Merge remote-tracking branch 'origin/master' into feat-settings-ui

.gitignore

@@ -25,3 +25,5 @@ authelia-image-dev.tar
 
 /authelia
 __debug_bin
+
+internal/suites/common/pki/ca/ca.private.pem

Dockerfile

@@ -1,7 +1,7 @@
 # ===================================
 # ===== Authelia official image =====
 # ===================================
-FROM alpine:3.17.1
+FROM alpine:3.17.2
 
 ARG TARGETOS
 ARG TARGETARCH

Dockerfile.coverage

@@ -46,7 +46,7 @@ RUN \
 # ===================================
 # ===== Authelia official image =====
 # ===================================
-FROM alpine:3.17.1
+FROM alpine:3.17.2
 
 RUN apk --no-cache add ca-certificates tzdata
 

Dockerfile.dev

@@ -43,7 +43,7 @@ RUN \
 # ===================================
 # ===== Authelia official image =====
 # ===================================
-FROM alpine:3.17.1
+FROM alpine:3.17.2
 
 WORKDIR /app
 

internal/commands/const.go

@@ -772,3 +772,7 @@ Layouts:
 	ANSIC: Mon Jan _2 15:04:05 2006
 	Date: 2006-01-02`
 )
+
+const (
+	fmtLogServerListening = "Server is listening for %s connections on '%s' path '%s'"
+)

internal/commands/context.go

@@ -9,7 +9,6 @@ import (
 	"github.com/sirupsen/logrus"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
-	"golang.org/x/sync/errgroup"
 
 	"github.com/authelia/authelia/v4/internal/authentication"
 	"github.com/authelia/authelia/v4/internal/authorization"
@@ -35,14 +34,8 @@ import (
 func NewCmdCtx() *CmdCtx {
 	ctx := context.Background()
 
-	ctx, cancel := context.WithCancel(ctx)
-
-	group, ctx := errgroup.WithContext(ctx)
-
 	return &CmdCtx{
 		Context: ctx,
-		cancel:  cancel,
-		group:   group,
 		log:     logging.Logger(),
 		providers: middlewares.Providers{
 			Random: &random.Cryptographical{},
@@ -55,9 +48,6 @@ func NewCmdCtx() *CmdCtx {
 type CmdCtx struct {
 	context.Context
 
-	cancel context.CancelFunc
-	group  *errgroup.Group
-
 	log *logrus.Logger
 
 	config    *schema.Configuration

internal/commands/root.go

@@ -2,21 +2,13 @@ package commands
 
 import (
 	"fmt"
-	"net"
 	"os"
-	"os/signal"
-	"path/filepath"
 	"strings"
-	"syscall"
 
-	"github.com/fsnotify/fsnotify"
 	"github.com/spf13/cobra"
-	"github.com/valyala/fasthttp"
 
-	"github.com/authelia/authelia/v4/internal/authentication"
 	"github.com/authelia/authelia/v4/internal/logging"
 	"github.com/authelia/authelia/v4/internal/model"
-	"github.com/authelia/authelia/v4/internal/server"
 	"github.com/authelia/authelia/v4/internal/utils"
 )
 
@@ -95,195 +87,11 @@ func (ctx *CmdCtx) RootRunE(_ *cobra.Command, _ []string) (err error) {
 
 	ctx.cconfig = nil
 
-	runServices(ctx)
+	servicesRun(ctx)
 
 	return nil
 }
 
-//nolint:gocyclo // Complexity is required in this function.
-func runServices(ctx *CmdCtx) {
-	defer ctx.cancel()
-
-	quit := make(chan os.Signal, 1)
-
-	signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
-
-	defer signal.Stop(quit)
-
-	var (
-		mainServer, metricsServer     *fasthttp.Server
-		mainListener, metricsListener net.Listener
-	)
-
-	ctx.group.Go(func() (err error) {
-		defer func() {
-			if r := recover(); r != nil {
-				ctx.log.WithError(recoverErr(r)).Errorf("Server (main) critical error caught (recovered)")
-			}
-		}()
-
-		if mainServer, mainListener, err = server.CreateDefaultServer(*ctx.config, ctx.providers); err != nil {
-			ctx.log.WithError(err).Error("Create Server (main) returned error")
-
-			return err
-		}
-
-		if err = mainServer.Serve(mainListener); err != nil {
-			ctx.log.WithError(err).Error("Server (main) returned error")
-
-			return err
-		}
-
-		return nil
-	})
-
-	ctx.group.Go(func() (err error) {
-		if ctx.providers.Metrics == nil {
-			return nil
-		}
-
-		defer func() {
-			if r := recover(); r != nil {
-				ctx.log.WithError(recoverErr(r)).Errorf("Server (metrics) critical error caught (recovered)")
-			}
-		}()
-
-		if metricsServer, metricsListener, err = server.CreateMetricsServer(ctx.config.Telemetry.Metrics); err != nil {
-			ctx.log.WithError(err).Error("Create Server (metrics) returned error")
-
-			return err
-		}
-
-		if err = metricsServer.Serve(metricsListener); err != nil {
-			ctx.log.WithError(err).Error("Server (metrics) returned error")
-
-			return err
-		}
-
-		return nil
-	})
-
-	if ctx.config.AuthenticationBackend.File != nil && ctx.config.AuthenticationBackend.File.Watch {
-		provider := ctx.providers.UserProvider.(*authentication.FileUserProvider)
-		if watcher, err := runServiceFileWatcher(ctx, ctx.config.AuthenticationBackend.File.Path, provider); err != nil {
-			ctx.log.WithError(err).Errorf("File Watcher (user database) start returned error")
-		} else {
-			defer func(watcher *fsnotify.Watcher) {
-				if err := watcher.Close(); err != nil {
-					ctx.log.WithError(err).Errorf("File Watcher (user database) close returned error")
-				}
-			}(watcher)
-		}
-	}
-
-	select {
-	case s := <-quit:
-		switch s {
-		case syscall.SIGINT:
-			ctx.log.Debugf("Shutdown started due to SIGINT")
-		case syscall.SIGQUIT:
-			ctx.log.Debugf("Shutdown started due to SIGQUIT")
-		}
-	case <-ctx.Done():
-		ctx.log.Debugf("Shutdown started due to context completion")
-	}
-
-	ctx.cancel()
-
-	ctx.log.Infof("Shutting down")
-
-	var err error
-
-	if mainServer != nil {
-		if err = mainServer.Shutdown(); err != nil {
-			ctx.log.WithError(err).Errorf("Error occurred shutting down the server")
-		}
-	}
-
-	if metricsServer != nil {
-		if err = metricsServer.Shutdown(); err != nil {
-			ctx.log.WithError(err).Errorf("Error occurred shutting down the metrics server")
-		}
-	}
-
-	if err = ctx.providers.StorageProvider.Close(); err != nil {
-		ctx.log.WithError(err).Errorf("Error occurred closing the database connection")
-	}
-
-	if err = ctx.group.Wait(); err != nil {
-		ctx.log.WithError(err).Errorf("Error occurred waiting for shutdown")
-	}
-}
-
-type ReloadFilter func(path string) (skipped bool)
-
-type ProviderReload interface {
-	Reload() (reloaded bool, err error)
-}
-
-func runServiceFileWatcher(ctx *CmdCtx, path string, reload ProviderReload) (watcher *fsnotify.Watcher, err error) {
-	if watcher, err = fsnotify.NewWatcher(); err != nil {
-		return nil, err
-	}
-
-	failed := make(chan struct{})
-
-	var directory, filename string
-
-	if path != "" {
-		directory, filename = filepath.Dir(path), filepath.Base(path)
-	}
-
-	ctx.group.Go(func() error {
-		for {
-			select {
-			case <-failed:
-				return nil
-			case event, ok := <-watcher.Events:
-				if !ok {
-					return nil
-				}
-
-				if filename != filepath.Base(event.Name) {
-					ctx.log.WithField("file", event.Name).WithField("op", event.Op).Tracef("File modification detected to irrelevant file")
-					break
-				}
-
-				switch {
-				case event.Op&fsnotify.Write == fsnotify.Write, event.Op&fsnotify.Create == fsnotify.Create:
-					ctx.log.WithField("file", event.Name).WithField("op", event.Op).Debug("File modification detected")
-
-					switch reloaded, err := reload.Reload(); {
-					case err != nil:
-						ctx.log.WithField("file", event.Name).WithField("op", event.Op).WithError(err).Error("Error occurred reloading file")
-					case reloaded:
-						ctx.log.WithField("file", event.Name).Info("Reloaded file successfully")
-					default:
-						ctx.log.WithField("file", event.Name).Debug("Reload of file was triggered but it was skipped")
-					}
-				case event.Op&fsnotify.Remove == fsnotify.Remove:
-					ctx.log.WithField("file", event.Name).WithField("op", event.Op).Debug("Remove of file was detected")
-				}
-			case err, ok := <-watcher.Errors:
-				if !ok {
-					return nil
-				}
-				ctx.log.WithError(err).Errorf("Error while watching files")
-			}
-		}
-	})
-
-	if err := watcher.Add(directory); err != nil {
-		failed <- struct{}{}
-
-		return nil, err
-	}
-
-	ctx.log.WithField("directory", directory).WithField("file", filename).Debug("Directory is being watched for changes to the file")
-
-	return watcher, nil
-}
-
 func doStartupChecks(ctx *CmdCtx) {
 	var (
 		failures []string

