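---
# Authelia Configuration File
#
# Secrets below are written as '${VAR}' placeholders. NOTE(review): Authelia does
# not expand shell-style placeholders on its own; this file assumes the
# expand-env configuration filter is enabled at startup (or that the deployment
# maps these values some other way). If it is not, the literal placeholder text
# becomes the secret — confirm against the container/compose setup before relying
# on it.

## Server Configuration
server:
  ## Server options
  address: 'tcp://:9091'
  # asset_path removed (directory didn't exist). Re-add if you mount custom portal assets.

  ## Endpoints
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'

## Log Configuration
log:
  level: 'info'
  format: 'text'

## Theme Configuration
theme: 'light'

## Identity Validation / Password Reset JWT (replaces deprecated jwt_secret)
identity_validation:
  reset_password:
    # Ensure AUTHELIA_JWT_SECRET is defined in environment (.env/Secrets) or startup will fail.
    jwt_secret: '${AUTHELIA_JWT_SECRET}'

## TOTP Configuration
totp:
  disable_reuse_security_policy: false
  issuer: 'Authelia'
  algorithm: 'sha1'
  digits: 6
  period: 30
  skew: 1
  secret_size: 32

## WebAuthn Configuration
webauthn:
  disable: false
  display_name: 'Authelia'
  attestation_conveyance_preference: 'indirect'
  selection_criteria:
    # migrated from deprecated webauthn.user_verification
    user_verification: 'preferred'
  timeout: '60s'

## Duo Push API Configuration (optional)
# duo_api:
#   hostname: 'api-123456789.duosecurity.com'
#   integration_key: 'ABCDEF'
#   secret_key: 'GHIJKLMNOPQRSTUVWXYZ'

## Authentication Backend Configuration
authentication_backend:
  ## Password Reset
  password_reset:
    disable: false
    custom_url: ''

  ## Refresh Interval
  refresh_interval: '5m'

  ## LDAP Configuration (uncomment and configure if using LDAP)
  # ldap:
  #   implementation: 'custom'
  #   address: 'ldap://127.0.0.1:389'
  #   timeout: '5s'
  #   start_tls: false
  #   skip_verify: false
  #   base_dn: 'dc=example,dc=com'
  #   username_attribute: 'uid'
  #   additional_users_dn: 'ou=users'
  #   users_filter: '(&({username_attribute}={input})(objectClass=person))'
  #   additional_groups_dn: 'ou=groups'
  #   groups_filter: '(&(member={dn})(objectclass=groupOfNames))'
  #   group_name_attribute: 'cn'
  #   mail_attribute: 'mail'
  #   display_name_attribute: 'displayName'
  #   user: 'cn=admin,dc=example,dc=com'
  #   password: 'password'

  ## File Configuration
  file:
    path: '/config/users_database.yml'
    watch: false
    search:
      email: false
      case_insensitive: false
    password:
      algorithm: 'argon2'
      argon2:
        variant: 'argon2id'
        iterations: 3
        memory: 65536
        parallelism: 4
        key_length: 32
        salt_length: 16

## Access Control Configuration
access_control:
  ## Default Policy
  # Baseline policy when no rule matches. Choose two_factor for stronger default.
  default_policy: 'two_factor'

  ## Networks (optional, for IP-based rules)
  networks:
    - name: 'internal'
      networks:
        - '10.0.0.0/8'
        - '172.16.0.0/12'
        - '192.168.0.0/16'

  ## Rules
  # Rules are evaluated top-down; the first rule whose domain AND subject (and
  # any other criteria) match decides the policy.
  rules:
    # Authelia portal itself is bypassed so users can reach the login UI
    - domain: 'auth.gate.3launchpad.com'
      policy: 'bypass'

    # Admin-only services require 2FA and membership in admins group
    - domain:
        - 'traefik.gate.3launchpad.com'
        - 'portainer.gate.3launchpad.com'
      policy: 'two_factor'
      subject:
        - 'group:admins'

    # The rule above only matches members of group:admins. Without an explicit
    # deny, any other authenticated user would fall through to the wildcard rule
    # below and be granted one_factor access to the admin services.
    - domain:
        - 'traefik.gate.3launchpad.com'
        - 'portainer.gate.3launchpad.com'
      policy: 'deny'

    # All other subdomains require at least one factor
    - domain: '*.gate.3launchpad.com'
      policy: 'one_factor'

## Session Configuration
session:
  ## Session Name
  name: 'authelia_session'

  ## Session Secret (do not hardcode; provided via env var)
  secret: '${AUTHELIA_SESSION_SECRET}'

  ## Session Expiration / Activity
  # Durations are quoted for consistency with the rest of the file (plain 1h / 5m
  # also parse as strings; quoting just makes the intent explicit).
  expiration: '1h'
  inactivity: '5m'

  ## Remember Me (replaces deprecated remember_me_duration)
  remember_me: '1M'

  ## Cookie-based configuration (domain key removed to avoid conflict)
  cookies:
    - domain: 'gate.3launchpad.com'
      authelia_url: 'https://auth.gate.3launchpad.com'
      default_redirection_url: 'https://gate.3launchpad.com'

  ## Redis Configuration (uncomment if using Redis)
  # redis:
  #   host: 'redis'
  #   port: 6379
  #   password: ''
  #   database_index: 0
  #   maximum_active_connections: 8
  #   minimum_idle_connections: 0

## Regulation Configuration
regulation:
  max_retries: 3
  find_time: '2m'
  ban_time: '5m'

## Storage Configuration
storage:
  ## Encryption key is required (newer versions). Provide via env var.
  # must be 32+ chars, consistent across restarts
  encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'

  local:
    path: '/config/db.sqlite3'

  ## MySQL Configuration (alternative to local)
  # mysql:
  #   address: 'tcp://mysql:3306'
  #   database: 'authelia'
  #   username: 'authelia'
  #   password: 'password'
  #   timeout: '5s'

  ## PostgreSQL Configuration (alternative to local)
  # postgres:
  #   address: 'tcp://postgres:5432'
  #   database: 'authelia'
  #   schema: 'public'
  #   username: 'authelia'
  #   password: 'password'
  #   timeout: '5s'
  #   ssl:
  #     mode: 'disable'

## Notification Configuration
notifier:
  ## Disable Startup Check
  disable_startup_check: false

  ## File System Notifier (for development/testing)
  # NOTE(review): with this notifier, identity-verification messages are written
  # to the file below instead of being emailed; restrict read access to that
  # file and switch to smtp before real users depend on password resets.
  filesystem:
    filename: '/config/notification.txt'

  ## SMTP Configuration (for production)
  # smtp:
  #   address: 'smtp://mail.example.com:587'
  #   username: 'authelia@example.com'
  #   password: 'password'
  #   sender: 'Authelia '
  #   identifier: 'authelia'
  #   subject: '[Authelia] {title}'
  #   startup_check_address: 'test@authelia.com'
  #   disable_require_tls: false
  #   disable_html_emails: false
  #   disable_starttls: false
  #   tls:
  #     skip_verify: false
  #     minimum_version: 'TLS1.2'
  #     maximum_version: 'TLS1.3'

## Identity Providers Configuration (optional)
# identity_providers:
#   oidc:
#     hmac_secret: 'GENERATE_RANDOM_HMAC_SECRET'
#     issuer_private_key: |
#       -----BEGIN RSA PRIVATE KEY-----
#       ...
#       -----END RSA PRIVATE KEY-----
#     access_token_lifespan: '1h'
#     authorize_code_lifespan: '1m'
#     id_token_lifespan: '1h'
#     refresh_token_lifespan: '90m'
#     enable_client_debug_messages: false
#     clients:
#       - id: 'myapp'
#         description: 'My Application'
#         secret: '$pbkdf2-sha512$310000$...'
#         public: false
#         authorization_policy: 'two_factor'
#         redirect_uris:
#           - 'https://myapp.example.com/callback'
#         scopes:
#           - 'openid'
#           - 'profile'
#           - 'email'
#           - 'groups'
#         userinfo_signing_algorithm: 'none'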