RPJosh
/
authelia
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

refactor: single quote yaml strings 

Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
refactor-yaml-commenting
James Elliott 2023-05-07 16:41:41 +10:00
parent fb5c285c25
commit 5013952bae
No known key found for this signature in database
GPG Key ID: 0F1C4A096E857E49
102 changed files with 2254 additions and 2227 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
.buildkite/pipeline.yml
View File

@ -4,44 +4,44 @@
# secret leaks.
steps:
# Blocking pipeline for master branch deployments (concurrency_group).
- label: ":pipeline: Setup Pipeline"
command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload"
- label: ':pipeline: Setup Pipeline'
command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload'
concurrency: 1
concurrency_group: "deployments"
if: build.branch == "master"
concurrency_group: 'deployments'
if: 'build.branch == "master"'
# Non-blocking pipeline for all others (tagged commits/local branches/PRs).
- label: ":pipeline: Setup Pipeline"
command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload"
if: build.branch != "master"
- label: ':pipeline: Setup Pipeline'
command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload'
if: 'build.branch != "master"'
- wait: # yamllint disable-line rule:empty-values
if: build.pull_request.repository.fork != true && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ # yamllint disable-line rule:line-length
if: 'build.pull_request.repository.fork != true && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/' # yamllint disable-line rule:line-length
# Manual intervention by team required to deploy for forked PRs (prevent secret leakage).
- block: "Public fork needs approval"
if: build.pull_request.repository.fork == true
- block: 'Public fork needs approval'
if: 'build.pull_request.repository.fork == true'
# Blocking deployment for master branch deployments (concurrency_group).
- label: ":rocket: Setup Deployment"
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
- label: ':rocket: Setup Deployment'
command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
concurrency: 1
concurrency_group: "deployments"
depends_on: ~
if: build.branch == "master" && build.message !~ /^docs/
concurrency_group: 'deployments'
depends_on: '~'
if: 'build.branch == "master" && build.message !~ /^docs/'
# Non-blocking deployment for all others (tagged commits/local branches).
- label: ":rocket: Setup Deployment"
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
- label: ':rocket: Setup Deployment'
command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
depends_on: ~
if: build.branch != "master" && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ && build.pull_request.repository.fork != true # yamllint disable-line rule:line-length
if: 'build.branch != "master" && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ && build.pull_request.repository.fork != true' # yamllint disable-line rule:line-length
# Removed dependency optimisation for forked PRs to enforce block step.
- label: ":rocket: Setup Deployment"
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
if: build.message !~ /^docs/ && build.pull_request.repository.fork == true
- label: ':rocket: Setup Deployment'
command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
if: 'build.message !~ /^docs/ && build.pull_request.repository.fork == true'
notify:
- webhook: "<REDACTED WEBHOOK_URL>"
if: build.state == "blocked"
- webhook: '<REDACTED WEBHOOK_URL>'
if: 'build.state == "blocked"'
...

34
.codecov.yml
View File

@ -3,42 +3,42 @@ codecov:
require_ci_to_pass: true
comment:
layout: "reach, diff, flags, files"
behavior: default
layout: 'reach, diff, flags, files'
behavior: 'default'
require_changes: false
coverage:
precision: 2
round: down
range: "70...100"
round: 'down'
range: '70...100'
status:
project:
default: false
backend:
base: auto
threshold: 0.15%
base: 'auto'
threshold: '0.15%'
flags:
- backend
- 'backend'
frontend:
base: auto
threshold: 0.15%
base: 'auto'
threshold: '0.15%'
flags:
- frontend
- 'frontend'
flags:
backend:
paths:
- "cmd/authelia/"
- "internal/"
- "!internal/suites/"
- 'cmd/authelia/'
- 'internal/'
- '!internal/suites/'
frontend:
paths:
- "web/"
- "!web/coverage/"
- 'web/'
- '!web/coverage/'
ignore:
- "web/src/serviceWorker.ts"
- "**/coverage.txt"
- 'web/src/serviceWorker.ts'
- '**/coverage.txt'
parsers:
gcov:

254
.github/ISSUE_TEMPLATE/bug-report.yml vendored
View File

@ -1,12 +1,12 @@
---
name: Bug Report
description: Report a bug
name: 'Bug Report'
description: 'Report a bug'
labels:
- type/bug/unconfirmed
- status/needs-triage
- priority/4/normal
- 'type/bug/unconfirmed'
- 'status/needs-triage'
- 'priority/4/normal'
body:
- type: markdown
- type: 'markdown'
attributes:
value: |
Thanks for taking the time to fill out this bug report. If you are unsure if this is actually a bug and you still need some form of support we generally recommend creating a [Question and Answer Discussion](https://github.com/authelia/authelia/discussions/new?category=q-a) first.
@ -25,160 +25,190 @@ body:
- Do not truncate any logs unless you are complying with the specific instructions in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section.
- If you plan on sanitizing, removing, or adjusting any values for the logs or configuration files please read the [Sanitization](https://www.authelia.com/r/troubleshooting#sanitization) section.
7. Please consider including a [HTTP Archive File](https://www.authelia.com/r/har) if you're having redirection issues.
- type: dropdown
id: version
- type: 'dropdown'
id: 'version'
attributes:
label: Version
description: What version(s) of Authelia can you reproduce this bug on?
label: |
Version
description: |
What version(s) of Authelia can you reproduce this bug on?
multiple: true
options:
- v4.37.5
- v4.37.4
- v4.37.3
- v4.37.2
- v4.37.1
- v4.37.0
- v4.36.9
- v4.36.8
- v4.36.7
- v4.36.6
- v4.36.5
- v4.36.4
- v4.36.3
- v4.36.2
- v4.36.1
- v4.36.0
- v4.35.6
- v4.35.5
- v4.35.4
- v4.35.3
- v4.35.2
- v4.35.1
- v4.35.0
- v4.34.6
- v4.34.5
- v4.34.4
- v4.34.3
- v4.34.2
- v4.34.1
- v4.34.0
- v4.33.2
- v4.33.1
- v4.33.0
- v4.32.2
- v4.32.1
- v4.32.0
- 'v4.37.5'
- 'v4.37.4'
- 'v4.37.3'
- 'v4.37.2'
- 'v4.37.1'
- 'v4.37.0'
- 'v4.36.9'
- 'v4.36.8'
- 'v4.36.7'
- 'v4.36.6'
- 'v4.36.5'
- 'v4.36.4'
- 'v4.36.3'
- 'v4.36.2'
- 'v4.36.1'
- 'v4.36.0'
- 'v4.35.6'
- 'v4.35.5'
- 'v4.35.4'
- 'v4.35.3'
- 'v4.35.2'
- 'v4.35.1'
- 'v4.35.0'
- 'v4.34.6'
- 'v4.34.5'
- 'v4.34.4'
- 'v4.34.3'
- 'v4.34.2'
- 'v4.34.1'
- 'v4.34.0'
- 'v4.33.2'
- 'v4.33.1'
- 'v4.33.0'
- 'v4.32.2'
- 'v4.32.1'
- 'v4.32.0'
validations:
required: true
- type: dropdown
id: deployment
- type: 'dropdown'
id: 'deployment'
attributes:
label: Deployment Method
description: How are you deploying Authelia?
label: |
Deployment Method
description: |
How are you deploying Authelia?
options:
- Docker
- Kubernetes
- Bare-metal
- Other
- 'Docker'
- 'Kubernetes'
- 'Bare-metal'
- 'Other'
validations:
required: true
- type: dropdown
id: proxy
- type: 'dropdown'
id: 'proxy'
attributes:
label: Reverse Proxy
description: What reverse proxy are you using?
label: |
Reverse Proxy
description: |
What reverse proxy are you using?
options:
- Caddy
- Traefik
- Envoy
- Istio
- NGINX
- SWAG
- NGINX Proxy Manager
- HAProxy
- 'Caddy'
- 'Traefik'
- 'Envoy'
- 'Istio'
- 'NGINX'
- 'SWAG'
- 'NGINX Proxy Manager'
- 'HAProxy'
validations:
required: true
- type: input
id: proxy-version
- type: 'input'
id: 'proxy-version'
attributes:
label: Reverse Proxy Version
description: What is the version of your reverse proxy?
placeholder: x.x.x
label: |
Reverse Proxy Version
description: |
What is the version of your reverse proxy?
placeholder: 'x.x.x'
validations:
required: false
- type: textarea
id: description
- type: 'textarea'
id: 'description'
attributes:
label: Description
description: Describe the bug.
label: |
Description
description: |
Describe the bug.
validations:
required: true
- type: textarea
id: reproduction
- type: 'textarea'
id: 'reproduction'
attributes:
label: Reproduction
description: Describe how we can reproduce this issue. This should be step by step and should include detailed and specific information. Abstract or generic information should be avoided. For example this should include specific application names and versions if relevant. Reproducing the issue is important so we can verify it exists, add relevant tests, and verify it is solved.
label: |
Reproduction
description: |
Describe how we can reproduce this issue. This should be step by step and should include detailed and specific information. Abstract or generic information should be avoided. For example this should include specific application names and versions if relevant. Reproducing the issue is important so we can verify it exists, add relevant tests, and verify it is solved.
validations:
required: true
- type: textarea
id: expectations
- type: 'textarea'
id: 'expectations'
attributes:
label: Expectations
description: Describe the desired or expected results.
label: |
Expectations
description: |
Describe the desired or expected results.
validations:
required: false
- type: textarea
id: configuration
- type: 'textarea'
id: 'configuration'
attributes:
label: Configuration (Authelia)
description: Provide a complete configuration file (the template will automatically put this content in a code block).
render: yaml
label: |
Configuration (Authelia)
description: |
Provide a complete configuration file (the template will automatically put this content in a code block).
render: 'yaml'
validations:
required: false
- type: textarea
id: logs
- type: 'textarea'
id: 'logs'
attributes:
label: Logs (Authelia)
label: |
Logs (Authelia)
description: |
Provide complete logs with the log level set to debug or trace. Complete means from application start until the issue occurring. This is clearly explained in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section of the troubleshooting guide.
The template will automatically put this content in a code block so you can just paste it.
render: shell
render: 'shell'
validations:
required: true
- type: textarea
id: logs-other
- type: 'textarea'
id: 'logs-other'
attributes:
label: Logs (Proxy / Application)
description: Provide complete debug logs for the affected proxy and/or application if available and relevant (the template will automatically put this content in a code block).
render: shell
label: |
Logs (Proxy / Application)
description: |
Provide complete debug logs for the affected proxy and/or application if available and relevant (the template will automatically put this content in a code block).
render: 'shell'
validations:
required: false
- type: textarea
id: documentation
- type: 'textarea'
id: 'documentation'
attributes:
label: Documentation
description: Provide any relevant specification or other documentation if applicable.
label: |
Documentation
description: |
Provide any relevant specification or other documentation if applicable.
validations:
required: false
- type: checkboxes
id: checklist
- type: 'checkboxes'
id: 'checklist'
attributes:
label: Pre-Submission Checklist
description: By submitting this issue confirm all of the following.
label: |
Pre-Submission Checklist
description: |
By submitting this issue confirm all of the following.
options:
- label: I agree to follow the [Code of Conduct](http://www.authelia.com/code-of-conduct)
- label: |
I agree to follow the [Code of Conduct](http://www.authelia.com/code-of-conduct)
required: true
- label: This is a bug report and not a support request
- label: |
This is a bug report and not a support request
required: true
- label: I have read the security policy and this bug report is not a security issue or security related issue
- label: |
I have read the security policy and this bug report is not a security issue or security related issue
required: true
- label: I have either included the complete configuration file or I am sure it's unrelated to the configuration
- label: |
I have either included the complete configuration file or I am sure it's unrelated to the configuration
required: true
- label: I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the [Troubleshooting Sanitization](https://www.authelia.com/r/sanitize) reference guide
- label: |
I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the [Troubleshooting Sanitization](https://www.authelia.com/r/sanitize) reference guide
required: true
- label: I have checked for related proxy or application logs and included them if available
- label: |
I have checked for related proxy or application logs and included them if available
required: true
- label: I have checked for related issues and checked the documentation
- label: |
I have checked for related issues and checked the documentation
required: true
...

36
.github/workflows/codeql-analysis.yml vendored
View File

@ -10,14 +10,14 @@
# the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages.
#
name: "CodeQL"
name: 'CodeQL'
# yamllint disable-line rule:truthy
on:
push:
branches:
- master
- gh-pages
- 'master'
- 'gh-pages'
paths:
- 'go.mod'
- 'go.sum'
@ -29,7 +29,7 @@ on:
pull_request:
# The branches below must be a subset of the branches above
branches:
- master
- 'master'
paths:
- 'go.mod'
- 'go.sum'
@ -43,12 +43,12 @@ on:
jobs:
analyze:
name: Analyze
runs-on: ubuntu-latest
name: 'Analyze'
runs-on: 'ubuntu-latest'
permissions:
actions: read
contents: read
security-events: write
actions: 'read'
contents: 'read'
security-events: 'write'
strategy:
fail-fast: false
@ -59,23 +59,23 @@ jobs:
- 'javascript'
steps:
- name: Checkout repository
uses: actions/checkout@v3
- name: 'Checkout repository'
uses: 'actions/checkout@v3'
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@v1
- name: 'Initialize CodeQL'
uses: 'github/codeql-action/init@v1'
with:
# If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main
languages: ${{ matrix.language }}
languages: '${{ matrix.language }}'
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild
uses: github/codeql-action/autobuild@v1
- name: 'Autobuild'
uses: 'github/codeql-action/autobuild@v1'
# Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl
@ -88,6 +88,6 @@ jobs:
# make bootstrap
# make release
- name: Perform CodeQL Analysis
uses: github/codeql-action/analyze@v1
- name: 'Perform CodeQL Analysis'
uses: 'github/codeql-action/analyze@v1'
...

