From f704e3f3f2a2b8a7298563be61f92af6346f1729 Mon Sep 17 00:00:00 2001
From: "Trez.One"
Date: Wed, 12 Mar 2025 18:47:23 -0400
Subject: [PATCH] Adding Authelia config for Ansible.
---
 .../app-configs/authelia_configuration.yml.j2 | 137 ++++++++++++++++++
 1 file changed, 137 insertions(+)
 create mode 100644 ansible/app-configs/authelia_configuration.yml.j2
diff --git a/ansible/app-configs/authelia_configuration.yml.j2 b/ansible/app-configs/authelia_configuration.yml.j2
new file mode 100644
index 00000000..1628d560
--- /dev/null
+++ b/ansible/app-configs/authelia_configuration.yml.j2
@@ -0,0 +1,137 @@
+---
+theme: auto
+default_2fa_method: "totp"
+server:
+ address: '0.0.0.0:9091'
+ endpoints:
+ enable_pprof: false
+ enable_expvars: false
+ disable_healthcheck: false
+ tls:
+ key: ""
+ certificate: ""
+ client_certificates: []
+ headers:
+ csp_template: ""
+log:
+ level: debug
+telemetry:
+ metrics:
+ enabled: true
+ address: tcp://0.0.0.0:9959
+totp:
+ disable: false
+ issuer: authelia.com
+ algorithm: sha256
+ digits: 6
+ period: 30
+ skew: 1
+ secret_size: 32
+webauthn:
+ disable: false
+ timeout: 60s
+ display_name: Authelia
+ attestation_conveyance_preference: indirect
+ user_verification: preferred
+ntp:
+ address: "time.cloudflare.com:123"
+ version: 4
+ max_desync: 3s
+ disable_startup_check: false
+ disable_failure: false
+authentication_backend:
+ password_reset:
+ disable: false
+ custom_url: ""
+ ldap:
+ implementation: custom
+ address: ldap://lldap:3890
+ timeout: 5s
+ start_tls: false
+ base_dn: dc=trez,dc=wtf
+ additional_users_dn: ou=people
+ users_filter: "(&({username_attribute}={input})(objectClass=person))"
+ additional_groups_dn: ou=groups
+ groups_filter: "(member={dn})"
+ attributes:
+ username: uid
+ group_name: cn
+ mail: mail
+ display_name: displayName
+ user: uid=authelia,ou=people,dc=trez,dc=wtf
+ password: '{{ env AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD }}'
+ refresh_interval: 5m
+identity_validation:
+ reset_password:
+ jwt_secret: '{{ env AUTHELIA_JWT_SECRET }}'
+password_policy:
+ standard:
+ enabled: true
+ min_length: 8
+ max_length: 0
+ require_uppercase: true
+ require_lowercase: true
+ require_number: true
+ require_special: false
+ zxcvbn:
+ enabled: false
+ min_score: 3
+access_control:
+ default_policy: deny
+ networks:
+ - name: 'internal'
+ networks:
+ - '172.17.0.0/16'
+ - '172.18.0.0/16'
+ - '192.168.1.0/24'
+ rules:
+ - domain_regex:
+ - '^trez.wtf$'
+ - ^www.trez.wtf$''
+ policy: bypass
+ - domain: '*.trez.wtf'
+ policy: bypass
+ networks:
+ - 'internal'
+ - domain: '*.trez.wtf'
+ policy: one_factor
+ subject:
+ - ['user:the.trezured.one']
+session:
+ name: authelia_session
+ secret: '{{ env AUTHELIA_SESSION_SECRET }}'
+ expiration: 1h
+ inactivity: 5m
+ remember_me: 1M
+ cookies:
+ - domain: 'trez.wtf'
+ authelia_url: 'https://auth.trez.wtf'
+ redis:
+ host: redis
+ port: 6379
+storage:
+ encryption_key: '{{ env AUTHELIA_STORAGE_ENCRYPTION_KEY }}'
+ postgres:
+ address: 'tcp://authelia-pg:5432'
+ database: authelia
+ username: authelia
+ password: '{{ env AUTHELIA_STORAGE_POSTGRES_PASSWORD }}'
+ timeout: '5s'
+regulation:
+ max_retries: 3
+ find_time: 2m
+ ban_time: 5m
+notifier:
+ disable_startup_check: true
+ smtp:
+ address: 'smtp://postal-smtp:25'
+ timeout: '5s'
+ username: '{{ env AUTHELIA_NOTIFIER_SMTP_USERNAME }}'
+ password: '{{ env AUTHELIA_NOTIFIER_SMTP_PASSWORD }}'
+ sender: "Authelia "
+ identifier: 'localhost'
+ subject: "[Authelia] {title}"
+ startup_check_address: 'test@authelia.com'
+ disable_require_tls: true
+ disable_starttls: true
+ disable_html_emails: false
\ No newline at end of file
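Review bot: The second `domain_regex` entry of the first `access_control` rule, `- ^www.trez.wtf$''`, is an unquoted plain scalar, so the two trailing apostrophes become part of the pattern and `^www.trez.wtf$''` can never match a request host; the www bypass silently never applies, while the unescaped `.` in both patterns matches any character. Quote both entries and escape the dots: `- '^trez\.wtf$'` and `- '^www\.trez\.wtf$'`. Separately, the `internal` network grants `bypass` on `*.trez.wtf` and includes the Docker bridge ranges `172.17.0.0/16` and `172.18.0.0/16`; Authelia judges the client address from what the reverse proxy forwards, so if the proxy does not pass the original client IP every request would look internal and skip authentication entirely — a comment above `networks:` should name the proxy forwarding setting this rule depends on. The notifier also sets `disable_require_tls: true` and `disable_starttls: true`, so the SMTP username and password taken from the environment travel in cleartext to `postal-smtp:25`; this is only acceptable on a private container network, and a comment should say so.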