# stacks/auth/authelia/configuration.yml
# Authelia v4 config. Secrets are not stored in this file; they are supplied
# through environment variables ending in _FILE, which point at files under /run/secrets/.
---
theme: dark
# Method offered first when a user enrols a second factor.
default_2fa_method: totp

log:
  level: info
  # JSON lines so the log shipper can index fields without a parser regex.
  format: json

server:
  # Binds every interface inside the container; reachability is decided by
  # the stack's port publishing, not here (confirm in the compose file).
  address: tcp://0.0.0.0:9091
  buffers:
    read: 8192
    write: 8192
  endpoints:
    authz:
      # Endpoint the reverse proxy calls for per-request authorization.
      forward-auth:
        implementation: ForwardAuth

totp:
  issuer: home.arpa
  # sha1 is the RFC 6238 default and the algorithm every authenticator app
  # supports; sha256/sha512 are stronger on paper but fail in several apps.
  algorithm: sha1
  digits: 6
  period: 30
  # Accepts one period either side of the current one to absorb clock drift.
  skew: 1

webauthn:
  disable: false
  display_name: homelab
  attestation_conveyance_preference: indirect
  user_verification: preferred
  timeout: 60s

authentication_backend:
  password_reset:
    # Reset flow is on; the reset link is delivered through the notifier below.
    disable: false
  refresh_interval: 5m
  ldap:
    implementation: lldap
    # Plain ldap:// with start_tls off: the bind password and password-reset
    # writes cross the container network in cleartext, so this relies on that
    # network being private to the stack.
    address: ldap://lldap:3890
    timeout: 5s
    start_tls: false
    base_dn: dc=home,dc=arpa
    additional_users_dn: ou=people
    users_filter: '(&({username_attribute}={input})(objectClass=person))'
    additional_groups_dn: ou=groups
    groups_filter: '(member={dn})'
    # Bind account is the directory admin. A dedicated service account with
    # only the rights Authelia needs (read, plus password writes for the reset
    # flow) would limit what a leaked bind password can do.
    user: uid=admin,ou=people,dc=home,dc=arpa

access_control:
  # Nothing is reachable unless a rule in access_control.yml allows it.
  default_policy: deny
  # NOTE(review): !include is a custom tag; confirm this Authelia build's
  # loader expands it, otherwise parsing fails at startup.
  rules: !include access_control.yml

session: !include session.yml

regulation:
  # Four failed logins within find_time bans the account for ban_time.
  max_retries: 4
  find_time: 2m
  ban_time: 10m

storage:
  local:
    # SQLite on the config volume; suits a single replica only.
    path: /config/db.sqlite3

notifier:
  # Startup fails if the SMTP server cannot be reached.
  disable_startup_check: false
  smtp: !include notifier.yml

password_policy:
  standard:
    enabled: true
    min_length: 12
    max_length: 128
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true

identity_providers:
  oidc:
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      # Allowed origins are derived from each client's redirect_uris.
      allowed_origins_from_client_redirect_uris: true
    clients:
      - id: gitea
        description: Gitea (home)
        public: false
        # Stored as a PBKDF2-SHA512 hash of the client secret; the plaintext is
        # configured only on the client side. REPLACE is a placeholder.
        secret: '$pbkdf2-sha512$310000$REPLACE$REPLACE'
        authorization_policy: two_factor
        redirect_uris:
          - https://gitea.home.arpa/user/oauth2/authelia/callback
        scopes:
          - openid
          - profile
          - email
          - groups
        userinfo_signed_response_alg: none
      - id: grafana
        description: Grafana (home)
        public: false
        secret: '$pbkdf2-sha512$310000$REPLACE$REPLACE'
        # Deliberately weaker than gitea (one_factor vs two_factor); Grafana
        # sign-in needs only a password here.
        authorization_policy: one_factor
        redirect_uris:
          - https://grafana.home.arpa/login/generic_oauth
        scopes:
          - openid
          - profile
          - email
          - groups

ntp:
  # Quoted: host:port would otherwise be a candidate for implicit typing.
  address: 'time.cloudflare.com:123'
  version: 4
  # TOTP validity depends on the clock; with disable_failure off, a drift
  # beyond max_desync aborts startup instead of producing spurious 2FA failures.
  max_desync: 3s
  disable_startup_check: false
  disable_failure: false

telemetry:
  metrics:
    enabled: true
    # Unauthenticated Prometheus endpoint; scrape it over the internal network
    # and keep the port unpublished.
    address: tcp://0.0.0.0:9959