183 lines
4.6 KiB
YAML
183 lines
4.6 KiB
YAML
---
|
|
###############################################################
|
|
# Authelia configuration #
|
|
###############################################################
|
|
|
|
theme: 'dark'
|
|
|
|
server:
|
|
address: 'tcp://:9091'
|
|
|
|
log:
|
|
level: 'info'
|
|
|
|
telemetry:
|
|
metrics:
|
|
enabled: false
|
|
|
|
totp:
|
|
disable: false
|
|
issuer: 'akanealw.com'
|
|
algorithm: 'sha1'
|
|
digits: 6
|
|
period: 30
|
|
skew: 1
|
|
secret_size: 32
|
|
allowed_algorithms:
|
|
- 'SHA1'
|
|
allowed_digits:
|
|
- 6
|
|
allowed_periods:
|
|
- 30
|
|
disable_reuse_security_policy: false
|
|
|
|
|
|
identity_validation:
|
|
reset_password:
|
|
jwt_secret: 'qVwp0m2FE/zrXvSxxehRJXg2Nl0Y7FW9XuxYPpzEQEM='
|
|
|
|
webauthn:
|
|
disable: false
|
|
enable_passkey_login: false
|
|
display_name: 'Authelia'
|
|
attestation_conveyance_preference: 'indirect'
|
|
timeout: '60 seconds'
|
|
filtering:
|
|
permitted_aaguids: []
|
|
prohibited_aaguids: []
|
|
prohibit_backup_eligibility: false
|
|
selection_criteria:
|
|
attachment: ''
|
|
discoverability: 'preferred'
|
|
user_verification: 'preferred'
|
|
metadata:
|
|
enabled: false
|
|
cache_policy: strict
|
|
validate_trust_anchor: true
|
|
validate_entry: true
|
|
validate_entry_permit_zero_aaguid: false
|
|
validate_status: true
|
|
validate_status_permitted: []
|
|
validate_status_prohibited:
|
|
- 'REVOKED'
|
|
- 'USER_KEY_PHYSICAL_COMPROMISE'
|
|
- 'USER_KEY_REMOTE_COMPROMISE'
|
|
- 'USER_VERIFICATION_BYPASS'
|
|
- 'ATTESTATION_KEY_COMPROMISE'
|
|
|
|
identity_providers:
|
|
oidc:
|
|
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
|
|
## See: https://www.authelia.com/c/oidc
|
|
jwks:
|
|
- key: {{ secret "/config/keys/private.pem" | mindent 10 "|" | msquote }}
|
|
cors:
|
|
allowed_origins_from_client_redirect_uris: true
|
|
endpoints:
|
|
- 'userinfo'
|
|
- 'authorization'
|
|
- 'token'
|
|
- 'revocation'
|
|
- 'introspection'
|
|
clients:
|
|
- client_id: 'wWXrRkVCMDkwNHTm2.d-A4yWyXjxwmvYv~jb9XxlVx5Cb_SfEb.ma3x1.KFZyDbxuE2aS3Iy'
|
|
client_name: 'NetBird'
|
|
client_secret: '$pbkdf2-sha512$310000$HcYlWJDCNyqCkcW8Zc9.yQ$4EGMr6nOkEeuFLLbCNVKLjbfVquMvA0eP9vQAI6lS9Uzq2CVG0qezS3liaquhaE0wSUcBCix/LlI5LbCR5EJsg' # The digest of 'insecure_secret'.
|
|
public: false
|
|
authorization_policy: 'two_factor'
|
|
require_pkce: false
|
|
pkce_challenge_method: ''
|
|
redirect_uris:
|
|
- 'https://netbird.akanealw.com/peers'
|
|
- 'https://netbird.akanealw.com/add-peers'
|
|
- 'http://localhost'
|
|
scopes:
|
|
- 'openid'
|
|
- 'email'
|
|
- 'profile'
|
|
response_types:
|
|
- 'code'
|
|
grant_types:
|
|
- 'authorization_code'
|
|
access_token_signed_response_alg: 'none'
|
|
userinfo_signed_response_alg: 'none'
|
|
token_endpoint_auth_method: 'client_secret_post'
|
|
|
|
authentication_backend:
|
|
file:
|
|
path: '/config/users_database.yml'
|
|
|
|
access_control:
|
|
default_policy: 'deny'
|
|
networks:
|
|
- name: internal
|
|
networks:
|
|
- '10.0.0.0/8'
|
|
- '192.168.0.0/16'
|
|
- '172.16.0.0/12'
|
|
rules:
|
|
## bypass all domains and subdomains from local ips
|
|
- domain:
|
|
- aknlw.com
|
|
- '*.aknlw.com'
|
|
- akanealw.com
|
|
- '*.akanealw.com'
|
|
networks:
|
|
- 'internal'
|
|
policy: 'bypass'
|
|
## bypass api paths
|
|
- domain:
|
|
- '*.akanealw.com'
|
|
resources:
|
|
- "^/api([/?].*)?$"
|
|
- "^/add([/?].*)?$"
|
|
- "^/public([/?].*)?$"
|
|
policy: 'bypass'
|
|
## bypass domains with own 2fa
|
|
- domain:
|
|
- aknlw.com
|
|
- bitwarden.akanealw.com
|
|
- gitea.akanealw.com
|
|
- gitea-docker.akanealw.com
|
|
- jellyfin.akanealw.com
|
|
- nextcloud.akanealw.com
|
|
policy: 'bypass'
|
|
## all other domains
|
|
- domain:
|
|
- akanealw.com
|
|
- '*.akanealw.com'
|
|
policy: 'two_factor'
|
|
|
|
session:
|
|
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
|
|
secret: 'm4fHZHAtR3KTmnwvY9NnI2uu8OjnxYkuQjNHtcaozCI='
|
|
|
|
cookies:
|
|
- name: 'authelia_session'
|
|
domain: 'akanealw.com' # Should match whatever your root protected domain is
|
|
authelia_url: 'https://auth.akanealw.com'
|
|
expiration: '1 hour'
|
|
inactivity: '5 minutes'
|
|
|
|
redis:
|
|
host: 'redis'
|
|
port: 6379
|
|
password: 'IKjU1KidPjRmUrT5yp2G9ud+6'
|
|
|
|
regulation:
|
|
max_retries: 3
|
|
find_time: '2 minutes'
|
|
ban_time: '5 minutes'
|
|
|
|
storage:
|
|
encryption_key: 'cF/hDHPpp3ab7vOGgniKsQ9zYPl9n5zIihL/DzLaMAk='
|
|
local:
|
|
path: '/config/db.sqlite3'
|
|
|
|
notifier:
|
|
smtp:
|
|
username: 'notify.akanealw@gmail.com'
|
|
password: 'xlgektpntvirzavi'
|
|
address: 'smtp://smtp.gmail.com:587'
|
|
sender: 'notify.akanealw@gmail.com'
|