This setup uses two global environment variables: PRIVATE_DOMAIN and PUBLIC_DOMAIN. Those are two registered domain names I use for public and private services.

There is also an .env file which defines a few more variables:

AUTHELIA_JWT_SECRET=...
AUTHELIA_SESSION_SECRET=...
AUTHELIA_SESSION_DOMAIN=...
AUTHELIA_TOTP_ISSUER=...
TRAEFIK_CERTIFICATERESOLVERS_LE_ACME_EMAIL=...

The value of those depend on your setup and can be found in the Traefik and Authelia documentation.

Lessons learned

Authelia will ONLY work with https. Both the authelia url itself and the one being authenticated must be https.
The authorization link should NOT end with /#/ or /%2F/ or anything, just /. Otherwise it will not redirect you back after authorizing.