internal/commands/services.go

@@ -0,0 +1,311 @@
+package commands
+
+import (
+	"context"
+	"fmt"
+	"net"
+	"os"
+	"os/signal"
+	"path/filepath"
+	"strings"
+	"sync"
+	"syscall"
+
+	"github.com/fsnotify/fsnotify"
+	"github.com/sirupsen/logrus"
+	"github.com/valyala/fasthttp"
+	"golang.org/x/sync/errgroup"
+
+	"github.com/authelia/authelia/v4/internal/authentication"
+	"github.com/authelia/authelia/v4/internal/server"
+)
+
+// NewServerService creates a new ServerService with the appropriate logger etc.
+func NewServerService(name string, server *fasthttp.Server, listener net.Listener, paths []string, isTLS bool, log *logrus.Logger) (service *ServerService) {
+	return &ServerService{
+		server:   server,
+		listener: listener,
+		paths:    paths,
+		isTLS:    isTLS,
+		log:      log.WithFields(map[string]any{"service": "server", "server": name}),
+	}
+}
+
+// NewFileWatcherService creates a new FileWatcherService with the appropriate logger etc.
+func NewFileWatcherService(name, path string, reload ProviderReload, log *logrus.Logger) (service *FileWatcherService, err error) {
+	if path == "" {
+		return nil, fmt.Errorf("path must be specified")
+	}
+
+	var info os.FileInfo
+
+	if info, err = os.Stat(path); err != nil {
+		return nil, fmt.Errorf("error stating file '%s': %w", path, err)
+	}
+
+	if path, err = filepath.Abs(path); err != nil {
+		return nil, fmt.Errorf("error determining absolute path of file '%s': %w", path, err)
+	}
+
+	var watcher *fsnotify.Watcher
+
+	if watcher, err = fsnotify.NewWatcher(); err != nil {
+		return nil, err
+	}
+
+	entry := log.WithFields(map[string]any{"service": "watcher", "watcher": name})
+
+	if info.IsDir() {
+		service = &FileWatcherService{
+			watcher:   watcher,
+			reload:    reload,
+			log:       entry,
+			directory: filepath.Clean(path),
+		}
+	} else {
+		service = &FileWatcherService{
+			watcher:   watcher,
+			reload:    reload,
+			log:       entry,
+			directory: filepath.Dir(path),
+			file:      filepath.Base(path),
+		}
+	}
+
+	if err = service.watcher.Add(service.directory); err != nil {
+		return nil, fmt.Errorf("failed to add path '%s' to watch list: %w", path, err)
+	}
+
+	return service, nil
+}
+
+// ProviderReload represents the required methods to support reloading a provider.
+type ProviderReload interface {
+	Reload() (reloaded bool, err error)
+}
+
+// Service represents the required methods to support handling a service.
+type Service interface {
+	Run() (err error)
+	Shutdown()
+}
+
+// ServerService is a Service which runs a webserver.
+type ServerService struct {
+	server   *fasthttp.Server
+	paths    []string
+	isTLS    bool
+	listener net.Listener
+	log      *logrus.Entry
+}
+
+// Run the ServerService.
+func (service *ServerService) Run() (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			service.log.WithError(recoverErr(r)).Error("Critical error caught (recovered)")
+		}
+	}()
+
+	service.log.Infof(fmtLogServerListening, connectionType(service.isTLS), service.listener.Addr().String(), strings.Join(service.paths, "' and '"))
+
+	if err = service.server.Serve(service.listener); err != nil {
+		service.log.WithError(err).Error("Error returned attempting to serve requests")
+
+		return err
+	}
+
+	return nil
+}
+
+// Shutdown the ServerService.
+func (service *ServerService) Shutdown() {
+	if err := service.server.Shutdown(); err != nil {
+		service.log.WithError(err).Error("Error occurred during shutdown")
+	}
+}
+
+// FileWatcherService is a Service that watches files for changes.
+type FileWatcherService struct {
+	watcher *fsnotify.Watcher
+	reload  ProviderReload
+
+	log       *logrus.Entry
+	file      string
+	directory string
+}
+
+// Run the FileWatcherService.
+func (service *FileWatcherService) Run() (err error) {
+	defer func() {
+		if r := recover(); r != nil {
+			service.log.WithError(recoverErr(r)).Error("Critical error caught (recovered)")
+		}
+	}()
+
+	service.log.WithField("file", filepath.Join(service.directory, service.file)).Info("Watching for file changes to the file")
+
+	for {
+		select {
+		case event, ok := <-service.watcher.Events:
+			if !ok {
+				return nil
+			}
+
+			if service.file != "" && service.file != filepath.Base(event.Name) {
+				service.log.WithFields(map[string]any{"file": event.Name, "op": event.Op}).Tracef("File modification detected to irrelevant file")
+				break
+			}
+
+			switch {
+			case event.Op&fsnotify.Write == fsnotify.Write, event.Op&fsnotify.Create == fsnotify.Create:
+				service.log.WithFields(map[string]any{"file": event.Name, "op": event.Op}).Debug("File modification was detected")
+
+				var reloaded bool
+
+				switch reloaded, err = service.reload.Reload(); {
+				case err != nil:
+					service.log.WithFields(map[string]any{"file": event.Name, "op": event.Op}).WithError(err).Error("Error occurred during reload")
+				case reloaded:
+					service.log.WithField("file", event.Name).Info("Reloaded successfully")
+				default:
+					service.log.WithField("file", event.Name).Debug("Reload of was triggered but it was skipped")
+				}
+			case event.Op&fsnotify.Remove == fsnotify.Remove:
+				service.log.WithFields(map[string]any{"file": event.Name, "op": event.Op}).Debug("File remove was detected")
+			}
+		case err, ok := <-service.watcher.Errors:
+			if !ok {
+				return nil
+			}
+
+			service.log.WithError(err).Errorf("Error while watching files")
+		}
+	}
+}
+
+// Shutdown the FileWatcherService.
+func (service *FileWatcherService) Shutdown() {
+	if err := service.watcher.Close(); err != nil {
+		service.log.WithError(err).Error("Error occurred during shutdown")
+	}
+}
+
+func svcSvrMainFunc(ctx *CmdCtx) (service Service) {
+	switch svr, listener, paths, isTLS, err := server.CreateDefaultServer(ctx.config, ctx.providers); {
+	case err != nil:
+		ctx.log.WithError(err).Fatal("Create Server Service (main) returned error")
+	case svr != nil && listener != nil:
+		service = NewServerService("main", svr, listener, paths, isTLS, ctx.log)
+	default:
+		ctx.log.Fatal("Create Server Service (main) failed")
+	}
+
+	return service
+}
+
+func svcSvrMetricsFunc(ctx *CmdCtx) (service Service) {
+	switch svr, listener, paths, isTLS, err := server.CreateMetricsServer(ctx.config, ctx.providers); {
+	case err != nil:
+		ctx.log.WithError(err).Fatal("Create Server Service (metrics) returned error")
+	case svr != nil && listener != nil:
+		service = NewServerService("metrics", svr, listener, paths, isTLS, ctx.log)
+	default:
+		ctx.log.Debug("Create Server Service (metrics) skipped")
+	}
+
+	return service
+}
+
+func svcWatcherUsersFunc(ctx *CmdCtx) (service Service) {
+	var err error
+
+	if ctx.config.AuthenticationBackend.File != nil && ctx.config.AuthenticationBackend.File.Watch {
+		provider := ctx.providers.UserProvider.(*authentication.FileUserProvider)
+
+		if service, err = NewFileWatcherService("users", ctx.config.AuthenticationBackend.File.Path, provider, ctx.log); err != nil {
+			ctx.log.WithError(err).Fatal("Create Watcher Service (users) returned error")
+		}
+	}
+
+	return service
+}
+
+func connectionType(isTLS bool) string {
+	if isTLS {
+		return "TLS"
+	}
+
+	return "non-TLS"
+}
+
+func servicesRun(ctx *CmdCtx) {
+	cctx, cancel := context.WithCancel(ctx)
+
+	group, cctx := errgroup.WithContext(cctx)
+
+	defer cancel()
+
+	quit := make(chan os.Signal, 1)
+
+	signal.Notify(quit, syscall.SIGINT, syscall.SIGTERM)
+
+	defer signal.Stop(quit)
+
+	var (
+		services []Service
+	)
+
+	for _, serviceFunc := range []func(ctx *CmdCtx) Service{
+		svcSvrMainFunc, svcSvrMetricsFunc,
+		svcWatcherUsersFunc,
+	} {
+		if service := serviceFunc(ctx); service != nil {
+			services = append(services, service)
+
+			group.Go(service.Run)
+		}
+	}
+
+	ctx.log.Info("Startup Complete")
+
+	select {
+	case s := <-quit:
+		switch s {
+		case syscall.SIGINT:
+			ctx.log.WithField("signal", "SIGINT").Debugf("Shutdown started due to signal")
+		case syscall.SIGTERM:
+			ctx.log.WithField("signal", "SIGTERM").Debugf("Shutdown started due to signal")
+		}
+	case <-cctx.Done():
+		ctx.log.Debugf("Shutdown started due to context completion")
+	}
+
+	cancel()
+
+	ctx.log.Infof("Shutting down")
+
+	wgShutdown := &sync.WaitGroup{}
+
+	for _, service := range services {
+		go func() {
+			service.Shutdown()
+
+			wgShutdown.Done()
+		}()
+
+		wgShutdown.Add(1)
+	}
+
+	wgShutdown.Wait()
+
+	var err error
+
+	if err = ctx.providers.StorageProvider.Close(); err != nil {
+		ctx.log.WithError(err).Error("Error occurred closing database connections")
+	}
+
+	if err = group.Wait(); err != nil {
+		ctx.log.WithError(err).Errorf("Error occurred waiting for shutdown")
+	}
+}

internal/server/const.go

@@ -83,12 +83,3 @@ const (
 	tmplCSPSwaggerNonce = "default-src 'self'; img-src 'self' https://validator.swagger.io data:; object-src 'none'; script-src 'self' 'unsafe-inline' 'nonce-%s'; style-src 'self' 'nonce-%s'; base-uri 'self'"
 	tmplCSPSwagger      = "default-src 'self'; img-src 'self' https://validator.swagger.io data:; object-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self'; base-uri 'self'"
 )
-
-const (
-	connNonTLS = "non-TLS"
-	connTLS    = "TLS"
-)
-
-const (
-	fmtLogServerInit = "Initializing %s for %s connections on '%s' path '%s'"
-)

internal/server/handlers.go

@@ -92,10 +92,10 @@ func handleNotFound(next fasthttp.RequestHandler) fasthttp.RequestHandler {
 }
 
 //nolint:gocyclo
-func handleRouter(config schema.Configuration, providers middlewares.Providers) fasthttp.RequestHandler {
+func handleRouter(config *schema.Configuration, providers middlewares.Providers) fasthttp.RequestHandler {
 	log := logging.Logger()
 
-	optsTemplatedFile := NewTemplatedFileOptions(&config)
+	optsTemplatedFile := NewTemplatedFileOptions(config)
 
 	serveIndexHandler := ServeTemplatedFile(providers.Templates.GetAssetIndexTemplate(), optsTemplatedFile)
 	serveOpenAPIHandler := ServeTemplatedOpenAPI(providers.Templates.GetAssetOpenAPIIndexTemplate(), optsTemplatedFile)
@@ -104,7 +104,7 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers)
 	handlerPublicHTML := newPublicHTMLEmbeddedHandler()
 	handlerLocales := newLocalesEmbeddedHandler()
 
