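---
# Authelia Configuration
# Full reference: https://www.authelia.com/configuration/
#
# NOTE(review): the `${VAR}` placeholders in this file are not expanded by the
# YAML parser. Authelia substitutes them only when its `expand-env` config
# filter is enabled (X_AUTHELIA_CONFIG_FILTERS). Without that filter the
# literal text `${...}` would be loaded as the secret value — confirm the
# filter is enabled in the deployment, or supply these values through the
# corresponding AUTHELIA_* environment variables instead of the config keys.

server:
  address: 'tcp://0.0.0.0:9091'
  endpoints:
    enable_pprof: false
    enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ''
    certificate: ''

log:
  level: info
  format: text
  file_path: /config/authelia.log
  keep_stdout: true

telemetry:
  metrics:
    enabled: false

totp:
  issuer: lemonlink.eu
  algorithm: sha1
  digits: 6
  period: 30
  skew: 1
  secret_size: 32

webauthn:
  disable: false
  display_name: LemonLink
  attestation_conveyance_preference: indirect
  user_verification: preferred
  timeout: 60s

ntp:
  address: 'time.cloudflare.com:123'
  version: 4
  max_desync: 3s
  disable_startup_check: false
  disable_failure: false

authentication_backend:
  password_reset:
    disable: false
    custom_url: ''
  # File-based user database (for small deployments)
  # For LDAP/Active Directory, see: https://www.authelia.com/configuration/authentication/ldap/
  file:
    path: /users_database.yml
    watch: true
    search:
      email: true
      case_insensitive: false
    password:
      algorithm: argon2id
      argon2id:
        variant: argon2id
        iterations: 3
        memory: 65536
        parallelism: 4
        key_length: 32
        salt_length: 16

password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
  zxcvbn:
    enabled: true
    min_score: 3

access_control:
  default_policy: two_factor
  networks:
    - name: internal
      networks:
        - '100.64.0.0/10'  # Tailscale
        - '10.0.0.0/8'  # Private
        - '172.16.0.0/12'  # Private
        - '192.168.0.0/16'  # Private
        - 'fc00::/7'  # IPv6 ULA
  # Rules are evaluated top-down and the first matching rule wins, and a
  # `*.lemonlink.eu` wildcard also matches nested names such as
  # `x.local.lemonlink.eu`. The more specific `*.local.lemonlink.eu` rules
  # therefore have to come before the broad wildcard, otherwise the one_factor
  # rule for trusted networks is never reached.
  rules:
    # Public endpoints (no auth)
    - domain:
        - 'auth.lemonlink.eu'
      policy: bypass

    # Internal services - can use one_factor on trusted networks.
    # Network matching relies on the client IP the reverse proxy forwards;
    # presumably the proxy overwrites X-Forwarded-For — verify.
    - domain:
        - '*.local.lemonlink.eu'
      policy: one_factor
      networks:
        - internal

    # Internal services from external - require 2FA
    - domain:
        - '*.local.lemonlink.eu'
      policy: two_factor

    # External services - strict 2FA
    - domain:
        - '*.lemonlink.eu'
      policy: two_factor

session:
  name: authelia_session
  domain: lemonlink.eu
  same_site: lax
  # Set via environment variable (see the note at the top of this file).
  secret: '${AUTHELIA_SESSION_SECRET}'
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M
  redis:
    host: redis
    port: 6379
    database_index: 0
    maximum_active_connections: 8
    minimum_idle_connections: 0
    tls:
      enabled: false

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m
  # CrowdSec integration
  # crowdsec:
  #   enabled: true
  #   host: crowdsec
  #   port: 8080
  #   key: ${CROWDSEC_API_KEY}

storage:
  # Set via environment variable (see the note at the top of this file).
  encryption_key: '${AUTHELIA_STORAGE_KEY}'
  local:
    path: /config/db.sqlite3

notifier:
  disable_startup_check: false
  # NOTE(review): Authelia requires a notifier (smtp or filesystem). With the
  # smtp block commented out, confirm one is configured elsewhere (e.g. via
  # environment variables), otherwise startup validation will fail.
  # SMTP configuration for email notifications
  # smtp:
  #   address: smtp.gmail.com:587
  #   timeout: 5s
  #   username: your-email@gmail.com
  #   password: your-app-password
  #   sender: "Authelia "
  #   identifier: lemonlink.eu
  #   subject: "[Authelia] {title}"
  #   startup_check_address: test@authelia.com
  #   disable_require_tls: false
  #   disable_html_emails: false
  #   tls:
  #     skip_verify: false
  #     minimum_version: TLS1.2

identity_providers:
  oidc:
    # NOTE(review): the OIDC provider's signing key and HMAC secret are not
    # set in this file; they are presumably supplied via environment variables
    # or secret files — confirm before deploying.
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins: []
      allowed_origins_from_client_redirect_uris: false
    # Clients configuration
    clients:
      # Grafana OAuth
      - client_id: grafana
        client_name: Grafana
        # Authelia expects a password digest here for confidential clients
        # (e.g. generated with `authelia crypto hash generate`); confirm the
        # environment variable holds the digest rather than the raw secret.
        client_secret: '${GRAFANA_OAUTH_SECRET}'
        public: false
        authorization_policy: two_factor
        require_pkce: true
        pkce_challenge_method: S256
        redirect_uris:
          - 'https://grafana.local.lemonlink.eu/login/generic_oauth'
        scopes:
          - openid
          - profile
          - groups
          - email
        userinfo_signed_response_alg: none
      # Add more clients as needed
      # - client_id: nextcloud
      #   client_name: Nextcloud
      #   ...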