Authelia setup
Mostly adapted from this video and the files provided with it: https://www.youtube.com/watch?v=4UKOh3ssQSU
  2.  
The video is a tad dated but very informative; see the comments and the follow-up video as well.
  4.  
  5. ===============
  6. compose:
This can definitely be cleaned up a bit, but oh well.
- "caddy" referenced here is just the Docker network most of my services use; it probably should've been called caddy_net or something better, but oh well.
- I ran into a funky issue where Authelia was "working" but throwing a ton of errors and occasional 502s. It turned out my previous venture with Authentik had left some Redis files lying around; cleaning out any leftover config folders and running "docker system prune -a" resolved that issue. That's also why the db and redis containers are named the way they are — I can probably change those back, but whatever.
  10. ===============
  11. services:
  12. app:
  13. container_name: authelia
  14. image: authelia/authelia:latest
  15. restart: unless-stopped
  16. depends_on:
  17. - auth_db
  18. - auth_redis
  19. volumes:
  20. - ./config:/config
  21. environment:
  22. AUTHELIA_JWT_SECRET_FILE: /config/secrets/JWT_SECRET
  23. AUTHELIA_SESSION_SECRET_FILE: /config/secrets/SESSION_SECRET
  24. AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE: /config/secrets/SMTP_PASSWORD
  25. AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE: /config/secrets/STORAGE_ENCRYPTION_KEY
  26. AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE: /config/secrets/STORAGE_PASSWORD
  27. AUTHELIA_SESSION_REDIS_PASSWORD_FILE: /config/secrets/REDIS_PASSWORD
  28. AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE: /config/secrets/HMAC_SECRET
  29. networks:
  30. - caddy
  31. auth_db:
  32. image: docker.io/library/postgres:16-alpine
  33. restart: unless-stopped
  34. volumes:
  35. - ./postgres:/var/lib/postgresql/data
  36. environment:
  37. POSTGRES_USER: authelia
  38. POSTGRES_PASSWORD: POSTGRES_PASSWORD_GOES_HERE
  39. networks:
  40. - caddy
  41. auth_redis:
  42. image: docker.io/library/redis:alpine
  43. restart: unless-stopped
  44. command: redis-server --save 60 1 --loglevel warning --requirepass
  45. REDIS_PASSWORD_GOES_HERE
  46. volumes:
  47. - ./redis:/data
  48. networks:
  49. - caddy
  50. networks:
  51. caddy:
  52. external: true
  53.  
  54. =====================================================
  55. config:
  56.  
  57. # Miscellaneous https://www.authelia.com/configuration/miscellaneous/introduction/
  58. # Set also AUTHELIA_JWT_SECRET_FILE
  59. theme: dark
  60. default_2fa_method: totp
  61.  
  62. # First Factor https://www.authelia.com/configuration/first-factor/file/
  63. authentication_backend:
  64. file:
  65. path: /config/users_database.yml
  66.  
  67. # Second Factor https://www.authelia.com/configuration/second-factor/introduction/
  68. totp:
  69. issuer: 'example.com'
  70. algorithm: 'sha1'
  71. digits: 6
  72. period: 30
  73. skew: 1
  74. secret_size: 32
  75. allowed_algorithms:
  76. - 'SHA1'
  77. allowed_digits:
  78. - 6
  79. allowed_periods:
  80. - 30
  81. disable_reuse_security_policy: false
  82.  
  83. webauthn:
  84. disable: true
  85.  
  86. # Security https://www.authelia.com/configuration/security/access-control/
  87. # Set all your subdomain rules here. You can also do global if you want, check the docs
  88. access_control:
  89. default_policy: 'deny'
  90. rules:
  91. - domain: 'sub.example.com'
  92. policy: 'two_factor'
  93.  
  94. # Session https://www.authelia.com/configuration/session/introduction/
  95. # Set also AUTHELIA_SESSION_SECRET_FILE
  96. session:
  97. cookies:
  98. - domain: 'example.com'
  99. authelia_url: 'https://auth.example.com'
  100.  
  101. # https://www.authelia.com/configuration/session/redis/
  102. # Set also AUTHELIA_SESSION_REDIS_PASSWORD_FILE if appropriate
  103. redis:
  104. host: auth_redis
  105. port: 6379
  106. timeout: '5s'
  107. max_retries: 0
  108. database_index: 0
  109. maximum_active_connections: 8
  110. minimum_idle_connections: 0
  111.  
  112. # Storage https://www.authelia.com/configuration/storage/postgres/
  113. # Set also AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE
  114. # Set also AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
  115. storage:
  116. postgres:
  117. address: 'tcp://auth_db:5432'
  118. database: 'authelia'
  119. username: 'authelia'
  120.  
