Update Authelia configuration to use environment variables for secrets and remove deprecated settings

2025-08-11 13:20:51 +03:00
parent dc7871c9ec
commit aceeab4cd3
3 changed files with 32 additions and 21 deletions
--- a/.env.example
+++ b/.env.example
@@ -13,6 +13,7 @@ ACME_EMAIL=admin@your-domain.com
 # Generate with: openssl rand -hex 32
 AUTHELIA_JWT_SECRET=your_jwt_secret_here_at_least_32_chars_generate_this
 AUTHELIA_SESSION_SECRET=your_session_secret_here_at_least_32_chars_generate_this
+AUTHELIA_STORAGE_ENCRYPTION_KEY=your_storage_encryption_key_32+_chars

 # SMTP Configuration for Authelia (optional)
 AUTHELIA_SMTP_HOST=smtp.gmail.com
--- a/.github/workflows/deploy.yml
+++ b/.github/workflows/deploy.yml
@@ -78,6 +78,17 @@ jobs:
          # --- Grafana ---
          GRAFANA_ADMIN_USER=${{ secrets.GRAFANA_ADMIN_USER }}
          GRAFANA_ADMIN_PASS=${{ secrets.GRAFANA_ADMIN_PASS }}
+
+          # --- Authelia ---
+          AUTHELIA_JWT_SECRET=${{ secrets.AUTHELIA_JWT_SECRET }}
+          AUTHELIA_SESSION_SECRET=${{ secrets.AUTHELIA_SESSION_SECRET }}
+          AUTHELIA_STORAGE_ENCRYPTION_KEY=${{ secrets.AUTHELIA_STORAGE_ENCRYPTION_KEY }}
+          # (Optional SMTP if configured)
+          AUTHELIA_SMTP_HOST=${{ secrets.AUTHELIA_SMTP_HOST }}
+          AUTHELIA_SMTP_PORT=${{ secrets.AUTHELIA_SMTP_PORT }}
+          AUTHELIA_SMTP_USER=${{ secrets.AUTHELIA_SMTP_USER }}
+          AUTHELIA_SMTP_PASS=${{ secrets.AUTHELIA_SMTP_PASS }}
+          AUTHELIA_SMTP_FROM=${{ secrets.AUTHELIA_SMTP_FROM }}
          ENVVARS
          EOF

@@ -112,7 +123,8 @@ jobs:
          echo "Deployed to ${{ secrets.SSH_HOST }}:${{ secrets.SSH_PORT }} → ${REMOTE_DIR}"
          echo "Traefik:       https://traefik.gate.${{ secrets.DOMAIN }}"
          echo "Portainer:     https://portainer.gate.${{ secrets.DOMAIN }}"
-          echo "Status (Kuma): https://status.gate.${{ secrets.DOMAIN }}"
+          echo "Uptime Kuma:   https://uptime.gate.${{ secrets.DOMAIN }}"
+          echo "Authelia:      https://auth.gate.${{ secrets.DOMAIN }}"
          echo "Grafana:       https://grafana.gate.${{ secrets.DOMAIN }}"
          echo "Prometheus:    https://prometheus.gate.${{ secrets.DOMAIN }}"
          echo "Umami:         https://umami.gate.${{ secrets.DOMAIN }}"
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -5,7 +5,7 @@
 server:
  ## Server options
  address: 'tcp://:9091'
-  asset_path: '/config/assets/'
+  # asset_path removed (directory didn't exist). Re-add if you mount custom portal assets.
  
  ## Endpoints
  endpoints:
@@ -21,11 +21,10 @@ log:
 ## Theme Configuration
 theme: 'light'

-## JWT Secret
-jwt_secret: '5812e26c776947f2fae8a9cc80605e59a895b7b6df573af284a4c3db9115411c'
-
-## Default Redirection URL
-default_redirection_url: 'https://3launchpad.com'
+## Identity Validation / Password Reset JWT (replaces deprecated jwt_secret)
+identity_validation:
+  reset_password:
+    jwt_secret: '${AUTHELIA_JWT_SECRET}'

 ## TOTP Configuration
 totp:
@@ -42,7 +41,8 @@ webauthn:
  disable: false
  display_name: 'Authelia'
  attestation_conveyance_preference: 'indirect'
-  user_verification: 'preferred'
+  selection_criteria:
+    user_verification: 'preferred'  # migrated from deprecated webauthn.user_verification
  timeout: '60s'

 ## Duo Push API Configuration (optional)
@@ -113,7 +113,7 @@ access_control:
  ## Rules
  rules:
    ## Authelia itself
-    - domain: 'auth.gate.3la'
+  - domain: 'auth.gate.3launchpad.com'
      policy: 'bypass'

    ## Admin access
@@ -133,20 +133,17 @@ session:
  ## Session Name
  name: 'authelia_session'

-  ## Session Domain
-  domain: 'gate.3launchpad.com'
+  ## Session Secret (do not hardcode; provided via env var)
+  secret: '${AUTHELIA_SESSION_SECRET}'

-  ## Session Secret
-  secret: 'dcc8a066488b44cf185777f12a56bc0540bce2b3034e0b77c6118a9545dac831'
+  ## Session Expiration / Activity
+  expiration: 1h
+  inactivity: 5m

-  ## Session Expiration
-  expiration: '1h'
-  inactivity: '5m'
+  ## Remember Me (replaces deprecated remember_me_duration)
+  remember_me: 1M

-  ## Remember Me
-  remember_me_duration: '1M'
-
-  ## Cookies Configuration
+  ## Cookie-based configuration (domain key removed to avoid conflict)
  cookies:
    - domain: 'gate.3launchpad.com'
      authelia_url: 'https://auth.gate.3launchpad.com'
@@ -169,7 +166,8 @@ regulation:

 ## Storage Configuration
 storage:
-  ## Database Engine
+  ## Encryption key is required (newer versions). Provide via env var.
+  encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
  local:
    path: '/config/db.sqlite3'