diff --git a/.env.example b/.env.example index db93ff1..3984f3f 100644 --- a/.env.example +++ b/.env.example @@ -13,6 +13,7 @@ ACME_EMAIL=admin@your-domain.com # Generate with: openssl rand -hex 32 AUTHELIA_JWT_SECRET=your_jwt_secret_here_at_least_32_chars_generate_this AUTHELIA_SESSION_SECRET=your_session_secret_here_at_least_32_chars_generate_this +AUTHELIA_STORAGE_ENCRYPTION_KEY=your_storage_encryption_key_32+_chars # SMTP Configuration for Authelia (optional) AUTHELIA_SMTP_HOST=smtp.gmail.com diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml index 8fbe194..82f6ccb 100644 --- a/.github/workflows/deploy.yml +++ b/.github/workflows/deploy.yml @@ -78,6 +78,17 @@ jobs: # --- Grafana --- GRAFANA_ADMIN_USER=${{ secrets.GRAFANA_ADMIN_USER }} GRAFANA_ADMIN_PASS=${{ secrets.GRAFANA_ADMIN_PASS }} + + # --- Authelia --- + AUTHELIA_JWT_SECRET=${{ secrets.AUTHELIA_JWT_SECRET }} + AUTHELIA_SESSION_SECRET=${{ secrets.AUTHELIA_SESSION_SECRET }} + AUTHELIA_STORAGE_ENCRYPTION_KEY=${{ secrets.AUTHELIA_STORAGE_ENCRYPTION_KEY }} + # (Optional SMTP if configured) + AUTHELIA_SMTP_HOST=${{ secrets.AUTHELIA_SMTP_HOST }} + AUTHELIA_SMTP_PORT=${{ secrets.AUTHELIA_SMTP_PORT }} + AUTHELIA_SMTP_USER=${{ secrets.AUTHELIA_SMTP_USER }} + AUTHELIA_SMTP_PASS=${{ secrets.AUTHELIA_SMTP_PASS }} + AUTHELIA_SMTP_FROM=${{ secrets.AUTHELIA_SMTP_FROM }} ENVVARS EOF @@ -112,7 +123,8 @@ jobs: echo "Deployed to ${{ secrets.SSH_HOST }}:${{ secrets.SSH_PORT }} → ${REMOTE_DIR}" echo "Traefik: https://traefik.gate.${{ secrets.DOMAIN }}" echo "Portainer: https://portainer.gate.${{ secrets.DOMAIN }}" - echo "Status (Kuma): https://status.gate.${{ secrets.DOMAIN }}" + echo "Uptime Kuma: https://uptime.gate.${{ secrets.DOMAIN }}" + echo "Authelia: https://auth.gate.${{ secrets.DOMAIN }}" echo "Grafana: https://grafana.gate.${{ secrets.DOMAIN }}" echo "Prometheus: https://prometheus.gate.${{ secrets.DOMAIN }}" echo "Umami: https://umami.gate.${{ secrets.DOMAIN }}" 
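Review bot: The new AUTHELIA_STORAGE_ENCRYPTION_KEY line gives no hint that this value is not rotatable like the two secrets above it: once Authelia has initialised its database with it, the TOTP/WebAuthn material stored there is only readable under that key, and a change has to go through `authelia storage encryption change-key` rather than editing the file. I would add a comment directly above the line, e.g. `# Set once; changing it later requires 'authelia storage encryption change-key', losing it makes existing 2FA data unrecoverable`. The "Generate with: openssl rand -hex 32" note two lines up applies to it as well, which is consistent with the "32+_chars" wording of the placeholder.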
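Review bot: The optional SMTP block writes `AUTHELIA_SMTP_HOST=` and friends with empty values whenever the corresponding repository secret is not defined, because an unset `${{ secrets.X }}` expands to an empty string rather than being omitted; depending on how the generated env file is consumed, an empty host/port may override compose defaults or be mapped into Authelia's notifier settings and fail validation, so the "(Optional SMTP if configured)" comment is not true of the file as generated. I would either keep the SMTP lines out of the env file unless the secrets are set (a separate guarded heredoc) or document that all five must be present. The lines are written inside a nested heredoc (ENVVARS inside EOF) whose opening delimiter is outside the hunk, so whether secret values containing `$` or backticks are shell-expanded on the remote host cannot be judged here — worth confirming the inner delimiter is quoted. The enclosing `run:` step starts and ends outside this hunk.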
diff --git a/authelia/configuration.yml b/authelia/configuration.yml index 2574a57..52ba4ab 100644 --- a/authelia/configuration.yml +++ b/authelia/configuration.yml @@ -5,7 +5,7 @@ server: ## Server options address: 'tcp://:9091' - asset_path: '/config/assets/' + # asset_path removed (directory didn't exist). Re-add if you mount custom portal assets. ## Endpoints endpoints: @@ -21,11 +21,10 @@ log: ## Theme Configuration theme: 'light' -## JWT Secret -jwt_secret: '5812e26c776947f2fae8a9cc80605e59a895b7b6df573af284a4c3db9115411c' - -## Default Redirection URL -default_redirection_url: 'https://3launchpad.com' +## Identity Validation / Password Reset JWT (replaces deprecated jwt_secret) +identity_validation: + reset_password: + jwt_secret: '${AUTHELIA_JWT_SECRET}' ## TOTP Configuration totp: @@ -42,7 +41,8 @@ webauthn: disable: false display_name: 'Authelia' attestation_conveyance_preference: 'indirect' - user_verification: 'preferred' + selection_criteria: + user_verification: 'preferred' # migrated from deprecated webauthn.user_verification timeout: '60s' ## Duo Push API Configuration (optional) @@ -113,7 +113,7 @@ access_control: ## Rules rules: ## Authelia itself - - domain: 'auth.gate.3la' + - domain: 'auth.gate.3launchpad.com' policy: 'bypass' ## Admin access 
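Review bot: `jwt_secret: '${AUTHELIA_JWT_SECRET}'` relies on shell-style expansion that Authelia does not perform on its configuration file by default; unless the deployment enables the `expand-env` or `template` filter through `X_AUTHELIA_CONFIG_FILTERS`, the literal text `${AUTHELIA_JWT_SECRET}` becomes the secret value — a fixed, public string, which is weaker than the hard-coded value it replaces. The same applies to `session.secret` and `storage.encryption_key` in the later hunks of this file. The more robust option is to drop these keys from the file entirely and let Authelia read them from its own environment mapping (`AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET`, `AUTHELIA_SESSION_SECRET`, `AUTHELIA_STORAGE_ENCRYPTION_KEY`, or their `_FILE` variants), bearing in mind that, as far as I recall, Authelia refuses to start when the same secret is supplied both in the file and via the environment. Separately, the `jwt_secret` and `session.secret` values this commit removes were committed to the repository and remain in its history, so they should be treated as exposed and regenerated rather than reused as the new environment values.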
@@ -133,20 +133,17 @@ session: ## Session Name name: 'authelia_session' - ## Session Domain - domain: 'gate.3launchpad.com' + ## Session Secret (do not hardcode; provided via env var) + secret: '${AUTHELIA_SESSION_SECRET}' - ## Session Secret - secret: 'dcc8a066488b44cf185777f12a56bc0540bce2b3034e0b77c6118a9545dac831' + ## Session Expiration / Activity + expiration: 1h + inactivity: 5m - ## Session Expiration - expiration: '1h' - inactivity: '5m' + ## Remember Me (replaces deprecated remember_me_duration) + remember_me: 1M - ## Remember Me - remember_me_duration: '1M' - - ## Cookies Configuration + ## Cookie-based configuration (domain key removed to avoid conflict) cookies: - domain: 'gate.3launchpad.com' authelia_url: 'https://auth.gate.3launchpad.com' @@ -169,7 +166,8 @@ regulation: ## Storage Configuration storage: - ## Database Engine + ## Encryption key is required (newer versions). Provide via env var. + encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}' local: path: '/config/db.sqlite3'
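Review bot: The session hunk removes `domain` from the `cookies` entry as well as the deprecated top-level `session.domain`, leaving the cookie with only `authelia_url`; in current Authelia the per-cookie `domain` is the required replacement for the top-level key, and it is the top-level one that caused the conflict the comment refers to, so with both gone I would expect the configuration validator to reject the session section (or, if this version is more lenient, the cookie to no longer be shared across the `*.gate.3launchpad.com` services it protects). I would keep `  - domain: 'gate.3launchpad.com'` above `authelia_url:` and reword the comment to `## Cookie-based configuration (top-level session.domain removed; domain now lives per cookie)`. Worth confirming against the running Authelia version, since the cookie stanza continues past the end of this hunk.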