54
.golangci.yml
View File

@ -1,6 +1,6 @@
---
run:
timeout: 3m
timeout: '3m'
linters-settings:
goconst:
@ -11,40 +11,40 @@ linters-settings:
godot:
check-all: true
goimports:
local-prefixes: github.com/authelia/authelia
local-prefixes: 'github.com/authelia/authelia'
revive:
confidence: 0.8
linters:
enable:
- asciicheck
- goconst
- gocritic
- gocyclo
- godot
- gofmt
- goimports
- gosec
- misspell
- nolintlint
- prealloc
- revive
- unconvert
- unparam
- whitespace
- wsl
- 'asciicheck'
- 'goconst'
- 'gocritic'
- 'gocyclo'
- 'godot'
- 'gofmt'
- 'goimports'
- 'gosec'
- 'misspell'
- 'nolintlint'
- 'prealloc'
- 'revive'
- 'unconvert'
- 'unparam'
- 'whitespace'
- 'wsl'
issues:
exclude:
- Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked # yamllint disable-line rule:line-length
- func name will be used as test\.Test.* by other packages, and that stutters; consider calling this
- (possible misuse of unsafe.Pointer|should have signature)
- ineffective break statement. Did you mean to break out of the outer loop
- Use of unsafe calls should be audited
- Subprocess launch(ed with variable|ing should be audited)
- (G104|G307)
- (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)
- Potential file inclusion via variable
- 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked' # yamllint disable-line rule:line-length
- 'func name will be used as test\.Test.* by other packages, and that stutters; consider calling this'
- '(possible misuse of unsafe.Pointer|should have signature)'
- 'ineffective break statement. Did you mean to break out of the outer loop'
- 'Use of unsafe calls should be audited'
- 'Subprocess launch(ed with variable|ing should be audited)'
- '(G104|G307)'
- '(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)'
- 'Potential file inclusion via variable'
exclude-use-default: false
max-issues-per-linter: 0
max-same-issues: 0

14
.reviewdog.yml
View File

@ -1,19 +1,19 @@
---
runner:
golangci:
cmd: golangci-lint run
cmd: 'golangci-lint run'
errorformat:
- '%E%f:%l:%c: %m'
- '%E%f:%l: %m'
- '%C%.%#'
level: error
level: 'error'
eslint:
cmd: cd web && eslint -f rdjson '*/**/*.{js,ts,tsx}'
format: rdjson
level: error
cmd: 'cd web && eslint -f rdjson "*/**/*.{js,ts,tsx}"'
format: 'rdjson'
level: 'error'
yamllint:
cmd: yamllint --format parsable .
cmd: 'yamllint --format parsable .'
errorformat:
- '%f:%l:%c: %m'
level: warning
level: 'warning'
...

10
.yamllint.yml
View File

@ -1,7 +1,7 @@
---
extends: default
extends: 'default'
locale: en_US.UTF-8
locale: 'en_US.UTF-8'
yaml-files:
- '*.yaml'
@ -19,13 +19,13 @@ ignore: |
.github/ISSUE_TEMPLATE/bug-report.yml
rules:
document-end:
level: warning
level: 'warning'
empty-values:
level: warning
level: 'warning'
indentation:
spaces: 2
check-multi-line-strings: true
line-length:
max: 120
octal-values: enable
octal-values: 'enable'
...

59
examples/compose/lite/authelia/configuration.yml
View File

@ -4,71 +4,70 @@
###############################################################
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
jwt_secret: a_very_important_secret
default_redirection_url: https://public.example.com
jwt_secret: 'a_very_important_secret'
default_redirection_url: 'https://public.example.com'
server:
address: 'tcp://:9091'
log:
level: debug
level: 'debug'
totp:
issuer: authelia.com
issuer: 'authelia.com'
# duo_api:
# hostname: api-123456789.example.com
# integration_key: ABCDEF
# hostname: 'api-123456789.example.com'
# integration_key: 'ABCDEF'
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
# secret_key: 1234567890abcdefghifjkl
authentication_backend:
file:
path: /config/users_database.yml
path: '/config/users_database.yml'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
# Rules applied to everyone
- domain: public.example.com
policy: bypass
- domain: traefik.example.com
policy: one_factor
- domain: secure.example.com
policy: two_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'traefik.example.com'
policy: 'one_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
session:
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
secret: unsecure_session_secret
secret: 'unsecure_session_secret'
cookies:
- name: authelia_session
domain: example.com # Should match whatever your root protected domain is
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
- name: 'authelia_session'
domain: 'example.com' # Should match whatever your root protected domain is
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
redis:
host: redis
host: 'redis'
port: 6379
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
# password: authelia
# password: 'authelia'
regulation:
max_retries: 3
find_time: 120
ban_time: 300
find_time: '2m'
ban_time: '5m'
storage:
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
local:
path: /config/db.sqlite3
path: '/config/db.sqlite3'
notifier:
smtp:
username: test
address: 'smtp://mail.example.com:25'
username: 'test'
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
password: password
host: mail.example.com
port: 25
sender: admin@example.com
password: 'password'
sender: 'admin@example.com'
...

10
examples/compose/lite/authelia/users_database.yml
View File

@ -9,11 +9,11 @@
users:
authelia:
disabled: false
displayname: "Authelia User"
displayname: 'Authelia User'
# Password is authelia
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
email: authelia@authelia.com
password: '$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/' # yamllint disable-line rule:line-length
email: 'authelia@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
...

54
examples/compose/lite/docker-compose.yml
View File

@ -1,18 +1,18 @@
---
version: '3.3'
version: '3.8'
networks:
net:
driver: bridge
driver: 'bridge'
services:
authelia:
image: authelia/authelia
container_name: authelia
image: 'authelia/authelia'
container_name: 'authelia'
volumes:
- ./authelia:/config
- './authelia:/config'
networks:
- net
- 'net'
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
@ -24,34 +24,34 @@ services:
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
expose:
- 9091
restart: unless-stopped
restart: 'unless-stopped'
healthcheck:
## In production the healthcheck section should be commented.
disable: true
environment:
- TZ=Australia/Melbourne
TZ: 'Australia/Melbourne'
redis:
image: redis:alpine
container_name: redis
image: 'redis:alpine'
container_name: 'redis'
volumes:
- ./redis:/data
- './redis:/data'
networks:
- net
- 'net'
expose:
- 6379
restart: unless-stopped
restart: 'unless-stopped'
environment:
- TZ=Australia/Melbourne
TZ: 'Australia/Melbourne'
traefik:
image: traefik:v2.10.1
container_name: traefik
image: 'traefik:v2.10.1'
container_name: 'traefik'
volumes:
- ./traefik:/etc/traefik
- /var/run/docker.sock:/var/run/docker.sock
- './traefik:/etc/traefik'
- '/var/run/docker.sock:/var/run/docker.sock'
networks:
- net
- 'net'
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
@ -80,10 +80,10 @@ services:
- '--log.level=DEBUG'
secure:
image: traefik/whoami
container_name: secure
image: 'traefik/whoami'
container_name: 'secure'
networks:
- net
- 'net'
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
@ -93,13 +93,13 @@ services:
- 'traefik.http.routers.secure.middlewares=authelia@docker'
expose:
- 80
restart: unless-stopped
restart: 'unless-stopped'
public:
image: traefik/whoami
container_name: public
image: 'traefik/whoami'
container_name: 'public'
networks:
- net
- 'net'
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.public.rule=Host(`public.example.com`)'
@ -109,5 +109,5 @@ services:
- 'traefik.http.routers.public.middlewares=authelia@docker'
expose:
- 80
restart: unless-stopped
restart: 'unless-stopped'
...

44
examples/compose/local/authelia/configuration.yml
View File

@ -3,52 +3,52 @@
# Authelia configuration #
###############################################################
jwt_secret: a_very_important_secret
default_redirection_url: https://public.example.com
jwt_secret: 'a_very_important_secret'
default_redirection_url: 'https://public.example.com'
server:
address: 'tcp://:9091'
log:
level: debug
level: 'debug'
totp:
issuer: authelia.com
issuer: 'authelia.com'
authentication_backend:
file:
path: /config/users_database.yml
path: '/config/users_database.yml'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
- domain: public.example.com
policy: bypass
- domain: traefik.example.com
policy: one_factor
- domain: secure.example.com
policy: two_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'traefik.example.com'
policy: 'one_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
session:
secret: unsecure_session_secret
secret: 'unsecure_session_secret'
cookies:
- name: authelia_session
domain: example.com # Should match whatever your root protected domain is
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
- name: 'authelia_session'
domain: 'example.com' # Should match whatever your root protected domain is
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
regulation:
max_retries: 3
find_time: 120
ban_time: 300
find_time: '2m'
ban_time: '5m'
storage:
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
local:
path: /config/db.sqlite3
path: '/config/db.sqlite3'
notifier:
filesystem:
filename: /config/notification.txt
filename: '/config/notification.txt'
...

10
examples/compose/local/authelia/users_database.yml
View File

@ -9,10 +9,10 @@
users:
<USERNAME>:
disabled: false
displayname: "<DISPLAYNAME>"
password: "<PASSWORD>"
email: <USERNAME>@example.com
displayname: '<DISPLAYNAME>'
password: '<PASSWORD>'
email: '<USERNAME>@example.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
...

40
examples/compose/local/docker-compose.yml
View File

@ -3,16 +3,16 @@ version: '3.3'
networks:
net:
driver: bridge
driver: 'bridge'
services:
authelia:
image: authelia/authelia
container_name: authelia
image: 'authelia/authelia'
container_name: 'authelia'
volumes:
- ./authelia:/config
- './authelia:/config'
networks:
- net
- 'net'
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
@ -24,21 +24,21 @@ services:
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
expose:
- 9091
restart: unless-stopped
restart: 'unless-stopped'
healthcheck:
## In production the healthcheck section should be commented.
disable: true
environment:
- TZ=Australia/Melbourne
TZ: 'Australia/Melbourne'
traefik:
image: traefik:v2.10.1
container_name: traefik
image: 'traefik:v2.10.1'
container_name: 'traefik'
volumes:
- ./traefik:/etc/traefik
- /var/run/docker.sock:/var/run/docker.sock
- './traefik:/etc/traefik'
- '/var/run/docker.sock:/var/run/docker.sock'
networks:
- net
- 'net'
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
@ -65,10 +65,10 @@ services:
- '--log.level=DEBUG'
secure:
image: traefik/whoami
container_name: secure
image: 'traefik/whoami'
container_name: 'secure'
networks:
- net
- 'net'
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
@ -78,13 +78,13 @@ services:
- 'traefik.http.routers.secure.middlewares=authelia@docker'
expose:
- 80
restart: unless-stopped
restart: 'unless-stopped'
public:
image: traefik/whoami
container_name: public
image: 'traefik/whoami'
container_name: 'public'
networks:
- net
- 'net'
labels:
- 'traefik.enable=true'
- 'traefik.http.routers.public.rule=Host(`public.example.com`)'
@ -94,5 +94,5 @@ services:
- 'traefik.http.routers.public.middlewares=authelia@docker'
expose:
- 80
restart: unless-stopped
restart: 'unless-stopped'
...

4
examples/compose/local/traefik/certificates.yml
View File

@ -1,6 +1,6 @@
---
tls:
certificates:
- certFile: /etc/traefik/certs/cert.pem
keyFile: /etc/traefik/certs/key.pem
- certFile: '/etc/traefik/certs/cert.pem'
keyFile: '/etc/traefik/certs/key.pem'
...

