config:authelia-npm

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Next revision
Previous revision
config:authelia-npm [2026/03/09 12:39] – created Wuffconfig:authelia-npm [2026/03/09 13:29] (current) Wuff
Line 9: Line 9:
  
 The examples use simple local yaml file for authelia users and local file for notifications (used for 2FA setup) and local sqlite database. Any complex SSO, Redis, LDAP, mysql/postgresql database or other integration is out of scope of this article. The examples use simple local yaml file for authelia users and local file for notifications (used for 2FA setup) and local sqlite database. Any complex SSO, Redis, LDAP, mysql/postgresql database or other integration is out of scope of this article.
 +
 +===== Docker setup =====
  
 <code yaml docker-npm.yml> <code yaml docker-npm.yml>
Line 64: Line 66:
 </code> </code>
  
 +Create the data directories:
 <code> <code>
 mkdir -p /opt/authelia mkdir -p /opt/authelia
-mkdir -p /opt/npm+mkdir -p /opt/npm/{data,letsencrypt}
 </code> </code>
 +
 +
 +===== Authelia Configuration =====
  
 <code yaml /opt/authelia/configuration.yml> <code yaml /opt/authelia/configuration.yml>
Line 859: Line 865:
     ## Path to the SQLite3 Database.     ## Path to the SQLite3 Database.
     path: '/config/db.sqlite3'     path: '/config/db.sqlite3'
- 
-  ## 
-  ## MySQL / MariaDB (Storage Provider) 
-  ## 
-  # mysql: 
-    ## The address of the MySQL server to connect to in the address common syntax. 
-    ## Format: [<scheme>://]<hostname>[:<port>]. 
-    ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix`. 
-    ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '3306'. 
-    # address: 'tcp://127.0.0.1:3306' 
- 
-    ## The database name to use. 
-    # database: 'authelia' 
- 
-    ## The username used for SQL authentication. 
-    # username: 'authelia' 
- 
-    ## The password used for SQL authentication. 
-    ## Can also be set using a secret: https://www.authelia.com/c/secrets 
-    # password: 'mypassword' 
- 
-    ## The connection timeout in the duration common syntax. 
-    # timeout: '5 seconds' 
- 
-    ## MySQL TLS settings. Configuring this requires TLS. 
-    # tls: 
-      ## The server subject name to check the servers certificate against during the validation process. 
-      ## This option is not required if the certificate has a SAN which matches the address options hostname. 
-      # server_name: 'mysql.example.com' 
- 
-      ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the 
-      ## certificate or the certificate of the authority signing the certificate to the certificates directory which is 
-      ## defined by the `certificates_directory` option at the top of the configuration. 
-      ## It's important to note the public key should be added to the directory, not the private key. 
-      ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not 
-      ## important to the administrator. 
-      # skip_verify: false 
- 
-      ## Minimum TLS version for the connection. 
-      # minimum_version: 'TLS1.2' 
- 
-      ## Maximum TLS version for the connection. 
-      # maximum_version: 'TLS1.3' 
- 
-      ## The certificate chain used with the private_key if the server requests TLS Client Authentication 
-      ## i.e. Mutual TLS. 
-      # certificate_chain: | 
-        # -----BEGIN CERTIFICATE----- 
-        # ... 
-        # -----END CERTIFICATE----- 
-        # -----BEGIN CERTIFICATE----- 
-        # ... 
-        # -----END CERTIFICATE----- 
- 
-      ## The private key used with the certificate_chain if the server requests TLS Client Authentication 
-      ## i.e. Mutual TLS. 
-      # private_key: | 
-        # -----BEGIN PRIVATE KEY----- 
-        # ... 
-        # -----END PRIVATE KEY----- 
- 
-  ## 
-  ## PostgreSQL (Storage Provider) 
-  ## 
-  # postgres: 
-    ## The address of the PostgreSQL server to connect to in the address common syntax. 
-    ## Format: [<scheme>://]<hostname>[:<port>]. 
-    ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix`. 
-    ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '5432'. 
-    # address: 'tcp://127.0.0.1:5432' 
- 
-    ## List of additional server instance configurations to fallback to when the primary instance is not available. 
-    # servers: 
-      # - 
-        ## The Address of this individual instance. 
-        # address: 'tcp://127.0.0.1:5432' 
- 
-        ## The TLS configuration for this individual instance. 
-        # tls: 
-          # server_name: 'postgres.example.com' 
-          # skip_verify: false 
-          # minimum_version: 'TLS1.2' 
-          # maximum_version: 'TLS1.3' 
-          # certificate_chain: | 
-            # -----BEGIN CERTIFICATE----- 
-            # ... 
-            # -----END CERTIFICATE----- 
-            # -----BEGIN CERTIFICATE----- 
-            # ... 
-            # -----END CERTIFICATE----- 
-          # private_key: | 
-            # -----BEGIN PRIVATE KEY----- 
-            # ... 
-            # -----END PRIVATE KEY----- 
- 
-    ## The database name to use. 
-    # database: 'authelia' 
- 
-    ## The schema name to use. 
-    # schema: 'public' 
- 
-    ## The username used for SQL authentication. 
-    # username: 'authelia' 
- 
-    ## The password used for SQL authentication. 
-    ## Can also be set using a secret: https://www.authelia.com/c/secrets 
-    # password: 'mypassword' 
- 
-    ## The connection timeout in the duration common syntax. 
-    # timeout: '5 seconds' 
- 
-    ## PostgreSQL TLS settings. Configuring this requires TLS. 
-    # tls: 
-      ## The server subject name to check the servers certificate against during the validation process. 
-      ## This option is not required if the certificate has a SAN which matches the address options hostname. 
-      # server_name: 'postgres.example.com' 
- 
-      ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the 
-      ## certificate or the certificate of the authority signing the certificate to the certificates directory which is 
-      ## defined by the `certificates_directory` option at the top of the configuration. 
-      ## It's important to note the public key should be added to the directory, not the private key. 
-      ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not 
-      ## important to the administrator. 
-      # skip_verify: false 
- 
-      ## Minimum TLS version for the connection. 
-      # minimum_version: 'TLS1.2' 
- 
-      ## Maximum TLS version for the connection. 
-      # maximum_version: 'TLS1.3' 
- 
-      ## The certificate chain used with the private_key if the server requests TLS Client Authentication 
-      ## i.e. Mutual TLS. 
-      # certificate_chain: | 
-        # -----BEGIN CERTIFICATE----- 
-        # ... 
-        # -----END CERTIFICATE----- 
-        # -----BEGIN CERTIFICATE----- 
-        # ... 
-        # -----END CERTIFICATE----- 
- 
-      ## The private key used with the certificate_chain if the server requests TLS Client Authentication 
-      ## i.e. Mutual TLS. 
-      # private_key: | 
-        # -----BEGIN PRIVATE KEY----- 
-        # ... 
-        # -----END PRIVATE KEY----- 
  
 ## ##
Line 1509: Line 1368:
  
 </code> </code>
 +
 +===== Authelia password file =====
 +
 +For the user passwords, go to https://argon2.online/ to generate your passwords, use the settings you see below:
 +
 +{{.:pasted:20260309-131835.png}}
 +
 +Enter your password into the "Plain Text Input"
 +
 +Click the gear in "Salt" to generate a random string of characters.
 +
 +Be sure to have "Argon2id" activated.
 +
 +Other settings:
 +
 +    Parallelism: 4
 +    Memory Cost: 65536
 +    Iterations: 3
 +    Hash Length: 32
 +
 +Click "Generate Hash"
 +
 +Copy the string that starts with $argon2id into the associated user password in the users_database.yml
  
 <code yaml /opt/authelia/users_database.yml> <code yaml /opt/authelia/users_database.yml>
Line 1529: Line 1411:
 </code> </code>
  
 +===== Docker startup =====
 +Start the docker containers:
 +
 +<code>
 +docker compose -f docker-npm.yaml up -d
 +docker compose -f docker-authelia.yaml up -d
 +</code>
 +
 +
 +===== NPM GUI Configuration =====
 +
 +The default NPM GUI is internally accessible on http://192.168.1.2:71 (replace with other IP/port if different). Log in using the initial admin email and password as configured in the npm docker yaml file.
 +
 +Go to Hosts -> Proxy Hosts
 +{{.:pasted:20260309-125721.png}}
 +
 +Set up the first subdomain 'auth' for Authelia, enter auth.example.com with your domain and click create in the domain names, set it to publicly accessible and point it to your internal IP and Authelia port:
 +{{.:pasted:20260309-125824.png}}
 +On the SSL Certificate tab, set it to 'Request a new Certificate' and Force SSL, then save.
 +{{.:pasted:20260309-125806.png}}
 +Click save.
 +
 +
 +Then proceed with the first real subdomain. This example is for audiobookshelf on port 13378
 +{{.:pasted:20260309-125755.png}}
 +Request a new ssl certificate as in the auth subdomain.
 +To use Authelia for the main authentication, click the cog icon and paste the below configuration and adjust it to your setup:
 +{{.:pasted:20260309-130230.png}}
 +
 +Advanced nginx config for Authelia authentication. Internal IP/port needs to be entered as well as the error page. This example points to 192.168.1.2:13378
 +<code>
 +location / {
 +    auth_request /authelia;
 +    auth_request_set $target_url $scheme://$http_host$request_uri;
 +    auth_request_set $user $upstream_http_remote_user;
 +    auth_request_set $groups $upstream_http_remote_groups;
 +    error_page 401 =302 https://auth.example.com?rd=$target_url; #Replace with your domain for Authelia
 +
 +    proxy_pass http://192.168.1.2:13378; #Replace with the target address of the service
 +    client_body_buffer_size 128k;
 +    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
 +    send_timeout 5m;
 +    proxy_read_timeout 360;
 +    proxy_send_timeout 360;
 +    proxy_connect_timeout 360;
 +
 +    proxy_set_header Host $host;
 +    proxy_set_header X-Real-IP $remote_addr;
 +    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +    proxy_set_header X-Forwarded-Proto $scheme;
 +    proxy_set_header X-Forwarded-Host $http_host;
 +    proxy_set_header X-Forwarded-Uri $request_uri;
 +    proxy_set_header X-Forwarded-Ssl on;
 +    proxy_redirect http:// $scheme://;
 +    proxy_http_version 1.1;
 +    proxy_set_header Connection "";
 +    proxy_cache_bypass $cookie_session;
 +    proxy_no_cache $cookie_session;
 +    proxy_buffers 64 256k;
 +
 +    set_real_ip_from 10.0.0.0/8;
 +    set_real_ip_from 172.0.0.0/8;
 +    set_real_ip_from 192.168.0.0/16;
 +    set_real_ip_from fc00::/7;
 +    real_ip_header X-Forwarded-For;
 +    real_ip_recursive on;
 +}
 +
 +location /authelia {
 +    internal;
 +    proxy_pass http://192.168.1.2:6091/api/verify; #Replace with your host's IP address for Authelia's API
 +    proxy_set_header Host $http_host;
 +    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
 +    proxy_set_header X-Real-IP $remote_addr;
 +    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 +    proxy_set_header X-Forwarded-Proto $scheme;
 +    proxy_set_header Content-Length "";
 +    proxy_pass_request_body off;
 +}
 +</code>
 +
 +Click save.
 +
 +Repeat for all other subdomains as required.
 +
 +===== Authelia login =====
 +
 +Going to https://auth.example.com (replace with your domain) will show the authelia login prompt now. You can log in and set up 2FA, see your authentication status and change your password and registered devices.
 +
 +This configuration enables 2FA by default, so logging in to any of the services will prompt 2FA setup. The auth code will be stored in /opt/authelia/notification.txt and not emailed to the user!
  
 +{{.:pasted:20260309-132751.png}}
  
 +By default, authentication is valid for 1 hour or 30 days when the remember me is checked on login. This can be changed in the authelia configuration.yml
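Review bot: In the advanced nginx block added under "NPM GUI Configuration", `set_real_ip_from 172.0.0.0/8;` trusts a far larger range than the RFC 1918 block the neighbouring lines suggest it intends; the private range is `172.16.0.0/12`, so the line should read `set_real_ip_from 172.16.0.0/12;`, otherwise an X-Forwarded-For header presented by any peer in 172.0.0.0/8 is accepted as the client address that is then forwarded to Authelia via `$remote_addr` and `$proxy_add_x_forwarded_for` in the `/authelia` location. The "Authelia password file" section asks readers to paste user passwords into a third-party website; the Authelia binary shipped in the container can produce the same hash locally with `authelia crypto hash generate argon2`, so a sentence recommending that over the web form would keep plaintext passwords off the network. The "Docker startup" commands reference `docker-npm.yaml`, while the code block header in the Line 9 hunk names the file `docker-npm.yml`; one of the two should be corrected so the commands run as written.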