LemonSec/authelia/configuration.yml


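---
# Authelia Configuration
# Full reference: https://www.authelia.com/configuration/
#
# Layout: 2-space indentation, block style, one blank line between top-level
# sections. Values that must be substituted before Authelia reads this file
# (session secret, storage key, OIDC client secret) are single-quoted so a
# YAML parser never retypes them.

# Listener for the Authelia portal/API. No TLS material is configured here,
# so this is a plaintext listener; presumably TLS terminates at a reverse
# proxy in front of it — keep :9091 reachable only from that proxy.
server:
  address: tcp://0.0.0.0:9091
  endpoints:
    enable_pprof: false
    enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ''
    certificate: ''

log:
  level: info
  format: text
  file_path: /config/authelia.log
  keep_stdout: true

telemetry:
  metrics:
    enabled: false

# TOTP parameters. sha1/6 digits/30 s is the RFC 6238 profile most
# authenticator apps support; changing them can break existing enrolments.
totp:
  issuer: lemonlink.eu
  algorithm: sha1
  digits: 6
  period: 30
  skew: 1
  secret_size: 32

webauthn:
  disable: false
  display_name: LemonLink
  attestation_conveyance_preference: indirect
  user_verification: preferred
  timeout: 60s

# TOTP validation depends on accurate time; the startup check fails fast if
# the clock drifts more than max_desync from the NTP source.
ntp:
  address: "time.cloudflare.com:123"
  version: 4
  max_desync: 3s
  disable_startup_check: false
  disable_failure: false

authentication_backend:
  # Password reset is enabled; it needs a working notifier (see `notifier`
  # below) to deliver the reset link.
  password_reset:
    disable: false
    custom_url: ''
  # File-based user database (for small deployments)
  # For LDAP/Active Directory, see: https://www.authelia.com/configuration/authentication/ldap/
  file:
    path: /users_database.yml
    watch: true
    search:
      email: true
      case_insensitive: false
    password:
      algorithm: argon2id
      argon2id:
        variant: argon2id
        iterations: 3
        # NOTE(review): confirm the unit `memory` uses in the deployed
        # Authelia version — older releases documented it in KiB, newer ones
        # in MiB; 65536 only makes sense as KiB (64 MiB).
        memory: 65536
        parallelism: 4
        key_length: 32
        salt_length: 16

password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
  zxcvbn:
    enabled: true
    min_score: 3

# Rules are evaluated top-down; the first match wins, and anything unmatched
# falls back to default_policy.
access_control:
  default_policy: two_factor
  # The `internal` network only downgrades auth requirements if Authelia sees
  # the real client address. Presumably the reverse proxy forwards it
  # (X-Forwarded-For); if it does not, every request appears to come from the
  # proxy's private address and matches this network — confirm the proxy setup.
  networks:
    - name: internal
      networks:
        - 100.64.0.0/10  # Tailscale
        - 10.0.0.0/8  # Private
        - 172.16.0.0/12  # Private
        - 192.168.0.0/16  # Private
        - fc00::/7  # IPv6 ULA
  rules:
    # Public endpoints (no auth) — the portal itself must be reachable
    # unauthenticated.
    - domain:
        - "auth.lemonlink.eu"
      policy: bypass
    # External services - strict 2FA
    - domain:
        - "*.lemonlink.eu"
      policy: two_factor
    # Internal services - can use one_factor on trusted networks
    # NOTE(review): if Authelia's wildcard matching is suffix-based,
    # "*.lemonlink.eu" above already matches every *.local.lemonlink.eu host
    # and this rule is never reached (the effective policy stays two_factor).
    # That is the stricter outcome, but not the documented intent — verify
    # against the matching semantics of the deployed version and reorder
    # deliberately if one_factor on trusted networks is really wanted.
    - domain:
        - "*.local.lemonlink.eu"
      policy: one_factor
      networks:
        - internal
    # Internal services from external - require 2FA
    - domain:
        - "*.local.lemonlink.eu"
      policy: two_factor

session:
  name: authelia_session
  domain: lemonlink.eu
  same_site: lax
  # Set via environment variable.
  # NOTE(review): Authelia itself does not appear to expand `${VAR}` syntax;
  # confirm a rendering step (e.g. envsubst) replaces this before startup,
  # otherwise the literal text becomes the session secret. Authelia's own
  # environment/secret-file mechanism is the alternative.
  secret: '${AUTHELIA_SESSION_SECRET}'
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M
  # Redis over plaintext; acceptable only while redis and Authelia share an
  # isolated network.
  redis:
    host: redis
    port: 6379
    database_index: 0
    maximum_active_connections: 8
    minimum_idle_connections: 0
    tls:
      enabled: false

# Brute-force regulation: 3 failures within 2m bans the user for 5m.
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

# CrowdSec integration
# crowdsec:
#   enabled: true
#   host: crowdsec
#   port: 8080
#   key: ${CROWDSEC_API_KEY}

storage:
  # Set via environment variable — same substitution caveat as session.secret.
  # Losing this key makes the existing database unreadable; back it up.
  encryption_key: '${AUTHELIA_STORAGE_KEY}'
  local:
    path: /config/db.sqlite3

# NOTE(review): with `smtp` commented out and no `filesystem` notifier
# configured, Authelia will likely reject this config at startup, and
# password reset / identity verification mails have nowhere to go — confirm
# one notifier is configured in the rendered file.
notifier:
  disable_startup_check: false
  # SMTP configuration for email notifications
  # smtp:
  #   address: smtp.gmail.com:587
  #   timeout: 5s
  #   username: your-email@gmail.com
  #   password: your-app-password
  #   sender: "Authelia <auth@lemonlink.eu>"
  #   identifier: lemonlink.eu
  #   subject: "[Authelia] {title}"
  #   startup_check_address: test@authelia.com
  #   disable_require_tls: false
  #   disable_html_emails: false
  #   tls:
  #     skip_verify: false
  #     minimum_version: TLS1.2

# NOTE(review): no OIDC signing key or HMAC secret is visible in this file;
# presumably they are supplied via environment/secret files — verify, since
# the provider cannot start without them.
identity_providers:
  oidc:
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins: []
      allowed_origins_from_client_redirect_uris: false
    # Clients configuration
    clients:
      # Grafana OAuth — confidential client, PKCE enforced, 2FA required.
      - client_id: grafana
        client_name: Grafana
        # Set via environment variable — same substitution caveat as
        # session.secret. NOTE(review): confirm whether the deployed Authelia
        # version expects this as a hashed digest rather than plaintext.
        client_secret: '${GRAFANA_OAUTH_SECRET}'
        public: false
        authorization_policy: two_factor
        require_pkce: true
        pkce_challenge_method: S256
        redirect_uris:
          - https://grafana.local.lemonlink.eu/login/generic_oauth
        scopes:
          - openid
          - profile
          - groups
          - email
        # Unsigned userinfo response (plain JSON); quoted so no parser reads
        # it as a null.
        userinfo_signed_response_alg: 'none'
      # Add more clients as needed
      # - client_id: nextcloud
      #   client_name: Nextcloud
      #   ...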