10
internal/authentication/users_database.template.yml
View File

@ -9,11 +9,11 @@
users:
authelia:
disabled: false
displayname: "Test User"
password: "$argon2id$v=19$m=32768,t=1,p=8$eUhVT1dQa082YVk2VUhDMQ$E8QI4jHbUBt3EdsU1NFDu4Bq5jObKNx7nBKSn1EYQxk" # Password is 'authelia'
email: authelia@authelia.com
displayname: 'Test User'
password: '$argon2id$v=19$m=32768,t=1,p=8$eUhVT1dQa082YVk2VUhDMQ$E8QI4jHbUBt3EdsU1NFDu4Bq5jObKNx7nBKSn1EYQxk' # Password is 'authelia'
email: 'authelia@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
...
# yamllint enable rule:line-length

156
internal/configuration/test_resources/config.deprecated.alt.yml
View File

@ -1,37 +1,37 @@
---
default_redirection_url: https://home.example.com:8080/
default_redirection_url: 'https://home.example.com:8080/'
server:
address: "tcp://127.0.0.1:9091"
address: 'tcp://127.0.0.1:9091'
endpoints:
authz:
forward-auth:
implementation: ForwardAuth
implementation: 'ForwardAuth'
authn_strategies:
- name: HeaderProxyAuthorization
- name: CookieSession
- name: 'HeaderProxyAuthorization'
- name: 'CookieSession'
ext-authz:
implementation: ExtAuthz
implementation: 'ExtAuthz'
authn_strategies:
- name: HeaderProxyAuthorization
- name: CookieSession
- name: 'HeaderProxyAuthorization'
- name: 'CookieSession'
auth-request:
implementation: AuthRequest
implementation: 'AuthRequest'
authn_strategies:
- name: HeaderAuthRequestProxyAuthorization
- name: CookieSession
- name: 'HeaderAuthRequestProxyAuthorization'
- name: 'CookieSession'
legacy:
implementation: Legacy
implementation: 'Legacy'
log:
level: debug
level: 'debug'
totp:
issuer: authelia.com
issuer: 'authelia.com'
duo_api:
hostname: api-123456789.example.com
integration_key: ABCDEF
hostname: 'api-123456789.example.com'
integration_key: 'ABCDEF'
authentication_backend:
ldap:
@ -65,109 +65,109 @@ authentication_backend:
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
-----END RSA PRIVATE KEY-----
base_dn: dc=example,dc=com
username_attribute: uid
additional_users_dn: ou=users
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
additional_groups_dn: ou=groups
groups_filter: (&(member={dn})(objectClass=groupOfNames))
group_name_attribute: cn
mail_attribute: mail
user: cn=admin,dc=example,dc=com
base_dn: 'dc=example,dc=com'
username_attribute: 'uid'
additional_users_dn: 'ou=users'
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
additional_groups_dn: 'ou=groups'
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_name_attribute: 'cn'
mail_attribute: 'mail'
user: 'cn=admin,dc=example,dc=com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
# Rules applied to everyone
- domain: public.example.com
policy: bypass
- domain: 'public.example.com'
policy: 'bypass'
- domain: secure.example.com
policy: one_factor
- domain: 'secure.example.com'
policy: 'one_factor'
# Network based rule, if not provided any network matches.
networks:
- 192.168.1.0/24
- domain: secure.example.com
policy: two_factor
- '192.168.1.0/24'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: [singlefactor.example.com, onefactor.example.com]
policy: one_factor
- domain: ['singlefactor.example.com', 'onefactor.example.com']
policy: 'one_factor'
# Rules applied to 'admins' group
- domain: "mx2.mail.example.com"
subject: "group:admins"
policy: deny
- domain: "*.example.com"
subject: "group:admins"
policy: two_factor
- domain: 'mx2.mail.example.com'
subject: 'group:admins'
policy: 'deny'
- domain: '*.example.com'
subject: 'group:admins'
policy: 'two_factor'
# Rules applied to 'dev' group
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/groups/dev/.*$"
subject: "group:dev"
policy: two_factor
- '^/groups/dev/.*$'
subject: 'group:dev'
policy: 'two_factor'
# Rules applied to user 'john'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/john/.*$"
subject: "user:john"
policy: two_factor
- '^/users/john/.*$'
subject: 'user:john'
policy: 'two_factor'
# Rules applied to 'dev' group and user 'john'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/deny-all.*$"
subject: ["group:dev", "user:john"]
policy: deny
- '^/deny-all.*$'
subject: ['group:dev', 'user:john']
policy: 'deny'
# Rules applied to user 'harry'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/harry/.*$"
subject: "user:harry"
policy: two_factor
- '^/users/harry/.*$'
subject: 'user:harry'
policy: 'two_factor'
# Rules applied to user 'bob'
- domain: "*.mail.example.com"
subject: "user:bob"
policy: two_factor
- domain: "dev.example.com"
- domain: '*.mail.example.com'
subject: 'user:bob'
policy: 'two_factor'
- domain: 'dev.example.com'
resources:
- "^/users/bob/.*$"
subject: "user:bob"
policy: two_factor
- '^/users/bob/.*$'
subject: 'user:bob'
policy: 'two_factor'
session:
name: authelia_session
expiration: 3600000 # 1 hour
inactivity: 300000 # 5 minutes
domain: example.com
name: 'authelia_session'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
domain: 'example.com'
redis:
host: 127.0.0.1
host: '127.0.0.1'
port: 6379
high_availability:
sentinel_name: test
sentinel_name: 'test'
regulation:
max_retries: 3
find_time: 120
ban_time: 300
find_time: '2m'
ban_time: '5m'
storage:
postgres:
host: 127.0.0.1
host: '127.0.0.1'
port: 5432
database: authelia
username: authelia
database: 'authelia'
username: 'authelia'
notifier:
smtp:
username: test
host: 127.0.0.1
username: 'test'
host: '127.0.0.1'
port: 1025
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

156
internal/configuration/test_resources/config.deprecated.yml
View File

@ -1,37 +1,37 @@
---
default_redirection_url: https://home.example.com:8080/
default_redirection_url: 'https://home.example.com:8080/'
server:
address: "tcp://127.0.0.1:9091"
address: 'tcp://127.0.0.1:9091'
endpoints:
authz:
forward-auth:
implementation: ForwardAuth
implementation: 'ForwardAuth'
authn_strategies:
- name: HeaderProxyAuthorization
- name: CookieSession
- name: 'HeaderProxyAuthorization'
- name: 'CookieSession'
ext-authz:
implementation: ExtAuthz
implementation: 'ExtAuthz'
authn_strategies:
- name: HeaderProxyAuthorization
- name: CookieSession
- name: 'HeaderProxyAuthorization'
- name: 'CookieSession'
auth-request:
implementation: AuthRequest
implementation: 'AuthRequest'
authn_strategies:
- name: HeaderAuthRequestProxyAuthorization
- name: CookieSession
- name: 'HeaderAuthRequestProxyAuthorization'
- name: 'CookieSession'
legacy:
implementation: Legacy
implementation: 'Legacy'
log:
level: debug
level: 'debug'
totp:
issuer: authelia.com
issuer: 'authelia.com'
duo_api:
hostname: api-123456789.example.com
integration_key: ABCDEF
hostname: 'api-123456789.example.com'
integration_key: 'ABCDEF'
authentication_backend:
ldap:
@ -65,109 +65,109 @@ authentication_backend:
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
-----END RSA PRIVATE KEY-----
base_dn: dc=example,dc=com
username_attribute: uid
additional_users_dn: ou=users
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
additional_groups_dn: ou=groups
groups_filter: (&(member={dn})(objectClass=groupOfNames))
group_name_attribute: cn
mail_attribute: mail
user: cn=admin,dc=example,dc=com
base_dn: 'dc=example,dc=com'
username_attribute: 'uid'
additional_users_dn: 'ou=users'
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
additional_groups_dn: 'ou=groups'
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_name_attribute: 'cn'
mail_attribute: 'mail'
user: 'cn=admin,dc=example,dc=com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
# Rules applied to everyone
- domain: public.example.com
policy: bypass
- domain: 'public.example.com'
policy: 'bypass'
- domain: secure.example.com
policy: one_factor
- domain: 'secure.example.com'
policy: 'one_factor'
# Network based rule, if not provided any network matches.
networks:
- 192.168.1.0/24
- domain: secure.example.com
policy: two_factor
- '192.168.1.0/24'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: [singlefactor.example.com, onefactor.example.com]
policy: one_factor
- domain: ['singlefactor.example.com', 'onefactor.example.com']
policy: 'one_factor'
# Rules applied to 'admins' group
- domain: "mx2.mail.example.com"
subject: "group:admins"
policy: deny
- domain: "*.example.com"
subject: "group:admins"
policy: two_factor
- domain: 'mx2.mail.example.com'
subject: 'group:admins'
policy: 'deny'
- domain: '*.example.com'
subject: 'group:admins'
policy: 'two_factor'
# Rules applied to 'dev' group
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/groups/dev/.*$"
subject: "group:dev"
policy: two_factor
- '^/groups/dev/.*$'
subject: 'group:dev'
policy: 'two_factor'
# Rules applied to user 'john'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/john/.*$"
subject: "user:john"
policy: two_factor
- '^/users/john/.*$'
subject: 'user:john'
policy: 'two_factor'
# Rules applied to 'dev' group and user 'john'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/deny-all.*$"
subject: ["group:dev", "user:john"]
policy: deny
- '^/deny-all.*$'
subject: ['group:dev', 'user:john']
policy: 'deny'
# Rules applied to user 'harry'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/harry/.*$"
subject: "user:harry"
policy: two_factor
- '^/users/harry/.*$'
subject: 'user:harry'
policy: 'two_factor'
# Rules applied to user 'bob'
- domain: "*.mail.example.com"
subject: "user:bob"
policy: two_factor
- domain: "dev.example.com"
- domain: '*.mail.example.com'
subject: 'user:bob'
policy: 'two_factor'
- domain: 'dev.example.com'
resources:
- "^/users/bob/.*$"
subject: "user:bob"
policy: two_factor
- '^/users/bob/.*$'
subject: 'user:bob'
policy: 'two_factor'
session:
name: authelia_session
expiration: 3600000 # 1 hour
inactivity: 300000 # 5 minutes
domain: example.com
name: 'authelia_session'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
domain: 'example.com'
redis:
host: 127.0.0.1
host: '127.0.0.1'
port: 6379
high_availability:
sentinel_name: test
sentinel_name: 'test'
regulation:
max_retries: 3
find_time: 120
ban_time: 300
find_time: '2m'
ban_time: '5m'
storage:
mysql:
host: 127.0.0.1
host: '127.0.0.1'
port: 3306
database: authelia
username: authelia
database: 'authelia'
username: 'authelia'
notifier:
smtp:
username: test
host: 127.0.0.1
username: 'test'
host: '127.0.0.1'
port: 1025
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

90
internal/configuration/test_resources/config.filtered.yml
View File

@ -5,14 +5,14 @@ server:
address: 'tcp://{{ env "SERVICES_SERVER" }}:9091'
log:
level: debug
level: 'debug'
totp:
issuer: authelia.com
issuer: 'authelia.com'
duo_api:
hostname: 'api-123456789.{{ env "ROOT_DOMAIN" }}'
integration_key: ABCDEF
integration_key: 'ABCDEF'
authentication_backend:
ldap:
@ -46,51 +46,51 @@ authentication_backend:
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
-----END RSA PRIVATE KEY-----
base_dn: dc=example,dc=com
username_attribute: uid
additional_users_dn: ou=users
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
additional_groups_dn: ou=groups
groups_filter: (&(member={dn})(objectClass=groupOfNames))
group_name_attribute: cn
mail_attribute: mail
user: cn=admin,dc=example,dc=com
base_dn: 'dc=example,dc=com'
username_attribute: 'uid'
additional_users_dn: 'ou=users'
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
additional_groups_dn: 'ou=groups'
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_name_attribute: 'cn'
mail_attribute: 'mail'
user: 'cn=admin,dc=example,dc=com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
# Rules applied to everyone
- domain:
- 'public.{{ env "ROOT_DOMAIN" }}'
policy: bypass
policy: 'bypass'
- domain:
- 'secure.{{ env "ROOT_DOMAIN" }}'
policy: one_factor
policy: 'one_factor'
# Network based rule, if not provided any network matches.
networks:
- 192.168.1.0/24
- '192.168.1.0/24'
- domain:
- 'secure.{{ env "ROOT_DOMAIN" }}'
policy: two_factor
policy: 'two_factor'
- domain:
- 'singlefactor.{{ env "ROOT_DOMAIN" }}'
- 'onefactor.{{ env "ROOT_DOMAIN" }}'
policy: one_factor
policy: 'one_factor'
# Rules applied to 'admins' group
- domain:
- 'mx2.mail.{{ env "ROOT_DOMAIN" }}'
subject:
- 'group:admins'
policy: deny
policy: 'deny'
- domain:
- '*.{{ env "ROOT_DOMAIN" }}'
subject:
- ['group:admins']
policy: two_factor
policy: 'two_factor'
# Rules applied to 'dev' group
- domain:
@ -99,7 +99,7 @@ access_control:
- '^/groups/dev/.*$'
subject:
- ['group:dev']
policy: two_factor
policy: 'two_factor'
# Rules applied to user 'john'
- domain:
@ -108,17 +108,17 @@ access_control:
- '^/users/john/.*$'
subject:
- ['user:john']
policy: two_factor
policy: 'two_factor'
# Rules applied to 'dev' group and user 'john'
- domain:
- 'dev.{{ env "ROOT_DOMAIN" }}'
resources:
- "^/deny-all.*$"
- '^/deny-all.*$'
subject:
- ['group:dev']
- ['user:john']
policy: deny
policy: 'deny'
# Rules applied to user 'harry'
- domain:
@ -127,47 +127,47 @@ access_control:
- '^/users/harry/.*$'
subject:
- ['user:harry']
policy: two_factor
policy: 'two_factor'
# Rules applied to user 'bob'
- domain:
- '*.mail.{{ env "ROOT_DOMAIN" }}'
subject:
- ['user:bob']
policy: two_factor
policy: 'two_factor'
- domain:
- 'dev.{{ env "ROOT_DOMAIN" }}'
resources:
- '^/users/bob/.*$'
subject:
- ['user:bob']
policy: two_factor
policy: 'two_factor'
session:
name: authelia_session
expiration: 3600000 # 1 hour
inactivity: 300000 # 5 minutes
name: 'authelia_session'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
domain: '{{ env "ROOT_DOMAIN" }}'
redis:
host: ${SERVICES_SERVER}
host: '${SERVICES_SERVER}'
port: 6379
high_availability:
sentinel_name: test
sentinel_name: 'test'
regulation:
max_retries: 3
find_time: 120
ban_time: 300
find_time: '2m'
ban_time: '5m'
storage:
mysql:
address: 'tcp://{{ env "SERVICES_SERVER" }}:3306'
database: authelia
username: authelia
database: 'authelia'
username: 'authelia'
notifier:
smtp:
username: test
username: 'test'
address: 'smtp://{{ env "SERVICES_SERVER" }}:1025'
sender: 'admin@{{ env "ROOT_DOMAIN" }}'
disable_require_tls: true
@ -176,16 +176,16 @@ identity_providers:
oidc:
cors:
allowed_origins:
- https://google.com
- https://example.com
- 'https://google.com'
- 'https://example.com'
clients:
- id: abc
- id: 'abc'
secret: '${ABC_CLIENT_SECRET}'
consent_mode: explicit
- id: xyz
consent_mode: 'explicit'
- id: 'xyz'
secret: '$XYZ_CLIENT_SECRET'
consent_mode: explicit
consent_mode: 'explicit'
- id: '123'
secret: $ANOTHER_CLIENT_SECRET
consent_mode: explicit
secret: '$ANOTHER_CLIENT_SECRET'
consent_mode: 'explicit'
...

