253 lines
7.3 KiB
YAML
253 lines
7.3 KiB
YAML
theme: auto
|
|
|
|
# jwt_secret: <file>
|
|
|
|
{{ with nomadVar "nomad/jobs" }}
|
|
default_redirection_url: https://authelia.{{ .base_hostname }}/
|
|
{{ end }}
|
|
|
|
## Set the default 2FA method for new users and for when a user has a preferred method configured that has been
|
|
## disabled. This setting must be a method that is enabled.
|
|
## Options are totp, webauthn, mobile_push.
|
|
default_2fa_method: ""
|
|
|
|
server:
|
|
host: 0.0.0.0
|
|
port: {{ env "NOMAD_PORT_main" }}
|
|
disable_healthcheck: false
|
|
|
|
log:
|
|
## Level of verbosity for logs: info, debug, trace.
|
|
level: debug
|
|
|
|
format: json
|
|
|
|
telemetry:
|
|
metrics:
|
|
enabled: false
|
|
# address: '0.0.0.0:{{ env "NOMAD_PORT_metrics" }}'
|
|
|
|
totp:
|
|
disable: false
|
|
issuer: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
|
|
digits: 6
|
|
|
|
## The TOTP algorithm to use.
|
|
## It is CRITICAL you read the documentation before changing this option:
|
|
## https://www.authelia.com/c/totp#algorithm
|
|
algorithm: sha1
|
|
|
|
webauthn:
|
|
disable: false
|
|
timeout: 60s
|
|
display_name: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
|
|
user_verification: preferred
|
|
|
|
duo_api:
|
|
disable: true
|
|
# hostname:
|
|
# integration_key:
|
|
# secret_key:
|
|
# enable_self_enrollment: false
|
|
|
|
authentication_backend:
|
|
disable_reset_password: false
|
|
|
|
## Password Reset Options.
|
|
password_reset:
|
|
|
|
## External reset password url that redirects the user to an external reset portal. This disables the internal reset
|
|
## functionality.
|
|
# TODO: not sure if this is needed, probably not?
|
|
custom_url: ""
|
|
|
|
refresh_interval: 5m
|
|
|
|
ldap:
|
|
implementation: custom
|
|
|
|
# stunnel url
|
|
url: ldap://127.0.0.1:389
|
|
timeout: 5s
|
|
|
|
# TODO: Maybe use stunnel for this
|
|
start_tls: false
|
|
|
|
base_dn: {{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
|
|
additional_users_dn: ou=people
|
|
additional_groups_dn: ou=groups
|
|
|
|
username_attribute: uid
|
|
group_name_attribute: cn
|
|
mail_attribute: mail
|
|
display_name_attribute: displayName
|
|
|
|
# To allow sign in both with username and email, one can use a filter like
|
|
# (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
|
users_filter: "(&({username_attribute}={input})(objectClass=person))"
|
|
# Only supported filter by lldap right now
|
|
groups_filter: (member={dn})
|
|
|
|
## The username and password of the admin user.
|
|
{{ with nomadVar "secrets/ldap" }}
|
|
user: uid={{ .admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
|
|
{{ end }}
|
|
# password set using secrets file
|
|
# password: <secret>
|
|
|
|
password_policy:
|
|
standard:
|
|
enabled: false
|
|
min_length: 8
|
|
max_length: 0
|
|
require_uppercase: true
|
|
require_lowercase: true
|
|
require_number: true
|
|
require_special: true
|
|
|
|
zxcvbn:
