Authelia Setup

In this Authelia setup I will be configuring Authelia with local authentication, enforcing smart card authentication via WebAuthn for secure remote access.

This guide was created with the help of Florian Muller's guide, which can be found here, and has been modified with improvements.

Create Secrets and Keys

Run the commands below in the UnRAID console and save each output somewhere safe; we will need them later. Put each random string/key in its own file in plain text on the first line.

Create JWT Secret and save it in /mnt/user/appdata/Authelia/secrets/jwtsecret

tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo

Create Session Secret and save it in /mnt/user/appdata/Authelia/secrets/session

tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo

Create Storage Encryption Key and save it in /mnt/user/appdata/Authelia/secrets/storage

tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo

MariaDB Password, saved in /mnt/user/appdata/Authelia/secrets/mariadb

If you already have a MariaDB password, write it in this file.

SMTP Password, saved in /mnt/user/appdata/Authelia/secrets/smtp

If you already have an SMTP password, write it in this file.

Create OIDC HMAC Secret and save it in /mnt/user/appdata/Authelia/secrets/oidcsecret

tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo

OIDC Private Key

The first command creates the RSA private key (oidc.key); the second exports the matching public key (oidc.pem). Only the private key is needed by Authelia itself.

openssl genrsa -out /mnt/user/appdata/Authelia/secrets/oidc.key 4096
openssl rsa -in /mnt/user/appdata/Authelia/secrets/oidc.key -outform PEM -pubout -out /mnt/user/appdata/Authelia/secrets/oidc.pem

Set the correct privileges

The directory needs the execute bit so its contents can be traversed; the secret files themselves should be readable and writable by the owner only.

chmod 700 /mnt/user/appdata/Authelia/secrets
chmod 600 /mnt/user/appdata/Authelia/secrets/*

Environment Variables

Each of the secret files created above needs to be mapped to an environment variable. You can find a list of all Authelia environment variables here.

Create the variables below on the Authelia Docker container for all the secrets required. This removes the need to keep them in your configuration.yml file, which is more secure.

# basics
AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwtsecret
AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session

# storage / mysql:
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/config/secrets/storage
AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/config/secrets/mariadb

# smtp notifications:
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/config/secrets/smtp

# openid identity provider:
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=/config/secrets/oidcsecret
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/config/secrets/oidc.key

# if you use LDAP for users
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/config/secrets/ldap

# if you use Redis for session management
AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/config/secrets/redis

# if you want to enable TLS on Authelia
AUTHELIA_SERVER_TLS_KEY_FILE=/config/secrets/tlskey
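The variable mapping above is easy to get out of step with the files created in the secrets section (a variable pointing at a file name that was never created, or a file left readable by other users), and Authelia will only report the problem at boot. The following check is an added example, not part of the guide; it assumes the container path /config is mapped to the host directory given as its second argument (on UnRAID, /mnt/user/appdata/Authelia), and the fixture it builds is constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the guide): confirm that every AUTHELIA_*_FILE
# variable points at a secret file that exists on the host, is non-empty and
# is readable only by its owner (mode 600). The container path /config is
# assumed to be mapped to the host directory passed as HOST_ROOT, which on
# UnRAID is /mnt/user/appdata/Authelia.

# check_secret_files ENV_FILE HOST_ROOT
# Prints one line per problem found; prints nothing when all secrets are fine.
check_secret_files() {
    env_file=$1
    host_root=$2
    # Comment lines and blanks are skipped; only NAME=/config/... lines count.
    for entry in $(grep -E '^AUTHELIA_[A-Z_]+_FILE=/config/' "$env_file"); do
        name=${entry%%=*}
        host_path="$host_root${entry#*=/config}"
        if [ ! -f "$host_path" ]; then
            echo "$name: $host_path does not exist"
        elif [ ! -s "$host_path" ]; then
            echo "$name: $host_path is empty"
        elif [ -z "$(find "$host_path" -perm 600)" ]; then
            echo "$name: $host_path is not mode 600"
        fi
    done
}

# Constructed fixture standing in for the UnRAID appdata tree: one correct
# secret, one secret left world-readable, and one variable whose file was
# never created. Prints the problem report for that fixture.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/secrets"
    tr -cd '[:alnum:]' < /dev/urandom | fold -w 64 | head -n 1 > "$root/secrets/jwtsecret"
    chmod 600 "$root/secrets/jwtsecret"
    echo "example-smtp-password" > "$root/secrets/smtp"
    chmod 644 "$root/secrets/smtp"
    cat > "$root/env" <<'EOF'
# basics
AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwtsecret
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/config/secrets/smtp
AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/config/secrets/sql
EOF
    check_secret_files "$root/env" "$root"
    rm -rf "$root"
}

demo
```

To check a real installation, run `check_secret_files /path/to/your/env-file /mnt/user/appdata/Authelia` with the variables exported from the Docker template saved one per line in that file.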

Once all Environment Variables are correct, your UnRAID configuration should look like the below

Configuration.yml

This guide assumes you have Authelia, Redis and SQL (MariaDB) already running and that the site is accessible at auth.<domain-name>.

We will now be doing the advanced configuration to get OpenID Connect and WebAuthn working securely. We will be utilising Docker Environment Variables to supply our certificates, secrets and tokens for this.

  1. Refer to the OIDC - configuration.yml page for a copy of our Authelia configuration file. Input your Authelia domain name, SMTP server and OIDC Shared Secret. NOTE: the OIDC Shared Secret is not working as an Environment Variable in Authelia v4.37.5 and needs to be put directly into the configuration.yml file in plain text.

  2. Create an OIDC Shared Secret; this will be shared with Cloudflare for OIDC to function.

tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo

  3. Replace the <OIDC Secret> in the configuration.yml file with the string generated above.

  4. Authelia should now successfully boot; if there is an error, check the logs and troubleshoot.
