## Authelia configuration rendered by a Nomad template: the `{{ ... }}` directives are
## evaluated by Nomad before Authelia reads the file. Secrets (jwt_secret, session secret,
## storage encryption key, LDAP/DB/SMTP passwords) are intentionally absent and are
## supplied from a separate secrets file; keep them out of this template.
theme: auto
# jwt_secret: < in file >

{{ with nomadVar "nomad/jobs" }}
default_redirection_url: https://authelia.{{ .base_hostname }}/
{{ end }}

## Set the default 2FA method for new users and for when a user has a preferred method configured that has been
## disabled. This setting must be a method that is enabled.
## Options are totp, webauthn, mobile_push.
default_2fa_method: ""

server:
  ## Binds every interface in the allocation's network namespace.
  ## NOTE(review): presumably a reverse proxy / Nomad network policy fronts this port -- confirm
  ## port 9091 is not reachable directly from outside the intended network.
  host: 0.0.0.0
  port: 9091
  disable_healthcheck: false

log:
  ## Level of verbosity for logs: info, debug, trace.
  ## NOTE(review): debug is more verbose than info; consider info outside troubleshooting so
  ## request-level detail does not accumulate in the log sink longer than needed.
  level: debug
  ## Format the logs are written as: json, text.
  format: json

telemetry:
  metrics:
    enabled: false
    # address: '0.0.0.0:{{ env "NOMAD_PORT_metrics" }}'

totp:
  disable: false
  ## Issuer label shown in authenticator apps, taken from the shared base hostname.
  issuer: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
  digits: 6
  ## The TOTP algorithm to use.
  ## It is CRITICAL you read the documentation before changing this option:
  ## https://www.authelia.com/c/totp#algorithm
  algorithm: sha1

webauthn:
  disable: false
  timeout: 60s
  display_name: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
  user_verification: preferred

duo_api:
  disable: true
  # hostname:
  # integration_key:
  # secret_key:
  # enable_self_enrollment: false

authentication_backend:
  disable_reset_password: false
  ## Password Reset Options.
  password_reset:
    ## External reset password url that redirects the user to an external reset portal. This disables the internal reset
    ## functionality.
    # TODO: not sure if this is needed, probably not?
    custom_url: ""
  refresh_interval: 5m
  ldap:
    implementation: custom
    # stunnel url
    ## NOTE(review): plain ldap:// with start_tls disabled means the bind credentials and directory
    ## traffic are unencrypted on this hop. The two comments here disagree on whether stunnel is
    ## already in place; this is only acceptable if a local TLS tunnel is what listens on
    ## 127.0.0.1:389 -- confirm before relying on it.
    url: ldap://127.0.0.1:389
    timeout: 5s
    # TODO: Maybe use stunnel for this
    start_tls: false
    base_dn: {{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
    additional_users_dn: ou=people
    additional_groups_dn: ou=groups
    username_attribute: uid
    group_name_attribute: cn
    mail_attribute: mail
    display_name_attribute: displayName
    # To allow sign in both with username and email, one can use a filter like
    # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    users_filter: "(&({username_attribute}={input})(objectClass=person))"
    # Only supported filter by lldap right now
    groups_filter: (member={dn})
    ## The username and password of the admin user.
    ## NOTE(review): the bind account is the lldap admin; Authelia only needs to read users and
    ## groups here, so a read-only service account would be the least-privilege choice if the
    ## directory supports one -- verify.
    {{ with nomadVar "nomad/jobs/authelia" }}
    user: uid={{ .lldap_admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
    {{ end }}
    # password set using secrets file
    # password:

## NOTE(review): both policies are disabled, so no complexity or strength check is enforced on
## passwords set through Authelia; the sub-keys below are inert until one of them is enabled.
password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
  zxcvbn:
    enabled: false
    min_score: 3

##
## Access Control Configuration
##
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
##
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
## to anyone. Otherwise restrictions follow the rules defined.
##
## Note: One can use the wildcard * to match any subdomain.
## It must stand at the beginning of the pattern. (example: *.mydomain.com)
##
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
##
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
##
## - 'domain' defines which domain or set of domains the rule applies to.
##
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
##   provided. If provided, the parameter represents either a user or a group. It should be of the form
##   'user:' or 'group:'.
##
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
##
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
##   is optional and matches any resource if not provided.
##
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
  ## resource if there is no policy to be applied to the user.
  default_policy: deny
  networks:
    - name: internal
      networks:
        - 192.168.1.0/24
        - 192.168.2.0/24
        - 192.168.10.0/24
    ## NOTE(review): 'VPN' is written as a single scalar (the entry above is a list) and is not
    ## referenced by any rule below -- either wire it into a rule or drop it so the ACL reflects
    ## what is actually enforced.
    - name: VPN
      networks: 192.168.5.0/24
  rules:
    ## Rules applied to everyone
    ## First match wins (see the note above): requests from the internal ranges get one_factor,
    ## every other source for any subdomain of the base hostname gets two_factor.
    - domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
      networks:
        - internal
      policy: one_factor
    - domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
      policy: two_factor
    ## NOTE(review): this rule is shadowed -- the wildcard rule above already matches
    ## secure.<base_hostname> with the same policy, so in this order it never applies. If the intent
    ## is two_factor for secure.* even from the internal ranges, it has to come before the first rule.
    - domain:
        # TODO: Drive these from Nomad variables
        - 'secure.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
      policy: two_factor