62
internal/suites/ActiveDirectory/configuration.yml
View File

@ -3,69 +3,69 @@
# Authelia minimal configuration #
###############################################################
theme: grey
jwt_secret: very_important_secret
default_redirection_url: https://home.example.com:8080/
theme: 'grey'
jwt_secret: 'very_important_secret'
default_redirection_url: 'https://home.example.com:8080/'
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
authentication_backend:
ldap:
address: 'ldap://sambaldap'
implementation: activedirectory
implementation: 'activedirectory'
tls:
skip_verify: true
start_tls: true
base_dn: DC=example,DC=com
additional_users_dn: OU=Users
additional_groups_dn: OU=Groups
user: CN=Administrator,CN=Users,DC=example,DC=com
password: password
base_dn: 'DC=example,DC=com'
additional_users_dn: 'OU=Users'
additional_groups_dn: 'OU=Groups'
user: 'CN=Administrator,CN=Users,DC=example,DC=com'
password: 'password'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite3
path: '/config/db.sqlite3'
totp:
issuer: example.com
issuer: 'example.com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
regulation:
max_retries: 3
find_time: 300
ban_time: 900
find_time: '5m'
ban_time: '15m'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

42
internal/suites/BypassAll/configuration.yml
View File

@ -6,49 +6,49 @@
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
jwt_secret: unsecure_secret
jwt_secret: 'unsecure_secret'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
# The Duo Push Notification API configuration
duo_api:
hostname: duo.example.com
integration_key: ABCDEFGHIJKL
secret_key: abcdefghijklmnopqrstuvwxyz123456789
hostname: 'duo.example.com'
integration_key: 'ABCDEFGHIJKL'
secret_key: 'abcdefghijklmnopqrstuvwxyz123456789'
access_control:
default_policy: bypass
default_policy: 'bypass'
rules:
- domain: "public.example.com"
policy: bypass
- domain: "secure.example.com"
policy: two_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'secure.example.com'
policy: 'two_factor'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
disable_require_tls: true
sender: 'admin@example.com'
disable_require_tls: 'true'
...

30
internal/suites/BypassAll/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

72
internal/suites/CLI/configuration.yml
View File

@ -6,61 +6,61 @@
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
jwt_secret: unsecure_secret
jwt_secret: 'unsecure_secret'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
secret: 'unsecure_session_secret'
cookies:
- name: 'authelia_session'
domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /tmp/db.sqlite
path: '/tmp/db.sqlite'
access_control:
default_policy: bypass
default_policy: 'bypass'
rules:
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: "resources.example.com"
policy: one_factor
resources: ["^/resources"]
- domain: "method.example.com"
policy: one_factor
methods: ["POST"]
- domain: "network.example.com"
policy: one_factor
networks: ["192.168.1.0/24"]
- domain: "group.example.com"
policy: one_factor
subject: ["group:basic"]
- domain: "user.example.com"
policy: one_factor
subject: ["user:john"]
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
- domain: 'resources.example.com'
policy: 'one_factor'
resources: ['^/resources']
- domain: 'method.example.com'
policy: 'one_factor'
methods: ['POST']
- domain: 'network.example.com'
policy: 'one_factor'
networks: ['192.168.1.0/24']
- domain: 'group.example.com'
policy: 'one_factor'
subject: ['group:basic']
- domain: 'user.example.com'
policy: 'one_factor'
subject: ['user:john']
notifier:
filesystem:
filename: /tmp/notification.txt
filename: '/tmp/notification.txt'
...

2
internal/suites/CLI/docker-compose.yml
View File

@ -8,5 +8,5 @@ services:
- './CLI/users.yml:/config/users.yml'
- './common/pki:/pki:ro'
- '/tmp:/tmp'
user: ${USER_ID}:${GROUP_ID}
user: '${USER_ID}:${GROUP_ID}'
...

4
internal/suites/CLI/storage.yml
View File

@ -1,6 +1,6 @@
---
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /tmp/db.sqlite3
path: '/tmp/db.sqlite3'
...

30
internal/suites/CLI/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

44
internal/suites/Caddy/configuration.yml
View File

@ -3,56 +3,56 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: unsecure_secret
jwt_secret: 'unsecure_secret'
server:
address: 'tcp://:9091'
asset_path: '/config/assets/'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
endpoints:
authz:
caddy:
implementation: ForwardAuth
implementation: 'ForwardAuth'
authn_strategies: []
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
access_control:
default_policy: bypass
default_policy: 'bypass'
rules:
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

30
internal/suites/Caddy/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

82
internal/suites/Docker/configuration.yml
View File

@ -3,89 +3,89 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: very_important_secret
default_redirection_url: https://home.example.com:8080/
jwt_secret: 'very_important_secret'
default_redirection_url: 'https://home.example.com:8080/'
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite3
path: '/config/db.sqlite3'
totp:
issuer: example.com
issuer: 'example.com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
- domain: singlefactor.example.com
policy: one_factor
- domain: 'singlefactor.example.com'
policy: 'one_factor'
- domain: public.example.com
policy: bypass
- domain: 'public.example.com'
policy: 'bypass'
- domain: secure.example.com
policy: two_factor
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: "*.example.com"
subject: "group:admins"
policy: two_factor
- domain: '*.example.com'
subject: 'group:admins'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/john/.*$"
subject: "user:john"
policy: two_factor
- '^/users/john/.*$'
subject: 'user:john'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/harry/.*$"
subject: "user:harry"
policy: two_factor
- '^/users/harry/.*$'
subject: 'user:harry'
policy: 'two_factor'
- domain: "*.mail.example.com"
subject: "user:bob"
policy: two_factor
- domain: '*.mail.example.com'
subject: 'user:bob'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/bob/.*$"
subject: "user:bob"
policy: two_factor
- '^/users/bob/.*$'
subject: 'user:bob'
policy: 'two_factor'
regulation:
# Set it to 0 to disable max_retries.
max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 300
find_time: '5m'
# The length of time before a banned user can login again.
ban_time: 900
ban_time: '15m'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

30
internal/suites/Docker/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

90
internal/suites/DuoPush/configuration.yml
View File

@ -3,49 +3,49 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: very_important_secret
default_redirection_url: https://home.example.com:8080/
jwt_secret: 'very_important_secret'
default_redirection_url: 'https://home.example.com:8080/'
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: trace
level: 'trace'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
# Configuration of the storage backend used to store data and secrets. i.e. totp data
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /tmp/db.sqlite3
path: '/tmp/db.sqlite3'
# TOTP Issuer Name
#
# This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
# See: 'https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names'
totp:
issuer: example.com
issuer: 'example.com'
# The Duo Push Notification API configuration
duo_api:
hostname: duo.example.com
integration_key: ABCDEFGHIJKL
secret_key: abcdefghijklmnopqrstuvwxyz123456789
hostname: 'duo.example.com'
integration_key: 'ABCDEFGHIJKL'
secret_key: 'abcdefghijklmnopqrstuvwxyz123456789'
enable_self_enrollment: true
# Access Control
@ -54,43 +54,43 @@ duo_api:
# resources.
access_control:
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
default_policy: two_factor
default_policy: 'two_factor'
rules:
- domain: singlefactor.example.com
policy: one_factor
- domain: 'singlefactor.example.com'
policy: 'one_factor'
- domain: public.example.com
policy: bypass
- domain: 'public.example.com'
policy: 'bypass'
- domain: secure.example.com
policy: two_factor
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: "*.example.com"
subject: "group:admins"
policy: two_factor
- domain: '*.example.com'
subject: 'group:admins'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/john/.*$"
subject: "user:john"
policy: two_factor
- '^/users/john/.*$'
subject: 'user:john'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/harry/.*$"
subject: "user:harry"
policy: two_factor
- '^/users/harry/.*$'
subject: 'user:harry'
policy: 'two_factor'
- domain: "*.mail.example.com"
subject: "user:bob"
policy: two_factor
- domain: '*.mail.example.com'
subject: 'user:bob'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/bob/.*$"
subject: "user:bob"
policy: two_factor
- '^/users/bob/.*$'
subject: 'user:bob'
policy: 'two_factor'
# Configuration of the authentication regulation mechanism.
regulation:
@ -98,12 +98,12 @@ regulation:
max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 300
find_time: '5m'
# The length of time before a banned user can login again.
ban_time: 900
ban_time: '15m'
notifier:
filesystem:
filename: /tmp/notifier.html
filename: '/tmp/notifier.html'
...

2
internal/suites/DuoPush/docker-compose.yml
View File

@ -7,5 +7,5 @@ services:
- './DuoPush/users.yml:/config/users.yml'
- './common/pki:/pki:ro'
- '/tmp:/tmp'
user: ${USER_ID}:${GROUP_ID}
user: '${USER_ID}:${GROUP_ID}'
...

30
internal/suites/DuoPush/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

48
internal/suites/Envoy/configuration.yml
View File

@ -3,59 +3,59 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: unsecure_secret
jwt_secret: 'unsecure_secret'
server:
address: 'tcp://:9091'
asset_path: '/config/assets/'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
endpoints:
authz:
ext-authz:
implementation: ExtAuthz
implementation: 'ExtAuthz'
authn_strategies: []
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- name: 'authelia_session'
domain: 'example.com'
authelia_url: 'https://login.example.com:8080/'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
access_control:
default_policy: bypass
default_policy: 'bypass'
rules:
- domain: "login.example.com"
policy: bypass
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: 'login.example.com'
policy: 'bypass'
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

30
internal/suites/Envoy/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

42
internal/suites/HAProxy/configuration.yml
View File

@ -3,50 +3,50 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: unsecure_secret
jwt_secret: 'unsecure_secret'
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
access_control:
default_policy: bypass
default_policy: 'bypass'
rules:
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

30
internal/suites/HAProxy/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

130
internal/suites/HighAvailability/configuration.yml
View File

@ -3,125 +3,125 @@
# Authelia configuration #
###############################################################
jwt_secret: unsecure_secret
jwt_secret: 'unsecure_secret'
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
totp:
issuer: authelia.com
issuer: 'authelia.com'
authentication_backend:
ldap:
address: 'ldap://openldap'
base_dn: dc=example,dc=com
username_attribute: uid
additional_users_dn: ou=users
users_filter: (&({username_attribute}={input})(objectClass=person))
additional_groups_dn: ou=groups
groups_filter: (&(member={dn})(objectClass=groupOfNames))
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: displayName
user: cn=admin,dc=example,dc=com
password: password
base_dn: 'dc=example,dc=com'
username_attribute: 'uid'
additional_users_dn: 'ou=users'
users_filter: '(&({username_attribute}={input})(objectClass=person))'
additional_groups_dn: 'ou=groups'
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_name_attribute: 'cn'
mail_attribute: 'mail'
display_name_attribute: 'displayName'
user: 'cn=admin,dc=example,dc=com'
password: 'password'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
# Rules applied to everyone
- domain: public.example.com
policy: bypass
- domain: secure.example.com
policy: two_factor
- domain: singlefactor.example.com
policy: one_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
# Rules applied to 'admins' group
- domain: mx2.mail.example.com
subject: "group:admins"
policy: deny
- domain: 'mx2.mail.example.com'
subject: 'group:admins'
policy: 'deny'
# Rules applied to user 'john'
- domain: "*.example.com"
subject: "user:john"
policy: two_factor
- domain: '*.example.com'
subject: 'user:john'
policy: 'two_factor'
- domain: "*.example.com"
subject: "group:admins"
policy: two_factor
- domain: '*.example.com'
subject: 'group:admins'
policy: 'two_factor'
# Rules applied to 'dev' group
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/groups/dev/.*$"
subject: "group:dev"
policy: two_factor
- '^/groups/dev/.*$'
subject: 'group:dev'
policy: 'two_factor'
# Rules applied to user 'harry'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/harry/.*$"
subject: "user:harry"
policy: two_factor
- '^/users/harry/.*$'
subject: 'user:harry'
policy: 'two_factor'
# Rules applied to user 'bob'
- domain: "*.mail.example.com"
subject: "user:bob"
policy: two_factor
- domain: "dev.example.com"
- domain: '*.mail.example.com'
subject: 'user:bob'
policy: 'two_factor'
- domain: 'dev.example.com'
resources:
- "^/users/bob/.*$"
subject: "user:bob"
policy: two_factor
- '^/users/bob/.*$'
subject: 'user:bob'
policy: 'two_factor'
session:
name: authelia_session
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
name: 'authelia_session'
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
redis:
username: authelia
password: redis-user-password
username: 'authelia'
password: 'redis-user-password'
high_availability:
sentinel_name: authelia
sentinel_password: sentinel-server-password
sentinel_name: 'authelia'
sentinel_password: 'sentinel-server-password'
nodes:
- host: redis-sentinel-0
- host: 'redis-sentinel-0'
port: 26379
- host: redis-sentinel-1
- host: 'redis-sentinel-1'
port: 26379
- host: redis-sentinel-2
- host: 'redis-sentinel-2'
port: 26379
remember_me: 1y
remember_me: '1y'
regulation:
max_retries: 3
find_time: 8
find_time: '8s'
ban_time: 10
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
mysql:
address: 'tcp://mariadb:3306'
database: authelia
username: admin
password: password
database: 'authelia'
username: 'admin'
password: 'password'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

