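# authelia/configuration.yml
#
# Authelia v4 for: auth.gate.3launchpad.com
#
# Behind Traefik (forward-auth), Redis sessions, SQLite storage.
#
# NOTE(review): some keys used here (session.domain, default_redirection_url,
# remember_me_duration, the flat file-password keys, top-level jwt_secret) have
# been relocated or deprecated in later 4.x releases — watch the startup log for
# deprecation warnings against the version actually deployed.

#########################################################
# Server & Logging
#########################################################

server:
  # Listen on all interfaces inside the container; this is the address the
  # Traefik forward-auth middleware talks to.
  address: "tcp://0.0.0.0:9091"
  buffers:
    read: 4096
    write: 4096

log:
  level: info

theme: auto

# Where to send users if they hit a protected resource without a Referer.
# Non-admin users landing here are refused by the traefik rule in access_control.
default_redirection_url: "https://traefik.gate.3launchpad.com/"

#########################################################
# Secrets (use env vars in production)
#########################################################
# Prefer env vars:
# AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
#
# The "changeme_*" values in this file are placeholders only: anyone who can
# read this file (or the repository history) can forge whatever they protect.
# When a secret is supplied through the environment, remove the matching key
# here — Authelia refuses to start when a secret is defined in both places
# (confirm for the deployed version).
jwt_secret: "changeme_jwt_secret"

#########################################################
# Authentication Backend (local file)
#########################################################

authentication_backend:
  file:
    path: /config/users_database.yml
    # argon2id parameters used when hashing passwords for the file backend.
    password:
      algorithm: argon2id
      iterations: 3
      memory: 64
      parallelism: 4
      salt_length: 16
      key_length: 32

#########################################################
# Access Control
#########################################################

access_control:
  # Requests matched by no rule below are refused. Rules are evaluated top to
  # bottom and the first match wins; a rule whose subject does not include the
  # current user is skipped, so evaluation continues down to the wildcard rule.
  default_policy: deny

  rules:
    # bypass disables authentication for this host entirely — keep it limited
    # to the public status page.
    - domain: "status.gate.3launchpad.com"
      policy: bypass

    # Admin-only hosts: require 2FA for admins and explicitly deny everyone
    # else. Without the deny rule a member of group:users or group:devs does
    # not match the admin rule, falls through to the "*.gate.3launchpad.com"
    # rule at the end and is granted one_factor access.
    - domain: "traefik.gate.3launchpad.com"
      subject: ["group:admins"]
      policy: two_factor
    - domain: "traefik.gate.3launchpad.com"
      policy: deny

    - domain: "portainer.gate.3launchpad.com"
      subject: ["group:admins"]
      policy: two_factor
    - domain: "portainer.gate.3launchpad.com"
      policy: deny

    # Observability/analytics hosts: admins and devs at one_factor; other
    # groups fall through to the wildcard rule below.
    - domain_regex: "(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com"
      subject:
        - "group:admins"
        - "group:devs"
      policy: one_factor

    # Catch-all for every remaining subdomain; must stay last.
    - domain: "*.gate.3launchpad.com"
      subject:
        - "group:users"
        - "group:admins"
        - "group:devs"
      policy: one_factor

#########################################################
# Session (cookies + Redis)
#########################################################

session:
  name: authelia_session
  # Cookie scope: shared by every *.gate.3launchpad.com host behind the portal.
  domain: "gate.3launchpad.com"
  same_site: lax  # <- fixed (was 'Lax')
  expiration: 1h
  inactivity: 30m
  remember_me_duration: 1M  # deprecated but auto-mapped; safe to keep
  # Placeholder — see the Secrets section above.
  secret: "changeme_session_secret"
  redis:
    host: redis
    port: 6379

#########################################################
# Regulation (anti-bruteforce)
#########################################################

regulation:
  # max_retries failed logins within find_time ban the user for ban_time.
  max_retries: 3
  find_time: 2m
  ban_time: 10m

#########################################################
# Storage (SQLite on persistent volume)
#########################################################

storage:
  # Placeholder — see the Secrets section above.
  encryption_key: "changeme_storage_key"
  local:
    path: /config/db.sqlite3

#########################################################
# Notifier
#########################################################

notifier:
  # Writes notifications to a file instead of sending mail; only someone with
  # access to /config can deliver them, so this suits single-operator or test
  # setups rather than a multi-user production deployment.
  filesystem:
    filename: /config/notification.txt

#########################################################
# 2FA: TOTP
#########################################################

totp:
  issuer: "3launchpad.com"
  period: 30
  # Accept one period of clock drift in each direction.
  skew: 1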