elfateh/launchpad-gateway
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Refactor Authelia configuration for clarity and remove deprecated comments

Browse Source
This commit is contained in:
Mohmmed Elfateh Sabry
2025-08-11 13:50:27 +03:00
parent 6e192128b9
commit e77f5f4caa
1 changed files with 3 additions and 147 deletions
Download Patch File Download Diff File Expand all files Collapse all files

150
authelia/configuration.yml
View File

@@ -1,33 +1,23 @@
--- ---
# Authelia Configuration File # Minimal validated Authelia configuration
## Server Configuration
server: server:
## Server options
address: 'tcp://:9091' address: 'tcp://:9091'
# asset_path removed (directory didn't exist). Re-add if you mount custom portal assets.
## Endpoints
endpoints: endpoints:
authz: authz:
forward-auth: forward-auth:
implementation: 'ForwardAuth' implementation: 'ForwardAuth'
## Log Configuration
log: log:
level: 'info' level: 'info'
format: 'text' format: 'text'
## Theme Configuration
theme: 'light' theme: 'light'
## Identity Validation / Password Reset JWT (replaces deprecated jwt_secret)
identity_validation: identity_validation:
reset_password: reset_password:
jwt_secret: '${AUTHELIA_JWT_SECRET}' jwt_secret: '${AUTHELIA_JWT_SECRET}'
# Ensure AUTHELIA_JWT_SECRET is defined in environment (.env/Secrets) or startup will fail.
## TOTP Configuration
totp: totp:
disable_reuse_security_policy: false disable_reuse_security_policy: false
issuer: 'Authelia' issuer: 'Authelia'
@@ -37,51 +27,19 @@ totp:
skew: 1 skew: 1
secret_size: 32 secret_size: 32
## WebAuthn Configuration
webauthn: webauthn:
disable: false disable: false
display_name: 'Authelia' display_name: 'Authelia'
attestation_conveyance_preference: 'indirect' attestation_conveyance_preference: 'indirect'
selection_criteria: selection_criteria:
user_verification: 'preferred' # migrated from deprecated webauthn.user_verification user_verification: 'preferred'
timeout: '60s' timeout: '60s'
## Duo Push API Configuration (optional)
# duo_api:
# hostname: 'api-123456789.duosecurity.com'
# integration_key: 'ABCDEF'
# secret_key: 'GHIJKLMNOPQRSTUVWXYZ'
## Authentication Backend Configuration
authentication_backend: authentication_backend:
## Password Reset
password_reset: password_reset:
disable: false disable: false
custom_url: '' custom_url: ''
## Refresh Interval
refresh_interval: '5m' refresh_interval: '5m'
## LDAP Configuration (uncomment and configure if using LDAP)
# ldap:
# implementation: 'custom'
# address: 'ldap://127.0.0.1:389'
# timeout: '5s'
# start_tls: false
# skip_verify: false
# base_dn: 'dc=example,dc=com'
# username_attribute: 'uid'
# additional_users_dn: 'ou=users'
# users_filter: '(&({username_attribute}={input})(objectClass=person))'
# additional_groups_dn: 'ou=groups'
# groups_filter: '(&(member={dn})(objectclass=groupOfNames))'
# group_name_attribute: 'cn'
# mail_attribute: 'mail'
# display_name_attribute: 'displayName'
# user: 'cn=admin,dc=example,dc=com'
# password: 'password'
## File Configuration
file: file:
path: '/config/users_database.yml' path: '/config/users_database.yml'
watch: false watch: false
@@ -98,150 +56,48 @@ authentication_backend:
key_length: 32 key_length: 32
salt_length: 16 salt_length: 16
## Access Control Configuration
access_control: access_control:
## Default Policy
# Baseline policy when no rule matches. Choose two_factor for stronger default.
default_policy: 'two_factor' default_policy: 'two_factor'
## Networks (optional, for IP-based rules)
networks: networks:
- name: 'internal' - name: 'internal'
networks: networks:
- '10.0.0.0/8' - '10.0.0.0/8'
- '172.16.0.0/12' - '172.16.0.0/12'
- '192.168.0.0/16' - '192.168.0.0/16'
## Rules
rules: rules:
# Authelia portal itself is bypassed so users can reach the login UI
- domain: 'auth.gate.3launchpad.com' - domain: 'auth.gate.3launchpad.com'
