134 lines
3.6 KiB
Cheetah
134 lines
3.6 KiB
Cheetah
---
|
|
# Copyright 2025-2026 Thomas Hintz
|
|
|
|
# This file is part of Nassella.
|
|
|
|
# Nassella is free software: you can redistribute it and/or modify it under the
|
|
# terms of the GNU Affero General Public License as published by the Free
|
|
# Software Foundation, either version 3 of the License, or (at your option) any
|
|
# later version.
|
|
|
|
# Nassella is distributed in the hope that it will be useful, but WITHOUT ANY
|
|
# WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
|
|
# FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
|
|
|
|
# You should have received a copy of the GNU Affero General Public License
|
|
# along with Nassella. If not, see <https://www.gnu.org/licenses/>.
|
|
###############################################################
|
|
# Authelia configuration #
|
|
###############################################################
|
|
|
|
server:
|
|
address: 'tcp://:9091/authelia'
|
|
endpoints:
|
|
authz:
|
|
forward-auth:
|
|
implementation: 'ForwardAuth'
|
|
|
|
log:
|
|
level: 'debug'
|
|
|
|
totp:
|
|
issuer: 'authelia.com'
|
|
|
|
identity_validation:
|
|
reset_password:
|
|
jwt_secret: '$AUTHELIA_JWT_SECRET'
|
|
|
|
# lldap service account user should instead
|
|
# use an account with lldap_password_manager group
|
|
# since that can't be used to change an admin password
|
|
authentication_backend:
|
|
ldap:
|
|
address: 'ldap://lldap:3890'
|
|
implementation: 'lldap'
|
|
timeout: '5s'
|
|
pooling:
|
|
enable: false
|
|
count: 5
|
|
retries: 2
|
|
timeout: '10 seconds'
|
|
base_dn: 'DC=nassella,DC=org'
|
|
# additional_users_dn: 'OU=users'
|
|
# additional_groups_dn: 'OU=groups'
|
|
# group_search_mode: 'filter'
|
|
# permit_referrals: false
|
|
permit_unauthenticated_bind: false
|
|
permit_feature_detection_failure: false
|
|
user: 'uid=admin,ou=people,dc=nassella,dc=org'
|
|
password: '$LLDAP_ADMIN_PASSWORD'
|
|
# attributes:
|
|
# distinguished_name: 'distinguishedName'
|
|
# username: 'uid'
|
|
# display_name: 'displayName'
|
|
# family_name: 'sn'
|
|
# given_name: 'givenName'
|
|
# middle_name: 'middleName'
|
|
# nickname: ''
|
|
# gender: ''
|
|
# birthdate: ''
|
|
# website: 'wWWHomePage'
|
|
# profile: ''
|
|
# picture: ''
|
|
# zoneinfo: ''
|
|
# locale: ''
|
|
# phone_number: 'telephoneNumber'
|
|
# phone_extension: ''
|
|
# street_address: 'streetAddress'
|
|
# locality: 'l'
|
|
# region: 'st'
|
|
# postal_code: 'postalCode'
|
|
# country: 'c'
|
|
# mail: 'mail'
|
|
# member_of: 'memberOf'
|
|
# group_name: 'cn'
|
|
# extra:
|
|
# extra_example:
|
|
# name: ''
|
|
# multi_valued: false
|
|
# value_type: 'string'
|
|
|
|
access_control:
|
|
default_policy: 'deny'
|
|
rules:
|
|
# - domain: 'public.x.localhost'
|
|
# policy: 'bypass'
|
|
# - domain: 'app.nassella.org'
|
|
# policy: 'one_factor'
|
|
- domain: '$DOZZLE_FULL_DOMAIN'
|
|
policy: 'two_factor'
|
|
|
|
session:
|
|
secret: '$AUTHELIA_SESSION_SECRET'
|
|
|
|
cookies:
|
|
- name: 'authelia_session'
|
|
domain: '$ROOT_DOMAIN' # Should match whatever your root protected domain is
|
|
authelia_url: 'https://$AUTHELIA_FULL_DOMAIN'
|
|
expiration: '1 hour' # 1 hour
|
|
inactivity: '5 minutes' # 5 minutes
|
|
|
|
regulation:
|
|
max_retries: 3
|
|
find_time: '2 minutes'
|
|
ban_time: '5 minutes'
|
|
|
|
storage:
|
|
encryption_key: '$AUTHELIA_ENCRYPTION_KEY'
|
|
postgres:
|
|
address: 'tcp://authelia_db:5432'
|
|
servers: []
|
|
database: '$AUTHELIA_POSTGRES_DB'
|
|
schema: 'public'
|
|
username: '$AUTHELIA_POSTGRES_USER'
|
|
password: '$AUTHELIA_POSTGRES_PASSWORD'
|
|
timeout: '5s'
|
|
|
|
notifier:
|
|
smtp:
|
|
address: 'submission://$SMTP_HOST:$SMTP_PORT'
|
|
username: '$SMTP_AUTH_USER'
|
|
password: '$SMTP_AUTH_PASSWORD'
|
|
sender: '$SMTP_FROM'
|
|
...
|