self-hosted-cookbook/apps/reverse-proxy-sso/authelia.md

# Authelia
This is a fantastic, feature rich and simple to set-up Single Sign-On solution.
The config files below, will use a file-storage for users, because it's simpler and quite sufficient for simple self-hosting server at home (as opposed to seting up full featured LDAP back-end).

<br>

- [Homepage](https://www.authelia.com/)
- [Github repo](https://github.com/authelia/authelia)
- [Docs](https://www.authelia.com/docs/)


## docker-compose.yml
```yml
version: '3.3'
networks:
  net:
    driver: bridge

services:
  authelia:
    image: authelia/authelia
    container_name: authelia
    restart: unless-stopped
    expose:
      - 9091
    ports:
      - "9091:9091"
    networks:
      - net
    environment:
      - TZ=Europe/Dublin
    volumes:
      - ./data:/var/lib/authelia
      - ./config.yml:/etc/authelia/configuration.yml:ro
      - ./users.yml:/etc/authelia/users.yml:ro

  redis:
    image: redis:alpine
    container_name: redis
    volumes:
      - ./redis:/data
    expose:
      - 6379
    networks:
      - net
    restart: unless-stopped
    environment:
      - TZ=Europe/Dublin
```

## config.yml
```yml
host: 0.0.0.0
port: 9091

# log_level: debug
jwt_secret: DphJJcoCO2aXK666tq3d2AgMQ8gaugukKsUjKzMciA

authentication_backend:
  file:
    path: /etc/authelia/users.yml

storage:
    local:
        path: /var/lib/authelia/db.sqlite3

notifier:
    filesystem:
        filename: /tmp/authelia/notification.txt

session:
  name: authelia_session
  secret: U8kmbel7WhP1YneQh2134DXhsiSHctE5Emtf
  expiration: 3600 # 1 hour
  inactivity: 300 # 5 minutes
  # The domain to protect.
  # Note: the login portal must also be a subdomain of that domain.
  domain: example.com
  redis:
    host: redis
    port: 6379

regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300

access_control:
  default_policy: one_factor
  rules:
    - domain: "*.example.com"
      subject: "group:admins"
      policy: one_factor
```

## users.yml
```yml
users:
  admin:
    displayname: "admin"
    password: ""   # password hash - see below how to generate
    email: admin@example.com
    groups:
      - admins
```

## Tips & Tricks
Generate password hash for the `users.yml`:
```sh
docker run authelia/authelia:latest authelia hash-password <PASS>
```
traefik & authelia 2020-10-31 16:45:17 +00:00			`# Authelia`
			`This is a fantastic, feature rich and simple to set-up Single Sign-On solution.`
			`The config files below, will use a file-storage for users, because it's simpler and quite sufficient for simple self-hosting server at home (as opposed to seting up full featured LDAP back-end).`

			`<br>`

			`- [Homepage](https://www.authelia.com/)`
			`- [Github repo](https://github.com/authelia/authelia)`
			`- [Docs](https://www.authelia.com/docs/)`


			`## docker-compose.yml`
			```yml
			`version: '3.3'`
			`networks:`
			`net:`
			`driver: bridge`

			`services:`
			`authelia:`
			`image: authelia/authelia`
			`container_name: authelia`
			`restart: unless-stopped`
			`expose:`
			`- 9091`
			`ports:`
			`- "9091:9091"`
			`networks:`
			`- net`
			`environment:`
			`- TZ=Europe/Dublin`
			`volumes:`
			`- ./data:/var/lib/authelia`
			`- ./config.yml:/etc/authelia/configuration.yml:ro`
			`- ./users.yml:/etc/authelia/users.yml:ro`

			`redis:`
			`image: redis:alpine`
			`container_name: redis`
			`volumes:`
			`- ./redis:/data`
			`expose:`
			`- 6379`
			`networks:`
			`- net`
			`restart: unless-stopped`
			`environment:`
			`- TZ=Europe/Dublin`
			```

			`## config.yml`
			```yml
			`host: 0.0.0.0`
			`port: 9091`

			`# log_level: debug`
			`jwt_secret: DphJJcoCO2aXK666tq3d2AgMQ8gaugukKsUjKzMciA`

			`authentication_backend:`
			`file:`
			`path: /etc/authelia/users.yml`

			`storage:`
			`local:`
			`path: /var/lib/authelia/db.sqlite3`

			`notifier:`
			`filesystem:`
			`filename: /tmp/authelia/notification.txt`

			`session:`
			`name: authelia_session`
			`secret: U8kmbel7WhP1YneQh2134DXhsiSHctE5Emtf`
			`expiration: 3600 # 1 hour`
			`inactivity: 300 # 5 minutes`
			`# The domain to protect.`
			`# Note: the login portal must also be a subdomain of that domain.`
			`domain: example.com`
			`redis:`
			`host: redis`
			`port: 6379`

			`regulation:`
			`max_retries: 3`
			`find_time: 120`
			`ban_time: 300`

			`access_control:`
			`default_policy: one_factor`
			`rules:`
			`- domain: "*.example.com"`
			`subject: "group:admins"`
			`policy: one_factor`
			```

			`## users.yml`
			```yml
			`users:`
			`admin:`
			`displayname: "admin"`
			`password: "" # password hash - see below how to generate`
			`email: admin@example.com`
			`groups:`
			`- admins`
			```

			`## Tips & Tricks`
			Generate password hash for the `users.yml`:
			```sh
			`docker run authelia/authelia:latest authelia hash-password <PASS>`
			```