Authelia
Setting Up Authelia
Authelia is an open-source authentication and authorization server providing two-factor authentication and single sign-on (SSO) for your applications.
1. Prerequisites
- An existing Active Directory domain.
- A custom Certificate Authority (CA) and a signed certificate for your domain controller, as described in the Managing SSL Certificates guide.
- NGINX Proxy Manager set up and configured.
2. Creating the LXC Container
- Create a new Debian Bookworm LXC container on your Proxmox VE host.
- Allocate sufficient resources to the container (e.g., 1 CPU core, 512MB RAM, 8GB storage).
3. Installing Authelia
- Log in to the LXC container's shell.
- Install the Authelia package:

```sh
# Add the Authelia GPG key:
wget -q https://www.authelia.com/keys/authelia-security.gpg -O /usr/share/keyrings/authelia-security.gpg
# Add the Authelia repository:
echo "deb [arch=$(dpkg --print-architecture) signed-by=/usr/share/keyrings/authelia-security.gpg] https://apt.authelia.com stable main" | tee /etc/apt/sources.list.d/authelia.list > /dev/null
# Update the package list and install Authelia:
apt update
apt install authelia
```
4. Configuring Authelia
- Create the necessary directories and set permissions:

```sh
mkdir -p /etc/authelia/certs
mkdir -p /var/lib/authelia
mkdir -p /var/log/authelia
mkdir -p /config
chown -R authelia:authelia /etc/authelia/certs
chown authelia:authelia /var/lib/authelia
chown authelia:authelia /var/log/authelia
chown authelia:authelia /config
chmod -R 750 /etc/authelia/certs
chmod 700 /var/lib/authelia
chmod 700 /var/log/authelia
chmod 700 /config
```
- Obtain SSL certificates for Authelia:
  - In NGINX Proxy Manager, create an SSL certificate for your Authelia subdomain (e.g., `auth.yourdomain.com`).
  - Download the certificate files (`fullchain.pem` and `privkey.pem`).
  - Copy `fullchain.pem` to `/etc/authelia/certs/cert.pem` and `privkey.pem` to `/etc/authelia/certs/key.pem` on your Authelia LXC.
- Configure Authelia:
  - Edit the Authelia configuration file at `/etc/authelia/configuration.yaml`.
  - The following is an example configuration. You will need to replace the placeholder values with your own.
```yaml
server:
  address: 'tcp://auth.yourdomain.com:9091'
  tls:
    # Paths match the files copied into /etc/authelia/certs in the previous step
    key: '/etc/authelia/certs/key.pem'
    certificate: '/etc/authelia/certs/cert.pem'
    client_certificates: [] # Left empty on purpose: no client-certificate authentication

log:
  level: info
  format: text
  file_path: /var/log/authelia/authelia.log

theme: dark

totp:
  algorithm: sha1
  digits: 6
  period: 30
  skew: 1
  secret_size: 32

authentication_backend:
  password_reset:
    disable: true
  refresh_interval: 5m
  ldap:
    # LDAPS to the domain controller; the host name must match tls.server_name
    # and the name in the DC certificate issued by your custom CA
    address: 'ldaps://dc1.yourdomain.com'
    implementation: activedirectory
    timeout: 5s
    start_tls: false
    user: 'CN=authelia,OU=ServiceAccounts,OU=Users,DC=yourdomain,DC=com'
    password: your_password
    username_attribute: sAMAccountName
    base_dn: 'DC=yourdomain,DC=com'
    additional_users_dn: 'OU=Users'
    users_filter: '(&({username_attribute}={input})(objectClass=user))'
    additional_groups_dn: 'OU=Users'
    groups_filter: '(&(objectClass=group)(member={dn}))'
    group_name_attribute: cn
    mail_attribute: mail
    display_name_attribute: displayName
    tls:
      server_name: dc1.yourdomain.com
      skip_verify: false
      minimum_version: TLS1.2
      maximum_version: TLS1.3
      # Optional mutual-TLS client credentials that Authelia presents to the DC.
      # They are NOT the domain controller's own certificate and private key; omit
      # this pair unless the DC requires client certificates. Trust for the custom
      # CA that signed the DC certificate is configured with the top-level
      # certificates_directory option instead.
      certificate_chain: |
        -----BEGIN CERTIFICATE-----
        *** client certificate chain, only if the DC requires mutual TLS ***
        -----END CERTIFICATE-----
      private_key: |
        -----BEGIN PRIVATE KEY-----
        *** matching client private key, only if the DC requires mutual TLS ***
        -----END PRIVATE KEY-----

access_control:
  default_policy: one_factor
  networks:
    - name: internal
      networks:
        - '192.168.1.0/24'
  rules:
    # Rules are evaluated in order; the first match decides the policy
    - domain:
        - 'yourdomain.com'
      policy: one_factor
      networks:
        - 'internal'
    - domain:
        - 'yourdomain.com'
      policy: one_factor

session:
  name: authelia_session
  secret: your_session_secret
  expiration: 12h
  inactivity: 45m
  remember_me: 1M
  cookies:
    - name: authelia_session
      domain: yourdomain.com
      authelia_url: https://auth.yourdomain.com
      default_redirection_url: https://home.yourdomain.com
      remember_me: 1M

regulation:
  max_retries: 3
  find_time: 5m
  ban_time: 15m

storage:
  encryption_key: your_encryption_key
  local:
    path: /config/db.sqlite3

notifier:
  filesystem:
    filename: /var/lib/authelia/notification.txt

# OAuth/OIDC identity provider for Immich
identity_providers:
  oidc:
    hmac_secret: your_oidc_hmac_secret
    jwks:
      - use: sig
        algorithm: RS256
        # Paste the PEM contents here; a file path inside the block is not read.
        # A dedicated RSA key is preferable to re-using the TLS key from step 4.
        key: |
          -----BEGIN PRIVATE KEY-----
          *** contents of /etc/authelia/certs/key.pem ***
          -----END PRIVATE KEY-----
        certificate_chain: |
          -----BEGIN CERTIFICATE-----
          *** contents of /etc/authelia/certs/cert.pem ***
          -----END CERTIFICATE-----
    clients:
      - client_id: your_client_id
        client_name: 'immich'
        public: true # public client: no client secret, so PKCE is the only proof of possession
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'app.immich:///oauth-callback'
          - 'https://photos.yourdomain.com/auth/login'
          - 'https://photos.yourdomain.com/user-settings'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        token_endpoint_auth_method: 'none'
```
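The Immich client above is a public client (`public: true`, `token_endpoint_auth_method: 'none'`), so the only thing binding the token request to the original authorization request is PKCE with the S256 method. The following added example is not code from this guide or from the Authelia project; it models the checks an authorization server performs so you can see why `require_pkce: true` matters for such a client. The `AuthorizationServer` class, its method names, and the `immich` client id are assumptions for illustration; the redirect URI is the one from the configuration.

```python
"""PKCE (RFC 7636, S256) for a public OIDC client: client-side helpers and a
model of the server-side checks. Illustrative only; not Authelia's code."""
import base64
import hashlib
import hmac
import secrets


def _b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Client side: a high-entropy code_verifier (43..128 unreserved characters)."""
    return _b64url(secrets.token_bytes(nbytes))


def s256_challenge(verifier: str) -> str:
    """Client side: code_challenge = BASE64URL(SHA256(code_verifier))."""
    return _b64url(hashlib.sha256(verifier.encode("ascii")).digest())


class AuthorizationServer:
    """Assumed model of the authorization-code + PKCE checks for one public client."""

    def __init__(self, client_id: str, redirect_uris: list[str]) -> None:
        self.client_id = client_id
        self.redirect_uris = set(redirect_uris)
        # code -> (redirect_uri, code_challenge); a real server also stores an expiry
        self._codes: dict[str, tuple[str, str]] = {}

    def authorize(self, client_id, redirect_uri, code_challenge=None, code_challenge_method=None):
        """/authorize: validate client and redirect URI, then bind the challenge to the code."""
        if client_id != self.client_id or redirect_uri not in self.redirect_uris:
            raise ValueError("invalid_request: unknown client or redirect_uri")
        if code_challenge is None:  # require_pkce: true
            raise ValueError("invalid_request: code_challenge is required")
        if code_challenge_method != "S256":  # pkce_challenge_method: 'S256'
            raise ValueError("invalid_request: only the S256 method is accepted")
        code = secrets.token_urlsafe(32)
        self._codes[code] = (redirect_uri, code_challenge)
        return code

    def token(self, client_id, code, redirect_uri, code_verifier):
        """/token with token_endpoint_auth_method 'none': the verifier is the only proof."""
        entry = self._codes.pop(code, None)  # single use: a replayed code is rejected
        if entry is None or client_id != self.client_id:
            raise ValueError("invalid_grant: unknown, expired or already used code")
        bound_redirect, challenge = entry
        if redirect_uri != bound_redirect:
            raise ValueError("invalid_grant: redirect_uri differs from the authorization request")
        if not hmac.compare_digest(s256_challenge(code_verifier), challenge):
            raise ValueError("invalid_grant: PKCE verification failed")
        return {"access_token": secrets.token_urlsafe(32), "token_type": "bearer"}


def demo() -> bool:
    """Run the flow once; returns True when the honest exchange succeeds and
    both a replayed code and a code redeemed without its verifier are refused."""
    uri = "app.immich:///oauth-callback"
    srv = AuthorizationServer("immich", [uri])
    verifier = make_verifier()
    code = srv.authorize("immich", uri, s256_challenge(verifier), "S256")
    ok = srv.token("immich", code, uri, verifier)["token_type"] == "bearer"
    try:
        srv.token("immich", code, uri, verifier)  # replay of a used code
        return False
    except ValueError:
        pass
    code2 = srv.authorize("immich", uri, s256_challenge(make_verifier()), "S256")
    try:
        srv.token("immich", code2, uri, make_verifier())  # code without its verifier
        return False
    except ValueError:
        return ok


if __name__ == "__main__":
    print("PKCE checks behave as expected:", demo())
```

The `hmac.compare_digest` call keeps the challenge comparison constant-time, and the code is removed from the store before any check so a failed attempt also consumes it.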
> [!IMPORTANT]
> - Replace all instances of `yourdomain.com` with your actual domain name.
> - Replace the LDAP `password`, the session `secret`, the storage `encryption_key` and the OIDC `hmac_secret` placeholders with strong, randomly generated secrets.
> - The `ldap` configuration assumes you have created a service account for Authelia in your Active Directory.
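Before starting the service it is worth catching the mistakes the note above warns about, plus a few settings that silently weaken the deployment. The script below is an added example written for this guide, not a tool shipped by Authelia: it generates secrets of the recommended size and scans a `configuration.yaml` line by line (no YAML library needed) for leftover placeholders, short secrets, `skip_verify: true`, a plaintext `ldap://` address, `default_policy: bypass`, and missing secret keys. The placeholder names are the ones used in this guide; the sample configurations embedded in it are constructed for the demonstration.

```python
"""Sanity checks for an Authelia configuration.yaml before first start.
Added example for this guide; not Authelia's own validator."""
import re
import secrets
import sys

# Placeholder strings used in this guide's example configuration
PLACEHOLDERS = (
    "yourdomain.com",
    "your_password",
    "your_session_secret",
    "your_encryption_key",
    "your_oidc_hmac_secret",
    "your_client_id",
)
SECRET_KEYS = ("secret", "encryption_key", "hmac_secret")
MIN_SECRET_LEN = 32


def generate_secret(nbytes: int = 48) -> str:
    """A 64-character URL-safe random secret for session/storage/OIDC keys."""
    return secrets.token_urlsafe(nbytes)


def lint_config(text: str) -> list[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: list[str] = []
    lines = text.splitlines()
    for n, raw in enumerate(lines, 1):
        line = raw.split("#", 1)[0]  # ignore YAML comments
        for p in PLACEHOLDERS:
            if p in line:
                findings.append(f"line {n}: placeholder '{p}' still present")
        if re.search(r"\bskip_verify:\s*true\b", line):
            findings.append(f"line {n}: skip_verify: true disables LDAP certificate validation")
        if re.search(r"\bdefault_policy:\s*bypass\b", line):
            findings.append(f"line {n}: default_policy: bypass leaves unmatched domains unauthenticated")
        if re.search(r"\baddress:\s*['\"]?ldap://", line):
            findings.append(f"line {n}: plaintext ldap:// address; use ldaps:// or start_tls: true")
        m = re.match(r"\s*(secret|encryption_key|hmac_secret):\s*['\"]?([^'\"\s]*)", line)
        if m and 0 < len(m.group(2)) < MIN_SECRET_LEN:
            findings.append(f"line {n}: {m.group(1)} is shorter than {MIN_SECRET_LEN} characters")
    for key in SECRET_KEYS:
        if not re.search(rf"^\s*{key}:", text, re.M):
            findings.append(f"missing required '{key}:' entry")
    return findings


# Constructed sample with typical mistakes (not from a real deployment)
SAMPLE_BAD = """\
session:
  secret: your_session_secret
  cookies:
    - domain: yourdomain.com
authentication_backend:
  ldap:
    address: 'ldap://dc1.yourdomain.com'
    tls:
      skip_verify: true
storage:
  encryption_key: abc123
access_control:
  default_policy: bypass
"""


def clean_config() -> str:
    """Constructed minimal configuration that passes every check."""
    return f"""\
session:
  secret: {generate_secret()}
authentication_backend:
  ldap:
    address: 'ldaps://dc1.example.com'
    tls:
      skip_verify: false
storage:
  encryption_key: {generate_secret()}
identity_providers:
  oidc:
    hmac_secret: {generate_secret()}
"""


if __name__ == "__main__":
    # Usage: python lint_authelia.py /etc/authelia/configuration.yaml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_BAD
    for finding in lint_config(text) or ["no findings"]:
        print(finding)
```

Run it against the real file after editing; exit only once it prints `no findings`. The line-based scan is deliberately simple and will not understand every YAML construct, so treat it as a pre-flight check, not a replacement for `authelia validate-config`.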
5. Starting and Enabling Authelia
- Reload the systemd daemon, then start and enable the Authelia service:

```sh
systemctl daemon-reload
systemctl start authelia
systemctl enable authelia
```

- Check the status of the service to ensure it is running correctly:

```sh
systemctl status authelia
```
Next Steps
Now that Authelia is set up, you can proceed to configure your homepage.