145 lines
3.2 KiB
YAML
145 lines
3.2 KiB
YAML
---
|
|
###############################################################
|
|
# Authelia configuration #
|
|
###############################################################
|
|
|
|
theme: 'dark'
|
|
|
|
server:
|
|
address: 'tcp://:9091'
|
|
|
|
log:
|
|
level: 'info'
|
|
|
|
telemetry:
|
|
metrics:
|
|
enabled: false
|
|
|
|
totp:
|
|
disable: false
|
|
issuer: 'akanealw.com'
|
|
algorithm: 'sha1'
|
|
digits: 6
|
|
period: 30
|
|
skew: 1
|
|
secret_size: 32
|
|
allowed_algorithms:
|
|
- 'SHA1'
|
|
allowed_digits:
|
|
- 6
|
|
allowed_periods:
|
|
- 30
|
|
disable_reuse_security_policy: false
|
|
|
|
|
|
identity_validation:
|
|
reset_password:
|
|
jwt_secret: 'qVwp0m2FE/zrXvSxxehRJXg2Nl0Y7FW9XuxYPpzEQEM='
|
|
|
|
webauthn:
|
|
disable: false
|
|
enable_passkey_login: false
|
|
display_name: 'Authelia'
|
|
attestation_conveyance_preference: 'indirect'
|
|
timeout: '60 seconds'
|
|
filtering:
|
|
permitted_aaguids: []
|
|
prohibited_aaguids: []
|
|
prohibit_backup_eligibility: false
|
|
selection_criteria:
|
|
attachment: ''
|
|
discoverability: 'preferred'
|
|
user_verification: 'preferred'
|
|
metadata:
|
|
enabled: false
|
|
cache_policy: strict
|
|
validate_trust_anchor: true
|
|
validate_entry: true
|
|
validate_entry_permit_zero_aaguid: false
|
|
validate_status: true
|
|
validate_status_permitted: []
|
|
validate_status_prohibited:
|
|
- 'REVOKED'
|
|
- 'USER_KEY_PHYSICAL_COMPROMISE'
|
|
- 'USER_KEY_REMOTE_COMPROMISE'
|
|
- 'USER_VERIFICATION_BYPASS'
|
|
- 'ATTESTATION_KEY_COMPROMISE'
|
|
|
|
authentication_backend:
|
|
file:
|
|
path: '/config/users_database.yml'
|
|
|
|
access_control:
|
|
default_policy: 'deny'
|
|
networks:
|
|
- name: internal
|
|
networks:
|
|
- '10.0.0.0/8'
|
|
- '192.168.0.0/16'
|
|
- '172.16.0.0/12'
|
|
rules:
|
|
## bypass all domains and subdomains from local ips
|
|
- domain:
|
|
- aknlw.com
|
|
- '*.aknlw.com'
|
|
- akanealw.com
|
|
- '*.akanealw.com'
|
|
networks:
|
|
- 'internal'
|
|
policy: 'bypass'
|
|
## bypass api paths
|
|
- domain:
|
|
- '*.akanealw.com'
|
|
resources:
|
|
- "^/api([/?].*)?$"
|
|
- "^/add([/?].*)?$"
|
|
- "^/public([/?].*)?$"
|
|
policy: 'bypass'
|
|
## bypass domains with own 2fa
|
|
- domain:
|
|
- aknlw.com
|
|
- bitwarden.akanealw.com
|
|
- gitea.akanealw.com
|
|
- gitea-docker.akanealw.com
|
|
- jellyfin.akanealw.com
|
|
- nextcloud.akanealw.com
|
|
policy: 'bypass'
|
|
## all other domains
|
|
- domain:
|
|
- akanealw.com
|
|
- '*.akanealw.com'
|
|
policy: 'two_factor'
|
|
|
|
session:
|
|
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
|
|
secret: 'm4fHZHAtR3KTmnwvY9NnI2uu8OjnxYkuQjNHtcaozCI='
|
|
|
|
cookies:
|
|
- name: 'authelia_session'
|
|
domain: 'akanealw.com' # Should match whatever your root protected domain is
|
|
authelia_url: 'https://auth.akanealw.com'
|
|
expiration: '1 hour'
|
|
inactivity: '5 minutes'
|
|
|
|
redis:
|
|
host: 'redis'
|
|
port: 6379
|
|
password: 'IKjU1KidPjRmUrT5yp2G9ud+6'
|
|
|
|
regulation:
|
|
max_retries: 3
|
|
find_time: '2 minutes'
|
|
ban_time: '5 minutes'
|
|
|
|
storage:
|
|
encryption_key: 'cF/hDHPpp3ab7vOGgniKsQ9zYPl9n5zIihL/DzLaMAk='
|
|
local:
|
|
path: '/config/db.sqlite3'
|
|
|
|
notifier:
|
|
smtp:
|
|
username: 'notify.akanealw@gmail.com'
|
|
password: 'xlgektpntvirzavi'
|
|
address: 'smtp://smtp.gmail.com:587'
|
|
sender: 'notify.akanealw@gmail.com'
|