Authelia rules and configuration file
# Portal UI theme; auto follows the browser's light/dark preference.
theme: auto

log:
  # NOTE(review): debug is the most verbose level. It is handy while the
  # stack is being brought up, but it records far more per-request detail
  # than a long-running auth service needs; consider info once stable.
  level: debug

# Time-based one-time password (second factor) parameters.
totp:
  disable: false
  algorithm: SHA1     # hash used to derive codes
  digits: 6           # code length
  period: 30          # seconds each code is valid for
  skew: 1             # periods of clock drift tolerated on either side
  secret_size: 32     # bytes of entropy in a newly generated TOTP secret

# Hardware / platform authenticators (FIDO2) as a second factor.
webauthn:
  disable: false

# Clock sanity check at start-up; TOTP validation depends on an accurate clock.
ntp:
  version: 4
  disable_startup_check: false
  disable_failure: false   # a failed check stops start-up rather than warning
authentication_backend:
  ldap:
    # NOTE(review): plain ldap:// with start_tls disabled means bind
    # credentials and user passwords cross the wire unencrypted; this is only
    # reasonable when lldap and Authelia share a private container network.
    url: 'ldap://lldap:3890'
    implementation: custom
    timeout: 5s
    start_tls: false
    additional_users_dn: ou=people
    # {username_attribute}, {input} and {dn} are Authelia placeholders that
    # are substituted at query time; they are not literal LDAP values.
    users_filter: '(&({username_attribute}={input})(objectClass=person))'
    additional_groups_dn: ou=groups
    groups_filter: '(member={dn})'
    # Attribute names read from each LDAP entry.
    group_name_attribute: cn
    mail_attribute: mail
    display_name_attribute: displayName
    # NOTE(review): the bind user/password are not in this excerpt;
    # presumably supplied via secrets or environment.
# Rules applied when a user sets a new password.
password_policy:
  # Both policies are switched off (enabled: false), so none of the settings
  # below are enforced until one of them is turned on.
  standard:
    enabled: false
    min_length: 8
    max_length: 0   # presumably 0 means no upper bound — TODO confirm
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
  zxcvbn:
    enabled: false
    min_score: 3
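access_control:
  # Anything not matched by a rule below is refused.
  default_policy: deny
  networks:
    # Available for `networks:` selectors in rules; no rule in this file
    # references it yet, so it currently has no effect.
    - name: internal
      networks:
        - '10.10.0.0/16'
  # Rules are evaluated top-down; the first matching rule decides.
  rules:
    ## Authentication Portal
    # The portal itself must be reachable without a session.
    - domain:
        - 'auth.{{ env "DOMAIN_NAME" }}'
      policy: bypass
    # Unauthenticated paths on the file server. `resources` entries are
    # regular expressions, not globs: a trailing `/*` means "zero or more
    # slashes", and with no end anchor `^.*/share/*` exempted any path that
    # merely contained `/share` (e.g. `/shared-things`). The patterns now end
    # in `([/?].*)?$`, so only that segment, its children and its query
    # string bypass authentication.
    - domain:
        - 'files.{{ env "DOMAIN_NAME" }}'
      resources:
        - '^.*/api/public/.*'
        - '^.*/share([/?].*)?$'
        - '^.*/static/(js|css|img|themes|fonts|assets)([/?].*)?$'
      policy: bypass
    # Minecraft Admins Allowed
    # Everything else on the file server: members of the minecraft group or
    # the admin user, after one factor.
    - domain:
        - 'files.{{ env "DOMAIN_NAME" }}'
      policy: one_factor
      subject:
        - 'group:minecraft'
        - 'user:admin'
    # Admin Only
    - domain:
        - 'web.{{ env "DOMAIN_NAME" }}'
        - 'dg.{{ env "DOMAIN_NAME" }}'
      policy: one_factor
      subject:
        - 'group:admin'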
session:
  name: authelia_session
  same_site: lax
  inactivity: 5m      # idle time after which the session is discarded
  expiration: 1h      # lifetime of an ordinary session
  remember_me: 2M     # lifetime when "remember me" is ticked (two months)
  # NOTE(review): cookie domain and session-store settings are not in this
  # excerpt; presumably configured elsewhere.

# Brute-force protection: max_retries failed logins within find_time
# bans the account for ban_time.
regulation:
  max_retries: 5
  find_time: 2m
  ban_time: 5m
storage:
  # NOTE(review): the storage encryption key is not in this excerpt;
  # presumably supplied via a secret or environment variable.
  local:
    path: /config/db.sqlite3

notifier:
  disable_startup_check: false
  # filesystem:
  #   filename: "/config/notification.txt"
  smtp:
    address: 'smtp://smtp.gmail.com:587'
    # Sender and login are both built from the MAILUSER environment variable.
    sender: '{{ env "MAILUSER" }}@gmail.com'
    username: '{{ env "MAILUSER" }}@gmail.com'
    # NOTE(review): no password key appears here; presumably provided via
    # a secret or environment variable.
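identity_providers:
  oidc:
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    enable_client_debug_messages: false
    # Both clients below are confidential (`public: false`), so with
    # `public_clients_only` PKCE is not required for either of them; use
    # `always` if the relying parties support it.
    enforce_pkce: public_clients_only
    jwks:
      # The signing key is rendered from a file at start-up. `mindent 10`
      # indents the PEM lines ten spaces so they sit inside the `key:` mapping
      # (which starts at column 8 on this line); changing the nesting of this
      # entry requires changing that number too.
      - key: {{ secret "/config/private.pem" | mindent 10 "|" | msquote }}
    authorization_policies:
      admin_only:
        default_policy: 'deny'
        rules:
          - policy: 'one_factor'
            subject:
              - 'group:admin'
      # Not referenced by any client in this file.
      minecraft:
        default_policy: 'deny'
        rules:
          - policy: 'one_factor'
            subject:
              - 'group:minecraft'
              - 'group:admin'
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
        - userinfo
      allowed_origins:
        # Quoted so the templated value is always read as one string.
        - 'https://auth.{{ env "DOMAIN_NAME" }}'  # Enter Domain Name
      allowed_origins_from_client_redirect_uris: false
    clients:
      - id: portainer
        client_name: Portainer
        # `$plaintext$` keeps the raw secret in the rendered configuration;
        # Authelia also accepts a hashed digest here, which is preferable
        # whenever the config file is readable by more than the Authelia
        # process.
        client_secret: '$plaintext${{ env "PORTAINER_SECRET" }}'
        public: false
        authorization_policy: 'admin_only'   # only group:admin may sign in
        redirect_uris:
          - 'https://portainer.{{ env "DOMAIN_NAME" }}'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
        userinfo_signed_response_alg: 'none'   # userinfo response is unsigned
      - id: audiobookshelf
        client_name: Audiobookshelf
        client_secret: '$plaintext${{ env "AUDIOBOOKSHELF_SECRET" }}'
        public: false
        # one_factor with no subject restriction: any LDAP user may sign in.
        authorization_policy: 'one_factor'
        redirect_uris:
          - 'https://abs.{{ env "DOMAIN_NAME" }}/auth/openid/callback'
          - 'https://abs.{{ env "DOMAIN_NAME" }}/auth/openid/mobile-redirect'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'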