360 lines
12 KiB
YAML
360 lines
12 KiB
YAML
theme: auto
|
|
|
|
# jwt_secret: < in file >
|
|
|
|
{{ with nomadVar "nomad/jobs" }}
|
|
default_redirection_url: https://authelia.{{ .base_hostname }}/
|
|
{{ end }}
|
|
|
|
## Set the default 2FA method for new users and for when a user has a preferred method configured that has been
|
|
## disabled. This setting must be a method that is enabled.
|
|
## Options are totp, webauthn, mobile_push.
|
|
default_2fa_method: ""
|
|
|
|
server:
|
|
host: 0.0.0.0
|
|
port: 9091
|
|
disable_healthcheck: false
|
|
|
|
log:
|
|
## Level of verbosity for logs: info, debug, trace.
|
|
level: debug
|
|
|
|
## Format the logs are written as: json, text.
|
|
format: json
|
|
|
|
telemetry:
|
|
metrics:
|
|
enabled: false
|
|
# address: '0.0.0.0:{{ env "NOMAD_PORT_metrics" }}'
|
|
|
|
totp:
|
|
disable: false
|
|
issuer: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
|
|
digits: 6
|
|
|
|
## The TOTP algorithm to use.
|
|
## It is CRITICAL you read the documentation before changing this option:
|
|
## https://www.authelia.com/c/totp#algorithm
|
|
algorithm: sha1
|
|
|
|
webauthn:
|
|
disable: false
|
|
timeout: 60s
|
|
display_name: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
|
|
user_verification: preferred
|
|
|
|
duo_api:
|
|
disable: true
|
|
# hostname:
|
|
# integration_key:
|
|
# secret_key:
|
|
# enable_self_enrollment: false
|
|
|
|
authentication_backend:
|
|
disable_reset_password: false
|
|
|
|
## Password Reset Options.
|
|
password_reset:
|
|
|
|
## External reset password url that redirects the user to an external reset portal. This disables the internal reset
|
|
## functionality.
|
|
# TODO: not sure if this is needed, probably not?
|
|
custom_url: ""
|
|
|
|
refresh_interval: 5m
|
|
|
|
ldap:
|
|
implementation: custom
|
|
|
|
# stunnel url
|
|
url: ldap://127.0.0.1:389
|
|
timeout: 5s
|
|
|
|
# TODO: Maybe use stunnel for this
|
|
start_tls: false
|
|
|
|
base_dn: {{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
|
|
additional_users_dn: ou=people
|
|
additional_groups_dn: ou=groups
|
|
|
|
username_attribute: uid
|
|
group_name_attribute: cn
|
|
mail_attribute: mail
|
|
display_name_attribute: displayName
|
|
|
|
# To allow sign in both with username and email, one can use a filter like
|
|
# (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
|
|
users_filter: "(&({username_attribute}={input})(objectClass=person))"
|
|
# Only supported filter by lldap right now
|
|
groups_filter: (member={dn})
|
|
|
|
## The username and password of the admin user.
|
|
{{ with nomadVar "nomad/jobs/authelia" }}
|
|
user: uid={{ .lldap_admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
|
|
{{ end }}
|
|
# password set using secrets file
|
|
# password: <secret>
|
|
|
|
password_policy:
|
|
standard:
|
|
enabled: false
|
|
min_length: 8
|
|
max_length: 0
|
|
require_uppercase: true
|
|
require_lowercase: true
|
|
require_number: true
|
|
require_special: true
|
|
|
|
zxcvbn:
|
|
enabled: false
|
|
min_score: 3
|
|
|
|
##
|
|
## Access Control Configuration
|
|
##
|
|
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
|
|
##
|
|
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
|
|
## to anyone. Otherwise restrictions follow the rules defined.
|
|
##
|
|
## Note: One can use the wildcard * to match any subdomain.
|
|
## It must stand at the beginning of the pattern. (example: *.mydomain.com)
|
|
##
|
|
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
|
|
##
|
|
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
|
|
##
|
|
## - 'domain' defines which domain or set of domains the rule applies to.
|
|
##
|
|
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
|
|
## provided. If provided, the parameter represents either a user or a group. It should be of the form
|
|
## 'user:<username>' or 'group:<groupname>'.
|
|
##
|
|
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
|
|
##
|
|
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
|
|
## is optional and matches any resource if not provided.
|
|
##
|
|
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
|
|
access_control:
|
|
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
|
|
## resource if there is no policy to be applied to the user.
|
|
default_policy: deny
|
|
|
|
networks:
|
|
- name: internal
|
|
networks:
|
|
- 192.168.1.0/24
|
|
- 192.168.2.0/24
|
|
- 192.168.10.0/24
|
|
- name: VPN
|
|
networks: 192.168.5.0/24
|
|
|
|
rules:
|
|
## Rules applied to everyone
|
|
- domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
|
|
networks:
|
|
- internal
|
|
policy: one_factor
|
|
|
|
- domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
|
|
policy: two_factor
|
|
|
|
- domain:
|
|
# TODO: Drive these from Nomad variables
|
|
- 'secure.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
|
|
policy: two_factor
|
|
|
|
session:
|
|
## The name of the session cookie.
|
|
name: authelia_session
|
|
domain: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
|
|
|
|
# Stored in a secrets file
|
|
# secret: <in file>
|
|
|
|
expiration: 1h
|
|
inactivity: 5m
|
|
remember_me_duration: 1M
|
|
|
|
# TODO: use redis when I figure out authentication and database indexes
|
|
# redis:
|
|
# host:
|
|
# port:
|
|
#
|
|
# # username: authelia
|
|
# # password: authelia
|
|
# database_index: 0
|
|
# maximum_active_connections: 8
|
|
# minimum_idle_connections: 0
|
|
|
|
regulation:
|
|
max_retries: 3
|
|
find_time: 2m
|
|
ban_time: 5m
|
|
|
|
##
|
|
## Storage Provider Configuration
|
|
##
|
|
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
|
|
storage:
|
|
# encryption_key: <in file>
|
|
|
|
##
|
|
## MySQL / MariaDB (Storage Provider)
|
|
##
|
|
mysql:
|
|
host: 127.0.0.1
|
|
port: 3306
|
|
{{ with nomadVar "nomad/jobs/authelia" }}
|
|
database: {{ .db_name }}
|
|
username: {{ .db_user }}
|
|
# password: <in_file>
|
|
{{- end }}
|
|
timeout: 5s
|
|
|
|
##
|
|
## Notification Provider
|
|
##
|
|
## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration.
|
|
## The available providers are: filesystem, smtp. You must use only one of these providers.
|
|
notifier:
|
|
## You can disable the notifier startup check by setting this to true.
|
|
disable_startup_check: false
|
|
|
|
{{ with nomadVar "nomad/jobs" }}
|
|
smtp:
|
|
host: {{ .smtp_server }}
|
|
port: {{ .smtp_port }}
|
|
username: {{ .smtp_user }}
|
|
# password: <in file>
|
|
|
|
{{- end }}
|
|
{{ with nomadVar "nomad/jobs/authelia" }}
|
|
sender: "{{ .email_sender }}"
|
|
|
|
## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
|
|
subject: "[Authelia] {title}"
|
|
|
|
## This address is used during the startup check to verify the email configuration is correct.
|
|
## It's not important what it is except if your email server only allows local delivery.
|
|
startup_check_address: test@iamthefij.com
|
|
{{- end }}
|
|
|
|
# identity_providers:
|
|
##
|
|
## OpenID Connect (Identity Provider)
|
|
##
|
|
## It's recommended you read the documentation before configuration of this section:
|
|
## https://www.authelia.com/c/oidc
|
|
# oidc:
|
|
## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
|
|
## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
|
|
# hmac_secret: this_is_a_secret_abc123abc123abc
|
|
|
|
## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
|
|
## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
|
|
# issuer_private_key: |
|
|
# --- KEY START
|
|
# --- KEY END
|
|
|
|
## The lifespans configure the expiration for these token types.
|
|
# access_token_lifespan: 1h
|
|
# authorize_code_lifespan: 1m
|
|
# id_token_lifespan: 1h
|
|
# refresh_token_lifespan: 90m
|
|
|
|
## Enables additional debug messages.
|
|
# enable_client_debug_messages: false
|
|
|
|
## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
|
|
## security reasons.
|
|
# minimum_parameter_entropy: 8
|
|
|
|
## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
|
|
## for security reasons.
|
|
# enforce_pkce: public_clients_only
|
|
|
|
## Cross-Origin Resource Sharing (CORS) settings.
|
|
# cors:
|
|
## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
|
|
# endpoints:
|
|
# - authorization
|
|
# - token
|
|
# - revocation
|
|
# - introspection
|
|
# - userinfo
|
|
|
|
## List of allowed origins.
|
|
## Any origin with https is permitted unless this option is configured or the
|
|
## allowed_origins_from_client_redirect_uris option is enabled.
|
|
# allowed_origins:
|
|
# - https://example.com
|
|
|
|
## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
|
|
## provided they have the scheme http or https and do not have the hostname of localhost.
|
|
# allowed_origins_from_client_redirect_uris: false
|
|
|
|
## Clients is a list of known clients and their configuration.
|
|
# clients:
|
|
# -
|
|
## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
|
|
# id: myapp
|
|
|
|
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
|
|
# description: My Application
|
|
|
|
## The client secret is a shared secret between Authelia and the consumer of this client.
|
|
# secret: this_is_a_secret
|
|
|
|
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
|
|
## necessary. Read the documentation for more information.
|
|
## The subject identifier must be the host component of a URL, which is a domain name with an optional port.
|
|
# sector_identifier: example.com
|
|
|
|
## Sets the client to public. This should typically not be set, please see the documentation for usage.
|
|
# public: false
|
|
|
|
## The policy to require for this client; one_factor or two_factor.
|
|
# authorization_policy: two_factor
|
|
|
|
## By default users cannot remember pre-configured consents. Setting this value to a period of time using a
|
|
## duration notation will enable users to remember consent for this client. The time configured is the amount
|
|
## of time the pre-configured consent is valid for granting new authorizations to the user.
|
|
# pre_configured_consent_duration:
|
|
|
|
## Audience this client is allowed to request.
|
|
# audience: []
|
|
|
|
## Scopes this client is allowed to request.
|
|
# scopes:
|
|
# - openid
|
|
# - groups
|
|
# - email
|
|
# - profile
|
|
|
|
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
|
|
# redirect_uris:
|
|
# - https://oidc.example.com:8080/oauth2/callback
|
|
|
|
## Grant Types configures which grants this client can obtain.
|
|
## It's not recommended to define this unless you know what you're doing.
|
|
# grant_types:
|
|
# - refresh_token
|
|
# - authorization_code
|
|
|
|
## Response Types configures which responses this client can be sent.
|
|
## It's not recommended to define this unless you know what you're doing.
|
|
# response_types:
|
|
# - code
|
|
|
|
## Response Modes configures which response modes this client supports.
|
|
# response_modes:
|
|
# - form_post
|
|
# - query
|
|
# - fragment
|
|
|
|
## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
|
|
# userinfo_signing_algorithm: none
|