session:
  ## The name of the session cookie.
  name: authelia_session
  domain: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
  # Stored in a secrets file
  # secret:
  expiration: 1h
  inactivity: 5m
  ## NOTE(review): 1M presumably keeps a remember-me session valid for a month -- confirm this
  ## lifetime is intended alongside the 5m inactivity timeout.
  remember_me_duration: 1M
  # TODO: use redis when I figure out authentication and database indexes
  # redis:
  #   host:
  #   port:
  #   # username: authelia
  #   # password: authelia
  #   database_index: 0
  #   maximum_active_connections: 8
  #   minimum_idle_connections: 0

regulation:
  ## Brute-force regulation: 3 failed attempts within 2m presumably ban the account for 5m
  ## (per Authelia's regulation semantics -- verify against the docs for the deployed version).
  max_retries: 3
  find_time: 2m
  ban_time: 5m

##
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
  # encryption_key:
  ##
  ## MySQL / MariaDB (Storage Provider)
  ##
  mysql:
    ## NOTE(review): loopback connection with no TLS options set here; as with LDAP, this assumes
    ## the database (or a local tunnel) is on the same host -- confirm.
    host: 127.0.0.1
    port: 3306
    {{ with nomadVar "nomad/jobs/authelia" }}
    database: {{ .db_name }}
    username: {{ .db_user }}
    # password:
    {{- end }}
    timeout: 5s

##
## Notification Provider
##
## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use only one of these providers.
notifier:
  ## You can disable the notifier startup check by setting this to true.
  disable_startup_check: false
  {{ with nomadVar "nomad/jobs" }}
  smtp:
    ## NOTE(review): no explicit TLS settings are given for the SMTP connection, so whatever the
    ## provider's default is applies -- confirm the link to .smtp_server is TLS-protected.
    host: {{ .smtp_server }}
    port: {{ .smtp_port }}
    username: {{ .smtp_user }}
    # password:
  {{- end }}
  {{ with nomadVar "nomad/jobs/authelia" }}
    sender: "{{ .email_sender }}"
    ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
    subject: "[Authelia] {title}"
    ## This address is used during the startup check to verify the email configuration is correct.
    ## It's not important what it is except if your email server only allows local delivery.
    startup_check_address: test@iamthefij.com
  {{- end }}

## NOTE(review): the whole identity_providers section below is commented out. The secret values
## in it (hmac_secret, client secret) are upstream example placeholders; if the section is ever
## enabled they must come from the secrets file like the other secrets in this template.
# identity_providers:
  ##
  ## OpenID Connect (Identity Provider)
  ##
  ## It's recommended you read the documentation before configuration of this section:
  ## https://www.authelia.com/c/oidc
  # oidc:
    ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
    ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
    # hmac_secret: this_is_a_secret_abc123abc123abc

    ## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
    ## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
    # issuer_private_key: |
    #   --- KEY START
    #   --- KEY END

    ## The lifespans configure the expiration for these token types.
    # access_token_lifespan: 1h
    # authorize_code_lifespan: 1m
    # id_token_lifespan: 1h
    # refresh_token_lifespan: 90m

    ## Enables additional debug messages.
    # enable_client_debug_messages: false

    ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
    ## security reasons.
    # minimum_parameter_entropy: 8

    ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
    ## for security reasons.
    # enforce_pkce: public_clients_only

    ## Cross-Origin Resource Sharing (CORS) settings.
    # cors:
      ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
      # endpoints:
      #   - authorization
      #   - token
      #   - revocation
      #   - introspection
      #   - userinfo

      ## List of allowed origins.
      ## Any origin with https is permitted unless this option is configured or the
      ## allowed_origins_from_client_redirect_uris option is enabled.
      # allowed_origins:
      #   - https://example.com

      ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
      ## provided they have the scheme http or https and do not have the hostname of localhost.
      # allowed_origins_from_client_redirect_uris: false

    ## Clients is a list of known clients and their configuration.
    # clients:
    #   -
        ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
        # id: myapp

        ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
        # description: My Application

        ## The client secret is a shared secret between Authelia and the consumer of this client.
        # secret: this_is_a_secret

        ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
        ## necessary. Read the documentation for more information.
        ## The subject identifier must be the host component of a URL, which is a domain name with an optional port.
        # sector_identifier: example.com

        ## Sets the client to public. This should typically not be set, please see the documentation for usage.
        # public: false

        ## The policy to require for this client; one_factor or two_factor.
        # authorization_policy: two_factor

        ## By default users cannot remember pre-configured consents. Setting this value to a period of time using a
        ## duration notation will enable users to remember consent for this client. The time configured is the amount
        ## of time the pre-configured consent is valid for granting new authorizations to the user.
        # pre_configured_consent_duration:

        ## Audience this client is allowed to request.
        # audience: []

        ## Scopes this client is allowed to request.
        # scopes:
        #   - openid
        #   - groups
        #   - email
        #   - profile

        ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
        # redirect_uris:
        #   - https://oidc.example.com:8080/oauth2/callback

        ## Grant Types configures which grants this client can obtain.
        ## It's not recommended to define this unless you know what you're doing.
        # grant_types:
        #   - refresh_token
        #   - authorization_code

        ## Response Types configures which responses this client can be sent.
        ## It's not recommended to define this unless you know what you're doing.
        # response_types:
        #   - code

        ## Response Modes configures which response modes this client supports.
        # response_modes:
        #   - form_post
        #   - query
        #   - fragment

        ## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
        # userinfo_signing_algorithm: none