153 lines
4.6 KiB
YAML
153 lines
4.6 KiB
YAML
# authelia/configuration.yml
|
|
# Authelia v4 configuration for: auth.gate.3launchpad.com
|
|
# Behind Traefik (forward-auth), Redis for sessions, SQLite storage.
|
|
# ⚠️ Replace all "changeme_*" values or (better) override via env vars:
|
|
# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
|
|
|
|
#########################################################
|
|
# Server & Logging
|
|
#########################################################
|
|
server:
|
|
address: "tcp://0.0.0.0:9091" # Traefik talks to this
|
|
buffers:
|
|
read: 4096
|
|
write: 4096
|
|
log:
|
|
level: info
|
|
theme: auto
|
|
|
|
# Where to send users if they hit a protected resource without a Referer
|
|
default_redirection_url: "https://traefik.gate.3launchpad.com/"
|
|
|
|
#########################################################
|
|
# Secrets (use env vars in production)
|
|
#########################################################
|
|
# Prefer setting via Docker env:
|
|
# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
|
|
jwt_secret: "changeme_jwt_secret"
|
|
|
|
#########################################################
|
|
# Authentication Backend (local file)
|
|
#########################################################
|
|
authentication_backend:
|
|
file:
|
|
path: /config/users_database.yml
|
|
# New hashes should be argon2id. Use: `authelia crypto hash generate argon2`
|
|
password:
|
|
algorithm: argon2id
|
|
iterations: 3
|
|
memory: 64
|
|
parallelism: 4
|
|
salt_length: 16
|
|
key_length: 32
|
|
|
|
#########################################################
|
|
# Access Control (who can access what)
|
|
#########################################################
|
|
access_control:
|
|
default_policy: deny
|
|
|
|
rules:
|
|
# Public status page
|
|
- domain: "status.gate.3launchpad.com"
|
|
policy: bypass
|
|
|
|
# Admin-only, require 2FA
|
|
- domain: "traefik.gate.3launchpad.com"
|
|
subject: ["group:admins"]
|
|
policy: two_factor
|
|
|
|
- domain: "portainer.gate.3launchpad.com"
|
|
subject: ["group:admins"]
|
|
policy: two_factor
|
|
|
|
# Admin/Devs with 1FA for these tools
|
|
- domain_regex: "(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com"
|
|
subject:
|
|
- "group:admins"
|
|
- "group:devs"
|
|
policy: one_factor
|
|
|
|
# Catch-all for any other subdomain under *.gate.3launchpad.com -> authenticated users
|
|
- domain: "*.gate.3launchpad.com"
|
|
subject:
|
|
- "group:users"
|
|
- "group:admins"
|
|
- "group:devs"
|
|
policy: one_factor
|
|
|
|
#########################################################
|
|
# Session (cookies + Redis)
|
|
#########################################################
|
|
session:
|
|
name: authelia_session
|
|
domain: "gate.3launchpad.com" # cookie scope (covers *.gate.3launchpad.com)
|
|
same_site: Lax
|
|
expiration: 1h
|
|
inactivity: 30m
|
|
remember_me_duration: 1M
|
|
# secret can be overridden by env AUTHELIA_SESSION_SECRET
|
|
secret: "changeme_session_secret"
|
|
redis:
|
|
host: redis
|
|
port: 6379
|
|
# tls: false
|
|
|
|
#########################################################
|
|
# Regulation (anti-bruteforce)
|
|
#########################################################
|
|
regulation:
|
|
max_retries: 3
|
|
find_time: 2m
|
|
ban_time: 10m
|
|
|
|
#########################################################
|
|
# Storage (SQLite on persistent volume)
|
|
#########################################################
|
|
storage:
|
|
encryption_key: "changeme_storage_key" # override via AUTHELIA_STORAGE_ENCRYPTION_KEY
|
|
local:
|
|
path: /config/db.sqlite3
|
|
|
|
#########################################################
|
|
# Notifier (choose one)
|
|
#########################################################
|
|
# For testing/dev: writes emails to a file
|
|
notifier:
|
|
filesystem:
|
|
filename: /config/notification.txt
|
|
|
|
# For production, comment the block above and use SMTP:
|
|
# notifier:
|
|
# smtp:
|
|
# address: "smtp.gmail.com:587"
|
|
# username: "no-reply@3launchpad.com"
|
|
# # password via env: AUTHELIA_NOTIFIER_SMTP_PASSWORD
|
|
# sender: "3Launchpad Auth <no-reply@3launchpad.com>"
|
|
# subject: "[3Launchpad] {title}"
|
|
# startup_check_address: "you@3launchpad.com"
|
|
# disable_require_tls: false
|
|
# tls:
|
|
# server_name: "smtp.gmail.com"
|
|
# skip_verify: false
|
|
|
|
#########################################################
|
|
# TOTP / Duo / WebAuthn (2FA)
|
|
#########################################################
|
|
totp:
|
|
issuer: "3launchpad.com"
|
|
period: 30
|
|
skew: 1
|
|
|
|
webauthn:
|
|
disable: false
|
|
timeout: 60s
|
|
display_name: "3Launchpad Gateway"
|
|
relying_party_id: "gate.3launchpad.com"
|
|
|
|
# If you plan to use Duo Push in the future:
|
|
# duo_api:
|
|
# hostname: api-XXXXXXXX.duosecurity.com
|
|
# integration_key: YOUR_IKEY
|
|
# # secret_key via env: AUTHELIA_DUO_API_SECRET_KEY
|