diff --git a/authelia/configuration.yml b/authelia/configuration.yml
index f4d86c0..2d62617 100644
--- a/authelia/configuration.yml
+++ b/authelia/configuration.yml
@@ -1,33 +1,23 @@
 --- -# Authelia Configuration File +# Minimal validated Authelia configuration -## Server Configuration server: - ## Server options address: 'tcp://:9091' - # asset_path removed (directory didn't exist). Re-add if you mount custom portal assets. - - ## Endpoints endpoints: authz: forward-auth: implementation: 'ForwardAuth' -## Log Configuration log: level: 'info' format: 'text' -## Theme Configuration theme: 'light' -## Identity Validation / Password Reset JWT (replaces deprecated jwt_secret) identity_validation: reset_password: jwt_secret: '${AUTHELIA_JWT_SECRET}' - # Ensure AUTHELIA_JWT_SECRET is defined in environment (.env/Secrets) or startup will fail. -## TOTP Configuration totp: disable_reuse_security_policy: false issuer: 'Authelia' 
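Review bot: The new-side line `jwt_secret: '${AUTHELIA_JWT_SECRET}'` is only expanded if Authelia's expand-env config filter is enabled (`X_AUTHELIA_CONFIG_FILTERS=expand-env`); without it the literal placeholder text becomes the password-reset JWT signing secret, and startup will not fail as the removed comment claimed, because the string is long enough to pass the length check. The same concern applies to `secret: '${AUTHELIA_SESSION_SECRET}'` and `encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'` in the third hunk. Authelia's documented approach is to omit these keys from the file entirely and provide the value through the matching `AUTHELIA_*` environment variable or its `_FILE` secret variant, which also avoids the startup error raised when a secret is defined in both the file and the environment. If the filter is intentionally relied on, say so next to each placeholder: `# expanded only with X_AUTHELIA_CONFIG_FILTERS=expand-env; never run with the literal placeholder`.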
@@ -37,51 +27,19 @@ totp:
 skew: 1 secret_size: 32 -## WebAuthn Configuration webauthn: disable: false display_name: 'Authelia' attestation_conveyance_preference: 'indirect' selection_criteria: - user_verification: 'preferred' # migrated from deprecated webauthn.user_verification + user_verification: 'preferred' timeout: '60s' -## Duo Push API Configuration (optional) -# duo_api: -# hostname: 'api-123456789.duosecurity.com' -# integration_key: 'ABCDEF' -# secret_key: 'GHIJKLMNOPQRSTUVWXYZ' - -## Authentication Backend Configuration authentication_backend: - ## Password Reset password_reset: disable: false custom_url: '' - - ## Refresh Interval refresh_interval: '5m' - - ## LDAP Configuration (uncomment and configure if using LDAP) - # ldap: - # implementation: 'custom' - # address: 'ldap://127.0.0.1:389' - # timeout: '5s' - # start_tls: false - # skip_verify: false - # base_dn: 'dc=example,dc=com' - # username_attribute: 'uid' - # additional_users_dn: 'ou=users' - # users_filter: '(&({username_attribute}={input})(objectClass=person))' - # additional_groups_dn: 'ou=groups' - # groups_filter: '(&(member={dn})(objectclass=groupOfNames))' - # group_name_attribute: 'cn' - # mail_attribute: 'mail' - # display_name_attribute: 'displayName' - # user: 'cn=admin,dc=example,dc=com' - # password: 'password' - - ## File Configuration file: path: '/config/users_database.yml' watch: false 
@@ -98,150 +56,48 @@ authentication_backend:
 key_length: 32 salt_length: 16 -## Access Control Configuration access_control: - ## Default Policy - # Baseline policy when no rule matches. Choose two_factor for stronger default. default_policy: 'two_factor' - - ## Networks (optional, for IP-based rules) networks: - name: 'internal' networks: - '10.0.0.0/8' - '172.16.0.0/12' - '192.168.0.0/16' - - ## Rules rules: - # Authelia portal itself is bypassed so users can reach the login UI - domain: 'auth.gate.3launchpad.com' policy: 'bypass' - - # Admin-only services require 2FA and membership in admins group - domain: - 'traefik.gate.3launchpad.com' - 'portainer.gate.3launchpad.com' policy: 'two_factor' subject: - 'group:admins' - - # All other subdomains require at least one factor - domain: '*.gate.3launchpad.com' policy: 'one_factor' -## Session Configuration session: - ## Session Name name: 'authelia_session' - - ## Session Secret (do not hardcode; provided via env var) secret: '${AUTHELIA_SESSION_SECRET}' - - ## Session Expiration / Activity expiration: 1h inactivity: 5m - - ## Remember Me (replaces deprecated remember_me_duration) remember_me: 1M - - ## Cookie-based configuration (domain key removed to avoid conflict) cookies: - domain: 'gate.3launchpad.com' authelia_url: 'https://auth.gate.3launchpad.com' default_redirection_url: 'https://gate.3launchpad.com' - ## Redis Configuration (uncomment if using Redis) - # redis: - # host: 'redis' - # port: 6379 - # password: '' - # database_index: 0 - # maximum_active_connections: 8 - # minimum_idle_connections: 0 - -## Regulation Configuration regulation: max_retries: 3 find_time: '2m' ban_time: '5m' -## Storage Configuration storage: - ## Encryption key is required (newer versions). Provide via env var. 
- encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}' # must be 32+ chars, consistent across restarts + encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}' local: path: '/config/db.sqlite3' - ## MySQL Configuration (alternative to local) - # mysql: - # address: 'tcp://mysql:3306' - # database: 'authelia' - # username: 'authelia' - # password: 'password' - # timeout: '5s' - - ## PostgreSQL Configuration (alternative to local) - # postgres: - # address: 'tcp://postgres:5432' - # database: 'authelia' - # schema: 'public' - # username: 'authelia' - # password: 'password' - # timeout: '5s' - # ssl: - # mode: 'disable' - -## Notification Configuration notifier: - ## Disable Startup Check disable_startup_check: false - - ## File System Notifier (for development/testing) filesystem: filename: '/config/notification.txt' - - ## SMTP Configuration (for production) - # smtp: - # address: 'smtp://mail.example.com:587' - # username: 'authelia@example.com' - # password: 'password' - # sender: 'Authelia ' - # identifier: 'authelia' - # subject: '[Authelia] {title}' - # startup_check_address: 'test@authelia.com' - # disable_require_tls: false - # disable_html_emails: false - # disable_starttls: false - # tls: - # skip_verify: false - # minimum_version: 'TLS1.2' - # maximum_version: 'TLS1.3' - -## Identity Providers Configuration (optional) -# identity_providers: -# oidc: -# hmac_secret: 'GENERATE_RANDOM_HMAC_SECRET' -# issuer_private_key: | -# -----BEGIN RSA PRIVATE KEY----- -# ... -# -----END RSA PRIVATE KEY----- -# access_token_lifespan: '1h' -# authorize_code_lifespan: '1m' -# id_token_lifespan: '1h' -# refresh_token_lifespan: '90m' -# enable_client_debug_messages: false -# clients: -# - id: 'myapp' -# description: 'My Application' -# secret: '$pbkdf2-sha512$310000$...' 
-# public: false -# authorization_policy: 'two_factor' -# redirect_uris: -# - 'https://myapp.example.com/callback' -# scopes: -# - 'openid' -# - 'profile' -# - 'email' -# - 'groups' -# userinfo_signing_algorithm: 'none'
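Review bot: Removing `- domain: 'gate.3launchpad.com'` from `session.cookies` leaves a cookie entry with no `domain`, which Authelia documents as a required per-cookie option, and since that line appears to carry the list-item marker, the remaining `authelia_url` and `default_redirection_url` lines no longer form a list entry as far as the collapsed diff shows; expect a validation failure rather than a working "minimal validated" config. The `domain` value also bounds where the session cookie is sent, so it should be explicit: restore `- domain: 'gate.3launchpad.com'` as the first line of that entry. Dropping the inline comment on `encryption_key` removed the only statement of its operational constraint; keep something like `# must stay stable across restarts; changing it makes the existing sqlite data undecryptable` beside it. With `password_reset.disable: false` in the previous hunk and `filesystem` now the only notifier, reset links are written to `/config/notification.txt` on disk, which is worth stating in a comment if this file is meant for production rather than testing.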