74
internal/suites/LDAP/configuration.yml
View File

@ -3,73 +3,73 @@
# Authelia minimal configuration #
###############################################################
theme: dark
jwt_secret: very_important_secret
default_redirection_url: https://home.example.com:8080/
theme: 'dark'
jwt_secret: 'very_important_secret'
default_redirection_url: 'https://home.example.com:8080/'
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
authentication_backend:
ldap:
address: 'ldaps://openldap'
tls:
skip_verify: true
base_dn: dc=example,dc=com
username_attribute: uid
additional_users_dn: ou=users
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(objectClass=inetOrgPerson)) # yamllint disable-line rule:line-length
additional_groups_dn: ou=groups
groups_filter: (&(member={dn})(objectClass=groupOfNames))
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: displayName
user: cn=pwmanager,dc=example,dc=com
password: password
base_dn: 'dc=example,dc=com'
username_attribute: 'uid'
additional_users_dn: 'ou=users'
users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(objectClass=inetOrgPerson))' # yamllint disable-line rule:line-length
additional_groups_dn: 'ou=groups'
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_name_attribute: 'cn'
mail_attribute: 'mail'
display_name_attribute: 'displayName'
user: 'cn=pwmanager,dc=example,dc=com'
password: 'password'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite3
path: '/config/db.sqlite3'
totp:
issuer: example.com
issuer: 'example.com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
regulation:
max_retries: 3
find_time: 300
ban_time: 900
find_time: '5m'
ban_time: '15m'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
disable_require_tls: true
sender: 'admin@example.com'
disable_require_tls: 'true'
...

52
internal/suites/MariaDB/configuration.yml
View File

@ -3,58 +3,58 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: very_important_secret
default_redirection_url: https://home.example.com:8080/
jwt_secret: 'very_important_secret'
default_redirection_url: 'https://home.example.com:8080/'
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
# Configuration of the storage backend used to store data and secrets. i.e. totp data
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
mysql:
address: 'tcp://mariadb:3306'
database: authelia
username: admin
password: password
database: 'authelia'
username: 'admin'
password: 'password'
# TOTP Issuer Name
#
# This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp:
issuer: example.com
issuer: 'example.com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
# Configuration of the authentication regulation mechanism.
regulation:
@ -62,7 +62,7 @@ regulation:
max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 8
find_time: '8s'
# The length of time before a banned user can login again.
ban_time: 10
@ -71,6 +71,6 @@ notifier:
# Use a SMTP server for sending notifications
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

30
internal/suites/MariaDB/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

198
internal/suites/MultiCookieDomain/configuration.yml
View File

@ -3,14 +3,14 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: unsecure_secret
theme: auto
jwt_secret: 'unsecure_secret'
theme: 'auto'
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
telemetry:
metrics:
@ -18,17 +18,17 @@ telemetry:
address: 'tcp://:9959'
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600
inactivity: 300
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h'
inactivity: '5m'
remember_me: '1y'
cookies:
- name: 'authelia_session'
domain: 'example.com'
@ -42,153 +42,153 @@ session:
authelia_url: 'https://login.example3.com:8080'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
totp:
issuer: example.com
issuer: 'example.com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
# First cookie domain
- domain: singlefactor.example.com
policy: one_factor
- domain: 'singlefactor.example.com'
policy: 'one_factor'
- domain: public.example.com
policy: bypass
- domain: 'public.example.com'
policy: 'bypass'
- domain: secure.example.com
policy: bypass
- domain: 'secure.example.com'
policy: 'bypass'
methods:
- OPTIONS
- 'OPTIONS'
- domain: secure.example.com
policy: two_factor
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: "*.example.com"
subject: "group:admins"
policy: two_factor
- domain: '*.example.com'
subject: 'group:admins'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/john/.*$"
subject: "user:john"
policy: two_factor
- '^/users/john/.*$'
subject: 'user:john'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/harry/.*$"
subject: "user:harry"
policy: two_factor
- '^/users/harry/.*$'
subject: 'user:harry'
policy: 'two_factor'
- domain: "*.mail.example.com"
subject: "user:bob"
policy: two_factor
- domain: '*.mail.example.com'
subject: 'user:bob'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/bob/.*$"
subject: "user:bob"
policy: two_factor
- '^/users/bob/.*$'
subject: 'user:bob'
policy: 'two_factor'
# Second cookie domain
- domain: singlefactor.example2.com
policy: one_factor
- domain: 'singlefactor.example2.com'
policy: 'one_factor'
- domain: public.example2.com
policy: bypass
- domain: 'public.example2.com'
policy: 'bypass'
- domain: secure.example2.com
policy: bypass
- domain: 'secure.example2.com'
policy: 'bypass'
methods:
- OPTIONS
- 'OPTIONS'
- domain: secure.example2.com
policy: two_factor
- domain: 'secure.example2.com'
policy: 'two_factor'
- domain: "*.example2.com"
subject: "group:admins"
policy: two_factor
- domain: '*.example2.com'
subject: 'group:admins'
policy: 'two_factor'
- domain: dev.example2.com
- domain: 'dev.example2.com'
resources:
- "^/users/john/.*$"
subject: "user:john"
policy: two_factor
- '^/users/john/.*$'
subject: 'user:john'
policy: 'two_factor'
- domain: dev.example2.com
- domain: 'dev.example2.com'
resources:
- "^/users/harry/.*$"
subject: "user:harry"
policy: two_factor
- '^/users/harry/.*$'
subject: 'user:harry'
policy: 'two_factor'
- domain: "*.mail.example2.com"
subject: "user:bob"
policy: two_factor
- domain: '*.mail.example2.com'
subject: 'user:bob'
policy: 'two_factor'
- domain: dev.example2.com
- domain: 'dev.example2.com'
resources:
- "^/users/bob/.*$"
subject: "user:bob"
policy: two_factor
- '^/users/bob/.*$'
subject: 'user:bob'
policy: 'two_factor'
# Third cookie domain
- domain: singlefactor.example3.com
policy: one_factor
- domain: 'singlefactor.example3.com'
policy: 'one_factor'
- domain: public.example3.com
policy: bypass
- domain: 'public.example3.com'
policy: 'bypass'
- domain: secure.example3.com
policy: bypass
- domain: 'secure.example3.com'
policy: 'bypass'
methods:
- OPTIONS
- 'OPTIONS'
- domain: secure.example3.com
policy: two_factor
- domain: 'secure.example3.com'
policy: 'two_factor'
- domain: "*.example3.com"
subject: "group:admins"
policy: two_factor
- domain: '*.example3.com'
subject: 'group:admins'
policy: 'two_factor'
- domain: dev.example3.com
- domain: 'dev.example3.com'
resources:
- "^/users/john/.*$"
subject: "user:john"
policy: two_factor
- '^/users/john/.*$'
subject: 'user:john'
policy: 'two_factor'
- domain: dev.example3.com
- domain: 'dev.example3.com'
resources:
- "^/users/harry/.*$"
subject: "user:harry"
policy: two_factor
- '^/users/harry/.*$'
subject: 'user:harry'
policy: 'two_factor'
- domain: "*.mail.example3.com"
subject: "user:bob"
policy: two_factor
- domain: '*.mail.example3.com'
subject: 'user:bob'
policy: 'two_factor'
- domain: dev.example3.com
- domain: 'dev.example3.com'
resources:
- "^/users/bob/.*$"
subject: "user:bob"
policy: two_factor
- '^/users/bob/.*$'
subject: 'user:bob'
policy: 'two_factor'
regulation:
# Set it to 0 to disable max_retries.
max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 300
find_time: '5m'
# The length of time before a banned user can login again.
ban_time: 900
ban_time: '15m'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
ntp:
## NTP server address
@ -196,7 +196,7 @@ ntp:
## ntp version
version: 4
## "maximum desynchronization" is the allowed offset time between the host and the ntp server
max_desync: 3s
max_desync: '3s'
## You can enable or disable the NTP synchronization check on startup
disable_startup_check: false

30
internal/suites/MultiCookieDomain/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

48
internal/suites/MySQL/configuration.yml
View File

@ -6,32 +6,32 @@
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
default_redirection_url: https://home.example.com:8080/
default_redirection_url: 'https://home.example.com:8080/'
jwt_secret: very_important_secret
jwt_secret: 'very_important_secret'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
# Configuration of the storage backend used to store data and secrets. i.e. totp data
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
mysql:
address: 'tcp://mysql:3306'
database: 'authelia'
@ -43,19 +43,19 @@ storage:
# This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp:
issuer: example.com
issuer: 'example.com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
# Configuration of the authentication regulation mechanism.
regulation:
@ -63,7 +63,7 @@ regulation:
max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 8
find_time: '8s'
# The length of time before a banned user can login again.
ban_time: 10
@ -72,6 +72,6 @@ notifier:
# Use a SMTP server for sending notifications
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
disable_require_tls: true
sender: 'admin@example.com'
disable_require_tls: 'true'
...

32
internal/suites/MySQL/users.yml
View File

@ -8,28 +8,26 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

46
internal/suites/NetworkACL/configuration.yml
View File

@ -6,71 +6,71 @@
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
jwt_secret: unsecure_password
jwt_secret: 'unsecure_password'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
# Configuration of the storage backend used to store data and secrets. i.e. totp data
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
# Access Control
#
# Access control is a set of rules you can use to restrict user access to certain
# resources.
access_control:
default_policy: deny
default_policy: 'deny'
networks:
- name: Clients
- name: 'Clients'
networks:
- 192.168.240.202/32
- 192.168.240.203/32
rules:
- domain: secure.example.com
policy: one_factor
- domain: 'secure.example.com'
policy: 'one_factor'
networks:
- 192.168.240.201/32
- domain: secure.example.com
policy: bypass
- domain: 'secure.example.com'
policy: 'bypass'
networks:
- Clients
- 'Clients'
- domain: secure.example.com
policy: two_factor
- domain: 'secure.example.com'
policy: 'two_factor'
# Configuration of the authentication regulation mechanism.
regulation:
# Set it to 0 to disable max_retries.
max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 300
find_time: '5m'
# The length of time before a banned user can login again.
ban_time: 900
ban_time: '15m'
notifier:
# Use a SMTP server for sending notifications
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

30
internal/suites/NetworkACL/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

70
internal/suites/OIDC/configuration.yml
View File

@ -2,78 +2,78 @@
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
jwt_secret: unsecure_secret
jwt_secret: 'unsecure_secret'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
secret: 'unsecure_session_secret'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
# We use redis here to keep the users authenticated when Authelia restarts
# It eases development.
redis:
host: redis
host: 'redis'
port: 6379
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
- domain: "home.example.com"
policy: bypass
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: "oidc.example.com"
policy: two_factor
- domain: "oidc-public.example.com"
policy: bypass
- domain: 'home.example.com'
policy: 'bypass'
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
- domain: 'oidc.example.com'
policy: 'two_factor'
- domain: 'oidc-public.example.com'
policy: 'bypass'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
identity_providers:
oidc:
enable_client_debug_messages: true
hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm
hmac_secret: 'IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm'
clients:
- id: oidc-tester-app
secret: foobar
authorization_policy: two_factor
- id: 'oidc-tester-app'
secret: 'foobar'
authorization_policy: 'two_factor'
redirect_uris:
- https://oidc.example.com:8080/oauth2/callback
# This client is used for testing purpose. As of now, the app must be protected by ACLs
# otherwise it won't work properly.
- id: oidc-tester-app-public
secret: foobar
authorization_policy: one_factor
- id: 'oidc-tester-app-public'
secret: 'foobar'
authorization_policy: 'one_factor'
redirect_uris:
- https://oidc-public.example.com:8080/oauth2/callback
...

