poprhythm
e6d4b0a349
Bcrypt hashes contain $ signs which Portainer interpolates when storing
as env vars, truncating the values. Use {{ secret "file" }} template
syntax instead — hashes live in /srv/authelia/config/secrets/ on the
host, written via Python to avoid shell interpolation.
Only $ -safe values (hex strings) remain as env vars.
27 lines
1.3 KiB
Bash
27 lines
1.3 KiB
Bash
# Authelia secrets — set all of these in Portainer stack environment variables
|
|
# Generate random values with: openssl rand -hex 32
|
|
|
|
# Core secrets (safe as env vars — no $ signs in values)
|
|
AUTHELIA_JWT_SECRET=
|
|
AUTHELIA_SESSION_SECRET=
|
|
AUTHELIA_STORAGE_ENCRYPTION_KEY=
|
|
|
|
# OIDC HMAC secret (safe as env var — hex string, no $ signs)
|
|
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=
|
|
|
|
# OIDC client secrets are NOT stored as env vars.
|
|
# Bcrypt hashes contain $ characters which Portainer/shell interpolates, truncating them.
|
|
# Instead, store hashes as files on the host:
|
|
# /srv/authelia/config/secrets/oidc_open_webui <- bcrypt hash of open-webui client secret
|
|
# /srv/authelia/config/secrets/oidc_linkding <- bcrypt hash of linkding client secret
|
|
#
|
|
# Write them with Python (not shell) to avoid $ interpolation:
|
|
# docker run --rm -v /srv/authelia/config:/config python:3-alpine python3 -c "
|
|
# open('/config/secrets/oidc_open_webui','w').write('<bcrypt-hash>')
|
|
# open('/config/secrets/oidc_linkding','w').write('<bcrypt-hash>')
|
|
# "
|
|
# Generate a bcrypt hash:
|
|
# docker run --rm authelia/authelia:4.38 authelia crypto hash generate bcrypt --password <plaintext>
|
|
#
|
|
# Note: the OIDC JWK private key is also host-managed inline in /srv/authelia/config/configuration.yml
|