To set up Authelia with 1FA (Single Factor Authentication) and a separate user database file, you need to coordinate three parts: the Docker Compose file, the main configuration, and the user database.
1. The Authelia Docker Compose
Save this as docker-compose.authelia.yml in your Authelia directory.
```yaml
services:
  authelia:
    image: authelia/authelia:latest
    container_name: authelia
    restart: unless-stopped
    networks:
      - proxy
    volumes:
      - /mnt/disk2/docker/authelia/config:/config
    environment:
      - TZ=Europe/London # Change to your timezone
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.authelia.rule=Host(`auth.britbuzz.uk`)"
      - "traefik.http.routers.authelia.entrypoints=websecure"
      - "traefik.http.routers.authelia.tls=true"
      - "traefik.http.routers.authelia.tls.certresolver=myresolver"
      - "traefik.http.services.authelia.loadbalancer.server.port=9091"

networks:
  proxy:
    external: true
```
---
2. The Separate User Database (users_database.yml)
Create this file at /mnt/disk2/docker/authelia/config/users_database.yml. This keeps your credentials separate from the main logic.
```yaml
users:
  john:
    displayname: "John Doe"
    password: "$6$rounds=500000$j76S/R... (Generate a hash!)"
    email: john.doe@example.com # Placeholder address; use your own
    groups:
      - admins
      - users
```
Note: To generate the password hash, run: docker run authelia/authelia:latest authelia hash-password your_password_here
---
3. The Main Configuration (configuration.yml)
Create this at /mnt/disk2/docker/authelia/config/configuration.yml. This tells Authelia to use 1FA and point to your user file.
```yaml
jwt_secret: 'unsecure_jwt_secret_change_me' # Required; change this to a long random value!

server:
  host: 0.0.0.0
  port: 9091

storage:
  encryption_key: 'unsecure_storage_key_change_me' # Required, 20+ characters; change this!
  local:
    path: /config/db.sqlite3

authentication_backend:
  file:
    path: /config/users_database.yml # Points to your separate file

access_control:
  default_policy: 'one_factor' # This enables 1FA globally

session:
  name: authelia_session
  domain: britbuzz.uk # Use your root domain
  secret: 'unsecure_session_secret_change_me' # Change this!

notifier:
  filesystem:
    filename: /config/emails.txt
```
---
4. Connect to Traefik (dynamic_conf.yml)
Update your existing dynamic_conf.yml on the host to define the middleware that Traefik will use to protect your other apps.
```yaml
http:
  middlewares:
    auth-authelia:
      forwardAuth:
        address: http://authelia:9091/api/verify?rd=https://auth.britbuzz.uk/
        trustForwardHeader: true
        authResponseHeaders:
          - Remote-User
          - Remote-Groups
          - Remote-Name
          - Remote-Email
```
---
Next Steps
- Generate your password hash and put it in users_database.yml.
- Spin up the container with docker compose -f docker-compose.authelia.yml up -d.
- Protect an app: To put a service behind Authelia, simply add this label to that service:
- "traefik.http.routers.myservice.middlewares=auth-authelia@file"
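Before starting the container, a pre-flight check like the following catches a leftover `change_me` secret, the `(Generate a hash!)` placeholder, a plaintext password, or config files readable by other users. This is an added example, not part of the original guide or of Authelia; the function names `gen_secret` and `check_config_dir` are hypothetical, and it assumes the container user can read files with mode 600.

```shell
#!/bin/sh
# Added example: pre-flight check for the Authelia config directory.
# Function names are hypothetical; they are not part of Authelia.

# Print a 64-hex-character (256-bit) value from the kernel CSPRNG,
# suitable for replacing a placeholder secret.
gen_secret() {
    head -c 32 /dev/urandom | od -An -tx1 | tr -d ' \n'
}

# Return 0 when the directory holding configuration.yml and
# users_database.yml has no leftover placeholders and no group/other access.
check_config_dir() {
    dir=$1
    rc=0
    if grep -q 'change_me' "$dir/configuration.yml"; then
        echo "FAIL: placeholder secret still in configuration.yml" >&2
        rc=1
    fi
    if grep -q 'Generate a hash' "$dir/users_database.yml"; then
        echo "FAIL: placeholder password hash in users_database.yml" >&2
        rc=1
    fi
    # A stored password must be a crypt-style hash ("$id$..."), never plaintext.
    if grep -E '^[[:space:]]*password:' "$dir/users_database.yml" |
        grep -Eqv 'password:[[:space:]]*.?\$[a-z0-9]+\$'; then
        echo "FAIL: a password value is not a hash" >&2
        rc=1
    fi
    for f in configuration.yml users_database.yml; do
        # Characters 5-10 of the ls mode string are the group and other bits.
        perms=$(ls -ld "$dir/$f" | cut -c5-10)
        if [ "$perms" != "------" ]; then
            echo "FAIL: $f is accessible to group/other (use chmod 600)" >&2
            rc=1
        fi
    done
    return $rc
}

# Run the check when a directory is given on the command line.
if [ "$#" -gt 0 ]; then
    check_config_dir "$1"
fi
```

Run it as `sh preflight.sh /mnt/disk2/docker/authelia/config` (the script filename is an assumption); a non-zero exit status means at least one check failed.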
Would you like me to show you how to add the Duo API settings to the configuration.yml so you can switch to 2FA later if you change your mind?