4
internal/suites/OIDC/docker-compose.yml
View File

@ -3,8 +3,8 @@ version: '3'
services:
authelia-backend:
environment:
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.chain.pem
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: '/pki/public.oidc.chain.pem'
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: '/pki/private.oidc.pem'
volumes:
- './OIDC/configuration.yml:/config/configuration.yml:ro'
- './OIDC/users.yml:/config/users.yml'

30
internal/suites/OIDC/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

74
internal/suites/OIDCTraefik/configuration.yml
View File

@ -2,23 +2,23 @@
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
jwt_secret: unsecure_secret
jwt_secret: 'unsecure_secret'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
@ -26,55 +26,55 @@ session:
# We use redis here to keep the users authenticated when Authelia restarts
# It eases development.
redis:
host: redis
host: 'redis'
port: 6379
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
- domain: "home.example.com"
policy: bypass
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: "oidc.example.com"
policy: two_factor
- domain: "oidc-public.example.com"
policy: bypass
- domain: "traefik.example.com"
policy: bypass
- domain: 'home.example.com'
policy: 'bypass'
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
- domain: 'oidc.example.com'
policy: 'two_factor'
- domain: 'oidc-public.example.com'
policy: 'bypass'
- domain: 'traefik.example.com'
policy: 'bypass'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
identity_providers:
oidc:
enable_client_debug_messages: true
hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm
hmac_secret: 'IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm'
clients:
- id: oidc-tester-app
secret: foobar
authorization_policy: two_factor
- id: 'oidc-tester-app'
secret: 'foobar'
authorization_policy: 'two_factor'
redirect_uris:
- https://oidc.example.com:8080/oauth2/callback
# This client is used for testing purpose. As of now, the app must be protected by ACLs
# otherwise it won't work properly.
- id: oidc-tester-app-public
secret: foobar
authorization_policy: one_factor
- id: 'oidc-tester-app-public'
secret: 'foobar'
authorization_policy: 'one_factor'
redirect_uris:
- https://oidc-public.example.com:8080/oauth2/callback
...

4
internal/suites/OIDCTraefik/docker-compose.yml
View File

@ -3,8 +3,8 @@ version: '3'
services:
authelia-backend:
environment:
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.chain.pem
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: '/pki/public.oidc.chain.pem'
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: '/pki/private.oidc.pem'
volumes:
- './OIDCTraefik/configuration.yml:/config/configuration.yml:ro'
- './OIDCTraefik/users.yml:/config/users.yml'

30
internal/suites/OIDCTraefik/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

44
internal/suites/OneFactorOnly/configuration.yml
View File

@ -3,49 +3,49 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: unsecure_secret
default_redirection_url: https://home.example.com:8080/
jwt_secret: 'unsecure_secret'
default_redirection_url: 'https://home.example.com:8080/'
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
- domain: singlefactor.example.com
policy: one_factor
- domain: public.example.com
policy: bypass
- domain: home.example.com
policy: bypass
- domain: unsafe.local
policy: bypass
- domain: 'singlefactor.example.com'
policy: 'one_factor'
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'home.example.com'
policy: 'bypass'
- domain: 'unsafe.local'
policy: 'bypass'
notifier:
filesystem:
filename: /config/notifier.html
filename: '/config/notifier.html'
...

30
internal/suites/OneFactorOnly/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

44
internal/suites/PathPrefix/configuration.yml
View File

@ -3,51 +3,51 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: unsecure_secret
jwt_secret: 'unsecure_secret'
server:
address: 'tcp://:9091'
path: 'auth'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080/auth/'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
access_control:
default_policy: bypass
default_policy: 'bypass'
rules:
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
disable_require_tls: true
sender: 'admin@example.com'
disable_require_tls: 'true'
...

30
internal/suites/PathPrefix/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

48
internal/suites/Postgres/configuration.yml
View File

@ -3,34 +3,34 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: very_important_secret
default_redirection_url: https://home.example.com:8080/
jwt_secret: 'very_important_secret'
default_redirection_url: 'https://home.example.com:8080/'
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
# Configuration of the storage backend used to store data and secrets. i.e. totp data
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
postgres:
address: 'tcp://postgres:5432'
database: 'authelia'
@ -42,19 +42,19 @@ storage:
# This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp:
issuer: example.com
issuer: 'example.com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
# Configuration of the authentication regulation mechanism.
regulation:
@ -62,7 +62,7 @@ regulation:
max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 8
find_time: '8s'
# The length of time before a banned user can login again.
ban_time: 10
@ -71,6 +71,6 @@ notifier:
# Use a SMTP server for sending notifications
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
disable_require_tls: true
sender: 'admin@example.com'
disable_require_tls: 'true'
...

30
internal/suites/Postgres/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

70
internal/suites/ShortTimeouts/configuration.yml
View File

@ -3,81 +3,81 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: unsecure_secret
default_redirection_url: https://home.example.com:8080/
jwt_secret: 'unsecure_secret'
default_redirection_url: 'https://home.example.com:8080/'
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
secret: 'unsecure_session_secret'
cookies:
- name: 'authelia_sessin'
domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
inactivity: 5
expiration: 8
remember_me: 1y
expiration: '8s'
remember_me: '1y'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
totp:
issuer: example.com
issuer: 'example.com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
- domain: singlefactor.example.com
policy: one_factor
- domain: 'singlefactor.example.com'
policy: 'one_factor'
- domain: "*.example.com"
subject: "group:admins"
policy: two_factor
- domain: '*.example.com'
subject: 'group:admins'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/john/.*$"
subject: "user:john"
policy: two_factor
- '^/users/john/.*$'
subject: 'user:john'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/harry/.*$"
subject: "user:harry"
policy: two_factor
- '^/users/harry/.*$'
subject: 'user:harry'
policy: 'two_factor'
- domain: "*.mail.example.com"
subject: "user:bob"
policy: two_factor
- domain: '*.mail.example.com'
subject: 'user:bob'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/bob/.*$"
subject: "user:bob"
policy: two_factor
- '^/users/bob/.*$'
subject: 'user:bob'
policy: 'two_factor'
regulation:
max_retries: 3
find_time: 5
find_time: '5s'
ban_time: 10
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

30
internal/suites/ShortTimeouts/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

88
internal/suites/Standalone/configuration.yml
View File

@ -3,103 +3,103 @@
# Authelia minimal configuration #
###############################################################
theme: auto
theme: 'auto'
server:
address: 'tcp://:9091'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
telemetry:
metrics:
enabled: true
address: tcp://0.0.0.0:9959
address: 'tcp://:9959'
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
expiration: 3600
inactivity: 300
remember_me: 1y
expiration: '1h'
inactivity: '5m'
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /tmp/db.sqlite3
path: '/tmp/db.sqlite3'
totp:
issuer: example.com
issuer: 'example.com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
- domain: singlefactor.example.com
policy: one_factor
- domain: 'singlefactor.example.com'
policy: 'one_factor'
- domain: public.example.com
policy: bypass
- domain: 'public.example.com'
policy: 'bypass'
- domain: secure.example.com
policy: bypass
- domain: 'secure.example.com'
policy: 'bypass'
methods:
- OPTIONS
- 'OPTIONS'
- domain: secure.example.com
policy: two_factor
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: "*.example.com"
subject: "group:admins"
policy: two_factor
- domain: '*.example.com'
subject: 'group:admins'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/john/.*$"
subject: "user:john"
policy: two_factor
- '^/users/john/.*$'
subject: 'user:john'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/harry/.*$"
subject: "user:harry"
policy: two_factor
- '^/users/harry/.*$'
subject: 'user:harry'
policy: 'two_factor'
- domain: "*.mail.example.com"
subject: "user:bob"
policy: two_factor
- domain: '*.mail.example.com'
subject: 'user:bob'
policy: 'two_factor'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/bob/.*$"
subject: "user:bob"
policy: two_factor
- '^/users/bob/.*$'
subject: 'user:bob'
policy: 'two_factor'
regulation:
# Set it to 0 to disable max_retries.
max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 300
find_time: '5m'
# The length of time before a banned user can login again.
ban_time: 900
ban_time: '15m'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
ntp:
## NTP server address
address: "time.cloudflare.com:123"
address: 'time.cloudflare.com:123'
## ntp version
version: 4
## "maximum desynchronization" is the allowed offset time between the host and the ntp server

6
internal/suites/Standalone/docker-compose.yml
View File

@ -3,12 +3,12 @@ version: '3'
services:
authelia-backend:
environment:
- AUTHELIA_JWT_SECRET_FILE=/tmp/authelia/StandaloneSuite/jwt
- AUTHELIA_SESSION_SECRET_FILE=/tmp/authelia/StandaloneSuite/session
- 'AUTHELIA_JWT_SECRET_FILE=/tmp/authelia/StandaloneSuite/jwt'
- 'AUTHELIA_SESSION_SECRET_FILE=/tmp/authelia/StandaloneSuite/session'
volumes:
- './Standalone/configuration.yml:/config/configuration.yml:ro'
- './Standalone/users.yml:/config/users.yml'
- './common/pki:/pki:ro'
- '/tmp:/tmp'
user: ${USER_ID}:${GROUP_ID}
user: '${USER_ID}:${GROUP_ID}'
...

30
internal/suites/Standalone/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

42
internal/suites/Traefik/configuration.yml
View File

@ -3,51 +3,51 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: unsecure_secret
jwt_secret: 'unsecure_secret'
server:
address: 'tcp://:9091'
asset_path: '/config/assets/'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
access_control:
default_policy: bypass
default_policy: 'bypass'
rules:
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

30
internal/suites/Traefik/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

50
internal/suites/Traefik2/configuration.yml
View File

@ -3,58 +3,58 @@
# Authelia minimal configuration #
###############################################################
jwt_secret: unsecure_secret
jwt_secret: 'unsecure_secret'
server:
address: 'tcp://:9091'
asset_path: '/config/assets/'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
endpoints:
authz:
forward-auth:
implementation: ForwardAuth
implementation: 'ForwardAuth'
authn_strategies: []
log:
level: debug
level: 'debug'
authentication_backend:
file:
path: /config/users.yml
path: '/config/users.yml'
session:
secret: unsecure_session_secret
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
secret: 'unsecure_session_secret'
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
redis:
host: redis
host: 'redis'
port: 6379
username: authelia
password: redis-user-password
username: 'authelia'
password: 'redis-user-password'
storage:
encryption_key: a_not_so_secure_encryption_key
encryption_key: 'a_not_so_secure_encryption_key'
local:
path: /config/db.sqlite
path: '/config/db.sqlite'
access_control:
default_policy: bypass
default_policy: 'bypass'
rules:
- domain: "public.example.com"
policy: bypass
- domain: "admin.example.com"
policy: two_factor
- domain: "secure.example.com"
policy: two_factor
- domain: "singlefactor.example.com"
policy: one_factor
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'admin.example.com'
policy: 'two_factor'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
ntp:
version: 3
@ -62,6 +62,6 @@ ntp:
notifier:
smtp:
address: 'smtp://smtp:1025'
sender: admin@example.com
sender: 'admin@example.com'
disable_require_tls: true
...

30
internal/suites/Traefik2/users.yml
View File

@ -8,28 +8,28 @@
# List of users
users:
john:
displayname: "John Doe"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: john.doe@authelia.com
displayname: 'John Doe'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'john.doe@authelia.com'
groups:
- admins
- dev
- 'admins'
- 'dev'
harry:
displayname: "Harry Potter"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: harry.potter@authelia.com
displayname: 'Harry Potter'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'harry.potter@authelia.com'
groups: []
bob:
displayname: "Bob Dylan"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com
displayname: 'Bob Dylan'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'bob.dylan@authelia.com'
groups:
- dev
- 'dev'
james:
displayname: "James Dean"
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
email: james.dean@authelia.com
displayname: 'James Dean'
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: 'james.dean@authelia.com'
...

2
internal/suites/docker-compose.yml
View File

@ -2,7 +2,7 @@
version: '3'
networks:
authelianet:
driver: bridge
driver: 'bridge'
ipam:
config:
- subnet: 192.168.240.0/24

16
internal/suites/example/compose/authelia/docker-compose.backend.dev.yml
View File

@ -3,18 +3,18 @@ version: '3'
services:
authelia-backend:
build:
context: example/compose/authelia
dockerfile: Dockerfile.backend
context: 'example/compose/authelia'
dockerfile: 'Dockerfile.backend'
args:
USER_ID: ${USER_ID}
GROUP_ID: ${GROUP_ID}
USER_ID: '${USER_ID}'
GROUP_ID: '${GROUP_ID}'
security_opt:
- seccomp:unconfined
- apparmor:unconfined
command: /resources/entrypoint-backend.sh
working_dir: /app
command: '/resources/entrypoint-backend.sh'
working_dir: '/app'
cap_add:
- SYS_PTRACE
- 'SYS_PTRACE'
volumes:
- './example/compose/authelia/resources/:/resources'
- '../..:/app'
@ -30,7 +30,7 @@ services:
- 'traefik.http.routers.authelia_backend.tls=true'
- 'traefik.http.services.authelia_backend.loadbalancer.server.scheme=https'
environment:
- ENVIRONMENT=dev
ENVIRONMENT: 'dev'
networks:
authelianet:
ipv4_address: 192.168.240.50

6
internal/suites/example/compose/authelia/docker-compose.backend.dist.yml
View File

@ -2,7 +2,7 @@
version: '3'
services:
authelia-backend:
image: authelia:dist
image: 'authelia:dist'
labels:
# Traefik 1.x
- 'traefik.frontend.rule=Host:login.example.com'
@ -18,8 +18,8 @@ services:
volumes:
- '../..:/authelia'
environment:
- ENVIRONMENT=dev
restart: always
ENVIRONMENT: 'dev'
restart: 'always'
networks:
authelianet:
ipv4_address: 192.168.240.50

14
internal/suites/example/compose/authelia/docker-compose.frontend.dev.yml
View File

@ -3,13 +3,13 @@ version: '3'
services:
authelia-frontend:
build:
context: example/compose/authelia
dockerfile: Dockerfile.frontend
context: 'example/compose/authelia'
dockerfile: 'Dockerfile.frontend'
args:
USER_ID: ${USER_ID}
GROUP_ID: ${GROUP_ID}
USER_ID: '${USER_ID}'
GROUP_ID: '${GROUP_ID}'
command: '/resources/entrypoint-frontend.sh'
working_dir: /app
working_dir: '/app'
stdin_open: true
volumes:
- './example/compose/authelia/resources/:/resources'
@ -24,7 +24,7 @@ services:
- 'traefik.http.routers.authelia_frontend.entrypoints=https'
- 'traefik.http.routers.authelia_frontend.tls=true'
environment:
- VITE_BASEPATH=${PathPrefix}
VITE_BASEPATH: '${PathPrefix}'
networks:
- authelianet
- 'authelianet'
...