-	bridge := middlewares.NewBridgeBuilder(config, providers).
+	bridge := middlewares.NewBridgeBuilder(*config, providers).
 		WithPreMiddlewares(middlewares.SecurityHeaders).Build()
 
 	policyCORSPublicGET := middlewares.NewCORSPolicyBuilder().
@@ -141,16 +141,16 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers)
 		r.GET("/api/"+file, handlerPublicHTML)
 	}
 
-	middlewareAPI := middlewares.NewBridgeBuilder(config, providers).
+	middlewareAPI := middlewares.NewBridgeBuilder(*config, providers).
 		WithPreMiddlewares(middlewares.SecurityHeaders, middlewares.SecurityHeadersNoStore, middlewares.SecurityHeadersCSPNone).
 		Build()
 
-	middleware1FA := middlewares.NewBridgeBuilder(config, providers).
+	middleware1FA := middlewares.NewBridgeBuilder(*config, providers).
 		WithPreMiddlewares(middlewares.SecurityHeaders, middlewares.SecurityHeadersNoStore, middlewares.SecurityHeadersCSPNone).
 		WithPostMiddlewares(middlewares.Require1FA).
 		Build()
 
-	middleware2FA := middlewares.NewBridgeBuilder(config, providers).
+	middleware2FA := middlewares.NewBridgeBuilder(*config, providers).
 		WithPreMiddlewares(middlewares.SecurityHeaders, middlewares.SecurityHeadersNoStore, middlewares.SecurityHeadersCSPNone).
 		WithPostMiddlewares(middlewares.Require2FAWithAPIResponse).
 		Build()
@@ -167,7 +167,7 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers)
 	for name, endpoint := range config.Server.Endpoints.Authz {
 		uri := path.Join(pathAuthz, name)
 
-		authz := handlers.NewAuthzBuilder().WithConfig(&config).WithEndpointConfig(endpoint).Build()
+		authz := handlers.NewAuthzBuilder().WithConfig(config).WithEndpointConfig(endpoint).Build()
 
 		handler := middlewares.Wrap(metricsVRMW, bridge(authz.Handler))
 
@@ -275,7 +275,7 @@ func handleRouter(config schema.Configuration, providers middlewares.Providers)
 	}
 
 	if providers.OpenIDConnect != nil {
-		bridgeOIDC := middlewares.NewBridgeBuilder(config, providers).WithPreMiddlewares(
+		bridgeOIDC := middlewares.NewBridgeBuilder(*config, providers).WithPreMiddlewares(
 			middlewares.SecurityHeaders, middlewares.SecurityHeadersCSPNoneOpenIDConnect, middlewares.SecurityHeadersNoStore,
 		).Build()
 

internal/server/server.go

@@ -7,7 +7,6 @@ import (
 	"net"
 	"os"
 	"strconv"
-	"strings"
 
 	"github.com/sirupsen/logrus"
 	"github.com/valyala/fasthttp"
@@ -18,9 +17,9 @@ import (
 )
 
 // CreateDefaultServer Create Authelia's internal webserver with the given configuration and providers.
-func CreateDefaultServer(config schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, err error) {
+func CreateDefaultServer(config *schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, paths []string, isTLS bool, err error) {
 	if err = providers.Templates.LoadTemplatedAssets(assets); err != nil {
-		return nil, nil, fmt.Errorf("failed to load templated assets: %w", err)
+		return nil, nil, nil, false, fmt.Errorf("failed to load templated assets: %w", err)
 	}
 
 	server = &fasthttp.Server{
@@ -38,15 +37,14 @@ func CreateDefaultServer(config schema.Configuration, providers middlewares.Prov
 	address := net.JoinHostPort(config.Server.Host, strconv.Itoa(config.Server.Port))
 
 	var (
-		connectionType   string
 		connectionScheme string
 	)
 
 	if config.Server.TLS.Certificate != "" && config.Server.TLS.Key != "" {
-		connectionType, connectionScheme = connTLS, schemeHTTPS
+		isTLS, connectionScheme = true, schemeHTTPS
 
 		if err = server.AppendCert(config.Server.TLS.Certificate, config.Server.TLS.Key); err != nil {
-			return nil, nil, fmt.Errorf("unable to load tls server certificate '%s' or private key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err)
+			return nil, nil, nil, false, fmt.Errorf("unable to load tls server certificate '%s' or private key '%s': %w", config.Server.TLS.Certificate, config.Server.TLS.Key, err)
 		}
 
 		if len(config.Server.TLS.ClientCertificates) > 0 {
@@ -56,7 +54,7 @@ func CreateDefaultServer(config schema.Configuration, providers middlewares.Prov
 
 			for _, path := range config.Server.TLS.ClientCertificates {
 				if cert, err = os.ReadFile(path); err != nil {
-					return nil, nil, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err)
+					return nil, nil, nil, false, fmt.Errorf("unable to load tls client certificate '%s': %w", path, err)
 				}
 
 				caCertPool.AppendCertsFromPEM(cert)
@@ -69,51 +67,51 @@ func CreateDefaultServer(config schema.Configuration, providers middlewares.Prov
 		}
 
 		if listener, err = tls.Listen("tcp", address, server.TLSConfig.Clone()); err != nil {
-			return nil, nil, fmt.Errorf("unable to initialize tcp listener: %w", err)
+			return nil, nil, nil, false, fmt.Errorf("unable to initialize tcp listener: %w", err)
 		}
 	} else {
-		connectionType, connectionScheme = connNonTLS, schemeHTTP
+		connectionScheme = schemeHTTP
 
 		if listener, err = net.Listen("tcp", address); err != nil {
-			return nil, nil, fmt.Errorf("unable to initialize tcp listener: %w", err)
+			return nil, nil, nil, false, fmt.Errorf("unable to initialize tcp listener: %w", err)
 		}
 	}
 
 	if err = writeHealthCheckEnv(config.Server.DisableHealthcheck, connectionScheme, config.Server.Host,
 		config.Server.Path, config.Server.Port); err != nil {
-		return nil, nil, fmt.Errorf("unable to configure healthcheck: %w", err)
+		return nil, nil, nil, false, fmt.Errorf("unable to configure healthcheck: %w", err)
 	}
 
-	paths := []string{"/"}
+	paths = []string{"/"}
 
 	if config.Server.Path != "" {
 		paths = append(paths, config.Server.Path)
 	}
 
-	logging.Logger().Infof(fmtLogServerInit, "server", connectionType, listener.Addr().String(), strings.Join(paths, "' and '"))
+	return server, listener, paths, isTLS, nil
-
-	return server, listener, nil
 }
 
 // CreateMetricsServer creates a metrics server.
-func CreateMetricsServer(config schema.TelemetryMetricsConfig) (server *fasthttp.Server, listener net.Listener, err error) {
+func CreateMetricsServer(config *schema.Configuration, providers middlewares.Providers) (server *fasthttp.Server, listener net.Listener, paths []string, tls bool, err error) {
-	if listener, err = config.Address.Listener(); err != nil {
+	if providers.Metrics == nil {
-		return nil, nil, err
+		return
 	}
 
 	server = &fasthttp.Server{
 		ErrorHandler:          handleError(),
 		NoDefaultServerHeader: true,
 		Handler:               handleMetrics(),
-		ReadBufferSize:        config.Buffers.Read,
+		ReadBufferSize:        config.Telemetry.Metrics.Buffers.Read,
-		WriteBufferSize:       config.Buffers.Write,
+		WriteBufferSize:       config.Telemetry.Metrics.Buffers.Write,
-		ReadTimeout:           config.Timeouts.Read,
+		ReadTimeout:           config.Telemetry.Metrics.Timeouts.Read,
-		WriteTimeout:          config.Timeouts.Write,
+		WriteTimeout:          config.Telemetry.Metrics.Timeouts.Write,
-		IdleTimeout:           config.Timeouts.Idle,
+		IdleTimeout:           config.Telemetry.Metrics.Timeouts.Idle,
 		Logger:                logging.LoggerPrintf(logrus.DebugLevel),
 	}
 
-	logging.Logger().Infof(fmtLogServerInit, "server (metrics)", connNonTLS, listener.Addr().String(), "/metrics")
+	if listener, err = config.Telemetry.Metrics.Address.Listener(); err != nil {
+		return nil, nil, nil, false, err
+	}
 
-	return server, listener, nil
+	return server, listener, []string{"/metrics"}, false, nil
 }

internal/server/server_test.go

@@ -152,7 +152,7 @@ func NewTLSServerContext(configuration schema.Configuration) (serverContext *TLS
 		return nil, err
 	}
 
-	s, listener, err := CreateDefaultServer(configuration, providers)
+	s, listener, _, _, err := CreateDefaultServer(&configuration, providers)
 
 	if err != nil {
 		return nil, err

internal/suites/ActiveDirectory/configuration.yml

@@ -10,8 +10,8 @@ default_redirection_url: https://home.example.com:8080/
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/ActiveDirectory/docker-compose.yml

@@ -4,5 +4,5 @@ services:
   authelia-backend:
     volumes:
       - './ActiveDirectory/configuration.yml:/config/configuration.yml:ro'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/BypassAll/configuration.yml

@@ -6,8 +6,8 @@
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/BypassAll/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './BypassAll/configuration.yml:/config/configuration.yml:ro'
       - './BypassAll/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/CLI/configuration.yml

@@ -6,8 +6,8 @@
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/CLI/docker-compose.yml

@@ -6,7 +6,7 @@ services:
       - './CLI/configuration.yml:/config/configuration.yml:ro'
       - './CLI/storage.yml:/config/configuration.storage.yml:ro'
       - './CLI/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
       - '/tmp:/tmp'
     user: ${USER_ID}:${GROUP_ID}
 ...

internal/suites/Caddy/configuration.yml

@@ -9,8 +9,8 @@ server:
   port: 9091
   asset_path: /config/assets/
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
   endpoints:
     authz:
       caddy:

internal/suites/Caddy/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './Caddy/configuration.yml:/config/configuration.yml:ro'
       - './Caddy/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/Docker/configuration.yml

@@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/Docker/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './Docker/configuration.yml:/config/configuration.yml:ro'
       - './Docker/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/DuoPush/configuration.yml

@@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: trace

internal/suites/DuoPush/docker-compose.yml

@@ -5,7 +5,7 @@ services:
     volumes:
       - './DuoPush/configuration.yml:/config/configuration.yml:ro'
       - './DuoPush/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
       - '/tmp:/tmp'
     user: ${USER_ID}:${GROUP_ID}
 ...

