launchpad-gateway/authelia/configuration.yml

---
# Authelia Configuration File

## Server Configuration
server:
  ## Server options
  address: 'tcp://:9091'
  # asset_path removed (directory didn't exist). Re-add if you mount custom portal assets.
  
  ## Endpoints
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'

## Log Configuration
log:
  level: 'info'
  format: 'text'

## Theme Configuration
theme: 'light'

## Identity Validation / Password Reset JWT (replaces deprecated jwt_secret)
identity_validation:
  reset_password:
    jwt_secret: '${AUTHELIA_JWT_SECRET}'
  # Ensure AUTHELIA_JWT_SECRET is defined in environment (.env/Secrets) or startup will fail.

## TOTP Configuration
totp:
  disable_reuse_security_policy: false
  issuer: 'Authelia'
  algorithm: 'sha1'
  digits: 6
  period: 30
  skew: 1
  secret_size: 32

## WebAuthn Configuration
webauthn:
  disable: false
  display_name: 'Authelia'
  attestation_conveyance_preference: 'indirect'
  selection_criteria:
    user_verification: 'preferred'  # migrated from deprecated webauthn.user_verification
  timeout: '60s'

## Duo Push API Configuration (optional)
# duo_api:
#   hostname: 'api-123456789.duosecurity.com'
#   integration_key: 'ABCDEF'
#   secret_key: 'GHIJKLMNOPQRSTUVWXYZ'

## Authentication Backend Configuration
authentication_backend:
  ## Password Reset
  password_reset:
    disable: false
    custom_url: ''

  ## Refresh Interval
  refresh_interval: '5m'

  ## LDAP Configuration (uncomment and configure if using LDAP)
  # ldap:
  #   implementation: 'custom'
  #   address: 'ldap://127.0.0.1:389'
  #   timeout: '5s'
  #   start_tls: false
  #   skip_verify: false
  #   base_dn: 'dc=example,dc=com'
  #   username_attribute: 'uid'
  #   additional_users_dn: 'ou=users'
  #   users_filter: '(&({username_attribute}={input})(objectClass=person))'
  #   additional_groups_dn: 'ou=groups'
  #   groups_filter: '(&(member={dn})(objectclass=groupOfNames))'
  #   group_name_attribute: 'cn'
  #   mail_attribute: 'mail'
  #   display_name_attribute: 'displayName'
  #   user: 'cn=admin,dc=example,dc=com'
  #   password: 'password'

  ## File Configuration
  file:
    path: '/config/users_database.yml'
    watch: false
    search:
      email: false
      case_insensitive: false
    password:
      algorithm: 'argon2'
      argon2:
        variant: 'argon2id'
        iterations: 3
        memory: 65536
        parallelism: 4
        key_length: 32
        salt_length: 16

## Access Control Configuration
access_control:
  ## Default Policy
  # Baseline policy when no rule matches. Choose two_factor for stronger default.
  default_policy: 'two_factor'

  ## Networks (optional, for IP-based rules)
  networks:
    - name: 'internal'
      networks:
        - '10.0.0.0/8'
        - '172.16.0.0/12'
        - '192.168.0.0/16'

  ## Rules
  rules:
    # Authelia portal itself is bypassed so users can reach the login UI
    - domain: 'auth.gate.3launchpad.com'
      policy: 'bypass'

    # Admin-only services require 2FA and membership in admins group
    - domain:
        - 'traefik.gate.3launchpad.com'
        - 'portainer.gate.3launchpad.com'
      policy: 'two_factor'
      subject:
        - 'group:admins'

    # All other subdomains require at least one factor
    - domain: '*.gate.3launchpad.com'
      policy: 'one_factor'

## Session Configuration
session:
  ## Session Name
  name: 'authelia_session'

  ## Session Secret (do not hardcode; provided via env var)
  secret: '${AUTHELIA_SESSION_SECRET}'

  ## Session Expiration / Activity
  expiration: 1h
  inactivity: 5m

  ## Remember Me (replaces deprecated remember_me_duration)
  remember_me: 1M

  ## Cookie-based configuration (domain key removed to avoid conflict)
  cookies:
    - domain: 'gate.3launchpad.com'
      authelia_url: 'https://auth.gate.3launchpad.com'
      default_redirection_url: 'https://gate.3launchpad.com'

  ## Redis Configuration (uncomment if using Redis)
  # redis:
  #   host: 'redis'
  #   port: 6379
  #   password: ''
  #   database_index: 0
  #   maximum_active_connections: 8
  #   minimum_idle_connections: 0

## Regulation Configuration
regulation:
  max_retries: 3
  find_time: '2m'
  ban_time: '5m'

## Storage Configuration
storage:
  ## Encryption key is required (newer versions). Provide via env var.
  encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}' # must be 32+ chars, consistent across restarts
  local:
    path: '/config/db.sqlite3'

  ## MySQL Configuration (alternative to local)
  # mysql:
  #   address: 'tcp://mysql:3306'
  #   database: 'authelia'
  #   username: 'authelia'
  #   password: 'password'
  #   timeout: '5s'

  ## PostgreSQL Configuration (alternative to local)
  # postgres:
  #   address: 'tcp://postgres:5432'
  #   database: 'authelia'
  #   schema: 'public'
  #   username: 'authelia'
  #   password: 'password'
  #   timeout: '5s'
  #   ssl:
  #     mode: 'disable'

## Notification Configuration
notifier:
  ## Disable Startup Check
  disable_startup_check: false

  ## File System Notifier (for development/testing)
  filesystem:
    filename: '/config/notification.txt'

  ## SMTP Configuration (for production)
  # smtp:
  #   address: 'smtp://mail.example.com:587'
  #   username: 'authelia@example.com'
  #   password: 'password'
  #   sender: 'Authelia <authelia@example.com>'
  #   identifier: 'authelia'
  #   subject: '[Authelia] {title}'
  #   startup_check_address: 'test@authelia.com'
  #   disable_require_tls: false
  #   disable_html_emails: false
  #   disable_starttls: false
  #   tls:
  #     skip_verify: false
  #     minimum_version: 'TLS1.2'
  #     maximum_version: 'TLS1.3'

## Identity Providers Configuration (optional)
# identity_providers:
#   oidc:
#     hmac_secret: 'GENERATE_RANDOM_HMAC_SECRET'
#     issuer_private_key: |
#       -----BEGIN RSA PRIVATE KEY-----
#       ...
#       -----END RSA PRIVATE KEY-----
#     access_token_lifespan: '1h'
#     authorize_code_lifespan: '1m'
#     id_token_lifespan: '1h'
#     refresh_token_lifespan: '90m'
#     enable_client_debug_messages: false
#     clients:
#       - id: 'myapp'
#         description: 'My Application'
#         secret: '$pbkdf2-sha512$310000$...'
#         public: false
#         authorization_policy: 'two_factor'
#         redirect_uris:
#           - 'https://myapp.example.com/callback'
#         scopes:
#           - 'openid'
#           - 'profile'
#           - 'email'
#           - 'groups'
#         userinfo_signing_algorithm: 'none'