From 43118ca1aeb962ab4eda8c597dce21cdf2483bc3 Mon Sep 17 00:00:00 2001
From: Imran Remtulla
Date: Sat, 15 Nov 2025 04:22:15 -0500
Subject: [PATCH] Use Authelia for app authentication
---
 authelia_config/configuration.yml | 45 ++++++++++++++++++++++++++++++
 authelia_config/users_database.yml | 8 ++++++
 server.docker-compose.yaml | 42 ++++++++++++++++++++++++++++
 3 files changed, 95 insertions(+)
 create mode 100644 authelia_config/configuration.yml
 create mode 100644 authelia_config/users_database.yml
diff --git a/authelia_config/configuration.yml b/authelia_config/configuration.yml
new file mode 100644
index 0000000..c386bcf
--- /dev/null
+++ b/authelia_config/configuration.yml
@@ -0,0 +1,45 @@
+jwt_secret: o1F3utPMgWDabE2QiJCfpmWGLpct+82L1FDAl5EbLKg=
+
+log:
+ level: debug
+
+totp:
+ issuer: imranr.cloud
+
+authentication_backend:
+ file:
+ path: /config/users_database.yml
+
+access_control:
+ rules:
+ - domain: files.imranr.cloud
+ resources:
+ - '^/share([/?].*)?$'
+ - '^/static([/?].*)?$'
+ - '^/api/public([/?].*)?$'
+ policy: bypass
+ - domain: '*.imranr.cloud'
+ policy: two_factor
+
+session:
+ secret: NKKxihcGtg7+L4KBOgZ5EkQ+lTbSanRD2h7fyG1kwmU=
+ cookies:
+ - domain: imranr.cloud
+ authelia_url: https://auth.imranr.cloud
+ redis:
+ host: authelia-db
+ port: 6379
+
+regulation:
+ max_retries: 3
+ find_time: 120
+ ban_time: 300
+
+storage:
+ encryption_key: 'W51AIX8vy6HngZeH96ZtN05dBrLrF7sLLJxgQWEbnsQ='
+ local:
+ path: /config/db.sqlite3
+
+notifier:
+ filesystem:
+ filename: /config/notification.txt
\ No newline at end of file
diff --git a/authelia_config/users_database.yml b/authelia_config/users_database.yml
new file mode 100644
index 0000000..31d9769
--- /dev/null
+++ b/authelia_config/users_database.yml
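Review bot: `jwt_secret`, `session.secret` and `storage.encryption_key` are committed here as plaintext values in a tracked config file, so all three are now in git history and should be treated as compromised; rotate them and load them from outside the repo instead, e.g. drop the three keys from this file and set `AUTHELIA_JWT_SECRET_FILE`, `AUTHELIA_SESSION_SECRET_FILE` and `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE` on the compose service, pointing at untracked files. Be aware that changing `storage.encryption_key` after Authelia has already written `db.sqlite3` needs the `authelia storage encryption change-key` command, because stored TOTP/WebAuthn data is encrypted under the old key. `log.level: debug` is noisy for a production auth service and records request details; `info` is the usual setting. The `bypass` rules for `/share`, `/static` and `/api/public` on `files.imranr.cloud` deliberately leave those paths unauthenticated, presumably for FileBrowser share links — a comment above the rule such as `# public FileBrowser share links and static assets; everything else requires 2FA` would make that intent explicit.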
@@ -0,0 +1,8 @@
+users:
+ admin:
+ disabled: false
+ displayname: "Admin"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$JhBeqYrylaX/0+y3F4j1Ow$E48HpwTxF1qdUeRufRp5wCR1Hg/nh1mYohm0pSr4lBo" # docker run -it authelia/authelia:latest authelia crypto hash generate argon2
+ email: contact@imranr.dev
+ groups:
+ - admins
\ No newline at end of file
diff --git a/server.docker-compose.yaml b/server.docker-compose.yaml
index ff2cf76..cd2d4bc 100644
--- a/server.docker-compose.yaml
+++ b/server.docker-compose.yaml
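Review bot: The `admins` group assigned to `admin` is not referenced by any `access_control` rule in this commit (the catch-all `*.imranr.cloud` rule has no `subject`), so any user added to this file later gets the same two-factor access to every host, including the Traefik dashboard; if the group is meant to carry that privilege, add `subject: 'group:admins'` to a rule for the dashboard host, otherwise the group is dead configuration. The argon2id hash itself is fine to commit, and the generation command in the trailing comment is useful, but it pushes the line past 200 columns — consider putting it on its own comment line above `password:`. If password reset is enabled, Authelia's file backend rewrites this file, and the same `/config` directory also receives `db.sqlite3` and `notification.txt`, so the `./authelia_config` bind mount has to be writable by uid 1000, which the compose service's `user: "1000:1000"` implies but does not enforce.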
@@ -23,9 +23,48 @@ services:
 - "com.centurylinklabs.watchtower.enable=false"
 command: "-c /frpc.toml"
 
+ authelia: # https://github.com/authelia/authelia
+ image: authelia/authelia
+ container_name: authelia
+ user: "1000:1000"
+ depends_on:
+ - authelia-db
+ volumes:
+ - ./authelia_config:/config
+ networks:
+ - traefik
+ labels:
+ - "traefik.enable=true"
+ - "traefik.http.routers.authelia.rule=Host(`auth.imranr.cloud`)"
+ - "traefik.http.routers.authelia.entryPoints=websecure"
+ - "traefik.http.routers.authelia.tls.certresolver=le"
+ - "traefik.http.routers.authelia.tls=true"
+ - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/verify?rd=https%3A%2F%2Fauth.imranr.cloud%2F"
+ - "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
+ - "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+ - "traefik.http.middlewares.authelia-basic.forwardAuth.address=http://authelia:9091/api/verify?auth=basic"
+ - "traefik.http.middlewares.authelia-basic.forwardAuth.trustForwardHeader=true"
+ - "traefik.http.middlewares.authelia-basic.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email"
+ expose:
+ - 9091
+ restart: unless-stopped
+ authelia-db:
+ image: redis:alpine
+ container_name: authelia-db
+ user: "1000:1000"
+ volumes:
+ - authelia_db:/data
+ networks:
+ - traefik
+ expose:
+ - 6379
+ restart: unless-stopped
+
 traefik: # https://github.com/traefik/traefik
 image: traefik:latest
 container_name: traefik
+ depends_on:
+ - authelia
 command:
 - "--api=true"
 - "--api.dashboard=true"
@@ -59,6 +98,7 @@ services:
 - "traefik.http.routers.api.service=api@internal"
 - "traefik.http.routers.api.tls=true"
 - "traefik.http.routers.api.tls.certresolver=le"
+ - "traefik.http.routers.api.middlewares=authelia@docker"
 restart: unless-stopped
 networks:
 - traefik
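Review bot: `authelia-db` is a Redis instance with no password (no `--requirepass` in a `command:` here and no `session.redis.password` on the Authelia side) attached to the shared `traefik` network, so every other container on that network can read and write the session store and thereby forge or hijack authenticated sessions; put Redis and Authelia on a dedicated internal network, or start Redis with `command: ["redis-server", "--requirepass", "<secret>"]` and mirror the value in `session.redis.password`. Both `image: authelia/authelia` and `image: redis:alpine` are unpinned, and since watchtower labels appear elsewhere in this file these containers will presumably be auto-updated, so pin at least a minor version (or a digest) to keep an auth component from changing underneath you silently. Running Redis as `user: "1000:1000"` against a freshly created `authelia_db` volume may leave `/data` unwritable, because the redis image owns that directory as its own redis uid — worth confirming on first start, since with Redis's default `stop-writes-on-bgsave-error yes` a failing snapshot makes it reject writes and Authelia logins would then fail. `depends_on` only orders container start, it does not wait for Redis to accept connections, so Authelia may need its own retry or a `healthcheck`/`condition: service_healthy`.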
@@ -82,10 +122,12 @@ services:
 - "traefik.http.routers.filebrowser.tls=true"
 - "traefik.http.services.filebrowser.loadbalancer.server.port=80"
 - "traefik.http.routers.filebrowser.tls.certresolver=le"
+ - "traefik.http.routers.filebrowser.middlewares=authelia@docker"
 
 volumes:
 filebrowser_db:
 traefik_acme:
+ authelia_db:
 
 networks:
 traefik:
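Review bot: Attaching `authelia@docker` to the `filebrowser` router makes Traefik forward `Remote-User`, `Remote-Groups`, `Remote-Name` and `Remote-Email` to FileBrowser on every request, but nothing in this commit configures FileBrowser to consume them, so users will authenticate to Authelia and then again to FileBrowser; if the plan is to switch FileBrowser to proxy-header auth, that header must not be spoofable, which means port 80 of the container may only be reachable through Traefik — the shared `traefik` network, where Redis and other services also sit, does not guarantee that on its own. The `filebrowser` service definition starts before this hunk, so its `networks` and `expose`/`ports` settings are not visible here. The Authelia `bypass` rules keep `/share`, `/static` and `/api/public` on this host public; a comment on the middleware line, e.g. `# Authelia bypasses /share, /static and /api/public (see authelia_config/configuration.yml)`, would keep that visible to whoever next edits this router.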