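# Authelia secrets — set all of these in Portainer stack environment variables.
# This file is a template: leave the values empty here and never commit a filled-in copy.
# Generate random values with: openssl rand -hex 32

# Core secrets (safe as env vars — no $ signs in values).
# "Safe" refers to $ interpolation only. Environment variables remain readable through
# `docker inspect` and by anyone who can view the Portainer stack. Authelia also accepts
# the same names with a _FILE suffix that points at a file holding the value.
AUTHELIA_JWT_SECRET=
AUTHELIA_SESSION_SECRET=
AUTHELIA_STORAGE_ENCRYPTION_KEY=

# OIDC HMAC secret (safe as env var — hex string, no $ signs)
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=

# OIDC client secrets are NOT stored as env vars.
# Bcrypt hashes contain $ characters which Portainer/shell interpolates, truncating them.
# Instead, store hashes as files on the host:
#   /srv/authelia/config/secrets/oidc_open_webui  <- bcrypt hash of open-webui client secret
#   /srv/authelia/config/secrets/oidc_linkding    <- bcrypt hash of linkding client secret
#
# Write them with Python (not shell) to avoid $ interpolation.
# The Python code must be wrapped in SINGLE quotes: inside a double-quoted shell string
# the shell still expands the $ sequences of the hash before Python ever sees them.
#   docker run --rm -v /srv/authelia/config:/config python:3-alpine python3 -c '
#   open("/config/secrets/oidc_open_webui","w").write("PLACEHOLDER_BCRYPT_HASH_OPEN_WEBUI")
#   open("/config/secrets/oidc_linkding","w").write("PLACEHOLDER_BCRYPT_HASH_LINKDING")
#   '
# Afterwards restrict /srv/authelia/config/secrets so that only the user the Authelia
# container runs as can read it; files created this way get the container's default mode.
#
# Generate a bcrypt hash:
#   docker run --rm authelia/authelia:4.38 authelia crypto hash generate bcrypt --password 'PLACEHOLDER_CLIENT_SECRET'
# A password given on the command line ends up in shell history and the process list.
# Omitting --password makes Authelia prompt for it instead (run the container with -it).
#
# Note: the OIDC JWK private key is also host-managed inline in /srv/authelia/config/configuration.yml
# That file therefore contains private key material: keep it out of version control and
# limit read access the same way as the secrets directory.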