
+    # scopes:
+    #   scope_name:
+    #     claims: []
+    # cors:
+    #   endpoints:
+    #     - 'authorization'
+    #     - 'token'
+    #     - 'revocation'
+    #     - 'introspection'
+    #   allowed_origins:
+    #     - 'https://example.com'
+    #   allowed_origins_from_client_redirect_uris: false
--- a/docker-compose.yaml
+++ b/docker-compose.yaml
@@ -3,13 +3,13 @@ include:
  - ./jellyfin-compose.yaml
 secrets:
  JWT_SECRET:
-    file: './authelia/secrets/JWT_SECRET'
+    file: '/data/authelia/secrets/JWT_SECRET'
  SESSION_SECRET:
-    file: './authelia/secrets/SESSION_SECRET'
+    file: '/data/authelia/secrets/SESSION_SECRET'
  STORAGE_PASSWORD:
-    file: './authelia/secrets/STORAGE_PASSWORD'
+    file: '/data/authelia/secrets/STORAGE_PASSWORD'
  STORAGE_ENCRYPTION_KEY:
-    file: './authelia/secrets/STORAGE_ENCRYPTION_KEY'
+    file: '/data/authelia/secrets/STORAGE_ENCRYPTION_KEY'
 volumes:
  meilisearch:
  karakeep:
@@ -93,7 +93,7 @@ services:
      AUTHELIA_SESSION_SECRET_FILE: '/run/secrets/SESSION_SECRET'
      AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: '/run/secrets/STORAGE_ENCRYPTION_KEY'
    volumes:
-      - './authelia/:/config'
+      - './authelia/:/config:ro'
      - '/data/authelia/:/data'
    logging: *logging
  minecraft: