114 lines
4.8 KiB
YAML
114 lines
4.8 KiB
YAML
|
############
|
|||
|
|
# Authelia #
|
|||
|
|
############
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# General Configuration
|
|||
|
|
# ---------------------
|
|||
|
|
container_authelia_version: latest # Authelia container image tag/version
|
|||
|
|
container_authelia_domain: authelia.example.com # Fully Qualified Domain Name (FQDN) for Authelia
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# Server Settings
|
|||
|
|
# ---------------------
|
|||
|
|
container_authelia_server_port: 9091 # Port on which Authelia will listen
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# Logging
|
|||
|
|
# ---------------------
|
|||
|
|
container_authelia_log_level: debug # Log level: trace, debug, info, warn, error
|
|||
|
|
container_authelia_log_file_path: /var/log/authelia/authelia.log # Path to log file
|
|||
|
|
container_authelia_log_keep_stdout: true # Also log to STDOUT (recommended for containers)
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# Identity Validation / Password Reset
|
|||
|
|
# ---------------------
|
|||
|
|
container_authelia_elevated_session_2fa: true # Require 2FA for elevated sessions
|
|||
|
|
container_authelia_jwt_lifespan: "5 minutes" # Expiration time for password reset links
|
|||
|
|
container_authelia_jwt_secret: "nyt4JDvuhU6SGp7H0vaEs0rfGETjI26fRQPJZzwdWPuXsmHdAun2hryiJDyDPRuC" # docker run --rm authelia/authelia:latest authelia crypto rand --length 64 --charset alphanumeric
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# TOTP (Two-Factor Authentication)
|
|||
|
|
# ---------------------
|
|||
|
|
container_authelia_totp_disable: false # Disable TOTP (false = enabled)
|
|||
|
|
container_authelia_totp_issuer: example.com # Issuer name shown in authenticator apps
|
|||
|
|
container_authelia_totp_period: 30 # Time interval in seconds
|
|||
|
|
container_authelia_totp_skew: 1 # Allowed time drift (in periods)
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# Password Policy (Zxcvbn)
|
|||
|
|
# ---------------------
|
|||
|
|
container_authelia_zxcvbn_enabled: true # Enable password strength validation
|
|||
|
|
container_authelia_zxcvbn_min_score: 4 # Minimum strength score (0–4)
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# Authentication Backend (File-based)
|
|||
|
|
# ---------------------
|
|||
|
|
container_authelia_auth_file_path: /config/users.yml # Path to user configuration file
|
|||
|
|
container_authelia_auth_algorithm: argon2 # Password hashing algorithm
|
|||
|
|
container_authelia_auth_argon2_variant: argon2id
|
|||
|
|
container_authelia_auth_argon2_iterations: 3
|
|||
|
|
container_authelia_auth_argon2_memory: 65535
|
|||
|
|
container_authelia_auth_argon2_parallelism: 4
|
|||
|
|
container_authelia_auth_argon2_key_length: 32
|
|||
|
|
container_authelia_auth_argon2_salt_length: 16
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# Access Control
|
|||
|
|
# ---------------------
|
|||
|
|
container_authelia_access_default_policy: deny # Default access policy (deny/one_factor/two_factor)
|
|||
|
|
container_authelia_access_rules:
|
|||
|
|
- domain: "traefik.example.com"
|
|||
|
|
policy: "one_factor"
|
|||
|
|
- domain: "whoami-secure.example.com"
|
|||
|
|
policy: "two_factor"
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# Session Configuration
|
|||
|
|
# ---------------------
|
|||
|
|
container_authelia_session_name: authelia_session # Name of the session cookie
|
|||
|
|
container_authelia_session_key: "zB3d7gTWVbhB5jFQVkjtxfhVZ4aEaFwKHWNa81jjqSL7JgV5HmqOAULDhlJA0muI" # docker run --rm authelia/authelia:latest authelia crypto rand --length 64 --charset alphanumeric
|
|||
|
|
container_authelia_session_cookies:
|
|||
|
|
- domain: "example.com"
|
|||
|
|
authelia_url: "https://auth.example.com"
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# Security Regulation (Brute Force Protection)
|
|||
|
|
# ---------------------
|
|||
|
|
container_authelia_regulation_max_retries: 4 # Max failed login attempts before ban
|
|||
|
|
container_authelia_regulation_find_time: 120 # Time window to count failed attempts (in seconds)
|
|||
|
|
container_authelia_regulation_ban_time: 300 # Ban duration after reaching retry limit (in seconds)
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# Storage
|
|||
|
|
# ---------------------
|
|||
|
|
|
|||
|
|
container_authelia_storage_encryption_key: "B4g3XlMfiBJPUXqrZmxfE1CccUASi1r2Cxpr8q9QbmQ3Rvx1RDJvZ1J3DTqkR2a5" # docker run --rm authelia/authelia:latest authelia crypto rand --length 64 --charset alphanumeric
|
|||
|
|
container_authelia_storage_path: /config/db.sqlite3 # Path to SQLite storage file
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# Notifications
|
|||
|
|
# ---------------------
|
|||
|
|
container_authelia_notifier_disable_startup_check: false # Disable notifier startup check (recommended: false)
|
|||
|
|
container_authelia_notifier_file: /config/notification.txt # File path used for file-based notifications
|
|||
|
|
|
|||
|
|
# ---------------------
|
|||
|
|
# User Configuration (for file-based backend)
|
|||
|
|
# ---------------------
|
|||
|
|
# !! SECURITY WARNING !!:
|
|||
|
|
# Passwords must always be hashed (argon2, bcrypt, sha512, etc.).
|
|||
|
|
# Never store plain-text passwords in production.
|
|||
|
|
# Use this guide to generate secure hashes:
|
|||
|
|
# https://www.authelia.com/reference/guides/passwords/#passwords
|
|||
|
|
|
|||
|
|
container_authelia_users:
|
|||
|
|
- username: authelia
|
|||
|
|
displayname: 'Authelia User'
|
|||
|
|
# docker run --rm -it authelia/authelia:latest authelia crypto hash generate argon2
|
|||
|
|
# !! Replace the password with a secure hashed password
|
|||
|
|
password: '$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/'
|
|||
|
|
email: 'authelia@authelia.com'
|
|||
|
|
groups:
|
|||
|
|
- 'admin'
|
|||
|
|
- 'dev'
|