Here's what I'm running:
authentication_backend:
  file:
    path: '/config/users_database.yml'
    watch: false
    search:
      email: false
      case_insensitive: false
    password:
      algorithm: 'sha2crypt'

access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
  ## resource if there is no policy to be applied to the user.
  default_policy: 'deny'

  networks:
    - name: 'internal'
      networks:
        # - '10.10.0.0/16'
        - '192.168.1.0/24'
    - name: 'VPN'
      networks: '10.0.1.0/24'

  rules:
    ## Rules applied to everyone
    - domain: '*.mydomain.com'
      policy: 'one_factor'

session:
  ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
  ## Secret can also be set using a secret: https://www.authelia.com/c/secrets
  secret: 'insecure_session_secret'

  ## Cookies configures the list of allowed cookie domains for sessions to be created on.
  ## Undefined values will default to the values below.
  cookies:
    # -
    ## The name of the session cookie.
    - name: 'authelia_session'

      ## The domain to protect.
      ## Note: the Authelia portal must also be in that domain.
      domain: 'mydomain.com'

      ## Required. The fully qualified URI of the portal to redirect users to on proxies that support redirections.
      ## Rules:
      ##   - MUST use the secure scheme 'https://'
      ##   - The above 'domain' option MUST either:
      ##     - Match the host portion of this URI.
      ##     - Match the suffix of the host portion when prefixed with '.'.
      authelia_url: 'https://auth.mydomain.com/'

storage:
  postgres:
    ....

identity_providers:
  oidc:
    ## Cross-Origin Resource Sharing (CORS) settings.
    cors:
      ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
      endpoints:
        - 'authorization'
        - 'token'
        - 'revocation'
        - 'introspection'
        # - 'pushed-authorization-request'
        # - 'userinfo'

      ## List of allowed origins.
      ## Any origin with https is permitted unless this option is configured or the
      ## allowed_origins_from_client_redirect_uris option is enabled.
      allowed_origins:
        - 'https://mydomain.com/'
        - 'https://grafana.mydomain.com/'
        - 'https://wiki.mydomain.com/'
        - 'https://foodz.mydomain.com/'

      ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
      ## provided they have the scheme http or https and do not have the hostname of localhost.
      allowed_origins_from_client_redirect_uris: true

    ## Clients is a list of known clients and their configuration.
    clients:
      - client_id: 'grafana'
        client_name: 'Grafana'
        client_secret: 'XXXXXX'
        public: false
        consent_mode: 'pre-configured'
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://grafana.mydomain.com/login/generic_oauth'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

      - client_id: 'wiki'
        client_name: 'Wiki'
        client_secret: 'XXXX'
        consent_mode: 'pre-configured'
        public: false
        authorization_policy: 'one_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        redirect_uris:
          - 'https://wiki.mydomain.com/oidc/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

      ....
Then my users_database.yml looks like:
users:
  authelia:
    disabled: false
    displayname: "Test User"
    password: ""
    email: [email protected]
    groups:
      - admins
      - dev

  user001:
    disabled: false
    displayname: 'User 001'
    password: "$6$rounds=50000$XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"
    email: [email protected]
    groups:
      - admins
      - users
I've been testing out jellyfin for the last couple of months but it doesn't really fill the void of this specific feature that's being locked behind a paywall. If anyone has good recommendations for securely and reliably hosting jellyfin behind SSL and auth with email password resets where I don't have to worry about it as much as Plex.
I use jellyfin locally but for a handful of remote clients I have I may well block off their access; they're not going to be able to figure out my hand spun services and wall of text.
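A quick way to review a configuration like the one above before it goes live is to lint the parsed YAML for the handful of settings that most often ship unchanged from a template. The script below is an added example, not part of the original post and not an Authelia tool. It works on a hand-written reduction of the posted config and users database in the shape `yaml.safe_load()` would return (written as dicts so it runs without PyYAML); the hostnames, secrets, hash and the `MIN_SECRET_LEN` / `MIN_SHA2_ROUNDS` thresholds are constructed placeholders, and the only template placeholder it knows is the `insecure_session_secret` value visible in the post.

```python
"""Lint an Authelia config and users database for weak or template settings.

Added example (not Authelia's own code). CONFIG and USERS are a constructed
reduction of the posted YAML, hand-written as dicts so the script runs offline.
"""
import re
from urllib.parse import urlsplit

# Placeholder value seen in the posted config; if it is still present the
# secret was never replaced. Extend this set with any other template values.
TEMPLATE_SECRETS = {"insecure_session_secret"}
MIN_SECRET_LEN = 32      # heuristic floor for a randomly generated secret
MIN_SHA2_ROUNDS = 50000  # rounds value used by the post's sha2crypt hash
SHA2CRYPT = re.compile(r"^\$6\$(?:rounds=(\d+)\$)?")  # sha2crypt ($6$) prefix

CONFIG = {  # constructed: mirrors the post's settings, hostnames are placeholders
    "access_control": {
        "default_policy": "deny",
        "rules": [{"domain": "*.mydomain.com", "policy": "one_factor"}],
    },
    "session": {"secret": "insecure_session_secret"},
    "identity_providers": {"oidc": {
        "cors": {"allowed_origins": ["https://mydomain.com/",
                                     "https://grafana.mydomain.com/"],
                 "allowed_origins_from_client_redirect_uris": True},
        "clients": [{
            "client_id": "grafana", "client_secret": "XXXXXX", "public": False,
            "require_pkce": True, "authorization_policy": "one_factor",
            "redirect_uris": ["https://grafana.mydomain.com/login/generic_oauth"],
        }],
    }},
}

USERS = {"users": {  # constructed: empty hash on an enabled admin, as in the post
    "authelia": {"disabled": False, "password": "", "groups": ["admins", "dev"]},
    "user001": {"disabled": False, "groups": ["admins", "users"],
                "password": "$6$rounds=50000$" + "X" * 16 + "$" + "X" * 86},
}}


def lint(config: dict, users: dict) -> list[tuple[str, str]]:
    """Return (severity, message) findings; an empty list means nothing flagged."""
    findings = []

    # 1. Session secret: template placeholder, or too short to be random.
    secret = config.get("session", {}).get("secret", "")
    if secret in TEMPLATE_SECRETS:
        findings.append(("high", "session.secret is the example-config placeholder"))
    elif len(secret) < MIN_SECRET_LEN:
        findings.append(("medium", f"session.secret is only {len(secret)} characters"))

    # 2. Access control: default policy, bypass rules, and whether 2FA is used at all.
    ac = config.get("access_control", {})
    rules = ac.get("rules", [])
    if ac.get("default_policy") != "deny":
        findings.append(("medium", f"default_policy is {ac.get('default_policy')!r}, not 'deny'"))
    for rule in rules:
        if rule.get("policy") == "bypass":
            findings.append(("medium", f"rule for {rule.get('domain')!r} bypasses authentication"))
    if not any(rule.get("policy") == "two_factor" for rule in rules):
        findings.append(("info", "no access_control rule requires two_factor"))

    # 3. OIDC: CORS origins and client hygiene.
    oidc = config.get("identity_providers", {}).get("oidc", {})
    for origin in oidc.get("cors", {}).get("allowed_origins", []):
        parts = urlsplit(origin)
        if parts.scheme != "https":
            findings.append(("medium", f"CORS origin {origin!r} is not https"))
        if parts.path or parts.query or parts.fragment:
            # A browser Origin header is scheme://host[:port] with no path, so an
            # entry written with a trailing '/' deserves a second look.
            findings.append(("low", f"CORS origin {origin!r} carries a path component"))
    for client in oidc.get("clients", []):
        cid = client.get("client_id", "?")
        if client.get("public") and not client.get("require_pkce"):
            findings.append(("high", f"public client {cid!r} does not require PKCE"))
        for uri in client.get("redirect_uris", []):
            if urlsplit(uri).scheme != "https":
                findings.append(("medium", f"client {cid!r} redirect_uri {uri!r} is not https"))

    # 4. Users database: enabled accounts without a hash, low sha2crypt rounds.
    for name, user in users.get("users", {}).items():
        if user.get("disabled"):
            continue
        pw = user.get("password") or ""
        admin = " (member of 'admins')" if "admins" in user.get("groups", []) else ""
        if not pw:
            findings.append(("high", f"user {name!r} is enabled with an empty password hash{admin}"))
            continue
        m = SHA2CRYPT.match(pw)
        if m:
            rounds = int(m.group(1)) if m.group(1) else 5000  # sha2crypt default
            if rounds < MIN_SHA2_ROUNDS:
                findings.append(("low", f"user {name!r} hash uses only {rounds} rounds"))
    return findings


def summarize(findings: list[tuple[str, str]]) -> dict[str, int]:
    """Count findings per severity."""
    counts: dict[str, int] = {}
    for sev, _ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


if __name__ == "__main__":
    for sev, msg in lint(CONFIG, USERS):
        print(f"[{sev:<6}] {msg}")
```

Run against the constructed input it reports the unchanged session secret and the enabled `authelia` test account with no hash as high, the trailing-slash CORS origins as low, and notes that no rule asks for `two_factor`; `user001` is clean. To lint a real deployment, replace the two dicts with `yaml.safe_load()` of the actual files.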