Files
app/all-apps/authelia/4/authelia-config/configuration.yml.tmpl

134 lines
3.6 KiB
Cheetah

---
# Copyright 2025-2026 Thomas Hintz
# This file is part of Nassella.
# Nassella is free software: you can redistribute it and/or modify it under the
# terms of the GNU Affero General Public License as published by the Free
# Software Foundation, either version 3 of the License, or (at your option) any
# later version.
# Nassella is distributed in the hope that it will be useful, but WITHOUT ANY
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
# You should have received a copy of the GNU Affero General Public License
# along with Nassella. If not, see <https://www.gnu.org/licenses/>.
###############################################################
# Authelia configuration #
###############################################################
server:
address: 'tcp://:9091/authelia'
endpoints:
authz:
forward-auth:
implementation: 'ForwardAuth'
log:
level: 'debug'
totp:
issuer: 'authelia.com'
identity_validation:
reset_password:
jwt_secret: '$AUTHELIA_JWT_SECRET'
# lldap service account user should instead
# use an account with lldap_password_manager group
# since that can't be used to change an admin password
authentication_backend:
ldap:
address: 'ldap://lldap:3890'
implementation: 'lldap'
timeout: '5s'
pooling:
enable: false
count: 5
retries: 2
timeout: '10 seconds'
base_dn: 'DC=nassella,DC=org'
# additional_users_dn: 'OU=users'
# additional_groups_dn: 'OU=groups'
# group_search_mode: 'filter'
# permit_referrals: false
permit_unauthenticated_bind: false
permit_feature_detection_failure: false
user: 'uid=admin,ou=people,dc=nassella,dc=org'
password: '$LLDAP_ADMIN_PASSWORD'
# attributes:
# distinguished_name: 'distinguishedName'
# username: 'uid'
# display_name: 'displayName'
# family_name: 'sn'
# given_name: 'givenName'
# middle_name: 'middleName'
# nickname: ''
# gender: ''
# birthdate: ''
# website: 'wWWHomePage'
# profile: ''
# picture: ''
# zoneinfo: ''
# locale: ''
# phone_number: 'telephoneNumber'
# phone_extension: ''
# street_address: 'streetAddress'
# locality: 'l'
# region: 'st'
# postal_code: 'postalCode'
# country: 'c'
# mail: 'mail'
# member_of: 'memberOf'
# group_name: 'cn'
# extra:
# extra_example:
# name: ''
# multi_valued: false
# value_type: 'string'
access_control:
default_policy: 'deny'
rules:
# - domain: 'public.x.localhost'
# policy: 'bypass'
# - domain: 'app.nassella.org'
# policy: 'one_factor'
- domain: '$DOZZLE_FULL_DOMAIN'
policy: 'two_factor'
session:
secret: '$AUTHELIA_SESSION_SECRET'
cookies:
- name: 'authelia_session'
domain: '$ROOT_DOMAIN' # Should match whatever your root protected domain is
authelia_url: 'https://$AUTHELIA_FULL_DOMAIN'
expiration: '1 hour' # 1 hour
inactivity: '5 minutes' # 5 minutes
regulation:
max_retries: 3
find_time: '2 minutes'
ban_time: '5 minutes'
storage:
encryption_key: '$AUTHELIA_ENCRYPTION_KEY'
postgres:
address: 'tcp://authelia_db:5432'
servers: []
database: '$AUTHELIA_POSTGRES_DB'
schema: 'public'
username: '$AUTHELIA_POSTGRES_USER'
password: '$AUTHELIA_POSTGRES_PASSWORD'
timeout: '5s'
notifier:
smtp:
address: 'submission://$SMTP_HOST:$SMTP_PORT'
username: '$SMTP_AUTH_USER'
password: '$SMTP_AUTH_PASSWORD'
sender: '$SMTP_FROM'
...