@selfhost @selfhosting @selfhosted @linux Authelia docker-compose.yml:
services:
authelia:
image: authelia/authelia:latest
container\_name: authelia
volumes:
\- ./config:/config
\- ./logs:/var/log/authelia
networks:
\- web
\- authelia\_internal
environment:
\- TZ=America/Chicago
\- AUTHELIA\_JWT\_SECRET\_FILE=/config/secrets/jwt\_secret
\- AUTHELIA\_SESSION\_SECRET\_FILE=/config/secrets/session\_secret
\- AUTHELIA\_STORAGE\_ENCRYPTION\_KEY\_FILE=/config/secrets/storage\_encryption\_key
labels:
\- "traefik.enable=true"
\- "traefik.http.routers.authelia.rule=Host(`auth.laniesplace.us`)"
\- "traefik.http.routers.authelia.entrypoints=websecure"
\- "traefik.http.routers.authelia.tls.certresolver=le"
\- "traefik.http.middlewares.authelia.forwardauth.authRequestHeaders=X-Forwarded-Proto,X-Forwarded-Host"
\- "traefik.http.middlewares.authelia-basic.forwardauth.authResponseHeaders=Remote-User,Remote-Name,Remote-Email"
\- "traefik.http.middlewares.authelia.forwardauth.tls.insecureSkipVerify=true"
\- "traefik.http.services.authelia.loadbalancer.server.port=9091"
\- "traefik.http.middlewares.authelia.forwardauth.address=http://authelia:9091/api/verify?rd=[https://auth.laniesplace.us](https://auth.laniesplace.us)"
\- "traefik.http.middlewares.authelia.forwardauth.trustForwardHeader=true"
\- "traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
restart: unless-stopped
security\_opt:
\- no-new-privileges:true
depends\_on:
\- redis
healthcheck:
test: ["CMD", "wget", "--no-check-certificate", "--quiet", "--tries=1", "--spider", "http://localhost:9091/api/health"]
interval: 30s
timeout: 10s
retries: 3
start\_period: 60s
redis:
image: redis:alpine
container\_name: authelia\_redis
networks:
\- authelia\_internal
restart: unless-stopped
volumes:
\- ./redis:/data
command: redis-server --save 60 1 --loglevel warning
healthcheck:
test: ["CMD", "redis-cli", "ping"]
interval: 30s
timeout: 10s
retries: 3
security\_opt:
\- no-new-privileges:true
networks:
web:
external: true
authelia\_internal:
internal: true
@selfhost @selfhosting @selfhosted @linux Authelia configuration.yml:
theme: light server: address: 0.0.0.0:9091 log: level: debug format: text file\_path: /var/log/authelia/authelia.log totp: issuer: laniesplace.us period: 30 skew: 1 authentication\_backend: file: path: /config/users\_database.yml password: algorithm: argon2id iterations: 3 memory: 65536 parallelism: 4 salt\_length: 16 key\_length: 32 access\_control: default\_policy: deny rules: \# Public Access \- domain: \- "pihole.laniesplace.us" \- "homer.laniesplace.us" policy: bypass \# High Security (Two Factor) \- domain: \- "portainer.laniesplace.us" \- "netdata.laniesplace.us" \- "cockpit.laniesplace.us" \- "glances.laniesplace.us" \- "code.laniesplace.us" policy: two\_factor subject: \- "group:admins" \# Medium Security (One Factor Admin) \- domain: \- "forgejo.laniesplace.us" \- "files.laniesplace.us" \- "uptime.laniesplace.us" policy: one\_factor subject: \- "group:admins" \# Standard Auth (One Factor) \- domain: \- "thelounge.laniesplace.us" \- "miniflux.laniesplace.us" \- "linkding.laniesplace.us" \- "wiki.laniesplace.us" policy: one\_factor \# Catch-all rule \- domain: "\*.laniesplace.us" policy: one\_factor session: name: authelia\_session domain: laniesplace.us same\_site: lax expiration: 3600 inactivity: 300 remember\_me: 1M regulation: max\_retries: 3 find\_time: 120 ban\_time: 300 storage: local: path: /config/db.sqlite3 notifier: disable\_startup\_check: false smtp: address: submission://smtp.gmail.com:587 username: [email protected] password: rcig lqpk cbsg aqcm sender: "Authelia \<[email protected]\>" identifier: auth.laniesplace.us subject: "[Authelia] {title}" startup\_check\_address: [email protected] timeout: 5s identity\_validation: reset\_password: jwt\_secret: ${AUTHELIA\_JWT\_SECRET\_FILE}