internal/suites/Envoy/configuration.yml

@@ -9,8 +9,8 @@ server:
   port: 9091
   asset_path: /config/assets/
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
   endpoints:
     authz:
       ext-authz:

internal/suites/Envoy/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './Envoy/configuration.yml:/config/configuration.yml:ro'
       - './Envoy/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/HAProxy/configuration.yml

@@ -8,8 +8,8 @@ jwt_secret: unsecure_secret
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/HAProxy/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './HAProxy/configuration.yml:/config/configuration.yml:ro'
       - './HAProxy/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/HighAvailability/configuration.yml

@@ -8,8 +8,8 @@ jwt_secret: unsecure_secret
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/HighAvailability/docker-compose.yml

@@ -4,5 +4,5 @@ services:
   authelia-backend:
     volumes:
       - './HighAvailability/configuration.yml:/config/configuration.yml:ro'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/LDAP/configuration.yml

@@ -10,8 +10,8 @@ default_redirection_url: https://home.example.com:8080/
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/LDAP/docker-compose.yml

@@ -4,5 +4,5 @@ services:
   authelia-backend:
     volumes:
       - './LDAP/configuration.yml:/config/configuration.yml:ro'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/MariaDB/configuration.yml

@@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/MariaDB/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './MariaDB/configuration.yml:/config/configuration.yml:ro'
       - './MariaDB/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/MultiCookieDomain/configuration.yml

@@ -9,8 +9,8 @@ theme: auto
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 telemetry:
   metrics:

internal/suites/MultiCookieDomain/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './MultiCookieDomain/configuration.yml:/config/configuration.yml:ro'
       - './MultiCookieDomain/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/MySQL/configuration.yml

@@ -6,8 +6,8 @@
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/MySQL/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './MySQL/configuration.yml:/config/configuration.yml:ro'
       - './MySQL/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/NetworkACL/configuration.yml

@@ -6,8 +6,8 @@
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/NetworkACL/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './NetworkACL/configuration.yml:/config/configuration.yml:ro'
       - './NetworkACL/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/OIDC/configuration.yml

@@ -2,8 +2,8 @@
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug
@@ -64,72 +64,6 @@ identity_providers:
   oidc:
     enable_client_debug_messages: true
     hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm
-    issuer_certificate_chain: |
-      -----BEGIN CERTIFICATE-----
-      MIIC6DCCAdCgAwIBAgIRAIxvm0gFgsbh3D22rSZLuFQwDQYJKoZIhvcNAQELBQAw
-      EzERMA8GA1UEChMIQXV0aGVsaWEwIBcNMjIxMDAyMDAzMDQyWhgPMjEyMjA5MDgw
-      MDMwNDJaMBMxETAPBgNVBAoTCEF1dGhlbGlhMIIBIjANBgkqhkiG9w0BAQEFAAOC
-      AQ8AMIIBCgKCAQEAy71EOkV3jOpVQtVTH5HYcI4PryUCiAEyxAIuO+66gaAa4aCd
-      UCRr8iO/pt5nOwPxjPo+hMHhkcKpX7evj+wgYXAccpIQFSCYWTJkaXFL0jL7yFuE
-      5xpjgRM/x6FfK0IbN5WmVWO9EjesbyMCyDoYpjwzIrxnB70F9Y0nrXst1SnW/Sy0
-      01BQZNzD1tky1KDvEkw7L5mMPZFZMr5wV+ELvbo1LLvvrGYhhzbXWk7pPbxT0gAa
-      7yVvQbDKuCDqssAUyQa2JdlDaQocpldtK6l+dc3IsSWKd2UMouta75ngr9E1igy3
-      t7owMRqH8NjwKHt6KQeDVSdBnWNjG572vaRimQIDAQABozUwMzAOBgNVHQ8BAf8E
-      BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG
-      9w0BAQsFAAOCAQEAaZJ09yGa+DGr/iTqshGdPKNCtcf/CXCkL52xiI7DzLxDt30P
-      8vCuXXrrTGBY7eWYupcNy/MyqaUrz1ED+map3nQzZQBJ9vWIfr01B9phkg/WSaNJ
-      1DlYtbPYzr86BlGP1V5d3Wv6JqF3tkWHI0kI38CT68fWdDKrfa5j3JdZGIVJW+51
-      U0IE3Nqhfc76YzwQ3sNX5FT2Fr55RowH+l5OBPk0Bcztq58XmyPR/bvPfDASt8iS
-      DBT+0iiDiwk6LvOkasL8p7nuh5Grc9LMEYXY/QMUbkIWhIVRFlqyJA9s8vGHx1D4
-      96iYKudj+yvO17Szzr/NNmcwETbCs4j6P6QeiA==
-      -----END CERTIFICATE-----
-      -----BEGIN CERTIFICATE-----
-      MIIDBTCCAe2gAwIBAgIQAK/NIAl3Bdg4Xk0y/ZGL7jANBgkqhkiG9w0BAQsFADAT
-      MREwDwYDVQQKEwhBdXRoZWxpYTAgFw0yMjEwMDIwMDMwMjFaGA8yMTIyMDkwODAw
-      MzAyMVowEzERMA8GA1UEChMIQXV0aGVsaWEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-      DwAwggEKAoIBAQCg7jdO1HmydfkPzTtz57pvAS3YOdBT0hlNjJ4N2lrKhNnixrzK
-      +4R1dWQDP2SHbZQ0TskF8eQ8HhTr7AsApotTthJFkUgV2g+bv7wVroz0Hok5xtd4
-      bnpOvG3YUCP13Nk3ZVxdQXqR3/G3MrbyiXVPcgU+0giJ8EBykbtMu8L79/1iyk+m
-      w4fZfzTOeorRgspO3z3+pTAib2MCTA7bby1dX9qI/ysFPLdbJYfNQDxij8SzNLyJ
-      EkQ4kh3jKXf1VcZjbQTtYTZ3JJDqM08OxGMKuXUxPHd72Xlb+Fzql8LjYdEy/YKA
-      3r8FMf14lzcjvxtLnFXh//hiXh4+xgXMkrLZAgMBAAGjUzBRMA4GA1UdDwEB/wQE
-      AwICpDAPBgNVHSUECDAGBgRVHSUAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
-      FGKpXiZA+8VQyMBqTTep+dVTthSbMA0GCSqGSIb3DQEBCwUAA4IBAQAE4DJg+Rb4
-      iiocvxxQ85lhh94ql++E8MKuzIdN7ORs+ybUnsDD1WFDebubroTQuTSBkFrNuGNJ
-      8B7NZsHiWWLvNsrnxxeC5CicqfhSDti0rKWsbGyeoq7Kqok5E4pwOzeRsxL2e/Hm
-      G6LsUQuQMUG2vxKNynqmJS4VpgSVkiGhUfURFuRRDuRpVQ/XTl7jDIGf/ls7TAZq
-      1AnmnSi4Cqy4hrTnwYUYkFCcH69onUKAoaVNl1eAH7ogxakz32WyWObY98NBrjzA
-      I6VQlaQNSHtdFqDpu7NWJZZZSgN4BknbMYQEPNYCm701cPB4ahJbpg5C3pVPFSql
-      Bc9iI6nN3PCr
-      -----END CERTIFICATE-----
-    issuer_private_key: |
-      -----BEGIN RSA PRIVATE KEY-----
-      MIIEowIBAAKCAQEAy71EOkV3jOpVQtVTH5HYcI4PryUCiAEyxAIuO+66gaAa4aCd
-      UCRr8iO/pt5nOwPxjPo+hMHhkcKpX7evj+wgYXAccpIQFSCYWTJkaXFL0jL7yFuE
-      5xpjgRM/x6FfK0IbN5WmVWO9EjesbyMCyDoYpjwzIrxnB70F9Y0nrXst1SnW/Sy0
-      01BQZNzD1tky1KDvEkw7L5mMPZFZMr5wV+ELvbo1LLvvrGYhhzbXWk7pPbxT0gAa
-      7yVvQbDKuCDqssAUyQa2JdlDaQocpldtK6l+dc3IsSWKd2UMouta75ngr9E1igy3
-      t7owMRqH8NjwKHt6KQeDVSdBnWNjG572vaRimQIDAQABAoIBAA/EhhM8bRQqzo5t
-      lBFNaELNu8kCRD/iV9tzj8BzqVt+2JW9qG8bYn9K5Po1HCglFfyjIVOE7cAqIJGX
-      1a59x8PCuXDkfPolm6TLkZnXeta5u2K2MoLwN+M1aio5AvSGGTUkD8tr/KX8SQwQ
-      2ZZFaML0xcBadF7U8jEey4NRlSp5/voiIAB+FrJHepZBz2XJYCX5s2vYLPMn+51R
-      1HyO0n2aQ9H1Na8aBjTfAp9GDKJWBV3bSM7cVaLGlMFj/HNXUNVnSsVsJj0tdWKz
-      K6r9zPskLnS+eNjCgqrOtZSqJ7M3PL0/PoTFPrr1Fevr+soKWCaPF94Ib94O9SEq
-      scvP3kECgYEA0HBdGab0HjcZgFtsIaMm+eBcDhUmUrvMPUw6FmspKnc8wplscONW
-      wrDGhR0dpT8+aAMD5jFC2pvyHjI5AWkW+53LB15j6SVzUlUMfS3VTwE2prLtDHDs
-      nCDW2+fXY2kjv45efZGpMGbLJVePx2RCPzUlAlc14lzxnHgpo7eho1cCgYEA+jpi
-      Eo/Jqa5CNd4hrXqFxZTFtU2Mn38ZKI3QK/l47/347yHLebjsYIIwJRoHenxWxNlz
-      Y+BZ38vkP+f9BGAVGiRcyMmIJU0X305wKwl26Y2Q/tEm2OpwmDboD2pL9byi9vfY
-      bz7pQGK/l9j86KofRwVJJRLsofPI1SsjnC8c448CgYAkpg0IjJ1RjriSJADwLSKW
-      PseQxlE1rMVtZbC07mSPjeWGBbnWY3KGytQs5YCn5GXRne4alEC/9Tlt68CwKc0b
-      spPXGNaSUL5lFIUcoWlm+bylNMKPNG+1x+RfR/VMCll5vcuJYooP85L2Xt3t3gfz
-      2yFFtxXHVjY5H7uaiJgIAwKBgQDvkGXEj5TqtsL8/6YOiHb6Kuz+Hzi6mtxjTyI2
-      d6mpWuWxTBGaf8kOvJWLb9gpFFGeNPGcdXaWJIZqCJjcT4Dkflu2f/uwepaYXGhX
-      S8Bk6fwfee5PTmRt1mNmHsaKhgcfmznDh9+YnPIBVuULe5RmUlEtBWk3xEZKj/qP
-      1Ss7UQKBgAwZQz+h5Z/XOJH3Qs5nJBKAZUiYkj3ux7G6tjx0cz7XcUYd/6enBpkY
-      JeqVHB6G+bMRLwb+Hc5Vgpbd5GdaUWo8udaghHgSGPUVcn0lK38XhYek6ACGz7Lo
-      xEfgtKoBlUq+uPb8H05HY0t9KybA3LA5wkRYYnJ17/nkZtrrJAmX
-      -----END RSA PRIVATE KEY-----
     clients:
       - id: oidc-tester-app
         secret: foobar

internal/suites/OIDC/docker-compose.yml

@@ -2,9 +2,11 @@
 version: '3'
 services:
   authelia-backend:
+    environment:
+      AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.bundle.crt
+      AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem
     volumes:
       - './OIDC/configuration.yml:/config/configuration.yml:ro'
       - './OIDC/users.yml:/config/users.yml'
-      - './OIDC/keypair/key.pem:/config/issuer.pem:ro'
+      - './common/pki:/pki:ro'
-      - './common/pki:/config/ssl:ro'
 ...

