Add Authelia configuration and user database; remove Prometheus and Grafana services

authelia/configuration.yml

@@ -0,0 +1,247 @@
+---
+# Authelia Configuration File
+
+## Server Configuration
+server:
+  ## Server options
+  address: 'tcp://:9091'
+  asset_path: '/config/assets/'
+  
+  ## Endpoints
+  endpoints:
+    authz:
+      forward-auth:
+        implementation: 'ForwardAuth'
+
+## Log Configuration
+log:
+  level: 'info'
+  format: 'text'
+
+## Theme Configuration
+theme: 'light'
+
+## JWT Secret
+jwt_secret: '5812e26c776947f2fae8a9cc80605e59a895b7b6df573af284a4c3db9115411c'
+
+## Default Redirection URL
+default_redirection_url: 'https://3launchpad.com'
+
+## TOTP Configuration
+totp:
+  disable_reuse_security_policy: false
+  issuer: 'Authelia'
+  algorithm: 'sha1'
+  digits: 6
+  period: 30
+  skew: 1
+  secret_size: 32
+
+## WebAuthn Configuration
+webauthn:
+  disable: false
+  display_name: 'Authelia'
+  attestation_conveyance_preference: 'indirect'
+  user_verification: 'preferred'
+  timeout: '60s'
+
+## Duo Push API Configuration (optional)
+# duo_api:
+#   hostname: 'api-123456789.duosecurity.com'
+#   integration_key: 'ABCDEF'
+#   secret_key: 'GHIJKLMNOPQRSTUVWXYZ'
+
+## Authentication Backend Configuration
+authentication_backend:
+  ## Password Reset
+  password_reset:
+    disable: false
+    custom_url: ''
+
+  ## Refresh Interval
+  refresh_interval: '5m'
+
+  ## LDAP Configuration (uncomment and configure if using LDAP)
+  # ldap:
+  #   implementation: 'custom'
+  #   address: 'ldap://127.0.0.1:389'
+  #   timeout: '5s'
+  #   start_tls: false
+  #   skip_verify: false
+  #   base_dn: 'dc=example,dc=com'
+  #   username_attribute: 'uid'
+  #   additional_users_dn: 'ou=users'
+  #   users_filter: '(&({username_attribute}={input})(objectClass=person))'
+  #   additional_groups_dn: 'ou=groups'
+  #   groups_filter: '(&(member={dn})(objectclass=groupOfNames))'
+  #   group_name_attribute: 'cn'
+  #   mail_attribute: 'mail'
+  #   display_name_attribute: 'displayName'
+  #   user: 'cn=admin,dc=example,dc=com'
+  #   password: 'password'
+
+  ## File Configuration
+  file:
+    path: '/config/users_database.yml'
+    watch: false
+    search:
+      email: false
+      case_insensitive: false
+    password:
+      algorithm: 'argon2'
+      argon2:
+        variant: 'argon2id'
+        iterations: 3
+        memory: 65536
+        parallelism: 4
+        key_length: 32
+        salt_length: 16
+
+## Access Control Configuration
+access_control:
+  ## Default Policy
+  default_policy: 'deny'
+
+  ## Networks (optional, for IP-based rules)
+  networks:
+    - name: 'internal'
+      networks:
+        - '10.0.0.0/8'
+        - '172.16.0.0/12'
+        - '192.168.0.0/16'
+
+  ## Rules
+  rules:
+    ## Authelia itself
+    - domain: 'auth.gate.3la'
+      policy: 'bypass'
+
+    ## Admin access
+    - domain:
+        - 'traefik.gate.3launchpad.com'
+        - 'portainer.gate.3launchpad.com'
+      policy: 'two_factor'
+      subject:
+        - 'group:admins'
+
+    ## General protected services
+    - domain: '*.gate.3launchpad.com'
+      policy: 'one_factor'
+
+## Session Configuration
+session:
+  ## Session Name
+  name: 'authelia_session'
+
+  ## Session Domain
+  domain: 'gate.3launchpad.com'
+
+  ## Session Secret
+  secret: 'dcc8a066488b44cf185777f12a56bc0540bce2b3034e0b77c6118a9545dac831'
+
+  ## Session Expiration
+  expiration: '1h'
+  inactivity: '5m'
+
+  ## Remember Me
+  remember_me_duration: '1M'
+
+  ## Cookies Configuration
+  cookies:
+    - domain: 'gate.3launchpad.com'
+      authelia_url: 'https://auth.gate.3launchpad.com'
+      default_redirection_url: 'https://gate.3launchpad.com'
+
+  ## Redis Configuration (uncomment if using Redis)
+  # redis:
+  #   host: 'redis'
+  #   port: 6379
+  #   password: ''
+  #   database_index: 0
+  #   maximum_active_connections: 8
+  #   minimum_idle_connections: 0
+
+## Regulation Configuration
+regulation:
+  max_retries: 3
+  find_time: '2m'
+  ban_time: '5m'
+
+## Storage Configuration
+storage:
+  ## Database Engine
+  local:
+    path: '/config/db.sqlite3'
+
+  ## MySQL Configuration (alternative to local)
+  # mysql:
+  #   address: 'tcp://mysql:3306'
+  #   database: 'authelia'
+  #   username: 'authelia'
+  #   password: 'password'
+  #   timeout: '5s'
+
+  ## PostgreSQL Configuration (alternative to local)
+  # postgres:
+  #   address: 'tcp://postgres:5432'
+  #   database: 'authelia'
+  #   schema: 'public'
+  #   username: 'authelia'
+  #   password: 'password'
+  #   timeout: '5s'
+  #   ssl:
+  #     mode: 'disable'
+
+## Notification Configuration
+notifier:
+  ## Disable Startup Check
+  disable_startup_check: false
+
+  ## File System Notifier (for development/testing)
+  filesystem:
+    filename: '/config/notification.txt'
+
+  ## SMTP Configuration (for production)
+  # smtp:
+  #   address: 'smtp://mail.example.com:587'
+  #   username: 'authelia@example.com'
+  #   password: 'password'
+  #   sender: 'Authelia <authelia@example.com>'
+  #   identifier: 'authelia'
+  #   subject: '[Authelia] {title}'
+  #   startup_check_address: 'test@authelia.com'
+  #   disable_require_tls: false
+  #   disable_html_emails: false
+  #   disable_starttls: false
+  #   tls:
+  #     skip_verify: false
+  #     minimum_version: 'TLS1.2'
+  #     maximum_version: 'TLS1.3'
+
+## Identity Providers Configuration (optional)
+# identity_providers:
+#   oidc:
+#     hmac_secret: 'GENERATE_RANDOM_HMAC_SECRET'
+#     issuer_private_key: |
+#       -----BEGIN RSA PRIVATE KEY-----
+#       ...
+#       -----END RSA PRIVATE KEY-----
+#     access_token_lifespan: '1h'
+#     authorize_code_lifespan: '1m'
+#     id_token_lifespan: '1h'
+#     refresh_token_lifespan: '90m'
+#     enable_client_debug_messages: false
+#     clients:
+#       - id: 'myapp'
+#         description: 'My Application'
+#         secret: '$pbkdf2-sha512$310000$...'
+#         public: false
+#         authorization_policy: 'two_factor'
+#         redirect_uris:
+#           - 'https://myapp.example.com/callback'
+#         scopes:
+#           - 'openid'
+#           - 'profile'
+#           - 'email'
+#           - 'groups'
+#         userinfo_signing_algorithm: 'none'