  121. # SMTP Notifier https://www.authelia.com/configuration/notifications/smtp/
  122. # Set also AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
  123. notifier:
  124. smtp:
  125. address: 'submissions://yoursmtphost.com:465'
  126. username: 'user'
  127. sender: 'Admin <[email protected]>'
  128.  
  129. # Immich block
  130. # https://www.authelia.com/integration/openid-connect/immich/
  131. identity_providers:
  132. oidc:
  133. jwks:
  134. - key_id: 'authelia'
  135. algorithm: 'RS256'
  136. use: 'sig'
  137. certificate_chain: |
  138. -----BEGIN CERTIFICATE-----
  139. paste_contents_here
  140. -----END CERTIFICATE-----
  141. key: |
  142. -----BEGIN PRIVATE KEY-----
  143. paste_contents_here
  144. -----END PRIVATE KEY-----
  145. enable_client_debug_messages: false
  146. minimum_parameter_entropy: 8
  147. enforce_pkce: 'public_clients_only'
  148. enable_pkce_plain_challenge: false
  149. enable_jwt_access_token_stateless_introspection: false
  150. discovery_signed_response_alg: 'none'
  151. discovery_signed_response_key_id: ''
  152. require_pushed_authorization_requests: false
  153. lifespans:
  154. access_token: '1h'
  155. authorize_code: '1m'
  156. id_token: '1h'
  157. refresh_token: '90m'
  158. cors:
  159. endpoints:
  160. - 'authorization'
  161. - 'token'
  162. - 'revocation'
  163. - 'introspection'
  164. allowed_origins:
  165. - 'https://photos.example.com'
  166. allowed_origins_from_client_redirect_uris: false
  167. clients:
  168. - client_id: immich
  169. client_name: Immich OIDC
  170. client_secret: 'secret_goes_here'
  171. public: false
  172. authorization_policy: two_factor
  173. consent_mode: pre-configured
  174. token_endpoint_auth_method: "client_secret_basic"
  175. pre_configured_consent_duration: 1w
  176. scopes:
  177. - openid
  178. - groups
  179. - email
  180. - profile
  181. redirect_uris:
  182. - https://auth.example.com/
  183. - https://auth.example.com/oauth2/callback
  184. - https://photos.example.com/oauth2/callback
  185. - https://photos.example.com/auth/login
  186. - https://photos.example.com/user-settings
  187. - https://photos.example.com
  188. - app.immich:/
  189. - app.immich:///oauth-callback
  190. - https://photos.example.com/api/oauth/mobile-redirect
  191. grant_types:
  192. - refresh_token
  193. - authorization_code
  194. response_types:
  195. - code
  196. response_modes:
  197. - form_post
  198. - query
  199. - fragment
  200.  
  201. =================================
  202.  
users_database.yml (the file name must match the `path` set under authentication_backend in the config)
Most of this is auto-populated and can be set in the UI; just fill in the bare minimum.
  205. ----
  206.  
  207. users:
  208. username:
  209. password: argon2_pass_goes_here
  210. displayname: name
  211. groups:
  212. - admins
  213. - dev
  214. given_name: ""
  215. middle_name: ""
  216. family_name: ""
  217. nickname: ""
  218. gender: ""
  219. birthdate: ""
  220. website: ""
  221. profile: ""
  222. picture: ""
  223. zoneinfo: ""
  224. locale: ""
  225. phone_number: ""
  226. phone_extension: ""
  227. disabled: false
  228. address: null
  229. extra: {}
  230.  
  231. ================================
  232. Caddyfile
Obviously this is only relevant if you use Caddy; otherwise refer to the documentation for your reverse proxy.
  234. ----
  235.  
# Authelia forward-auth snippet. Import it into every site block that must be
# protected: Caddy asks Authelia about each request before proxying it and
# lets it through only on a 2xx; otherwise Authelia's reply (normally a
# redirect to the portal) is returned to the client.
(authelia) {
	forward_auth authelia:9091 {
		# rd= is where unauthenticated users are sent. /api/verify is the
		# long-standing endpoint; newer Authelia releases document
		# /api/authz/forward-auth for Caddy — check the docs for your version.
		uri /api/verify?rd=https://auth.example.com
		# Identity headers set by Authelia are passed on to the upstream. The
		# upstream must only be reachable through this proxy, otherwise a
		# client could supply these headers itself.
		copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
	}
}

# The portal itself: a plain proxy, never wrapped in the snippet.
auth.example.com {
	# Any other imports/shenanigans here
	reverse_proxy authelia:9091
}

# A protected service; pairs with the 'sub.example.com' rule in access_control.
sub.example.com {
	import authelia
	# Any other imports/shenanigans here
	reverse_proxy otherservice:8080
}
  254.  
  255.  