Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Binary file added templates/authelia/assets/logo.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
Binary file added templates/authelia/assets/screenshot.png
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
98 changes: 98 additions & 0 deletions templates/authelia/index.ts
Original file line number Diff line number Diff line change
@@ -0,0 +1,98 @@
import { bcryptHash, Output, randomString, Services } from "~templates-utils";
import { Input } from "./meta";

export function generate(input: Input): Output {
const services: Services = [];
const jwtSecret = randomString(32);
const sessionSecret = randomString(32);
const storageEncryptionKey = randomString(32);

const configYaml = `server:
address: 'tcp://:9091'

log:
level: 'info'

totp:
issuer: '{{ env "ROOT_DOMAIN" }}'

identity_validation:
reset_password:
jwt_secret: '${jwtSecret}'

authentication_backend:
file:
path: '/config/users_database.yml'

access_control:
default_policy: 'deny'
rules:
- domain: '*.{{ env "ROOT_DOMAIN" }}'
policy: 'one_factor'
- domain: '{{ env "ROOT_DOMAIN" }}'
policy: 'one_factor'

session:
secret: '${sessionSecret}'
cookies:
- name: 'authelia_session'
domain: '{{ env "SESSION_DOMAIN" }}'
authelia_url: '{{ env "AUTHELIA_URL" }}'
expiration: '1 hour'
inactivity: '5 minutes'

regulation:
max_retries: 3
find_time: '2 minutes'
ban_time: '5 minutes'

storage:
encryption_key: '${storageEncryptionKey}'
local:
path: '/data/db.sqlite3'

notifier:
filesystem:
filename: '/data/notification.txt'
`;

const usersYaml = `users:
admin:
disabled: false
displayname: 'Admin User'
password: '${bcryptHash(input.adminPassword)}'
email: 'admin@localhost'
groups:
- 'admins'
`;

services.push({
type: "app",
data: {
serviceName: input.appServiceName,
source: { type: "image", image: input.appServiceImage },
env: [
`X_AUTHELIA_CONFIG_FILTERS=template`,
`ROOT_DOMAIN=$(EASYPANEL_HOST)`,
`SESSION_DOMAIN=$(PRIMARY_DOMAIN)`,
`AUTHELIA_URL=https://$(PRIMARY_DOMAIN)`,
].join("\n"),
domains: [{ host: "$(EASYPANEL_DOMAIN)", port: 9091 }],
mounts: [
{ type: "volume", name: "data", mountPath: "/data" },
{
type: "file",
content: configYaml,
mountPath: "/config/configuration.yml",
},
{
type: "file",
content: usersYaml,
mountPath: "/config/users_database.yml",
},
],
},
});

return { services };
}
102 changes: 102 additions & 0 deletions templates/authelia/meta.yaml
Original file line number Diff line number Diff line change
@@ -0,0 +1,102 @@
name: Authelia
description:
Authelia is an open-source authentication and authorization server providing
two-factor authentication and single sign-on (SSO) for your applications via
a web portal. It acts as a companion to reverse proxies such as Traefik,
Nginx, or Caddy to control whether requests should pass through. Authelia is
also an OpenID Connect 1.0 certified identity provider, enabling modern
authentication flows for applications that support it. Key features include
multi-factor authentication via TOTP, WebAuthn, or Duo; fine-grained access
control rules; session management with configurable timeouts; LDAP and
file-based user backends; and SQLite, PostgreSQL, or MariaDB storage.
instructions:
After deployment, open the Authelia URL you configured. Log in with username
"admin" and the password you set during setup. On first login you will be
prompted to register a TOTP authenticator app. The "Authelia URL" field must
exactly match the full HTTPS URL you use to reach Authelia (e.g.
https://auth.yourdomain.com) — a mismatch causes the "issue retrieving user
state" error. Password reset notifications are written to
/data/notification.txt inside the container; view them via the Easypanel
console if no SMTP is configured.
changeLog:
- date: 2026-07-07
description: First Release
links:
- label: Website
url: https://www.authelia.com
- label: Documentation
url: https://www.authelia.com/configuration/prologue/introduction/
- label: GitHub
url: https://github.com/authelia/authelia
contributors:
- name: Ahson Shaikh
url: https://github.com/Ahson-Shaikh
schema:
type: object
required:
- appServiceName
- appServiceImage
- adminPassword
properties:
appServiceName:
type: string
title: App Service Name
default: authelia
appServiceImage:
type: string
title: App Service Image
default: authelia/authelia:4.39.20
adminPassword:
type: string
title: Admin Password
description: Password for the initial "admin" user account.
benefits:
- title: Multi-Factor Authentication
description:
Add TOTP, WebAuthn (passkeys and hardware keys), and Duo push
notifications on top of any password-based login, without modifying the
protected application.
- title: Single Sign-On
description:
One login session covers all protected apps. Users authenticate once and
are silently passed through to every service on your domain without
re-entering credentials.
- title: OpenID Connect Identity Provider
description:
Act as an OIDC provider for any application that supports it, enabling
centralised identity management and delegated login flows across your
entire infrastructure.
features:
- title: Reverse Proxy Integration
description:
Works natively with Traefik, Nginx, Caddy, HAProxy, and more via forward
authentication headers — no agents or sidecar containers required.
- title: Fine-Grained Access Control
description:
Define rules by domain, path, method, user, group, and network to allow,
bypass, or require one- or two-factor authentication per resource.
- title: File and LDAP User Backends
description:
Manage users with a simple YAML file for small deployments or connect to
an LDAP or Active Directory server for enterprise-scale user management.
- title: SQLite Storage
description:
Stores all persistent state — TOTP secrets, WebAuthn credentials, session
records — in a local SQLite database with no external DB required.
- title: Regulation and Brute-Force Protection
description:
Automatically bans accounts and IPs after configurable failed-attempt
thresholds, protecting against credential-stuffing and brute-force
attacks.
tags:
- Authentication
- Authorization
- 2FA
- MFA
- SSO
- Single Sign-On
- OpenID Connect
- OIDC
- Security
- Identity
- Access Control