4
internal/suites/example/compose/authelia/docker-compose.frontend.dist.yml
View File

@ -2,7 +2,7 @@
version: '3'
services:
authelia-frontend:
image: nginx:alpine
image: 'nginx:alpine'
volumes:
- './example/compose/authelia/resources/nginx.conf:/etc/nginx/nginx.conf'
labels:
@ -15,7 +15,7 @@ services:
- 'traefik.http.routers.authelia_frontend.tls=true'
- 'traefik.http.services.authelia_frontend.loadbalancer.server.port=3000'
networks:
- authelianet
- 'authelianet'
expose:
- 3000
...

4
internal/suites/example/compose/caddy/docker-compose.yml
View File

@ -2,8 +2,8 @@
version: '3'
services:
caddy:
# build: ./example/compose/caddy/ # used for debugging
image: caddy:2.6.4-alpine
# build: './example/compose/caddy/ # used for debugging'
image: 'caddy:2.6.4-alpine'
volumes:
- ./example/compose/caddy/Caddyfile:/etc/caddy/Caddyfile
networks:

4
internal/suites/example/compose/duo-api/docker-compose.yml
View File

@ -2,9 +2,9 @@
version: '3'
services:
duo-api:
image: authelia/integration-duo
image: 'authelia/integration-duo'
volumes:
- ./example/compose/duo-api/duo_api.js:/usr/app/src/duo_api.js
networks:
- authelianet
- 'authelianet'
...

2
internal/suites/example/compose/envoy/docker-compose.yml
View File

@ -2,7 +2,7 @@
version: '3'
services:
envoy:
image: envoyproxy/envoy:v1.26.1
image: 'envoyproxy/envoy:v1.26.1'
volumes:
- ./example/compose/envoy/envoy.yaml:/etc/envoy/envoy.yaml
- ./common/pki:/pki

2
internal/suites/example/compose/haproxy/docker-compose.yml
View File

@ -2,7 +2,7 @@
version: '3'
services:
haproxy:
image: authelia/integration-haproxy
image: 'authelia/integration-haproxy'
volumes:
- ./example/compose/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
- ./example/compose/haproxy/http.lua:/usr/local/etc/haproxy/haproxy-lua-http/http.lua

4
internal/suites/example/compose/httpbin/docker-compose.yml
View File

@ -2,9 +2,9 @@
version: '3'
services:
httpbin:
image: citizenstig/httpbin
image: 'citizenstig/httpbin'
networks:
- authelianet
- 'authelianet'
labels:
# Traefik 1.x
- 'traefik.frontend.rule=Host:public.example.com;Path:/headers'

20
internal/suites/example/compose/k3d/docker-compose.yml
View File

@ -2,25 +2,25 @@
version: '3'
services:
k3d:
image: ghcr.io/k3d-io/k3d:5.4.9-dind
image: 'ghcr.io/k3d-io/k3d:5.4.9-dind'
volumes:
- './example/kube:/authelia'
- './example/kube/authelia/configs/configuration.yml:/configmaps/authelia/configuration.yml'
- './common/pki:/configmaps/authelia/ssl'
- './example/compose/ldap/ldif:/configmaps/ldap'
- './example/compose/nginx/backend:/configmaps/nginx-backend'
privileged: true
privileged: 'true'
networks:
authelianet:
aliases:
- public.example.com
- secure.example.com
- login.example.com
- admin.example.com
- dev.example.com
- mail.example.com
- kubernetes.example.com
- traefik.example.com
- 'public.example.com'
- 'secure.example.com'
- 'login.example.com'
- 'admin.example.com'
- 'dev.example.com'
- 'mail.example.com'
- 'kubernetes.example.com'
- 'traefik.example.com'
# Set the IP to be able to query on port 443
ipv4_address: 192.168.240.100
...

8
internal/suites/example/compose/ldap/docker-compose.admin.yml
View File

@ -2,12 +2,12 @@
version: '3'
services:
openldap-admin:
image: osixia/phpldapadmin:0.9.0
image: 'osixia/phpldapadmin:0.9.0'
ports:
- 9090:80
environment:
- PHPLDAPADMIN_LDAP_HOSTS=openldap
- PHPLDAPADMIN_HTTPS=false
PHPLDAPADMIN_LDAP_HOSTS: 'openldap'
PHPLDAPADMIN_HTTPS: 'false'
networks:
- authelianet
- 'authelianet'
...

22
internal/suites/example/compose/ldap/docker-compose.yml
View File

@ -2,17 +2,17 @@
version: '3'
services:
openldap:
image: osixia/openldap:1.5.0
hostname: ldap.example.com
image: 'osixia/openldap:1.5.0'
hostname: 'ldap.example.com'
environment:
- LDAP_ORGANISATION=MyCompany
- LDAP_DOMAIN=example.com
- LDAP_ADMIN_PASSWORD=password
- LDAP_CONFIG_PASSWORD=password
- LDAP_ADDITIONAL_MODULES=memberof
- LDAP_ADDITIONAL_SCHEMAS=openldap
- LDAP_FORCE_RECONFIGURE=true
- LDAP_TLS_VERIFY_CLIENT=try
LDAP_ORGANISATION: 'MyCompany'
LDAP_DOMAIN: 'example.com'
LDAP_ADMIN_PASSWORD: 'password'
LDAP_CONFIG_PASSWORD: 'password'
LDAP_ADDITIONAL_MODULES: 'memberof'
LDAP_ADDITIONAL_SCHEMAS: 'openldap'
LDAP_FORCE_RECONFIGURE: 'true'
LDAP_TLS_VERIFY_CLIENT: 'try'
volumes:
- './example/compose/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom'
command:
@ -20,5 +20,5 @@ services:
- '--loglevel'
- 'debug'
networks:
- authelianet
- 'authelianet'
...

12
internal/suites/example/compose/mariadb/docker-compose.yml
View File

@ -2,12 +2,12 @@
version: '3'
services:
mariadb:
image: mariadb:10.11.2
image: 'mariadb:10.11.2'
environment:
- MYSQL_ROOT_PASSWORD=rootpassword
- MYSQL_USER=admin
- MYSQL_PASSWORD=password
- MYSQL_DATABASE=authelia
MYSQL_ROOT_PASSWORD: 'rootpassword'
MYSQL_USER: 'admin'
MYSQL_PASSWORD: 'password'
MYSQL_DATABASE: 'authelia'
networks:
- authelianet
- 'authelianet'
...

12
internal/suites/example/compose/mysql/docker-compose.yml
View File

@ -2,12 +2,12 @@
version: '3'
services:
mysql:
image: mysql:8.0
image: 'mysql:8.0'
environment:
- MYSQL_ROOT_PASSWORD=rootpassword
- MYSQL_USER=admin
- MYSQL_PASSWORD=password
- MYSQL_DATABASE=authelia
MYSQL_ROOT_PASSWORD: 'rootpassword'
MYSQL_USER: 'admin'
MYSQL_PASSWORD: 'password'
MYSQL_DATABASE: 'authelia'
networks:
- authelianet
- 'authelianet'
...

4
internal/suites/example/compose/nginx/backend/docker-compose.yml
View File

@ -2,7 +2,7 @@
version: '3'
services:
nginx-backend:
image: nginx:alpine
image: 'nginx:alpine'
labels:
# Traefik 1.x
- 'traefik.frontend.rule=Host:home.example.com,public.example.com,secure.example.com,admin.example.com,singlefactor.example.com' # yamllint disable-line rule:line-length
@ -20,5 +20,5 @@ services:
- ./example/compose/nginx/backend/html:/usr/share/nginx/html
- ./example/compose/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
networks:
- authelianet
- 'authelianet'
...

10
internal/suites/example/compose/nginx/portal/docker-compose.yml
View File

@ -2,17 +2,17 @@
version: '3'
services:
nginx-portal:
image: nginx:alpine
image: 'nginx:alpine'
volumes:
- ./example/compose/nginx/portal/nginx.conf:/etc/nginx/nginx.conf
- ./common/pki:/pki
networks:
authelianet:
aliases:
- public.example.com
- secure.example.com
- login.example.com
- duo.example.com
- 'public.example.com'
- 'secure.example.com'
- 'login.example.com'
- 'duo.example.com'
# Set the IP to be able to query on port 443
ipv4_address: 192.168.240.100
...

8
internal/suites/example/compose/oidc-client/docker-compose.yml
View File

@ -2,10 +2,10 @@
version: '3'
services:
oidc-client:
image: ghcr.io/authelia/oidc-tester-app:master-aeac7f4
command: /entrypoint.sh
image: 'ghcr.io/authelia/oidc-tester-app:master-aeac7f4'
command: '/entrypoint.sh'
depends_on:
- authelia-backend
- 'authelia-backend'
volumes:
- ./example/compose/oidc-client/entrypoint.sh:/entrypoint.sh
expose:
@ -17,5 +17,5 @@ services:
- 'traefik.http.routers.oidc.tls=true'
- 'traefik.http.routers.oidc.middlewares=authelia@docker'
networks:
- authelianet
- 'authelianet'
...

12
internal/suites/example/compose/postgres/docker-compose.yml
View File

@ -1,12 +1,12 @@
---
version: "3"
version: '3'
services:
postgres:
image: postgres:15
image: 'postgres:15'
environment:
- POSTGRES_PASSWORD=password
- POSTGRES_USER=admin
- POSTGRES_DB=authelia
POSTGRES_PASSWORD: 'password'
POSTGRES_USER: 'admin'
POSTGRES_DB: 'authelia'
networks:
- authelianet
- 'authelianet'
...

64
internal/suites/example/compose/redis-sentinel/docker-compose.yml
View File

@ -2,10 +2,10 @@
version: '3'
services:
redis-node-0:
image: redis:7.0-alpine
command: /entrypoint.sh master
image: 'redis:7.0-alpine'
command: '/entrypoint.sh master'
expose:
- "6379"
- '6379'
volumes:
- ./example/compose/redis/templates:/templates
- ./example/compose/redis/users.acl:/data/users.acl
@ -13,15 +13,15 @@ services:
networks:
authelianet:
aliases:
- redis-node-0.example.com
- 'redis-node-0.example.com'
ipv4_address: 192.168.240.110
redis-node-1:
image: redis:7.0-alpine
command: /entrypoint.sh slave
image: 'redis:7.0-alpine'
command: '/entrypoint.sh slave'
depends_on:
- redis-node-0
- 'redis-node-0'
expose:
- "6379"
- '6379'
volumes:
- ./example/compose/redis/templates:/templates
- ./example/compose/redis/users.acl:/data/users.acl
@ -29,15 +29,15 @@ services:
networks:
authelianet:
aliases:
- redis-node-1.example.com
- 'redis-node-1.example.com'
ipv4_address: 192.168.240.111
redis-node-2:
image: redis:7.0-alpine
command: /entrypoint.sh slave
image: 'redis:7.0-alpine'
command: '/entrypoint.sh slave'
depends_on:
- redis-node-0
- 'redis-node-0'
expose:
- "6379"
- '6379'
volumes:
- ./example/compose/redis/templates:/templates
- ./example/compose/redis/users.acl:/data/users.acl
@ -45,54 +45,54 @@ services:
networks:
authelianet:
aliases:
- redis-node-2.example.com
- 'redis-node-2.example.com'
ipv4_address: 192.168.240.112
redis-sentinel-0:
image: redis:7.0-alpine
command: /entrypoint.sh sentinel
image: 'redis:7.0-alpine'
command: '/entrypoint.sh sentinel'
depends_on:
- redis-node-1
- redis-node-2
- 'redis-node-1'
- 'redis-node-2'
expose:
- "26379"
- '26379'
volumes:
- ./example/compose/redis/templates:/templates
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
networks:
authelianet:
aliases:
- redis-sentinel-0.example.com
- 'redis-sentinel-0.example.com'
ipv4_address: 192.168.240.120
redis-sentinel-1:
image: redis:7.0-alpine
command: /entrypoint.sh sentinel
image: 'redis:7.0-alpine'
command: '/entrypoint.sh sentinel'
depends_on:
- redis-node-1
- redis-node-2
- 'redis-node-1'
- 'redis-node-2'
expose:
- "26379"
- '26379'
volumes:
- ./example/compose/redis/templates:/templates
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
networks:
authelianet:
aliases:
- redis-sentinel-1.example.com
- 'redis-sentinel-1.example.com'
ipv4_address: 192.168.240.121
redis-sentinel-2:
image: redis:7.0-alpine
command: /entrypoint.sh sentinel
image: 'redis:7.0-alpine'
command: '/entrypoint.sh sentinel'
depends_on:
- redis-node-1
- redis-node-2
- 'redis-node-1'
- 'redis-node-2'
expose:
- "26379"
- '26379'
volumes:
- ./example/compose/redis/templates:/templates
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
networks:
authelianet:
aliases:
- redis-sentinel-2.example.com
- 'redis-sentinel-2.example.com'
ipv4_address: 192.168.240.122
...