policy: 'bypass' policy: 'bypass'
# Admin-only services require 2FA and membership in admins group
- domain: - domain:
- 'traefik.gate.3launchpad.com' - 'traefik.gate.3launchpad.com'
- 'portainer.gate.3launchpad.com' - 'portainer.gate.3launchpad.com'
policy: 'two_factor' policy: 'two_factor'
subject: subject:
- 'group:admins' - 'group:admins'
# All other subdomains require at least one factor
- domain: '*.gate.3launchpad.com' - domain: '*.gate.3launchpad.com'
policy: 'one_factor' policy: 'one_factor'
## Session Configuration
session: session:
## Session Name
name: 'authelia_session' name: 'authelia_session'
## Session Secret (do not hardcode; provided via env var)
secret: '${AUTHELIA_SESSION_SECRET}' secret: '${AUTHELIA_SESSION_SECRET}'
## Session Expiration / Activity
expiration: 1h expiration: 1h
inactivity: 5m inactivity: 5m
## Remember Me (replaces deprecated remember_me_duration)
remember_me: 1M remember_me: 1M
## Cookie-based configuration (domain key removed to avoid conflict)
cookies: cookies:
- domain: 'gate.3launchpad.com' - domain: 'gate.3launchpad.com'
authelia_url: 'https://auth.gate.3launchpad.com' authelia_url: 'https://auth.gate.3launchpad.com'
default_redirection_url: 'https://gate.3launchpad.com' default_redirection_url: 'https://gate.3launchpad.com'
## Redis Configuration (uncomment if using Redis)
# redis:
# host: 'redis'
# port: 6379
# password: ''
# database_index: 0
# maximum_active_connections: 8
# minimum_idle_connections: 0
## Regulation Configuration
regulation: regulation:
max_retries: 3 max_retries: 3
find_time: '2m' find_time: '2m'
ban_time: '5m' ban_time: '5m'
## Storage Configuration
storage: storage:
## Encryption key is required (newer versions). Provide via env var. encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}' # must be 32+ chars, consistent across restarts
local: local:
path: '/config/db.sqlite3' path: '/config/db.sqlite3'
## MySQL Configuration (alternative to local)
# mysql:
# address: 'tcp://mysql:3306'
# database: 'authelia'
# username: 'authelia'
# password: 'password'
# timeout: '5s'
## PostgreSQL Configuration (alternative to local)
# postgres:
# address: 'tcp://postgres:5432'
# database: 'authelia'
# schema: 'public'
# username: 'authelia'
# password: 'password'
# timeout: '5s'
# ssl:
# mode: 'disable'
## Notification Configuration
notifier: notifier:
## Disable Startup Check
disable_startup_check: false disable_startup_check: false
## File System Notifier (for development/testing)
filesystem: filesystem:
filename: '/config/notification.txt' filename: '/config/notification.txt'
## SMTP Configuration (for production)
# smtp:
# address: 'smtp://mail.example.com:587'
# username: 'authelia@example.com'
# password: 'password'
# sender: 'Authelia <authelia@example.com>'
# identifier: 'authelia'
# subject: '[Authelia] {title}'
# startup_check_address: 'test@authelia.com'
# disable_require_tls: false
# disable_html_emails: false
# disable_starttls: false
# tls:
# skip_verify: false
# minimum_version: 'TLS1.2'
# maximum_version: 'TLS1.3'
## Identity Providers Configuration (optional)
# identity_providers:
# oidc:
# hmac_secret: 'GENERATE_RANDOM_HMAC_SECRET'
# issuer_private_key: |
# -----BEGIN RSA PRIVATE KEY-----
# ...
# -----END RSA PRIVATE KEY-----
# access_token_lifespan: '1h'
# authorize_code_lifespan: '1m'
# id_token_lifespan: '1h'
# refresh_token_lifespan: '90m'
# enable_client_debug_messages: false
# clients:
# - id: 'myapp'
# description: 'My Application'
# secret: '$pbkdf2-sha512$310000$...'
# public: false
# authorization_policy: 'two_factor'
# redirect_uris:
# - 'https://myapp.example.com/callback'
# scopes:
# - 'openid'
# - 'profile'
# - 'email'
# - 'groups'
# userinfo_signing_algorithm: 'none'