poprhythm
e6d4b0a349
Bcrypt hashes contain $ signs which Portainer interpolates when storing
as env vars, truncating the values. Use {{ secret "file" }} template
syntax instead — hashes live in /srv/authelia/config/secrets/ on the
host, written via Python to avoid shell interpolation.
Only $ -safe values (hex strings) remain as env vars.
38 lines
1.1 KiB
YAML
38 lines
1.1 KiB
YAML
services:
|
|
authelia:
|
|
container_name: authelia
|
|
image: authelia/authelia:4.38
|
|
restart: unless-stopped
|
|
volumes:
|
|
- /srv/authelia/config:/config
|
|
environment:
|
|
- TZ=America/New_York
|
|
- AUTHELIA_JWT_SECRET=${AUTHELIA_JWT_SECRET}
|
|
- AUTHELIA_SESSION_SECRET=${AUTHELIA_SESSION_SECRET}
|
|
- AUTHELIA_STORAGE_ENCRYPTION_KEY=${AUTHELIA_STORAGE_ENCRYPTION_KEY}
|
|
- AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET=${AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}
|
|
# OIDC client secrets are NOT passed as env vars — bcrypt hashes contain $ which
|
|
# Portainer/shell interpolates. Stored as files in /srv/authelia/config/secrets/ instead.
|
|
- X_AUTHELIA_CONFIG_FILTERS=template
|
|
networks:
|
|
- npm-network
|
|
- authelia-internal
|
|
depends_on:
|
|
- authelia-redis
|
|
|
|
authelia-redis:
|
|
container_name: authelia-redis
|
|
image: redis:7-alpine
|
|
restart: unless-stopped
|
|
command: --save 60 1 --loglevel warning
|
|
volumes:
|
|
- /srv/authelia/redis:/data
|
|
networks:
|
|
- authelia-internal
|
|
|
|
networks:
|
|
npm-network:
|
|
external: true
|
|
authelia-internal:
|
|
driver: bridge
|