internal/suites/OIDC/keypair/key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAvOFmoEJFt1JkfdlwM3vJFg5rrY9d6LyyqezjZkBZDQ4qdEEU
-dCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3r0ugjJXjhvJdBSaoLlzL3saeyrXk
-frOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy7Wzq0y7XxGeNidEmFjMAf9dwf6/+
-PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5Z9iqn4LRXnAFnC438hZZKZU/+JxU
-2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4TLjVS/3h75sh2Wk0xVaSwjPEjCOgm
-a+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4NwIDAQABAoIBADWkupXnXI99Ogc4
-GxK0JF88Rz6qyhwQg5mZKthejCwWCt6roRiBF33O933KOHa+OljMAqHDCv1pzjgw
-BIz0mvaRPw7OfylTajHNUdShDFHADVc7I6MMcgz+eYBarhY5jCAjKHMOPjv7DSZs
-OdYCKLvfxC2oTyV714n9uZhyccDcvQpkgZuBDL0oxPom1GOI8TGhPjxvFOovEHWA
-Q8q9XY4cUVNDikZmvpgeUkJHWYHYb+11vKeSupnYD03yJ3sDy+F6+m+3/XmzFbXb
-1p43ermHQsMfDlxPyulUUI0viSo2UhlMC/moAb9FusOv+dTl2lt0gGqzDJ9gg1z1
-XpHRnwkCgYEA5x48dyxd4lydtVYef9sBmbLJEYozsYyOwLcnrLSNaZxeCza1exyR
-QIRogswoLDacxrYvO8FY6LtAEMkisv732M29zthBPm5wyoSZiM1X2YfQXKsmyh2h
-x1/yCWv/BQjj68A8IAxToaXxSG4WAr/X00RGUkXgkgw122FxcmGuFyUCgYEA0TcR
-dnt/oRMK4aCZHcBgTknzDfxKlJh4S0C9WjxKgr8IlW4LTeVSBuuqOObOQYImEhtw
-TRTKZIViL0roDF79cioQSp1Tk5h6uy8wr6VyhWRnWfTz2/azoTHnmQ780rtAuEI/
-NvE6FiqwikJLjma1YJoRfr/bfmgMdxcYbJI1MSsCgYAEZ5Yda1IKu1siFpcUNrdM
-F5UvaWPc0WHzGEqARxye06UTL6K7yuqVwTBAteVaGlxYiSZTTDcGkHMDHuIzaRqO
-HjWs2IA90VsC8Q4ABnHTKnx1F6nwlin8I774IP/GN8ooNwyuS63YWdJEYBy5RrC1
-TQrODJjgD62DFdNUq7nmpQKBgFMJEzI+Q+KPJ0NztTG8t7x61y/W0Vb2yM+9Syn0
-QfJwlZyRR4VMHelHQZFB8dzIJgoLv9+n/8gztEtm5IB8dwUHst2aYaBz5UpDqYQd
-Gz3cIrTuZpcH7DVvFCeIbknJLh+zk1lgFpjTqqvFMi27kANeQtFWnmwmKcRec0As
-K1ZvAoGAV/3YB44/zIoB590+yhpx2HTmDPVHH+J+5O71Pi1D9W13ClBFLrE69wo+
-IQLIstBI5tGOGeuQNjXhDKJ1U30xppZXcnebrkA+oOo+6dy20zghFR2maAGXfWFU
-pM4GsSnSTm0bXPebVouQFqhj7LqcQQzCqRDThmw/Lp1tJUmu40g=
------END RSA PRIVATE KEY-----

internal/suites/OIDC/keypair/key.pub

@@ -1,9 +0,0 @@
------BEGIN RSA PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvOFmoEJFt1JkfdlwM3vJ
-Fg5rrY9d6LyyqezjZkBZDQ4qdEEUdCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3
-r0ugjJXjhvJdBSaoLlzL3saeyrXkfrOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy
-7Wzq0y7XxGeNidEmFjMAf9dwf6/+PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5
-Z9iqn4LRXnAFnC438hZZKZU/+JxU2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4T
-LjVS/3h75sh2Wk0xVaSwjPEjCOgma+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4
-NwIDAQAB
------END RSA PUBLIC KEY-----

internal/suites/OIDCTraefik/configuration.yml

@@ -2,8 +2,8 @@
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug
@@ -65,72 +65,6 @@ identity_providers:
   oidc:
     enable_client_debug_messages: true
     hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm
-    issuer_certificate_chain: |
-      -----BEGIN CERTIFICATE-----
-      MIIC6DCCAdCgAwIBAgIRAIxvm0gFgsbh3D22rSZLuFQwDQYJKoZIhvcNAQELBQAw
-      EzERMA8GA1UEChMIQXV0aGVsaWEwIBcNMjIxMDAyMDAzMDQyWhgPMjEyMjA5MDgw
-      MDMwNDJaMBMxETAPBgNVBAoTCEF1dGhlbGlhMIIBIjANBgkqhkiG9w0BAQEFAAOC
-      AQ8AMIIBCgKCAQEAy71EOkV3jOpVQtVTH5HYcI4PryUCiAEyxAIuO+66gaAa4aCd
-      UCRr8iO/pt5nOwPxjPo+hMHhkcKpX7evj+wgYXAccpIQFSCYWTJkaXFL0jL7yFuE
-      5xpjgRM/x6FfK0IbN5WmVWO9EjesbyMCyDoYpjwzIrxnB70F9Y0nrXst1SnW/Sy0
-      01BQZNzD1tky1KDvEkw7L5mMPZFZMr5wV+ELvbo1LLvvrGYhhzbXWk7pPbxT0gAa
-      7yVvQbDKuCDqssAUyQa2JdlDaQocpldtK6l+dc3IsSWKd2UMouta75ngr9E1igy3
-      t7owMRqH8NjwKHt6KQeDVSdBnWNjG572vaRimQIDAQABozUwMzAOBgNVHQ8BAf8E
-      BAMCBaAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDAYDVR0TAQH/BAIwADANBgkqhkiG
-      9w0BAQsFAAOCAQEAaZJ09yGa+DGr/iTqshGdPKNCtcf/CXCkL52xiI7DzLxDt30P
-      8vCuXXrrTGBY7eWYupcNy/MyqaUrz1ED+map3nQzZQBJ9vWIfr01B9phkg/WSaNJ
-      1DlYtbPYzr86BlGP1V5d3Wv6JqF3tkWHI0kI38CT68fWdDKrfa5j3JdZGIVJW+51
-      U0IE3Nqhfc76YzwQ3sNX5FT2Fr55RowH+l5OBPk0Bcztq58XmyPR/bvPfDASt8iS
-      DBT+0iiDiwk6LvOkasL8p7nuh5Grc9LMEYXY/QMUbkIWhIVRFlqyJA9s8vGHx1D4
-      96iYKudj+yvO17Szzr/NNmcwETbCs4j6P6QeiA==
-      -----END CERTIFICATE-----
-      -----BEGIN CERTIFICATE-----
-      MIIDBTCCAe2gAwIBAgIQAK/NIAl3Bdg4Xk0y/ZGL7jANBgkqhkiG9w0BAQsFADAT
-      MREwDwYDVQQKEwhBdXRoZWxpYTAgFw0yMjEwMDIwMDMwMjFaGA8yMTIyMDkwODAw
-      MzAyMVowEzERMA8GA1UEChMIQXV0aGVsaWEwggEiMA0GCSqGSIb3DQEBAQUAA4IB
-      DwAwggEKAoIBAQCg7jdO1HmydfkPzTtz57pvAS3YOdBT0hlNjJ4N2lrKhNnixrzK
-      +4R1dWQDP2SHbZQ0TskF8eQ8HhTr7AsApotTthJFkUgV2g+bv7wVroz0Hok5xtd4
-      bnpOvG3YUCP13Nk3ZVxdQXqR3/G3MrbyiXVPcgU+0giJ8EBykbtMu8L79/1iyk+m
-      w4fZfzTOeorRgspO3z3+pTAib2MCTA7bby1dX9qI/ysFPLdbJYfNQDxij8SzNLyJ
-      EkQ4kh3jKXf1VcZjbQTtYTZ3JJDqM08OxGMKuXUxPHd72Xlb+Fzql8LjYdEy/YKA
-      3r8FMf14lzcjvxtLnFXh//hiXh4+xgXMkrLZAgMBAAGjUzBRMA4GA1UdDwEB/wQE
-      AwICpDAPBgNVHSUECDAGBgRVHSUAMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYE
-      FGKpXiZA+8VQyMBqTTep+dVTthSbMA0GCSqGSIb3DQEBCwUAA4IBAQAE4DJg+Rb4
-      iiocvxxQ85lhh94ql++E8MKuzIdN7ORs+ybUnsDD1WFDebubroTQuTSBkFrNuGNJ
-      8B7NZsHiWWLvNsrnxxeC5CicqfhSDti0rKWsbGyeoq7Kqok5E4pwOzeRsxL2e/Hm
-      G6LsUQuQMUG2vxKNynqmJS4VpgSVkiGhUfURFuRRDuRpVQ/XTl7jDIGf/ls7TAZq
-      1AnmnSi4Cqy4hrTnwYUYkFCcH69onUKAoaVNl1eAH7ogxakz32WyWObY98NBrjzA
-      I6VQlaQNSHtdFqDpu7NWJZZZSgN4BknbMYQEPNYCm701cPB4ahJbpg5C3pVPFSql
-      Bc9iI6nN3PCr
-      -----END CERTIFICATE-----
-    issuer_private_key: |
-      -----BEGIN RSA PRIVATE KEY-----
-      MIIEowIBAAKCAQEAy71EOkV3jOpVQtVTH5HYcI4PryUCiAEyxAIuO+66gaAa4aCd
-      UCRr8iO/pt5nOwPxjPo+hMHhkcKpX7evj+wgYXAccpIQFSCYWTJkaXFL0jL7yFuE
-      5xpjgRM/x6FfK0IbN5WmVWO9EjesbyMCyDoYpjwzIrxnB70F9Y0nrXst1SnW/Sy0
-      01BQZNzD1tky1KDvEkw7L5mMPZFZMr5wV+ELvbo1LLvvrGYhhzbXWk7pPbxT0gAa
-      7yVvQbDKuCDqssAUyQa2JdlDaQocpldtK6l+dc3IsSWKd2UMouta75ngr9E1igy3
-      t7owMRqH8NjwKHt6KQeDVSdBnWNjG572vaRimQIDAQABAoIBAA/EhhM8bRQqzo5t
-      lBFNaELNu8kCRD/iV9tzj8BzqVt+2JW9qG8bYn9K5Po1HCglFfyjIVOE7cAqIJGX
-      1a59x8PCuXDkfPolm6TLkZnXeta5u2K2MoLwN+M1aio5AvSGGTUkD8tr/KX8SQwQ
-      2ZZFaML0xcBadF7U8jEey4NRlSp5/voiIAB+FrJHepZBz2XJYCX5s2vYLPMn+51R
-      1HyO0n2aQ9H1Na8aBjTfAp9GDKJWBV3bSM7cVaLGlMFj/HNXUNVnSsVsJj0tdWKz
-      K6r9zPskLnS+eNjCgqrOtZSqJ7M3PL0/PoTFPrr1Fevr+soKWCaPF94Ib94O9SEq
-      scvP3kECgYEA0HBdGab0HjcZgFtsIaMm+eBcDhUmUrvMPUw6FmspKnc8wplscONW
-      wrDGhR0dpT8+aAMD5jFC2pvyHjI5AWkW+53LB15j6SVzUlUMfS3VTwE2prLtDHDs
-      nCDW2+fXY2kjv45efZGpMGbLJVePx2RCPzUlAlc14lzxnHgpo7eho1cCgYEA+jpi
-      Eo/Jqa5CNd4hrXqFxZTFtU2Mn38ZKI3QK/l47/347yHLebjsYIIwJRoHenxWxNlz
-      Y+BZ38vkP+f9BGAVGiRcyMmIJU0X305wKwl26Y2Q/tEm2OpwmDboD2pL9byi9vfY
-      bz7pQGK/l9j86KofRwVJJRLsofPI1SsjnC8c448CgYAkpg0IjJ1RjriSJADwLSKW
-      PseQxlE1rMVtZbC07mSPjeWGBbnWY3KGytQs5YCn5GXRne4alEC/9Tlt68CwKc0b
-      spPXGNaSUL5lFIUcoWlm+bylNMKPNG+1x+RfR/VMCll5vcuJYooP85L2Xt3t3gfz
-      2yFFtxXHVjY5H7uaiJgIAwKBgQDvkGXEj5TqtsL8/6YOiHb6Kuz+Hzi6mtxjTyI2
-      d6mpWuWxTBGaf8kOvJWLb9gpFFGeNPGcdXaWJIZqCJjcT4Dkflu2f/uwepaYXGhX
-      S8Bk6fwfee5PTmRt1mNmHsaKhgcfmznDh9+YnPIBVuULe5RmUlEtBWk3xEZKj/qP
-      1Ss7UQKBgAwZQz+h5Z/XOJH3Qs5nJBKAZUiYkj3ux7G6tjx0cz7XcUYd/6enBpkY
-      JeqVHB6G+bMRLwb+Hc5Vgpbd5GdaUWo8udaghHgSGPUVcn0lK38XhYek6ACGz7Lo
-      xEfgtKoBlUq+uPb8H05HY0t9KybA3LA5wkRYYnJ17/nkZtrrJAmX
-      -----END RSA PRIVATE KEY-----
     clients:
       - id: oidc-tester-app
         secret: foobar

