From 94e6656f31293041154aa2e9162fc18dbf7ffeee Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20Kr=C3=BCger?=
Date: Sat, 15 Nov 2025 19:59:17 +0100
Subject: [PATCH] refactor: make Authelia user management scalable

- Remove envsubst complexity for password hashes
- Keep users_database.yml only on server (not in git)
- Add users_database.yml to .gitignore
- Update users_database.template.yml with multi-user examples
- Configure Authelia to watch users_database.yml for changes
- Users can now be added/removed by editing the file on server
- Supports unlimited users without code changes
---
 arty.yml | 1 -
 net/authelia/.gitignore | 1 +
 net/authelia/configuration.yml | 3 ++-
 net/authelia/users_database.template.yml | 19 ++++++++++++++++---
 net/compose.yaml | 4 ----
 5 files changed, 19 insertions(+), 9 deletions(-)
 create mode 100644 net/authelia/.gitignore

diff --git a/arty.yml b/arty.yml
index 7192256..c0f1f25 100644
--- a/arty.yml
+++ b/arty.yml
@@ -128,7 +128,6 @@ envs:
 # Authelia SSO
 NET_AUTHELIA_IMAGE: authelia/authelia:latest
 NET_AUTHELIA_TRAEFIK_HOST: auth.pivoine.art
- AUTHELIA_USER_PASSWORD_HASH: "" # Generated via: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'
 # AI Stack
 AI_TRAEFIK_ENABLED: true
 AI_COMPOSE_PROJECT_NAME: ai
diff --git a/net/authelia/.gitignore b/net/authelia/.gitignore
new file mode 100644
index 0000000..8fcf9bd
--- /dev/null
+++ b/net/authelia/.gitignore
@@ -0,0 +1 @@
+net/authelia/users_database.yml
diff --git a/net/authelia/configuration.yml b/net/authelia/configuration.yml
index 97c100e..620cb3e 100644
--- a/net/authelia/configuration.yml
+++ b/net/authelia/configuration.yml
@@ -41,7 +41,8 @@ authentication_backend:
 disable: false
 refresh_interval: 5m
 file:
- path: /config/users_database.yml
+ path: /etc/authelia/users_database.yml
+ watch: true
 password:
 algorithm: argon2
 argon2:
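Review bot: The new net/authelia/.gitignore contains `net/authelia/users_database.yml`, but a pattern with a slash inside it is matched relative to the directory holding that .gitignore, so this rule only matches `net/authelia/net/authelia/users_database.yml` and the real `net/authelia/users_database.yml` — the file that holds the password hashes the commit message says must stay out of git — remains unignored and will be picked up by `git add .`. Change the line to `/users_database.yml` (or simply `users_database.yml`). After the change, `git check-ignore -v net/authelia/users_database.yml` run from the repository root should print this rule; if it prints nothing the file is still trackable.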
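Review bot: The new `path: /etc/authelia/users_database.yml` and `watch: true` only take effect if this configuration.yml is the one Authelia loads, and the net/compose.yaml hunk in this patch drops the `command:` that passed `--config /etc/authelia/configuration.yml`; unless the image default or an environment variable already points at /etc/authelia (not visible here), the container will presumably load its configuration from the `authelia_config:/config` volume instead and this file is never read. Keeping one explicit line in net/compose.yaml, `command: ["--config", "/etc/authelia/configuration.yml"]`, removes the ambiguity. A comment above `path:` would also help the next operator, e.g. `# Not tracked in git: create on the server from users_database.template.yml (./authelia is mounted read-only at /etc/authelia)`, since a fresh checkout has no users_database.yml and the file backend presumably cannot start until it exists. The authentication_backend block continues outside the hunk.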
diff --git a/net/authelia/users_database.template.yml b/net/authelia/users_database.template.yml index f622da7..f955a32 100644 --- a/net/authelia/users_database.template.yml +++ b/net/authelia/users_database.template.yml @@ -1,16 +1,29 @@ --- ############################################################### -# Users Database # +# Users Database Template # ############################################################### -# This file can be used if you do not have an LDAP set up. +# This is a template file - copy to users_database.yml and edit +# The actual users_database.yml is not tracked in git for security + +# Generate password hashes using: +# docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword' # List of users users: + # Example user - replace with actual users valknar: displayname: "Valknar" - password: "${AUTHELIA_USER_PASSWORD_HASH}" + password: "$argon2id$v=19$m=65536,t=3,p=4$REPLACE_WITH_ACTUAL_HASH" email: valknar@pivoine.art groups: - admins - dev + + # Add more users as needed: + # username: + # displayname: "Full Name" + # password: "$argon2id$v=19$m=65536,t=3,p=4$HASH_HERE" + # email: user@pivoine.art + # groups: + # - users diff --git a/net/compose.yaml b/net/compose.yaml index a398ae6..967bee3 100644 --- a/net/compose.yaml +++ b/net/compose.yaml @@ -275,13 +275,9 @@ services: AUTHELIA_JWT_SECRET: ${AUTHELIA_JWT_SECRET} AUTHELIA_SESSION_SECRET: ${AUTHELIA_SESSION_SECRET} AUTHELIA_STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY} - AUTHELIA_USER_PASSWORD_HASH: ${AUTHELIA_USER_PASSWORD_HASH} volumes: - authelia_config:/config - ./authelia:/etc/authelia:ro - command: > - sh -c "envsubst < /etc/authelia/users_database.template.yml > /config/users_database.yml && - authelia --config /etc/authelia/configuration.yml" networks: - compose_network labels:
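Review bot: The example user keeps `groups: - admins - dev` next to a placeholder hash; anyone who copies the template and only swaps `REPLACE_WITH_ACTUAL_HASH` for a real hash ends up with an admin account, whereas the commented-out block further down already shows the least-privilege form with `groups: - users`. Make the live example use `- users` as well and mention `admins` only in a comment so that elevated membership is an explicit decision. The header explains how to generate a hash but not where the copy must live; given the `./authelia:/etc/authelia:ro` mount in the net/compose.yaml hunk and the `path: /etc/authelia/users_database.yml` in configuration.yml, add `# Copy to net/authelia/users_database.yml on the server; it is read inside the container at /etc/authelia/users_database.yml`. If the placeholder is left in place, Authelia presumably rejects the unparseable hash at startup, which is the safer failure, but the template could say so explicitly.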