|
|
enabled: false
|
|
min_score: 3
|
|
|
|
##
|
|
## Access Control Configuration
|
|
##
|
|
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
|
|
##
|
|
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
|
|
## to anyone. Otherwise restrictions follow the rules defined.
|
|
##
|
|
## Note: One can use the wildcard * to match any subdomain.
|
|
## It must stand at the beginning of the pattern. (example: *.mydomain.com)
|
|
##
|
|
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
|
|
##
|
|
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
|
|
##
|
|
## - 'domain' defines which domain or set of domains the rule applies to.
|
|
##
|
|
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
|
|
## provided. If provided, the parameter represents either a user or a group. It should be of the form
|
|
## 'user:<username>' or 'group:<groupname>'.
|
|
##
|
|
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
|
|
##
|
|
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
|
|
## is optional and matches any resource if not provided.
|
|
##
|
|
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
|
|
access_control:
|
|
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
|
|
## resource if there is no policy to be applied to the user.
|
|
default_policy: deny
|
|
|
|
networks:
|
|
- name: internal
|
|
networks:
|
|
- 192.168.1.0/24
|
|
- 192.168.2.0/24
|
|
- 192.168.10.0/24
|
|
- name: VPN
|
|
networks: 192.168.5.0/24
|
|
|
|
rules:
|
|
{{ range nomadVarList "authelia/access_control/service_rules" }}{{ with nomadVar .Path }}
|
|
- domain: '{{ .name }}.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
|
|
{{ .rule.Value | indent 6 }}
|
|
{{ end }}{{ end }}
|
|
## Rules applied to everyone
|
|
- domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
|
|
networks:
|
|
- internal
|
|
policy: one_factor
|
|
|
|
- domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
|
|
policy: two_factor
|
|
|
|
- domain:
|
|
# TODO: Drive these from Nomad variables
|
|
- 'secure.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
|
|
policy: two_factor
|
|
|
|
session:
|
|
## The name of the session cookie.
|
|
name: authelia_session
|
|
domain: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
|
|
|
|
# Stored in a secrets file
|
|
# secret: <in file>
|
|
|
|
expiration: 1h
|
|
inactivity: 5m
|
|
remember_me_duration: 1M
|
|
|
|
redis:
|
|
host: 127.0.0.1
|
|
port: 6379
|
|
|
|
# username: authelia
|
|
# password: authelia
|
|
# database_index: 0
|
|
maximum_active_connections: 8
|
|
minimum_idle_connections: 0
|
|
|
|
regulation:
|
|
max_retries: 3
|
|
find_time: 2m
|
|
ban_time: 5m
|
|
|
|
##
|
|
## Storage Provider Configuration
|
|
##
|
|
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
|
|
storage:
|
|
# encryption_key: <in file>
|
|
|
|
##
|
|
## MySQL / MariaDB (Storage Provider)
|
|
##
|
|
mysql:
|
|
host: 127.0.0.1
|
|
port: 3306
|
|
{{ with nomadVar "nomad/jobs/authelia" }}
|
|
database: {{ .db_name }}
|
|
username: {{ .db_user }}
|
|
# password: <in_file>
|
|
{{- end }}
|
|
timeout: 5s
|
|
|
|
##
|
|
## Notification Provider
|
|
##
|
|
## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration.
|
|
## The available providers are: filesystem, smtp. You must use only one of these providers.
|
|
notifier:
|
|
## You can disable the notifier startup check by setting this to true.
|
|
disable_startup_check: false
|
|
|
|
{{ with nomadVar "secrets/smtp" }}
|
|
smtp:
|
|
host: {{ .server }}
|
|
port: {{ .port }}
|
|
username: {{ .user }}
|
|
# password: <in file>
|
|
|
|
{{- end }}
|
|
{{ with nomadVar "nomad/jobs/authelia" }}
|
|
sender: "{{ .email_sender }}"
|
|
|
|
## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
|
|
subject: "[Authelia] {title}"
|
|
|
|
## This address is used during the startup check to verify the email configuration is correct.
|
|
## It's not important what it is except if your email server only allows local delivery.
|
|
startup_check_address: test@iamthefij.com
|
|
{{- end }}
|
|
|
|
identity_providers:
|
|
oidc:
|
|
# hmac_secret: <file>
|
|
# issuer_private_key: <file>
|
|
|
|
clients: {{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}
|