internal/suites/OIDCTraefik/docker-compose.yml

@@ -2,9 +2,11 @@
 version: '3'
 services:
   authelia-backend:
+    environment:
+      AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.bundle.crt
+      AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem
     volumes:
       - './OIDCTraefik/configuration.yml:/config/configuration.yml:ro'
       - './OIDCTraefik/users.yml:/config/users.yml'
-      - './OIDCTraefik/keypair/key.pem:/config/issuer.pem:ro'
+      - './common/pki:/pki:ro'
-      - './common/pki:/config/ssl:ro'
 ...

internal/suites/OIDCTraefik/keypair/key.pem

@@ -1,27 +0,0 @@
------BEGIN RSA PRIVATE KEY-----
-MIIEogIBAAKCAQEAvOFmoEJFt1JkfdlwM3vJFg5rrY9d6LyyqezjZkBZDQ4qdEEU
-dCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3r0ugjJXjhvJdBSaoLlzL3saeyrXk
-frOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy7Wzq0y7XxGeNidEmFjMAf9dwf6/+
-PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5Z9iqn4LRXnAFnC438hZZKZU/+JxU
-2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4TLjVS/3h75sh2Wk0xVaSwjPEjCOgm
-a+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4NwIDAQABAoIBADWkupXnXI99Ogc4
-GxK0JF88Rz6qyhwQg5mZKthejCwWCt6roRiBF33O933KOHa+OljMAqHDCv1pzjgw
-BIz0mvaRPw7OfylTajHNUdShDFHADVc7I6MMcgz+eYBarhY5jCAjKHMOPjv7DSZs
-OdYCKLvfxC2oTyV714n9uZhyccDcvQpkgZuBDL0oxPom1GOI8TGhPjxvFOovEHWA
-Q8q9XY4cUVNDikZmvpgeUkJHWYHYb+11vKeSupnYD03yJ3sDy+F6+m+3/XmzFbXb
-1p43ermHQsMfDlxPyulUUI0viSo2UhlMC/moAb9FusOv+dTl2lt0gGqzDJ9gg1z1
-XpHRnwkCgYEA5x48dyxd4lydtVYef9sBmbLJEYozsYyOwLcnrLSNaZxeCza1exyR
-QIRogswoLDacxrYvO8FY6LtAEMkisv732M29zthBPm5wyoSZiM1X2YfQXKsmyh2h
-x1/yCWv/BQjj68A8IAxToaXxSG4WAr/X00RGUkXgkgw122FxcmGuFyUCgYEA0TcR
-dnt/oRMK4aCZHcBgTknzDfxKlJh4S0C9WjxKgr8IlW4LTeVSBuuqOObOQYImEhtw
-TRTKZIViL0roDF79cioQSp1Tk5h6uy8wr6VyhWRnWfTz2/azoTHnmQ780rtAuEI/
-NvE6FiqwikJLjma1YJoRfr/bfmgMdxcYbJI1MSsCgYAEZ5Yda1IKu1siFpcUNrdM
-F5UvaWPc0WHzGEqARxye06UTL6K7yuqVwTBAteVaGlxYiSZTTDcGkHMDHuIzaRqO
-HjWs2IA90VsC8Q4ABnHTKnx1F6nwlin8I774IP/GN8ooNwyuS63YWdJEYBy5RrC1
-TQrODJjgD62DFdNUq7nmpQKBgFMJEzI+Q+KPJ0NztTG8t7x61y/W0Vb2yM+9Syn0
-QfJwlZyRR4VMHelHQZFB8dzIJgoLv9+n/8gztEtm5IB8dwUHst2aYaBz5UpDqYQd
-Gz3cIrTuZpcH7DVvFCeIbknJLh+zk1lgFpjTqqvFMi27kANeQtFWnmwmKcRec0As
-K1ZvAoGAV/3YB44/zIoB590+yhpx2HTmDPVHH+J+5O71Pi1D9W13ClBFLrE69wo+
-IQLIstBI5tGOGeuQNjXhDKJ1U30xppZXcnebrkA+oOo+6dy20zghFR2maAGXfWFU
-pM4GsSnSTm0bXPebVouQFqhj7LqcQQzCqRDThmw/Lp1tJUmu40g=
------END RSA PRIVATE KEY-----

internal/suites/OIDCTraefik/keypair/key.pub

@@ -1,9 +0,0 @@
------BEGIN RSA PUBLIC KEY-----
-MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvOFmoEJFt1JkfdlwM3vJ
-Fg5rrY9d6LyyqezjZkBZDQ4qdEEUdCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3
-r0ugjJXjhvJdBSaoLlzL3saeyrXkfrOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy
-7Wzq0y7XxGeNidEmFjMAf9dwf6/+PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5
-Z9iqn4LRXnAFnC438hZZKZU/+JxU2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4T
-LjVS/3h75sh2Wk0xVaSwjPEjCOgma+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4
-NwIDAQAB
------END RSA PUBLIC KEY-----

internal/suites/OneFactorOnly/configuration.yml

@@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/OneFactorOnly/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './OneFactorOnly/configuration.yml:/config/configuration.yml:ro'
       - './OneFactorOnly/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/PathPrefix/configuration.yml

@@ -9,8 +9,8 @@ server:
   port: 9091
   path: auth
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/PathPrefix/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './PathPrefix/configuration.yml:/config/configuration.yml:ro'
       - './PathPrefix/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/Postgres/configuration.yml

@@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/Postgres/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './Postgres/configuration.yml:/config/configuration.yml:ro'
       - './Postgres/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/ShortTimeouts/configuration.yml

@@ -9,8 +9,8 @@ default_redirection_url: https://home.example.com:8080/
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/ShortTimeouts/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './ShortTimeouts/configuration.yml:/config/configuration.yml:ro'
       - './ShortTimeouts/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/Standalone/configuration.yml

