--- # Copyright 2025-2026 Thomas Hintz # This file is part of Nassella. # Nassella is free software: you can redistribute it and/or modify it under the # terms of the GNU Affero General Public License as published by the Free # Software Foundation, either version 3 of the License, or (at your option) any # later version. # Nassella is distributed in the hope that it will be useful, but WITHOUT ANY # WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS # FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. # You should have received a copy of the GNU Affero General Public License # along with Nassella. If not, see . ############################################################### # Authelia configuration # ############################################################### server: address: 'tcp://:9091/authelia' endpoints: authz: forward-auth: implementation: 'ForwardAuth' log: level: 'debug' totp: issuer: 'authelia.com' identity_validation: reset_password: jwt_secret: '$AUTHELIA_JWT_SECRET' # lldap service account user should instead # use an account with lldap_password_manager group # since that can't be used to change an admin password authentication_backend: ldap: address: 'ldap://lldap:3890' implementation: 'lldap' timeout: '5s' pooling: enable: false count: 5 retries: 2 timeout: '10 seconds' base_dn: 'DC=nassella,DC=org' # additional_users_dn: 'OU=users' # additional_groups_dn: 'OU=groups' # group_search_mode: 'filter' # permit_referrals: false permit_unauthenticated_bind: false permit_feature_detection_failure: false user: 'uid=admin,ou=people,dc=nassella,dc=org' password: '$LLDAP_ADMIN_PASSWORD' # attributes: # distinguished_name: 'distinguishedName' # username: 'uid' # display_name: 'displayName' # family_name: 'sn' # given_name: 'givenName' # middle_name: 'middleName' # nickname: '' # gender: '' # birthdate: '' # website: 'wWWHomePage' # profile: '' # picture: '' # zoneinfo: '' # locale: '' # phone_number: 'telephoneNumber' # phone_extension: '' # street_address: 'streetAddress' # locality: 'l' # region: 'st' # postal_code: 'postalCode' # country: 'c' # mail: 'mail' # member_of: 'memberOf' # group_name: 'cn' # extra: # extra_example: # name: '' # multi_valued: false # value_type: 'string' access_control: default_policy: 'deny' rules: # - domain: 'public.x.localhost' # policy: 'bypass' # - domain: 'app.nassella.org' # policy: 'one_factor' - domain: '$DOZZLE_FULL_DOMAIN' policy: 'two_factor' session: secret: '$AUTHELIA_SESSION_SECRET' cookies: - name: 'authelia_session' domain: '$ROOT_DOMAIN' # Should match whatever your root protected domain is authelia_url: 'https://$AUTHELIA_FULL_DOMAIN' expiration: '1 hour' # 1 hour inactivity: '5 minutes' # 5 minutes regulation: max_retries: 3 find_time: '2 minutes' ban_time: '5 minutes' storage: encryption_key: '$AUTHELIA_ENCRYPTION_KEY' postgres: address: 'tcp://authelia_db:5432' servers: [] database: '$AUTHELIA_POSTGRES_DB' schema: 'public' username: '$AUTHELIA_POSTGRES_USER' password: '$AUTHELIA_POSTGRES_PASSWORD' timeout: '5s' notifier: smtp: address: 'submission://$SMTP_HOST:$SMTP_PORT' username: '$SMTP_AUTH_USER' password: '$SMTP_AUTH_PASSWORD' sender: '$SMTP_FROM' ...