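---
###############################################################
#                   Authelia configuration                    #
###############################################################
# NOTE(review): this file embeds live secret material (reset-password
# JWT secret, OIDC signing private key, session secret, Redis password,
# storage encryption key, SMTP password). Anything that has been committed
# or published with these values in place has to be treated as exposed and
# rotated. Authelia can read each of them from a file instead via the
# matching AUTHELIA_*_FILE environment variable (for example
# AUTHELIA_SESSION_SECRET_FILE, AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE,
# AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE), which keeps them out of this file.

theme: 'dark'

server:
  address: 'tcp://:9091'

log:
  level: 'info'

telemetry:
  metrics:
    enabled: false

totp:
  disable: false
  issuer: 'akanealw.com'
  algorithm: 'sha1'
  digits: 6
  period: 30
  skew: 1
  secret_size: 32
  allowed_algorithms:
    - 'SHA1'
  allowed_digits:
    - 6
  allowed_periods:
    - 30
  disable_reuse_security_policy: false

identity_validation:
  reset_password:
    # NOTE(review): secret committed in config — rotate and load via
    # AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE.
    jwt_secret: 'qVwp0m2FE/zrXvSxxehRJXg2Nl0Y7FW9XuxYPpzEQEM='

webauthn:
  disable: false
  enable_passkey_login: false
  display_name: 'Authelia'
  attestation_conveyance_preference: 'indirect'
  timeout: '60 seconds'
  filtering:
    permitted_aaguids: []
    prohibited_aaguids: []
    prohibit_backup_eligibility: false
  selection_criteria:
    attachment: ''
    discoverability: 'preferred'
    user_verification: 'preferred'
  metadata:
    # Metadata validation is disabled; the validate_* keys below only take
    # effect once enabled is set to true.
    enabled: false
    cache_policy: 'strict'
    validate_trust_anchor: true
    validate_entry: true
    validate_entry_permit_zero_aaguid: false
    validate_status: true
    validate_status_permitted: []
    validate_status_prohibited:
      - 'REVOKED'
      - 'USER_KEY_PHYSICAL_COMPROMISE'
      - 'USER_KEY_REMOTE_COMPROMISE'
      - 'USER_VERIFICATION_BYPASS'
      - 'ATTESTATION_KEY_COMPROMISE'

identity_providers:
  oidc:
    ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
    ## See: https://www.authelia.com/c/oidc
    # NOTE(review): the OIDC hmac_secret is not in this file; presumably it is
    # supplied through the environment — confirm it is set in the deployment.
    jwks:
      - key_id: 'authelia'
        algorithm: 'RS256'
        use: 'sig'
        # NOTE(review): this is the private signing key for every token this
        # provider issues. It is committed here in plaintext; treat it as
        # compromised, generate a new key, and mount it from a secret file
        # rather than keeping it inline.
        key: |
          -----BEGIN PRIVATE KEY-----
          MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDJynH/TZjqPtTy
          wDSieMFtFvfnnMO0ZSQ7tdwRN2362iDJQvmtv4iIAkplUz6wWXpPZhI5lcI0BeQ5
          WB+aX3SLAVNnENTZPuBkMUH1F+fhxA+VbunC3gvC1sBVjMGo6HkviKXt8qCEHPlK
          62wUrxYw6Nir7qqTWp6gXVwzbzuuyvw1zRL42jcU4j7XnVZAx5wUnLXM9mxHB9O8
          Fn0o9DqusN7uSAzcB6dLRBHfcR2p4e+Z1cR0tPhbkNpSuQHbaiet7IrTlI5ejN2/
          tPeaCoJ6WaLof2lx8zbNfD3YKcthYGYslGowl2aoz3i9ozKAUoy0FttOhCNiMmqb
          +j0WNaFzAgMBAAECggEAOiPQrZjrdo5s55ZWc/tr66UC/2ItBvRfOK8AvZslXnHr
          oWFhM9zsFxfl3ITcGo5lTawgkyPhhQCvjZAk5uMa3pQetiLk2MUjfOquUNI29tb5
          EHqY8pLse5JJbzyzbZmxlO7/s+vEsNvyPdJP3TPHJodoKj2FOxiQfK75ij5ByW3i
          rXu4mT2hQsyl6r3NGjhP2SW8XwSQopMYY5G1CefPyWXJnm53v9a/8Rc66Brnw1LT
          mJWeUcF44TSgAksWBnNFKbmn1nAKdqHZ3N39Zzm+HlB8Jm26nkBoqil8HL0keYUB
          7iC8j16hfzn8ccTxXMa2eWwtZT6BtFnMibRXZqglPQKBgQDqVJ/bMdBwqosFFLeZ
          pygI2e+znTAeNfYT5EIYq0G2t3ruRgLMUulQGV5HaT3v7Z3dZakDOkxP3cqKBIhu
          wld+skKxb2UrySPxXYrgXDSCEaLm6ASRMz4UtwW29xjEL4rKyH1oheVXFHUUDjyV
          mh82gNC5R/nUXKGFJeS3ZFwP9wKBgQDcc39jkZ5Rba8TUgjp8WVbsPwDyHCle9Ts
          jbdUnRXEfWisD14YA8l68QXELhcI9tw969euwD6pcdgOvgm91K2NpPVx8jckLsnm
          gpUcOJSWsYXqCaIBRu4JBNfMZHE4/vy1JEP7JqSEyUgrb17C5Cb++CXES/FMk5g4
          CkT8V+wTZQKBgE7fewsBgmJZ1P850O6kB+Kq0HbJgse4bAKYAvNguXax3WvUHt79
          TVDLqSMqNlHKzicWL8RJXCRJyAGasv1s5pxbjf1BPHF3e2Sjkrof7wCUxRspn1fs
          QoogbIkANNLcGcBVqXiEEQS1ew7sF9JXFQh4ZUjoBBxJrYgukAR2gFJTAoGAcILh
          +UdQre509D9iHUP+nxVtCeE63LqeqTyK3LxvZ6E50tblBwynv/9TGhUL3J9hOJkt
          sxqa4JAh3SRQhHoPOcN/IXClg+n9UZBD2etmqqJf3lqcPFqfEitOmBqLTrOU9j5U
          E9JdFQhFtSVaD82xuV+cptq7hIGvpqpXGxMkgaECgYEAtQLHG7vONJTkhVmBlF0q
          +Be21fKTyy+dAN57EIIqIVcLQZXzqZcWr3bqkwbBUYUXmHPCEdW58NamCI1u3aIr
          Pm4BbOL6vuiKcvspuD8htfYXlHj3Z2Ouho8kAcq7+JT4j2uOAb9+k17BFm3bFZJ1
          aWGVCmzxlb2sDvRVwGD4G10=
          -----END PRIVATE KEY-----
    cors:
      allowed_origins_from_client_redirect_uris: true
      endpoints:
        - 'userinfo'
        - 'authorization'
        - 'token'
        - 'revocation'
        - 'introspection'
    clients:
      - client_id: 'wWXrRkVCMDkwNHTm2.d-A4yWyXjxwmvYv~jb9XxlVx5Cb_SfEb.ma3x1.KFZyDbxuE2aS3Iy'
        client_name: 'NetBird'
        # NOTE(review): the trailing comment below is inherited from the
        # upstream example. If this digest really corresponds to the string
        # 'insecure_secret', that is a published example value and the client
        # secret must be regenerated; if the digest has already been changed,
        # drop the stale comment.
        client_secret: '$pbkdf2-sha512$310000$HcYlWJDCNyqCkcW8Zc9.yQ$4EGMr6nOkEeuFLLbCNVKLjbfVquMvA0eP9vQAI6lS9Uzq2CVG0qezS3liaquhaE0wSUcBCix/LlI5LbCR5EJsg'  # The digest of 'insecure_secret'.
        public: false
        authorization_policy: 'two_factor'
        # Confidential client authenticating with client_secret_post, so PKCE
        # is optional here; enabling it adds protection against code
        # interception if the client supports it.
        require_pkce: false
        pkce_challenge_method: ''
        # Exact-match redirect URIs; any new NetBird callback path must be
        # added here explicitly.
        redirect_uris:
          - 'https://netbird.akanealw.com/peers'
          - 'https://netbird.akanealw.com/add-peers'
          - 'https://netbird.akanealw.com/oauth2/callback'
        scopes:
          - 'openid'
          - 'email'
          - 'profile'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'

authentication_backend:
  file:
    path: '/config/users_database.yml'

access_control:
  # Nothing is reachable unless a rule below grants it.
  default_policy: 'deny'
  networks:
    # RFC 1918 private ranges; a request is "internal" only if its source
    # address falls in one of these.
    - name: 'internal'
      networks:
        - '10.0.0.0/8'
        - '192.168.0.0/16'
        - '172.16.0.0/12'
  # Rules are evaluated top to bottom and the first match wins, so the
  # broad bypass rules are deliberately placed ahead of the catch-all
  # two_factor rule at the end.
  rules:
    ## bypass all domains and subdomains from local ips
    - domain:
        - 'aknlw.com'
        - '*.aknlw.com'
        - 'akanealw.com'
        - '*.akanealw.com'
      networks:
        - 'internal'
      policy: 'bypass'
    ## bypass api paths
    # NOTE(review): this rule matches the listed path prefixes on EVERY
    # *.akanealw.com host, not just the services that need an unauthenticated
    # API — including hosts that otherwise require two_factor below. Consider
    # narrowing the domain list to the specific hosts whose /api, /add and
    # /public endpoints must be public.
    - domain:
        - '*.akanealw.com'
      resources:
        - '^/api([/?].*)?$'
        - '^/add([/?].*)?$'
        - '^/public([/?].*)?$'
      policy: 'bypass'
    ## bypass domains with own 2fa
    - domain:
        - 'aknlw.com'
        - 'bitwarden.akanealw.com'
        - 'gitea.akanealw.com'
        - 'gitea-docker.akanealw.com'
        - 'jellyfin.akanealw.com'
        - 'nextcloud.akanealw.com'
      policy: 'bypass'
    ## all other domains
    - domain:
        - 'akanealw.com'
        - '*.akanealw.com'
      policy: 'two_factor'

session:
  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
  # NOTE(review): secret committed in config — rotate and prefer the
  # AUTHELIA_SESSION_SECRET_FILE route mentioned above.
  secret: 'm4fHZHAtR3KTmnwvY9NnI2uu8OjnxYkuQjNHtcaozCI='
  cookies:
    - name: 'authelia_session'
      domain: 'akanealw.com'  # Should match whatever your root protected domain is
      authelia_url: 'https://auth.akanealw.com'
      expiration: '1 hour'
      inactivity: '5 minutes'
  redis:
    host: 'redis'
    port: 6379
    # NOTE(review): secret committed in config — rotate and load via
    # AUTHELIA_SESSION_REDIS_PASSWORD_FILE.
    password: 'IKjU1KidPjRmUrT5yp2G9ud+6'

regulation:
  # Three failed attempts within two minutes bans the user for five minutes.
  max_retries: 3
  find_time: '2 minutes'
  ban_time: '5 minutes'

storage:
  # NOTE(review): secret committed in config — this key protects the
  # contents of the SQLite database (TOTP secrets, WebAuthn credentials).
  # Rotate and load via AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE.
  encryption_key: 'cF/hDHPpp3ab7vOGgniKsQ9zYPl9n5zIihL/DzLaMAk='
  local:
    path: '/config/db.sqlite3'

notifier:
  smtp:
    username: 'notify.akanealw@gmail.com'
    # NOTE(review): mail account password committed in config — revoke this
    # app password and load a new one via AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE.
    password: 'xlgektpntvirzavi'
    address: 'smtp://smtp.gmail.com:587'
    sender: 'notify.akanealw@gmail.com'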