refactor: make Authelia user management scalable

- Remove envsubst complexity for password hashes - Keep users_database.yml only on server (not in git) - Add users_database.yml to .gitignore - Update users_database.template.yml with multi-user examples - Configure Authelia to watch users_database.yml for changes - Users can now be added/removed by editing the file on server - Supports unlimited users without code changes
2025-11-15 19:59:17 +01:00
parent 37f1edbd01
commit 94e6656f31
5 changed files with 19 additions and 9 deletions
--- a/arty.yml
+++ b/arty.yml
@@ -128,7 +128,6 @@ envs:
    # Authelia SSO
    NET_AUTHELIA_IMAGE: authelia/authelia:latest
    NET_AUTHELIA_TRAEFIK_HOST: auth.pivoine.art
-    AUTHELIA_USER_PASSWORD_HASH: ""  # Generated via: docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'
    # AI Stack
    AI_TRAEFIK_ENABLED: true
    AI_COMPOSE_PROJECT_NAME: ai
--- a/net/authelia/.gitignore
+++ b/net/authelia/.gitignore
@@ -0,0 +1 @@
+net/authelia/users_database.yml
--- a/net/authelia/configuration.yml
+++ b/net/authelia/configuration.yml
@@ -41,7 +41,8 @@ authentication_backend:
    disable: false
  refresh_interval: 5m
  file:
-    path: /config/users_database.yml
+    path: /etc/authelia/users_database.yml
+    watch: true
    password:
      algorithm: argon2
      argon2:
--- a/net/authelia/users_database.template.yml
+++ b/net/authelia/users_database.template.yml
@@ -1,16 +1,29 @@
 ---
 ###############################################################
-#                         Users Database                       #
+#                   Users Database Template                    #
 ###############################################################

-# This file can be used if you do not have an LDAP set up.
+# This is a template file - copy to users_database.yml and edit
+# The actual users_database.yml is not tracked in git for security
+
+# Generate password hashes using:
+# docker run --rm authelia/authelia:latest authelia crypto hash generate argon2 --password 'yourpassword'

 # List of users
 users:
+  # Example user - replace with actual users
  valknar:
    displayname: "Valknar"
-    password: "${AUTHELIA_USER_PASSWORD_HASH}"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$REPLACE_WITH_ACTUAL_HASH"
    email: valknar@pivoine.art
    groups:
      - admins
      - dev
+
+  # Add more users as needed:
+  # username:
+  #   displayname: "Full Name"
+  #   password: "$argon2id$v=19$m=65536,t=3,p=4$HASH_HERE"
+  #   email: user@pivoine.art
+  #   groups:
+  #     - users
--- a/net/compose.yaml
+++ b/net/compose.yaml
@@ -275,13 +275,9 @@ services:
      AUTHELIA_JWT_SECRET: ${AUTHELIA_JWT_SECRET}
      AUTHELIA_SESSION_SECRET: ${AUTHELIA_SESSION_SECRET}
      AUTHELIA_STORAGE_ENCRYPTION_KEY: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
-      AUTHELIA_USER_PASSWORD_HASH: ${AUTHELIA_USER_PASSWORD_HASH}
    volumes:
      - authelia_config:/config
      - ./authelia:/etc/authelia:ro
-    command: >
-      sh -c "envsubst < /etc/authelia/users_database.template.yml > /config/users_database.yml &&
-             authelia --config /etc/authelia/configuration.yml"
    networks:
      - compose_network
    labels: