theme: auto # jwt_secret: {{ with nomadVar "nomad/jobs" }} default_redirection_url: https://authelia.{{ .base_hostname }}/ {{ end }} ## Set the default 2FA method for new users and for when a user has a preferred method configured that has been ## disabled. This setting must be a method that is enabled. ## Options are totp, webauthn, mobile_push. default_2fa_method: "" server: host: 0.0.0.0 port: 9091 disable_healthcheck: false log: ## Level of verbosity for logs: info, debug, trace. level: debug format: json telemetry: metrics: enabled: false # address: '0.0.0.0:{{ env "NOMAD_PORT_metrics" }}' totp: disable: false issuer: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }} digits: 6 ## The TOTP algorithm to use. ## It is CRITICAL you read the documentation before changing this option: ## https://www.authelia.com/c/totp#algorithm algorithm: sha1 webauthn: disable: false timeout: 60s display_name: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }} user_verification: preferred duo_api: disable: true # hostname: # integration_key: # secret_key: # enable_self_enrollment: false authentication_backend: disable_reset_password: false ## Password Reset Options. password_reset: ## External reset password url that redirects the user to an external reset portal. This disables the internal reset ## functionality. # TODO: not sure if this is needed, probably not? custom_url: "" refresh_interval: 5m ldap: implementation: custom # stunnel url url: ldap://127.0.0.1:389 timeout: 5s # TODO: Maybe use stunnel for this start_tls: false base_dn: {{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }} additional_users_dn: ou=people additional_groups_dn: ou=groups username_attribute: uid group_name_attribute: cn mail_attribute: mail display_name_attribute: displayName # To allow sign in both with username and email, one can use a filter like # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) users_filter: "(&({username_attribute}={input})(objectClass=person))" # Only supported filter by lldap right now groups_filter: (member={dn}) ## The username and password of the admin user. {{ with nomadVar "nomad/jobs/authelia" }} user: uid={{ .lldap_admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }} {{ end }} # password set using secrets file # password: password_policy: standard: enabled: false min_length: 8 max_length: 0 require_uppercase: true require_lowercase: true require_number: true require_special: true zxcvbn: enabled: false min_score: 3 ## ## Access Control Configuration ## ## Access control is a list of rules defining the authorizations applied for one resource to users or group of users. ## ## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed ## to anyone. Otherwise restrictions follow the rules defined. ## ## Note: One can use the wildcard * to match any subdomain. ## It must stand at the beginning of the pattern. (example: *.mydomain.com) ## ## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct. ## ## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'. ## ## - 'domain' defines which domain or set of domains the rule applies to. ## ## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not ## provided. If provided, the parameter represents either a user or a group. It should be of the form ## 'user:' or 'group:'. ## ## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'. ## ## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter ## is optional and matches any resource if not provided. ## ## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies. access_control: ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any ## resource if there is no policy to be applied to the user. default_policy: deny networks: - name: internal networks: - 192.168.1.0/24 - 192.168.2.0/24 - 192.168.10.0/24 - name: VPN networks: 192.168.5.0/24 rules: ## Rules applied to everyone - domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}' networks: - internal policy: one_factor - domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}' policy: two_factor - domain: # TODO: Drive these from Nomad variables - 'secure.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}' policy: two_factor session: ## The name of the session cookie. name: authelia_session domain: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }} # Stored in a secrets file # secret: expiration: 1h inactivity: 5m remember_me_duration: 1M redis: host: 127.0.0.1 port: 6379 # username: authelia # password: authelia # database_index: 0 maximum_active_connections: 8 minimum_idle_connections: 0 regulation: max_retries: 3 find_time: 2m ban_time: 5m ## ## Storage Provider Configuration ## ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers. storage: # encryption_key: ## ## MySQL / MariaDB (Storage Provider) ## mysql: host: 127.0.0.1 port: 3306 {{ with nomadVar "nomad/jobs/authelia" }} database: {{ .db_name }} username: {{ .db_user }} # password: {{- end }} timeout: 5s ## ## Notification Provider ## ## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration. ## The available providers are: filesystem, smtp. You must use only one of these providers. notifier: ## You can disable the notifier startup check by setting this to true. disable_startup_check: false {{ with nomadVar "nomad/jobs" }} smtp: host: {{ .smtp_server }} port: {{ .smtp_port }} username: {{ .smtp_user }} # password: {{- end }} {{ with nomadVar "nomad/jobs/authelia" }} sender: "{{ .email_sender }}" ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier. subject: "[Authelia] {title}" ## This address is used during the startup check to verify the email configuration is correct. ## It's not important what it is except if your email server only allows local delivery. startup_check_address: test@iamthefij.com {{- end }} identity_providers: oidc: # hmac_secret: # issuer_private_key: clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}