Authelia — SSO & Access Control
Host: authelia — CT129 on pve0-core, 10.37.176.64, VLAN 176 (DMZ)
URL: https://auth.home.pob.network
Authelia is the homelab SSO. All services behind Caddy are protected by it via forward auth or OIDC. Default policy is deny — access must be explicitly granted.
Authentication
- Backend: File-based (/etc/authelia/users.yml) — 2 users (myself + girlfriend)
- 2FA method: WebAuthn only. TOTP and Duo are disabled.
- Passkey login: Enabled
- WebAuthn attestation: Direct, with FIDO metadata validation enabled
Groups
| Group | Members | Purpose |
|---|---|---|
| admin | me | Full access including admin-only services |
| parent | me + girlfriend | Family services + media management |
| famille | me + girlfriend | General family services |
Access Control
Default policy: deny. All access must be explicitly granted.
| Domain(s) | Policy | Subject | Notes |
|---|---|---|---|
| auth.home.pob.network | bypass | — | Auth portal itself |
| n8n, beszel, bt, jackett, docker-prod-01.pve.pob.network | 2FA | group:admin | Admin-only tools |
| changedt, teslamate, documents, mailarchiver, budget | 2FA | group:parent | Sensitive family services |
| sonarr, babybuddy | 1FA | group:parent | Lower-risk family services |
| git | 2FA | group:famille | |
| jellyfin | 1FA | group:famille | |
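To check that the table above really yields the intended outcomes (default deny, admin-only hosts invisible to the parent group, and so on), here is a small added model of how Authelia walks its access_control rules. It is example code written for this page, not Authelia's own implementation. Assumptions: rules are checked top to bottom and the first match wins, an authenticated user matches a `group:` subject when they belong to that group, anything unmatched gets the default policy, and the short names in the table expand to `<name>.home.pob.network` (the Portainer host is already a full name).

```python
# Added example (not Authelia's own code): a simplified model of how Authelia
# walks its access_control rules, populated from the table above.
# Assumptions: first matching rule wins, "group:" subjects match when the
# authenticated user belongs to the group, unmatched requests get the default
# policy (deny), and short names expand to <name>.home.pob.network.

DEFAULT_POLICY = "deny"

# Group membership from the Groups table; "me"/"girlfriend" are the page's labels.
GROUPS = {
    "me": {"admin", "parent", "famille"},
    "girlfriend": {"parent", "famille"},
}

# Rules in table order, using Authelia's policy names.
RULES = [
    {"domains": ["auth"], "policy": "bypass", "subjects": []},
    {"domains": ["n8n", "beszel", "bt", "jackett", "docker-prod-01.pve.pob.network"],
     "policy": "two_factor", "subjects": ["group:admin"]},
    {"domains": ["changedt", "teslamate", "documents", "mailarchiver", "budget"],
     "policy": "two_factor", "subjects": ["group:parent"]},
    {"domains": ["sonarr", "babybuddy"], "policy": "one_factor", "subjects": ["group:parent"]},
    {"domains": ["git"], "policy": "two_factor", "subjects": ["group:famille"]},
    {"domains": ["jellyfin"], "policy": "one_factor", "subjects": ["group:famille"]},
]


def fqdn(name: str) -> str:
    """Expand a short service name into a hostname (assumed suffix)."""
    return name if "." in name else f"{name}.home.pob.network"


def subject_matches(subject: str, user: str) -> bool:
    """Match a 'user:<name>' or 'group:<name>' subject against an authenticated user."""
    kind, _, value = subject.partition(":")
    if kind == "user":
        return user == value
    if kind == "group":
        return value in GROUPS.get(user, set())
    return False


def required_policy(host: str, user: str) -> str:
    """Return the policy the model applies for an authenticated user on a host."""
    host = fqdn(host)
    for rule in RULES:
        if host not in {fqdn(d) for d in rule["domains"]}:
            continue
        # No subject means the rule applies to everyone (the portal's bypass rule).
        # With subjects, any one matching subject is enough.
        if rule["subjects"] and not any(subject_matches(s, user) for s in rule["subjects"]):
            continue  # domain matched but subject did not: keep looking
        return rule["policy"]
    return DEFAULT_POLICY


if __name__ == "__main__":
    for host, user in [("n8n", "me"), ("n8n", "girlfriend"), ("jellyfin", "girlfriend"),
                       ("grafana", "me"), ("auth", "girlfriend")]:
        print(f"{user:10} {fqdn(host):40} -> {required_policy(host, user)}")
```

The useful cases to eyeball are the negative ones: the girlfriend account on an admin-only host and any host that is not in the table both fall through to `deny`, which is exactly what the default policy is there for.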
Session
| Setting | Value |
|---|---|
| Domain | home.pob.network |
| Expiration | 24 hours |
| Inactivity timeout | 30 minutes |
| Remember me | 14 days |
OIDC Clients
Services that use Authelia as an OIDC provider (native SSO, not forward auth):
| Client | Redirect URI | Policy | PKCE | Notes |
|---|---|---|---|---|
| Beszel | beszel.home.pob.network/api/oauth2-redirect | 2FA | S256 | |
| Teslamate Grafana | teslamate.home.pob.network/grafana/login/generic_oauth | 2FA | S256 | |
| Jellyfin | jellyfin.home.pob.network/sso/OID/redirect/Authelia | 1FA | S256 | |
| mailarchiver | mailarchiver.home.pob.network/oidc-signin-completed | — | No | |
| Portainer | docker-prod-01.pve.pob.network:9443/ | 2FA | No | Accessed via direct domain, not home.pob.network |
| Gitea | git.home.pob.network/user/oauth2/Authelia/callback | — | No | |
| Actual Budget | budget.home.pob.network/openid/callback | 2FA | No | |
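The PKCE column marks which clients send an S256 challenge. As an added illustration of what that buys (not code from Authelia or from any client in the table), the block below implements the RFC 7636 S256 computation and a constructed stand-in for the provider's code store: the client keeps a random code_verifier, sends only its SHA-256 challenge with the authorization request, and must present the verifier when redeeming the code. `ToyProvider` and `pkce_flow` are illustrative names for this page only.

```python
# Added example (not from Authelia or any client listed above): the PKCE S256
# check per RFC 7636. ToyProvider is a constructed stand-in for the
# authorization server that only stores the challenge against the issued code.

import base64
import hashlib
import hmac
import secrets


def generate_code_verifier() -> str:
    """43-character URL-safe verifier (32 random bytes), within RFC 7636's 43-128 range."""
    return secrets.token_urlsafe(32)


def code_challenge_s256(verifier: str) -> str:
    """S256: BASE64URL(SHA256(ASCII(code_verifier))) without padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def verify_pkce(stored_challenge: str, method: str, presented_verifier: str) -> bool:
    """Provider-side check at the token endpoint; constant-time comparison."""
    if method == "S256":
        expected = code_challenge_s256(presented_verifier)
    elif method == "plain":
        expected = presented_verifier
    else:
        return False
    return hmac.compare_digest(expected, stored_challenge)


class ToyProvider:
    """Constructed stand-in for the authorization server's code store."""

    def __init__(self):
        self._codes = {}  # code -> (challenge, method)

    def authorize(self, challenge: str, method: str) -> str:
        """Issue an authorization code bound to the presented challenge."""
        code = secrets.token_urlsafe(16)
        self._codes[code] = (challenge, method)
        return code

    def token(self, code: str, verifier: str) -> bool:
        """Redeem a code once; succeed only if the verifier matches the stored challenge."""
        entry = self._codes.pop(code, None)
        if entry is None:
            return False
        challenge, method = entry
        return verify_pkce(challenge, method, verifier)


def pkce_flow(use_wrong_verifier: bool = False) -> bool:
    """One full authorize/token exchange; returns whether the token request was accepted."""
    provider = ToyProvider()
    verifier = generate_code_verifier()
    code = provider.authorize(code_challenge_s256(verifier), "S256")
    presented = generate_code_verifier() if use_wrong_verifier else verifier
    return provider.token(code, presented)
```

The point for the "No" rows is that without PKCE the code exchange rests only on the client secret and the registered redirect URI; for the S256 rows, a code alone is useless without the verifier that never left the client.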
Storage
SQLite database at /etc/authelia/db.sqlite. Suitable for single-instance, low-user-count deployment.
Notifications (SMTP)
Emails sent via internal SMTP relay at smtp.pve.pob.network:25.
| Setting | Value |
|---|---|
| Sender | Authelia <authelia@home.pob.network> |
| Startup check address | admin email |
| TLS | Disabled (internal relay, trusted network) |
Brute-force Protection
| Setting | Value |
|---|---|
| Max retries | 3 |
| Retry window | 2 minutes |
| Ban duration | 5 minutes |
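To see how those three settings interact, here is an added model of the regulation logic with the table's values (3 retries, 2-minute window, 5-minute ban). It is example code for this page, not Authelia's own regulator. Assumptions: failures are counted per user within a sliding window, the ban starts at the failure that reaches the limit, a banned user is rejected even with the correct password, and a successful login clears the user's failure history.

```python
# Added example (not Authelia's own code): a model of the brute-force
# regulation described in the table. Assumed semantics: per-user sliding
# window of failures, ban starts on the failure that reaches max_retries,
# success clears the failure history.

from collections import defaultdict, deque
from datetime import datetime, timedelta


class Regulator:
    def __init__(self, max_retries=3, find_time=timedelta(minutes=2),
                 ban_time=timedelta(minutes=5)):
        self.max_retries = max_retries
        self.find_time = find_time
        self.ban_time = ban_time
        self._failures = defaultdict(deque)  # user -> recent failure timestamps
        self._banned_until = {}              # user -> ban expiry

    def is_banned(self, user: str, now: datetime) -> bool:
        until = self._banned_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self._banned_until[user]  # ban expired, forget it
            return False
        return True

    def record(self, user: str, success: bool, now: datetime) -> str:
        """Feed one login attempt; returns 'banned', 'ok' or 'failed'."""
        if self.is_banned(user, now):
            return "banned"  # rejected regardless of the credential presented
        if success:
            self._failures.pop(user, None)
            return "ok"
        window = self._failures[user]
        window.append(now)
        while window and now - window[0] > self.find_time:
            window.popleft()  # drop failures older than find_time
        if len(window) >= self.max_retries:
            self._banned_until[user] = now + self.ban_time
            window.clear()
            return "banned"
        return "failed"


def replay(events):
    """Run constructed (seconds_offset, user, success) events; return one verdict per event."""
    reg = Regulator()
    t0 = datetime(2024, 1, 1, 0, 0, 0)
    return [reg.record(user, ok, t0 + timedelta(seconds=s)) for s, user, ok in events]


# Constructed sample: three quick failures trip the ban, the next attempt is
# rejected even though the password is right, and the ban lifts after 5 minutes.
SAMPLE = [(0, "me", False), (30, "me", False), (60, "me", False),
          (61, "me", True), (361, "me", True)]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", verdict)
```

The second scenario worth running is three failures spread over more than two minutes: the oldest one ages out of the window before the third arrives, so no ban is triggered. That is the trade-off the 2-minute window encodes.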