Authelia Setup
In this Authelia setup I will be configuring Authelia with local authentication, enforcing smart card authentication via WebAuthn for secure remote access.
This guide was created with the help of Florian Muller's guide, which can be found here, and has been modified with improvements.
Create Secrets and Keys
Run each command below in the UnRAID console and save its output somewhere safe; we will need these later. Each secret goes into its own file in plain text, on the first line only, with nothing else in the file.
Create JWT Secret and save it in /mnt/user/appdata/Authelia/secrets/jwtsecret
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo
Create Session Secret and save it in /mnt/user/appdata/Authelia/secrets/session
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo
Create the Storage Encryption Key and save it in /mnt/user/appdata/Authelia/secrets/storage
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo
MariaDB password: save it in /mnt/user/appdata/Authelia/secrets/mariadb
If you already have a MariaDB password, write that existing password into this file rather than generating a new one.
SMTP password: save it in /mnt/user/appdata/Authelia/secrets/smtp
If you already have an SMTP password, write that existing password into this file.
Create the OIDC HMAC Secret and save it in /mnt/user/appdata/Authelia/secrets/oidcsecret
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo
Create the OIDC issuer private key. Authelia needs the private key (oidc.key); the second command only exports the matching public key (oidc.pem) for inspection and is not the file Authelia reads.
openssl genrsa -out /mnt/user/appdata/Authelia/secrets/oidc.key 4096
openssl rsa -in /mnt/user/appdata/Authelia/secrets/oidc.key -outform PEM -pubout -out /mnt/user/appdata/Authelia/secrets/oidc.pem
Set the correct permissions. The directory needs the execute bit so its owner can traverse it, so it gets 700 rather than 600; the files themselves get 600. If the container runs as a non-root user (PUID/PGID set in the template), also chown the directory and files to that user, or Authelia will not be able to read them.
chmod 700 /mnt/user/appdata/Authelia/secrets
chmod 600 /mnt/user/appdata/Authelia/secrets/*
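The whole secrets section as one script, added here as an example; it is not code from the original guide or from Authelia. It generates the four random 64-character secrets, writes an existing MariaDB/SMTP password from an environment variable if one is exported, creates the OIDC private key, and sets the umask to 077 before anything is written so no secret is ever briefly readable by other users. It assumes the directory path used on this page and that openssl is installed on the UnRAID host.

```shell
#!/bin/sh
# Added example, not code from the original guide or from Authelia.
# Creates every secret file this page needs in one run, with restrictive
# permissions applied before any secret is written. Run on the UnRAID host:
#   MARIADB_PASSWORD='...' SMTP_PASSWORD='...' sh make-secrets.sh /mnt/user/appdata/Authelia/secrets
# Assumes the page's directory path and that openssl is installed.
set -eu

# Print LEN random alphanumeric characters, no trailing newline.
gen_secret() {
    tr -cd '[:alnum:]' < /dev/urandom | head -c "$1"
}

# write_secret DIR NAME VALUE: store VALUE on the first line of DIR/NAME, mode 600.
write_secret() {
    printf '%s' "$3" > "$1/$2"
    chmod 600 "$1/$2"
}

# Create DIR (mode 700) and the random 64-character secrets the page generates.
# Existing files are kept, so re-running does not silently rotate a secret.
create_random_secrets() {
    umask 077                 # new files 600, new directories 700, from the start
    mkdir -p "$1"
    chmod 700 "$1"            # directory needs x so its owner can traverse it
    for name in jwtsecret session storage oidcsecret; do
        if [ -s "$1/$name" ]; then
            echo "kept    $1/$name (already present)"
        else
            write_secret "$1" "$name" "$(gen_secret 64)"
            echo "created $1/$name"
        fi
    done
}

# Generate the OIDC issuer key pair. Authelia reads the PRIVATE key (oidc.key);
# oidc.pem is only the exported public half, kept for inspection.
create_oidc_key() {
    umask 077
    if [ ! -s "$1/oidc.key" ]; then
        openssl genrsa -out "$1/oidc.key" 4096 2>/dev/null
    fi
    if [ ! -s "$1/oidc.pem" ]; then
        openssl rsa -in "$1/oidc.key" -pubout -out "$1/oidc.pem" 2>/dev/null
    fi
    chmod 600 "$1/oidc.key" "$1/oidc.pem"
}

# Only act when a directory is given; otherwise the file just defines the functions.
if [ "$#" -gt 0 ]; then
    dir=$1
    create_random_secrets "$dir"
    create_oidc_key "$dir"
    if [ -n "${MARIADB_PASSWORD:-}" ]; then write_secret "$dir" mariadb "$MARIADB_PASSWORD"; fi
    if [ -n "${SMTP_PASSWORD:-}" ]; then write_secret "$dir" smtp "$SMTP_PASSWORD"; fi
    ls -la "$dir"
fi
```

Passing the existing MariaDB and SMTP passwords through environment variables keeps them out of the shell history, which a plain `echo 'password' > file` would not.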
Environment Variables
We need to map each of the secret files created above to an environment variable. The paths below start with /config/secrets because this assumes the container maps /mnt/user/appdata/Authelia on the host to /config inside the container; adjust them if your template maps it elsewhere. You can find a list of all Authelia environment variables here.

Create the variables below on the Authelia Docker container for all the secrets you need. This keeps the secrets out of your configuration.yml file, so the configuration can be backed up or shared without leaking them.
# basics
AUTHELIA_JWT_SECRET_FILE=/config/secrets/jwtsecret
AUTHELIA_SESSION_SECRET_FILE=/config/secrets/session
# storage / mysql:
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE=/config/secrets/storage
AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE=/config/secrets/mariadb
# smtp notifications:
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE=/config/secrets/smtp
# openid identity provider:
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE=/config/secrets/oidcsecret
# this must be the PRIVATE key generated above (oidc.key), not the exported public key (oidc.pem)
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE=/config/secrets/oidc.key
# if you use LDAP for users
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE=/config/secrets/ldap
# if you use Redis for session management
AUTHELIA_SESSION_REDIS_PASSWORD_FILE=/config/secrets/redis
# if you want Authelia itself to terminate TLS (private key for the server certificate)
AUTHELIA_SERVER_TLS_KEY_FILE=/config/secrets/tlskey
Once all Environment Variables are correct, your UnRAID configuration should look like the below

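A check for this step, added here as an example and not code from the original guide or from Authelia: run inside the container, it walks every AUTHELIA_*_FILE variable and confirms the path it names is a regular, readable, non-empty file, so a typo in a path, a wrong volume mapping, or a permission problem on the host is caught before Authelia is restarted. The container name Authelia is an assumption; change it to match your template.

```shell
#!/bin/sh
# Added example, not code from the original guide or from Authelia.
# Checks, from inside the container, that every AUTHELIA_*_FILE variable
# points at a regular, readable, non-empty file. Assumed container name: Authelia.
#   docker exec -i Authelia sh -s run < check-secrets.sh
#   docker exec -i -u PUID:PGID Authelia sh -s run < check-secrets.sh   (if the template sets PUID/PGID)
set -eu

# Returns 0 when every *_FILE variable resolves, 1 otherwise; prints one line per variable.
check_secret_files() {
    env | grep '^AUTHELIA_[A-Z0-9_]*_FILE=' | (
        count=0; bad=0
        # IFS='=' splits on the first '=' only; the rest of the line, '=' included, is the path.
        while IFS='=' read -r name path; do
            count=$((count + 1))
            if   [ ! -e "$path" ]; then echo "MISSING    $name -> $path"; bad=1
            elif [ ! -f "$path" ]; then echo "NOT A FILE $name -> $path"; bad=1
            elif [ ! -r "$path" ]; then echo "UNREADABLE $name -> $path (fix chown/chmod on the host)"; bad=1
            elif [ ! -s "$path" ]; then echo "EMPTY      $name -> $path"; bad=1
            else                         echo "ok         $name -> $path"
            fi
        done
        if [ "$count" -eq 0 ]; then echo "no AUTHELIA_*_FILE variables are set"; bad=1; fi
        exit "$bad"    # the subshell's exit status becomes the pipeline's, and so the function's
    )
}

# Only run the check when invoked with "run"; otherwise the file just defines the function.
if [ "${1:-}" = "run" ]; then
    check_secret_files
fi
```

Readability is tested as whichever user runs the check, which is why the second invocation passes `-u PUID:PGID`: a file root can read may still be unreadable to the user Authelia actually runs as.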
Configuration.yml
This guide assumes you already have Authelia, Redis and SQL running and that the site is reachable at auth.<domain-name>.
We will now do the advanced configuration to get OpenID Connect and WebAuthn working securely, using the Docker environment variables above to supply the certificates, secrets and tokens.
Refer to the OIDC - configuration.yml page for a copy of our Authelia configuration file. Enter your Authelia domain name, SMTP server and OIDC shared secret. NOTE: the OIDC shared secret (the client secret) cannot be supplied through an environment variable in Authelia v4.37.5 and has to be placed directly in configuration.yml in plain text, so give that file the same restrictive permissions (600) as the secrets directory and keep it out of any backup or repository that is not itself protected.
Create an OIDC shared secret; this will be shared with Cloudflare for OIDC to function.
tr -cd '[:alnum:]' < /dev/urandom | fold -w "64" | head -n 1 | tr -d '\n' ; echo
Replace the <OIDC Secret> in the configuration.yml file with the string generated above
Authelia should now boot successfully. If there is an error, check the container logs and troubleshoot from there.