@@ -8,8 +8,8 @@ theme: auto
 server:
   port: 9091
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 telemetry:
   metrics:

internal/suites/Standalone/docker-compose.yml

@@ -8,7 +8,7 @@ services:
     volumes:
       - './Standalone/configuration.yml:/config/configuration.yml:ro'
       - './Standalone/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
       - '/tmp:/tmp'
     user: ${USER_ID}:${GROUP_ID}
 ...

internal/suites/Traefik/configuration.yml

@@ -9,8 +9,8 @@ server:
   port: 9091
   asset_path: /config/assets/
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/suites/Traefik/docker-compose.yml

@@ -5,5 +5,5 @@ services:
     volumes:
       - './Traefik/configuration.yml:/config/configuration.yml:ro'
       - './Traefik/users.yml:/config/users.yml'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/Traefik2/configuration.yml

@@ -9,8 +9,8 @@ server:
   port: 9091
   asset_path: /config/assets/
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
   endpoints:
     authz:
       forward-auth:

internal/suites/Traefik2/docker-compose.yml

@@ -7,5 +7,5 @@ services:
       - './Traefik2/users.yml:/config/users.yml'
       - './Traefik2/favicon.ico:/config/assets/favicon.ico'
       - './Traefik2/logo.png:/config/assets/logo.png'
-      - './common/pki:/config/ssl:ro'
+      - './common/pki:/pki:ro'
 ...

internal/suites/common/pki/ca/ca.public.crt

@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIRAPl83YWFsuwIwxBRmdJyLLQwDQYJKoZIhvcNAQELBQAw
+WzERMA8GA1UEChMIQXV0aGVsaWExFDASBgNVBAsTC0RldmVsb3BtZW50MTAwLgYD
+VQQDEydBdXRoZWxpYSBEZXZlbG9wbWVudCBTdGFuZGFsb25lIFJvb3QgQ0EwIBcN
+MDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMFsxETAPBgNVBAoTCEF1dGhl
+bGlhMRQwEgYDVQQLEwtEZXZlbG9wbWVudDEwMC4GA1UEAxMnQXV0aGVsaWEgRGV2
+ZWxvcG1lbnQgU3RhbmRhbG9uZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA2RtD74ISXHruAIIkIRTLGf5VK0b7iN5+CPW8qWjg74PCnid1
+3DOqVCZ3HSXMP0iaH5rd+WAYojQo5Z1uZ75tXgzYjt6tyXG5H1nN1fkmjkHyNORP
+abOZtngVaixvlT/hsONXszFdqogXhhI4DtEo0lvxJcnOHER4QVylM4YgDMF85jXi
+VD893Y6Luik9B6FXLVK9iAJ5MfvD/r8kEPLsDTl2u/Ye0q4igVDJq9tOtb2enhlz
+HtipYhzzNwEzQwy3tjzP9xpQG6XE6/JW20gQaBvoRBN64DMgRlh1/8ZVyYE8v/B1
+vRVpSgmyCdDJeaRYZ6J+hO3LXBXU20CVZsM5VQIDAQABo0IwQDAOBgNVHQ8BAf8E
+BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUlrBVtyTWJQWRimLeZXr2
+mrOzy2gwDQYJKoZIhvcNAQELBQADggEBAKXjAw5v8VTM6EDiUvR8XdiikYkycAG/
+hcEt+QLkkBb72+tUNYbr57YJeJuqQcaPTBUQrIXsID8JV5dQJFfyIG2s3G0iuN70
+W4fSRPqsSBIcyOK+2APLjkYV8qwLdh03Lyll4SZo7PCK8ItemsIK1NWhd74N49fm
++a8eyY5bgfA0FMkjY/ts4gAnYExGRoLOQRu/CgOvBlj2KQUrSNptze1rNlP32b63
+eUv1wf/ajK2TxI1pQgkeu2lM3Tyu7q7J4UVn0UY0wtZvHtw2+UBGKZB3ok6ejBy2
+HMjgLGuayGjhyUN8zRkuSvBynuI2wGhIlHklEbaQW5oFKbniXRqdzc4=
+-----END CERTIFICATE-----

internal/suites/common/pki/gen.sh

@@ -1,5 +1,7 @@
 #!/bin/bash
 
-go run ./cmd/authelia crypto certificate rsa generate  --directory ./internal/suites/common/pki -n 'Authelia Development Standalone Root CA' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --ca
+# go run ./cmd/authelia crypto certificate rsa generate  --directory ./internal/suites/common/pki/ca -n 'Authelia Development Standalone Root CA' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --ca
-go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ -n '*.example.com' --sans '*.example.com,example.com' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle
+# cp ./internal/suites/common/pki/ca/ca.public.crt ./internal/suites/common/pki/ca.public.crt
-go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ --file.certificate public.backend.crt --file.certificate-bundle public.backend.bundle.crt --file.private-key private.backend.pem -n 'login.example.com' --sans 'login.example.com,authelia' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle
+go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ca -n '*.example.com' --sans '*.example.com,example.com' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle
+go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ca --file.certificate public.backend.crt --file.certificate-bundle public.backend.bundle.crt --file.private-key private.backend.pem -n 'login.example.com' --sans 'login.example.com,authelia' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle
+go run ./cmd/authelia crypto certificate rsa generate --directory ./internal/suites/common/pki --path.ca ./internal/suites/common/pki/ca --file.certificate public.oidc.crt --file.certificate-bundle public.oidc.bundle.crt --file.private-key private.oidc.pem -n 'login.example.com' --sans 'login.example.com,login.example1.com,login.example2.com,login.example3,com' --not-before 'Jan 1 00:00:00 2000' --not-after 'Jan 1 00:00:00 2100' -o 'Authelia' --organizational-unit 'Development' --bundle

internal/suites/common/pki/private.oidc.pem

@@ -0,0 +1,27 @@
+-----BEGIN RSA PRIVATE KEY-----
+MIIEowIBAAKCAQEA0x+u2Kkd1VZGkj7FDwgoXQp0fx1mx5VXd2VEJN9yYTXzlNRZ
+Taw8WrOcud7hsBPw3DkhbCjEzvw0Ee+DjwtSCotKbtsBwjyLCegjluPHKUvsVNYZ
+m19TxYY2erx7gohdEcmCGnpWSPRUAKBasIfpM0q6LXG70o8vTuKS82Ub++Sgl1Pa
+kRL/e/KBUYFZksGEMK1oiPiOtRoJF+vUhRf46ZBg3aZ/HLNvcT5TAMgRRws+K3ek
+C5+h5oXFexUosj2DCxcjTbsL7C5nqfR3jwmjrBaGN8KnloEDvC84+OsN/nE2PLa5
+c1kTlRCvKd0gmRuucOKsJ6zvYf/hAqp/WCj1MQIDAQABAoIBAAOHCP3XvYbd/Sne
+YJ6CrWH4lb+19wyooyB8kanoDdov85TuA1v3375IN/snDTBK9QBI+BT9jWRD9H7E
+OLeAIevJLgIyKJJdPpl4xndz8NTwzs8QELd23Uh0mJ5uXcXtj1iHvGPC3YQ0iN7F
+zx4Z9zyDKB8wQkofWFQCFyB39QK9ZGDW4ZstVb57fS62SuqFPW/rO2qSpsuUUwgy
+Z2P2NqoqtqLIyw3qbsJCArzGoHuMCtjKDYenf8wJxORAsAGAREj71w2bQ20cMMIA
+w30jgoXtEC9zS2BOb3mUBHiDOKnn4vwlNd7wiLPdZIGP75G4EkI4AHLhJQ1a5YuF
+8E6V9AECgYEA1LSQVdWggvHTQnj5PHr5k7+YkL/MeIvOkLW5s0r7Lt3x45bAFaQh
+XVZIXrynv62IZmTzCPwOwrXGJJieT0Ctom0XHgtp8nu7Okxk4AISRfjy7J03EXsJ
+cS508IJ1B3HZepGvVwp+geJ0r9JmQ19JqZsJ7VENYoPKtYRZ9aV7CUECgYEA/hi1
+Yw2FcSBk/kXVlcWvKtohY6NISgI5U1Kp7T16ZH3anpew6WwQ3GfueVet714BdwaZ
+knqiiMvaTAOG66KYHCzRBSeXOozT/0N9AfKqS1y7xW+mR2nUrAiWCL95uZpB9SxE
+3gylWULV4/+wlF006tEcJ5qiXymAAYv+wEg+f/ECgYBu2XLm6J/v3esFF1p8RHJQ
+p2bw+KOspt+N1sbiQ09IC26F9wg/vvuMUu0AQj0BzYPqKO3nXsSqgGS0qbzG/KQA
+o+2KQNSEBCt8pFdlzm6LfMPMv9n1CDPRgi57MOGgcZqvH8FLETMAqW26O2ID9mLD
+OwMfZEAfeSNpGYJwXD8UgQKBgQC+0k1+Csx47YwKzOUeqivncZL7occLFWp5oa3N
+ZYsB5uYEjgSk96wd6ctUwzzzc1SET6eLMp/XPcg9p7RuR1gWaK28QkQ3C0W2ALfj
+e5raJ9U366YjIV4+p+AMx8chVLBN8CXz3+lZBHFe3Ul90hWIduu+7kkcUC06fCkf
+u+F78QKBgFajhBPESe344ixG/fASpsVe2Yg14SgYCeWkinOe856zABY8dkfWWBIq
+KX2eq1WJXErHWDuuNPP3Jol1CouqqHseqYQ+SaOhlHdoGws70bsIvBHrtj7NiEQZ
+HFLhEk+OnnG+wJ1jQ5cseA4kbTuPjEL0NNVk7OSndiuxnnDbe91R
+-----END RSA PRIVATE KEY-----

