
Authelia

Authelia provides single sign-on (SSO) and acts as an OpenID Connect (OIDC) provider for other services. Traefik's forwardAuth middleware delegates authentication decisions to it for services that have no login of their own.

Source: server/containers/authelia.nix

Network

| Property | Value |
| --- | --- |
| Private network | Yes |
| Host address | 10.10.10.8 |
| Container address | 10.10.10.9 |
| Port | 9091 |
| Subdomain | auth.nemnix.site |

Authentication Mode

Authelia is configured for one-factor authentication only, so the password is the sole factor and `one_factor` is the strongest policy this deployment can enforce. All second-factor methods are disabled:

nix
totp.disable = true;
duo_api.disable = true;
webauthn.disable = true;

The user database is a static file managed via agenix (passwords are stored hashed; Authelia's file backend defaults to argon2id):

nix
authentication_backend.file = {
  search.email = true;
  path = "/etc/authelia/users_database.yml";
};

Password reset and password change are both disabled:

nix
password_reset.disable = true;
password_change.disable = true;

Access Control

nix
access_control.rules = [
  { domain = [ "auth.nemnix.site" "cloud.nemnix.site" "photos.nemnix.site" ];
    policy = "bypass"; }
  { domain = "*.nemnix.site";
    policy = "one_factor"; }
];

| Rule | Domains | Policy |
| --- | --- | --- |
| Bypass | auth, cloud, photos | No authentication required at the Authelia level |
| One-factor | *.nemnix.site (everything else) | Username + password required |

INFO

Services listed as "bypass" handle their own authentication. auth.nemnix.site is Authelia's own portal and must be reachable without a session so that users can log in. Immich and OpenCloud use OIDC with Authelia directly, so the forward-auth middleware is bypassed for their domains and Authelia is still in the loop through the OIDC login. The forward-auth middleware is used for services like AdGuard that have no native auth. Rules are evaluated in order and the first match wins, so the bypass rule must stay ahead of the `*.nemnix.site` wildcard.
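The following is an added example, not code from this page or from the Authelia project: a small model of how the access_control rules above resolve for a request host, using Authelia's documented domain semantics (an exact domain must match the host exactly; `*.x` matches any subdomain of x but not x itself; rules are tried in order and the first match wins; a host that matches no rule gets default_policy, which is `deny` when unset, as it is on this page). The hosts in the demonstration are constructed.

```python
# Added example (not the page's or Authelia's code): resolve the page's
# access_control rules for a request host the way Authelia does.
from typing import Sequence, Union

Rule = dict  # {"domain": str | list[str], "policy": str}

# Transcribed from the page's Nix configuration.
RULES: list = [
    {"domain": ["auth.nemnix.site", "cloud.nemnix.site", "photos.nemnix.site"],
     "policy": "bypass"},
    {"domain": "*.nemnix.site", "policy": "one_factor"},
]

# The page sets no default_policy; Authelia's default is deny.
DEFAULT_POLICY = "deny"


def domain_matches(pattern: str, host: str) -> bool:
    """Authelia domain semantics: '*.x' matches any subdomain of x but not x
    itself; any other pattern must equal the host. Hostnames are
    case-insensitive, so both sides are case-folded first."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("*."):
        # pattern[1:] keeps the leading dot, so the apex domain and look-alike
        # hosts such as photos.nemnix.site.evil.com are excluded.
        return host.endswith(pattern[1:])
    return host == pattern


def policy_for(host: str, rules: Sequence[Rule] = RULES) -> str:
    """First matching rule wins; no match falls through to default_policy."""
    for rule in rules:
        patterns: Union[str, list] = rule["domain"]
        if isinstance(patterns, str):
            patterns = [patterns]
        if any(domain_matches(p, host) for p in patterns):
            return rule["policy"]
    return DEFAULT_POLICY


if __name__ == "__main__":
    for host in ("photos.nemnix.site", "adguard.nemnix.site", "nemnix.site",
                 "photos.nemnix.site.evil.com", "xphotos.nemnix.site"):
        print(f"{host:32} -> {policy_for(host)}")
    # Ordering matters: with the wildcard rule first, bypass is unreachable.
    print("photos with rules reversed  ->", policy_for("photos.nemnix.site", list(reversed(RULES))))
```

Running it shows why the wildcard belongs last: with the two rules swapped, `photos.nemnix.site` would resolve to `one_factor` and the forward-auth step the INFO box says is bypassed would apply after all.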

Brute Force Protection

nix
regulation = {
  max_retries = 3;
  find_time = "5m";
  ban_time = "15m";
};

After 3 failed login attempts within 5 minutes, the account is locked for 15 minutes. The ban is keyed to the user account rather than to the source address, so an attacker who knows a username can lock out its legitimate owner for the ban period; with password-only authentication this regulation, together with password strength, is what stands between a credential-guessing attacker and an account.
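As an added example, not code from this page or from Authelia, the block below models the regulation settings above so the interaction of max_retries, find_time and ban_time can be checked on a constructed timeline. It follows the documented semantics (max_retries failures inside one find_time window ban the user for ban_time counted from the latest failure); that only consecutive failures count and that a successful login ends the streak is my reading of Authelia's behaviour and should be confirmed against the deployed version. The timestamps are constructed.

```python
# Added example (not the page's or Authelia's code): a model of Authelia's
# regulation settings on a constructed attempt log.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Sequence

# Values from the page's regulation block.
MAX_RETRIES = 3
FIND_TIME = timedelta(minutes=5)
BAN_TIME = timedelta(minutes=15)


@dataclass(frozen=True)
class Attempt:
    time: datetime
    successful: bool


def banned_until(attempts: Sequence[Attempt], now: datetime,
                 max_retries: int = MAX_RETRIES,
                 find_time: timedelta = FIND_TIME,
                 ban_time: timedelta = BAN_TIME) -> Optional[datetime]:
    """Return when the user's ban expires, or None if a login attempt would be
    processed at `now`. Assumption: only the most recent run of consecutive
    failures counts, and a successful login ends that run."""
    newest_first = sorted(attempts, key=lambda a: a.time, reverse=True)
    streak = []
    for a in newest_first:
        if a.successful or len(streak) >= max_retries:
            break
        streak.append(a)
    if len(streak) < max_retries:
        return None
    # Did the last max_retries failures land inside one find_time window?
    if streak[0].time - streak[-1].time >= find_time:
        return None
    until = streak[0].time + ban_time
    return until if now < until else None


# Constructed timeline helpers for the demonstration and tests.
T0 = datetime(2025, 1, 1, 12, 0, 0)


def at(minutes: float) -> datetime:
    return T0 + timedelta(minutes=minutes)


def fail(minutes: float) -> Attempt:
    return Attempt(at(minutes), False)


def ok(minutes: float) -> Attempt:
    return Attempt(at(minutes), True)


if __name__ == "__main__":
    burst = [fail(0), fail(1), fail(2)]
    print("3 failures in 2 min, checked at +3m :", banned_until(burst, at(3)))
    print("same burst checked at +20m           :", banned_until(burst, at(20)))
    # A guesser pacing attempts 3 min apart never has 3 failures inside 5 min:
    # regulation bounds the rate of guessing, not the total number of guesses.
    paced = [fail(0), fail(3), fail(6), fail(9)]
    print("4 failures paced 3 min apart, at +10m:", banned_until(paced, at(10)))
```

The paced case is the caveat worth remembering: these settings cap an online guesser at roughly one attempt every couple of minutes per account, they do not stop a slow guess over days, which is why the strength of the passwords in the user database still matters.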

Session

nix
session.cookies = [{
  inherit domain;  # "nemnix.site"
  authelia_url = "https://auth.nemnix.site";
}];

Sessions are scoped to the nemnix.site domain, enabling SSO across all subdomains. The flip side is that browsers send the session cookie to every host under nemnix.site, including the protected backends themselves, so a compromised service on any subdomain could read and replay a user's Authelia session.

Storage

nix
storage.local.path = "/var/lib/authelia-main/db.sqlite3";

Session and authorization data is stored in a local SQLite database.

OIDC Provider

Authelia acts as an OIDC identity provider for Immich and Nextcloud (when enabled):

Immich Client

nix
{
  authorization_policy = "one_factor";
  client_id = "immich";
  token_endpoint_auth_method = "client_secret_post";
  redirect_uris = [
    "app.immich:///oauth-callback"
    "https://photos.nemnix.site/auth/login"
    "https://photos.nemnix.site/user-settings"
  ];
}

Nextcloud Client

nix
{
  authorization_policy = "one_factor";
  client_id = "nextcloud";
  token_endpoint_auth_method = "client_secret_basic";
  require_pkce = true;
  pkce_challenge_method = "S256";
  claims_policy = "nextcloud_policy";
  redirect_uris = [ "https://cloud.nemnix.site/apps/oidc_login/oidc" ];
}

The Nextcloud client uses PKCE (Proof Key for Code Exchange) with S256. The client sends only the SHA-256 of a random code_verifier in the authorization request and reveals the verifier itself at the token endpoint, which binds the authorization code to the client instance that started the flow: an authorization code captured from the redirect cannot be redeemed without the verifier. `require_pkce = true` makes Authelia reject authorization requests from this client that omit it.
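The block below is an added example, not code from this page, from Authelia or from Nextcloud or Immich: it carries out the PKCE computation a client performs, the check the provider makes at the token endpoint, and the two client authentication methods the page's clients use (`client_secret_post` for Immich, `client_secret_basic` for Nextcloud). The client secrets and authorization code are constructed; the verifier and challenge in the test are the RFC 7636 Appendix B vector.

```python
# Added example (not the page's, Authelia's or either client's code):
# PKCE S256 and the two token_endpoint_auth_method variants on the page.
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import quote, urlencode


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires for both PKCE values."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def make_verifier(nbytes: int = 32) -> str:
    """Client side: a random code_verifier of 43..128 unreserved characters
    (32 random bytes encode to 43 characters, 96 bytes to 128)."""
    if not 32 <= nbytes <= 96:
        raise ValueError("verifier length would fall outside RFC 7636 bounds")
    return b64url(secrets.token_bytes(nbytes))


def s256_challenge(verifier: str) -> str:
    """code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))"""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def verify_pkce(stored_challenge: str, stored_method: str, presented_verifier: str) -> bool:
    """Provider side at the token endpoint: recompute the challenge from the
    verifier and compare in constant time. With pkce_challenge_method = "S256"
    the 'plain' method is refused outright."""
    if stored_method != "S256":
        return False
    if not 43 <= len(presented_verifier) <= 128:
        return False
    return secrets.compare_digest(stored_challenge, s256_challenge(presented_verifier))


def token_request(auth_method: str, client_id: str, client_secret: str, code: str,
                  redirect_uri: str, code_verifier: Optional[str] = None) -> Tuple[dict, str]:
    """Build the authorization_code token request for the given
    token_endpoint_auth_method. Returns (headers, form-encoded body)."""
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri}
    if code_verifier is not None:
        form["code_verifier"] = code_verifier
    if auth_method == "client_secret_post":        # Immich: credentials in the body
        form["client_id"] = client_id
        form["client_secret"] = client_secret
    elif auth_method == "client_secret_basic":     # Nextcloud: HTTP Basic header
        # RFC 6749 section 2.3.1: form-urlencode each part before base64.
        cred = f"{quote(client_id, safe='')}:{quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(cred.encode("ascii")).decode("ascii")
    else:
        raise ValueError(f"unsupported token_endpoint_auth_method: {auth_method}")
    return headers, urlencode(form)


if __name__ == "__main__":
    verifier = make_verifier()
    challenge = s256_challenge(verifier)        # sent with the authorization request
    print("verifier :", verifier)
    print("challenge:", challenge)
    print("verifies :", verify_pkce(challenge, "S256", verifier))
    hdrs, body = token_request("client_secret_basic", "nextcloud", "s3cret",  # constructed
                               "code-from-redirect",
                               "https://cloud.nemnix.site/apps/oidc_login/oidc", verifier)
    print(hdrs["Authorization"])
    print(body)
```

With `client_secret_basic` the secret never appears in the request body, only in the Authorization header; with `client_secret_post` it travels as a form field. Both are acceptable over TLS; the difference matters mainly for what ends up in request logs and for which method the client implementation actually supports.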

Traefik Middleware

The Authelia forward-auth middleware is defined in authelia.nix and referenced by other services:

nix
middlewares.authelia.forwardAuth = {
  address = "http://10.10.10.9:9091/api/authz/forward-auth";
  trustForwardHeader = true;
  authResponseHeaders = [
    "Remote-User"
    "Remote-Name"
    "Remote-Email"
    "Remote-Groups"
  ];
};

Services that want Authelia protection add middlewares = [ "authelia" ] to their Traefik router. Traefik replaces any incoming Remote-* headers with the values Authelia returns, so a client cannot smuggle its own identity through the proxy; the backend must therefore only be reachable through Traefik, since a request that hits it directly could carry an arbitrary Remote-User. `trustForwardHeader = true` makes the middleware pass the request's X-Forwarded-* headers on to Authelia, which needs them to learn the original host and URI; that is only safe while the entrypoint does not accept those headers from clients, which is Traefik's default unless forwardedHeaders.trustedIPs is widened.
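As an added example, not code from this page or from any service behind this proxy, the block below shows how a backend that consumes the forward-auth headers should decide whether to trust them: identity is taken from Remote-* only when the TCP peer is the proxy, so a request that bypasses Traefik is treated as anonymous rather than as whoever it claims to be. Assumption: Traefik connects to backends from 10.10.10.8 and the backend sees that address as its peer (the page lists it as the private network's host address, not as Traefik's); the users and groups are constructed.

```python
# Added example (not the page's code or any backend's): trust the forward-auth
# identity headers only when they arrive from the proxy.
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Mapping, Optional

# Assumption: Traefik reaches backends from the host address on the page.
TRUSTED_PROXIES = (ip_network("10.10.10.8/32"),)

# The authResponseHeaders the page's middleware copies onto the request.
IDENTITY_HEADERS = ("Remote-User", "Remote-Name", "Remote-Email", "Remote-Groups")


@dataclass
class Identity:
    user: str
    name: str = ""
    email: str = ""
    groups: List[str] = field(default_factory=list)


def identity_from_request(peer: str, headers: Mapping[str, str]) -> Optional[Identity]:
    """Return the identity the proxy asserted, or None for an anonymous
    request. Headers from any peer other than the proxy are ignored entirely;
    they are never partially trusted."""
    if not any(ip_address(peer) in net for net in TRUSTED_PROXIES):
        return None
    h = {k.lower(): v for k, v in headers.items()}   # header names are case-insensitive
    user = h.get("remote-user", "").strip()
    if not user:
        return None
    # Authelia sends Remote-Groups as a comma-separated list.
    groups = [g.strip() for g in h.get("remote-groups", "").split(",") if g.strip()]
    return Identity(user=user, name=h.get("remote-name", ""),
                    email=h.get("remote-email", ""), groups=groups)


def authorize(identity: Optional[Identity], required_group: str) -> bool:
    """Backend-side authorization on top of the proxy's authentication."""
    return identity is not None and required_group in identity.groups


if __name__ == "__main__":
    claimed = {"Remote-User": "alice", "Remote-Groups": "admins,users"}   # constructed
    print("via Traefik :", authorize(identity_from_request("10.10.10.8", claimed), "admins"))
    print("direct hit  :", authorize(identity_from_request("10.10.10.42", claimed), "admins"))
```

A backend on the private network that also listens on a host port, or one that is reachable from another container, is exactly the case the peer check guards against; the firewall rule that keeps backends unreachable except from Traefik is the primary control, and this check is the belt to that brace.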

Secrets

Authelia requires several secrets, all managed via agenix:

| Secret | Purpose |
| --- | --- |
| authelia_jwtSecretFile | JWT signing key |
| authelia_sessionSecretFile | Session encryption key |
| authelia_storageEncryptionKeyFile | Database encryption key |
| authelia_oidcIssuerPrivateKeyFile | OIDC token signing key |
| authelia_oidcHmacSecretFile | OIDC HMAC key |
| authelia_users_database | User credentials file |

All secrets are owned by the authelia-main user/group with mode 440. The storage encryption key must stay the same for the life of the SQLite database; rotating it is done with Authelia's `storage encryption change-key` command, not by swapping the secret file.