internal/suites/common/pki/public.oidc.bundle.crt

@@ -0,0 +1,44 @@
+-----BEGIN CERTIFICATE-----
+MIID3zCCAsegAwIBAgIQZjmlbZI+QaeqQpApxA2eDjANBgkqhkiG9w0BAQsFADBb
+MREwDwYDVQQKEwhBdXRoZWxpYTEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxMDAuBgNV
+BAMTJ0F1dGhlbGlhIERldmVsb3BtZW50IFN0YW5kYWxvbmUgUm9vdCBDQTAgFw0w
+MDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowRTERMA8GA1UEChMIQXV0aGVs
+aWExFDASBgNVBAsTC0RldmVsb3BtZW50MRowGAYDVQQDExFsb2dpbi5leGFtcGxl
+LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMfrtipHdVWRpI+
+xQ8IKF0KdH8dZseVV3dlRCTfcmE185TUWU2sPFqznLne4bAT8Nw5IWwoxM78NBHv
+g48LUgqLSm7bAcI8iwnoI5bjxylL7FTWGZtfU8WGNnq8e4KIXRHJghp6Vkj0VACg
+WrCH6TNKui1xu9KPL07ikvNlG/vkoJdT2pES/3vygVGBWZLBhDCtaIj4jrUaCRfr
+1IUX+OmQYN2mfxyzb3E+UwDIEUcLPit3pAufoeaFxXsVKLI9gwsXI027C+wuZ6n0
+d48Jo6wWhjfCp5aBA7wvOPjrDf5xNjy2uXNZE5UQryndIJkbrnDirCes72H/4QKq
+f1go9TECAwEAAaOBsjCBrzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSWsFW3JNYlBZGKYt5levaa
+s7PLaDBZBgNVHREEUjBQghFsb2dpbi5leGFtcGxlLmNvbYISbG9naW4uZXhhbXBs
+ZTEuY29tghJsb2dpbi5leGFtcGxlMi5jb22CDmxvZ2luLmV4YW1wbGUzggNjb20w
+DQYJKoZIhvcNAQELBQADggEBAH46LB6fFF+5dbFhEa8rsDX17oZPVsIMHi+vhmMh
+aS5IACOpmc3q/yyhZelNwB/MRzlPziQwpqwr9B5SQ9UOBvZDuv9ESXYHlVHSIGo9
++3Ax9fvxLVpF3E62whr+d8YHjXE85UgUKaDAWYCAVB7fkY7WfyS3t8IxgJVa+oMZ
+sLeI4YmheKdgRZsE+83VcNUVuGhsh3R5NKFo46tonpbdx13Eg2k3IInKAkZmTA5D
+YoPfPTDbd1BOC+h2C0s+guUyoG1Fi5DzS/x8xNoRcZ7/fkdcboAXa8dlVZeqGRky
+ddYggjZYnqGaD9qKFAox4EqkCYB1XwNeUPUapdvGICC7UGc=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIDhTCCAm2gAwIBAgIRAPl83YWFsuwIwxBRmdJyLLQwDQYJKoZIhvcNAQELBQAw
+WzERMA8GA1UEChMIQXV0aGVsaWExFDASBgNVBAsTC0RldmVsb3BtZW50MTAwLgYD
+VQQDEydBdXRoZWxpYSBEZXZlbG9wbWVudCBTdGFuZGFsb25lIFJvb3QgQ0EwIBcN
+MDAwMTAxMDAwMDAwWhgPMjEwMDAxMDEwMDAwMDBaMFsxETAPBgNVBAoTCEF1dGhl
+bGlhMRQwEgYDVQQLEwtEZXZlbG9wbWVudDEwMC4GA1UEAxMnQXV0aGVsaWEgRGV2
+ZWxvcG1lbnQgU3RhbmRhbG9uZSBSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOC
+AQ8AMIIBCgKCAQEA2RtD74ISXHruAIIkIRTLGf5VK0b7iN5+CPW8qWjg74PCnid1
+3DOqVCZ3HSXMP0iaH5rd+WAYojQo5Z1uZ75tXgzYjt6tyXG5H1nN1fkmjkHyNORP
+abOZtngVaixvlT/hsONXszFdqogXhhI4DtEo0lvxJcnOHER4QVylM4YgDMF85jXi
+VD893Y6Luik9B6FXLVK9iAJ5MfvD/r8kEPLsDTl2u/Ye0q4igVDJq9tOtb2enhlz
+HtipYhzzNwEzQwy3tjzP9xpQG6XE6/JW20gQaBvoRBN64DMgRlh1/8ZVyYE8v/B1
+vRVpSgmyCdDJeaRYZ6J+hO3LXBXU20CVZsM5VQIDAQABo0IwQDAOBgNVHQ8BAf8E
+BAMCAqQwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUlrBVtyTWJQWRimLeZXr2
+mrOzy2gwDQYJKoZIhvcNAQELBQADggEBAKXjAw5v8VTM6EDiUvR8XdiikYkycAG/
+hcEt+QLkkBb72+tUNYbr57YJeJuqQcaPTBUQrIXsID8JV5dQJFfyIG2s3G0iuN70
+W4fSRPqsSBIcyOK+2APLjkYV8qwLdh03Lyll4SZo7PCK8ItemsIK1NWhd74N49fm
++a8eyY5bgfA0FMkjY/ts4gAnYExGRoLOQRu/CgOvBlj2KQUrSNptze1rNlP32b63
+eUv1wf/ajK2TxI1pQgkeu2lM3Tyu7q7J4UVn0UY0wtZvHtw2+UBGKZB3ok6ejBy2
+HMjgLGuayGjhyUN8zRkuSvBynuI2wGhIlHklEbaQW5oFKbniXRqdzc4=
+-----END CERTIFICATE-----

internal/suites/common/pki/public.oidc.crt

@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID3zCCAsegAwIBAgIQZjmlbZI+QaeqQpApxA2eDjANBgkqhkiG9w0BAQsFADBb
+MREwDwYDVQQKEwhBdXRoZWxpYTEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxMDAuBgNV
+BAMTJ0F1dGhlbGlhIERldmVsb3BtZW50IFN0YW5kYWxvbmUgUm9vdCBDQTAgFw0w
+MDAxMDEwMDAwMDBaGA8yMTAwMDEwMTAwMDAwMFowRTERMA8GA1UEChMIQXV0aGVs
+aWExFDASBgNVBAsTC0RldmVsb3BtZW50MRowGAYDVQQDExFsb2dpbi5leGFtcGxl
+LmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANMfrtipHdVWRpI+
+xQ8IKF0KdH8dZseVV3dlRCTfcmE185TUWU2sPFqznLne4bAT8Nw5IWwoxM78NBHv
+g48LUgqLSm7bAcI8iwnoI5bjxylL7FTWGZtfU8WGNnq8e4KIXRHJghp6Vkj0VACg
+WrCH6TNKui1xu9KPL07ikvNlG/vkoJdT2pES/3vygVGBWZLBhDCtaIj4jrUaCRfr
+1IUX+OmQYN2mfxyzb3E+UwDIEUcLPit3pAufoeaFxXsVKLI9gwsXI027C+wuZ6n0
+d48Jo6wWhjfCp5aBA7wvOPjrDf5xNjy2uXNZE5UQryndIJkbrnDirCes72H/4QKq
+f1go9TECAwEAAaOBsjCBrzAOBgNVHQ8BAf8EBAMCBaAwEwYDVR0lBAwwCgYIKwYB
+BQUHAwEwDAYDVR0TAQH/BAIwADAfBgNVHSMEGDAWgBSWsFW3JNYlBZGKYt5levaa
+s7PLaDBZBgNVHREEUjBQghFsb2dpbi5leGFtcGxlLmNvbYISbG9naW4uZXhhbXBs
+ZTEuY29tghJsb2dpbi5leGFtcGxlMi5jb22CDmxvZ2luLmV4YW1wbGUzggNjb20w
+DQYJKoZIhvcNAQELBQADggEBAH46LB6fFF+5dbFhEa8rsDX17oZPVsIMHi+vhmMh
+aS5IACOpmc3q/yyhZelNwB/MRzlPziQwpqwr9B5SQ9UOBvZDuv9ESXYHlVHSIGo9
++3Ax9fvxLVpF3E62whr+d8YHjXE85UgUKaDAWYCAVB7fkY7WfyS3t8IxgJVa+oMZ
+sLeI4YmheKdgRZsE+83VcNUVuGhsh3R5NKFo46tonpbdx13Eg2k3IInKAkZmTA5D
+YoPfPTDbd1BOC+h2C0s+guUyoG1Fi5DzS/x8xNoRcZ7/fkdcboAXa8dlVZeqGRky
+ddYggjZYnqGaD9qKFAox4EqkCYB1XwNeUPUapdvGICC7UGc=
+-----END CERTIFICATE-----

internal/suites/environment.go

@@ -42,7 +42,7 @@ func waitUntilAutheliaBackendIsReady(dockerEnvironment *DockerEnvironment) error
 		90*time.Second,
 		dockerEnvironment,
 		"authelia-backend",
-		[]string{"Initializing server for"})
+		[]string{"Startup Complete"})
 }
 
 func waitUntilAutheliaFrontendIsReady(dockerEnvironment *DockerEnvironment) error {

internal/suites/example/compose/samba/Dockerfile

@@ -1,4 +1,4 @@
-FROM alpine:3.17.1
+FROM alpine:3.17.2
 
 RUN \
 apk add --no-cache \

internal/suites/example/kube/authelia/authelia.yml

@@ -33,7 +33,7 @@ spec:
               mountPath: /config/configuration.yml
               readOnly: true
             - name: authelia-ssl
-              mountPath: /config/ssl
+              mountPath: /pki
               readOnly: true
             - name: secrets
               mountPath: /config/secrets

internal/suites/example/kube/authelia/configs/configuration.yml

@@ -8,8 +8,8 @@ default_redirection_url: https://home.example.com:8080
 server:
   port: 443
   tls:
-    certificate: /config/ssl/public.backend.crt
+    certificate: /pki/public.backend.crt
-    key: /config/ssl/private.backend.pem
+    key: /pki/private.backend.pem
 
 log:
   level: debug

internal/utils/crypto_test.go

@@ -54,7 +54,7 @@ func TestShouldNotReturnErrWhenX509DirectoryExist(t *testing.T) {
 func TestShouldReadCertsFromDirectoryButNotKeys(t *testing.T) {
 	pool, warnings, errors := NewX509CertPool("../suites/common/pki/")
 	assert.NotNil(t, pool)
-	require.Len(t, errors, 2)
+	require.Len(t, errors, 3)
 
 	if runtime.GOOS == "windows" {
 		require.Len(t, warnings, 1)
@@ -64,7 +64,8 @@ func TestShouldReadCertsFromDirectoryButNotKeys(t *testing.T) {
 	}
 
 	assert.EqualError(t, errors[0], "could not import certificate private.backend.pem")
-	assert.EqualError(t, errors[1], "could not import certificate private.pem")
+	assert.EqualError(t, errors[1], "could not import certificate private.oidc.pem")
+	assert.EqualError(t, errors[2], "could not import certificate private.pem")
 }
 
 func TestShouldGenerateCertificateAndPersistIt(t *testing.T) {