8
internal/suites/example/compose/redis/docker-compose.yml
View File

@ -2,14 +2,14 @@
version: '3'
services:
redis:
image: redis:7.0-alpine
command: /entrypoint.sh master
image: 'redis:7.0-alpine'
command: '/entrypoint.sh master'
expose:
- "6379"
- '6379'
volumes:
- ./example/compose/redis/templates:/templates
- ./example/compose/redis/users.acl:/data/users.acl
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
networks:
- authelianet
- 'authelianet'
...

14
internal/suites/example/compose/samba/docker-compose.yml
View File

@ -2,16 +2,16 @@
version: '3'
services:
sambaldap:
image: authelia/integration-samba
image: 'authelia/integration-samba'
volumes:
- ./example/compose/samba/init.sh:/init.sh
cap_add:
- SYS_ADMIN
hostname: ldap.example.com
- 'SYS_ADMIN'
hostname: 'ldap.example.com'
environment:
- DOMAIN=example.com
- DOMAINPASS=Password1
- NOCOMPLEXITY=true
DOMAIN: 'example.com'
DOMAINPASS: 'Password1'
NOCOMPLEXITY: 'true'
networks:
- authelianet
- 'authelianet'
...

4
internal/suites/example/compose/smtp/docker-compose.yml
View File

@ -2,7 +2,7 @@
version: '3'
services:
smtp:
image: schickling/mailcatcher
image: 'schickling/mailcatcher'
ports:
- '1025:1025'
labels:
@ -14,5 +14,5 @@ services:
- 'traefik.http.routers.mail.tls=true'
- 'traefik.http.services.mail.loadbalancer.server.port=1080'
networks:
- authelianet
- 'authelianet'
...

4
internal/suites/example/compose/squid/docker-compose.yml
View File

@ -3,7 +3,7 @@ version: '3'
services:
# Simulates client 1.
client-1:
image: sameersbn/squid:3.5.27-1
image: 'sameersbn/squid:3.5.27-1'
volumes:
- ./example/compose/squid/squid.conf:/etc/squid/squid.conf
networks:
@ -11,7 +11,7 @@ services:
# Set the IP to be able to query on port 443
ipv4_address: 192.168.240.201
client-2:
image: sameersbn/squid:3.5.27-1
image: 'sameersbn/squid:3.5.27-1'
volumes:
- ./example/compose/squid/squid.conf:/etc/squid/squid.conf
networks:

2
internal/suites/example/compose/traefik/docker-compose.yml
View File

@ -2,7 +2,7 @@
version: '3'
services:
traefik:
image: traefik:v1.7.34-alpine
image: 'traefik:v1.7.34-alpine'
volumes:
- '/var/run/docker.sock:/var/run/docker.sock'
labels:

8
internal/suites/example/compose/traefik2/docker-compose.yml
View File

@ -2,7 +2,7 @@
version: '3'
services:
traefik:
image: traefik:v2.10.1
image: 'traefik:v2.10.1'
volumes:
- '/var/run/docker.sock:/var/run/docker.sock'
labels:
@ -29,9 +29,9 @@ services:
networks:
authelianet:
aliases:
- public.example.com
- secure.example.com
- login.example.com
- 'public.example.com'
- 'secure.example.com'
- 'login.example.com'
# Set the IP to be able to query on port 8080
ipv4_address: 192.168.240.100
...

124
internal/suites/example/kube/apps/nginx.yml
View File

@ -1,138 +1,138 @@
---
apiVersion: apps/v1
kind: Deployment
apiVersion: 'apps/v1'
kind: 'Deployment'
metadata:
name: nginx-backend
namespace: authelia
name: 'nginx-backend'
namespace: 'authelia'
labels:
app: nginx-backend
app: 'nginx-backend'
spec:
replicas: 1
selector:
matchLabels:
app: nginx-backend
app: 'nginx-backend'
template:
metadata:
labels:
app: nginx-backend
app: 'nginx-backend'
spec:
containers:
- name: nginx-backend
image: nginx:alpine
- name: 'nginx-backend'
image: 'nginx:alpine'
ports:
- containerPort: 80
volumeMounts:
- name: nginx-config
mountPath: /etc/nginx/nginx.conf
- name: nginx-html
mountPath: /usr/share/nginx/html
- name: 'nginx-config'
mountPath: '/etc/nginx/nginx.conf'
- name: 'nginx-html'
mountPath: '/usr/share/nginx/html'
volumes:
- name: nginx-config
- name: 'nginx-config'
hostPath:
path: /configmaps/nginx-backend/nginx.conf
type: File
- name: nginx-html
path: '/configmaps/nginx-backend/nginx.conf'
type: 'File'
- name: 'nginx-html'
hostPath:
path: /configmaps/nginx-backend/html
type: Directory
path: '/configmaps/nginx-backend/html'
type: 'Directory'
...
---
apiVersion: v1
kind: Service
apiVersion: 'v1'
kind: 'Service'
metadata:
name: nginx-backend-service
namespace: authelia
name: 'nginx-backend-service'
namespace: 'authelia'
labels:
app: nginx-backend
app: 'nginx-backend'
spec:
selector:
app: nginx-backend
app: 'nginx-backend'
ports:
- port: 80
name: http
name: 'http'
- port: 443
name: https
name: 'https'
...
---
apiVersion: networking.k8s.io/v1
kind: Ingress
apiVersion: 'networking.k8s.io/v1'
kind: 'Ingress'
metadata:
name: nginx-backend-ingress
namespace: authelia
name: 'nginx-backend-ingress'
namespace: 'authelia'
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.middlewares: authelia-forwardauth-authelia@kubernetescrd
kubernetes.io/ingress.class: 'traefik'
traefik.ingress.kubernetes.io/router.entrypoints: 'websecure'
traefik.ingress.kubernetes.io/router.middlewares: 'authelia-forwardauth-authelia@kubernetescrd'
spec:
rules:
- host: home.example.com
- host: 'home.example.com'
http:
paths:
- path: /
pathType: Prefix
- path: '/'
pathType: 'Prefix'
backend:
service:
name: nginx-backend-service
name: 'nginx-backend-service'
port:
number: 80
- host: public.example.com
- host: 'public.example.com'
http:
paths:
- path: /
pathType: Prefix
- path: '/'
pathType: 'Prefix'
backend:
service:
name: nginx-backend-service
name: 'nginx-backend-service'
port:
number: 80
- host: admin.example.com
- host: 'admin.example.com'
http:
paths:
- path: /
pathType: Prefix
- path: '/'
pathType: 'Prefix'
backend:
service:
name: nginx-backend-service
name: 'nginx-backend-service'
port:
number: 80
- host: dev.example.com
- host: 'dev.example.com'
http:
paths:
- path: /
pathType: Prefix
- path: '/'
pathType: 'Prefix'
backend:
service:
name: nginx-backend-service
name: 'nginx-backend-service'
port:
number: 80
- host: mx1.mail.example.com
- host: 'mx1.mail.example.com'
http:
paths:
- path: /
pathType: Prefix
- path: '/'
pathType: 'Prefix'
backend:
service:
name: nginx-backend-service
name: 'nginx-backend-service'
port:
number: 80
- host: mx2.mail.example.com
- host: 'mx2.mail.example.com'
http:
paths:
- path: /
pathType: Prefix
- path: '/'
pathType: 'Prefix'
backend:
service:
name: nginx-backend-service
name: 'nginx-backend-service'
port:
number: 80
- host: singlefactor.example.com
- host: 'singlefactor.example.com'
http:
paths:
- path: /
pathType: Prefix
- path: '/'
pathType: 'Prefix'
backend:
service:
name: nginx-backend-service
name: 'nginx-backend-service'
port:
number: 80
...

162
internal/suites/example/kube/authelia/authelia.yml
View File

@ -1,145 +1,145 @@
---
apiVersion: apps/v1
kind: Deployment
apiVersion: 'apps/v1'
kind: 'Deployment'
metadata:
name: authelia
namespace: authelia
name: 'authelia'
namespace: 'authelia'
labels:
app: authelia
app: 'authelia'
spec:
replicas: 1
selector:
matchLabels:
app: authelia
app: 'authelia'
template:
metadata:
labels:
app: authelia
app: 'authelia'
spec:
containers:
- name: authelia
image: authelia:dist
- name: 'authelia'
image: 'authelia:dist'
ports:
- containerPort: 443
readinessProbe:
httpGet:
scheme: HTTPS
path: /api/health
scheme: 'HTTPS'
path: '/api/health'
port: 443
initialDelaySeconds: 3
periodSeconds: 3
volumeMounts:
- name: authelia-config
mountPath: /config/configuration.yml
- name: 'authelia-config'
mountPath: '/config/configuration.yml'
readOnly: true
- name: authelia-ssl
mountPath: /pki
- name: 'authelia-ssl'
mountPath: '/pki'
readOnly: true
- name: secrets
mountPath: /config/secrets
- name: 'secrets'
mountPath: '/config/secrets'
readOnly: true
env:
# We set secrets directly here for ease of deployment but all secrets
# should be stored in the Kube Vault in production.
- name: AUTHELIA_JWT_SECRET_FILE
value: /config/secrets/jwt_secret
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
value: /config/secrets/ldap_password
- name: AUTHELIA_SESSION_SECRET_FILE
value: /config/secrets/session
- name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
value: /config/secrets/sql_password
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
value: /config/secrets/encryption_key
- name: ENVIRONMENT
value: dev
- name: 'AUTHELIA_JWT_SECRET_FILE'
value: '/config/secrets/jwt_secret'
- name: 'AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE'
value: '/config/secrets/ldap_password'
- name: 'AUTHELIA_SESSION_SECRET_FILE'
value: '/config/secrets/session'
- name: 'AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE'
value: '/config/secrets/sql_password'
- name: 'AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE'
value: '/config/secrets/encryption_key'
- name: 'ENVIRONMENT'
value: 'dev'
volumes:
- name: authelia-config
- name: 'authelia-config'
hostPath:
path: /configmaps/authelia/configuration.yml
type: File
- name: authelia-ssl
path: '/configmaps/authelia/configuration.yml'
type: 'File'
- name: 'authelia-ssl'
hostPath:
path: /configmaps/authelia/ssl
type: Directory
- name: secrets
path: '/configmaps/authelia/ssl'
type: 'Directory'
- name: 'secrets'
secret:
secretName: authelia
secretName: 'authelia'
items:
- key: jwt_secret
path: jwt_secret
- key: session
path: session
- key: sql_password
path: sql_password
- key: ldap_password
path: ldap_password
- key: encryption_key
path: encryption_key
- key: 'jwt_secret'
path: 'jwt_secret'
- key: 'session'
path: 'session'
- key: 'sql_password'
path: 'sql_password'
- key: 'ldap_password'
path: 'ldap_password'
- key: 'encryption_key'
path: 'encryption_key'
...
---
apiVersion: v1
kind: Service
apiVersion: 'v1'
kind: 'Service'
metadata:
name: authelia-service
namespace: authelia
name: 'authelia-service'
namespace: 'authelia'
annotations:
traefik.ingress.kubernetes.io/service.serverstransport: authelia-skipverify@kubernetescrd
traefik.ingress.kubernetes.io/service.serverstransport: 'authelia-skipverify@kubernetescrd'
spec:
selector:
app: authelia
app: 'authelia'
ports:
- protocol: TCP
- protocol: 'TCP'
port: 443
targetPort: 443
...
---
apiVersion: v1
kind: Secret
type: Opaque
apiVersion: 'v1'
kind: 'Secret'
type: 'Opaque'
metadata:
name: authelia
namespace: authelia
name: 'authelia'
namespace: 'authelia'
labels:
app: authelia
app: 'authelia'
data:
jwt_secret: YW5fdW5zZWN1cmVfc2VjcmV0 # an_unsecure_secret
ldap_password: cGFzc3dvcmQ= # password
session: dW5zZWN1cmVfcGFzc3dvcmQ= # unsecure_password
sql_password: cGFzc3dvcmQ= # password
encryption_key: YV9ub3Rfc29fc2VjdXJlX2VuY3J5cHRpb25fa2V5
jwt_secret: 'YW5fdW5zZWN1cmVfc2VjcmV0' # an_unsecure_secret
ldap_password: 'cGFzc3dvcmQ=' # password
session: 'dW5zZWN1cmVfcGFzc3dvcmQ=' # unsecure_password
sql_password: 'cGFzc3dvcmQ=' # password
encryption_key: 'YV9ub3Rfc29fc2VjdXJlX2VuY3J5cHRpb25fa2V5'
...
---
apiVersion: networking.k8s.io/v1
kind: Ingress
apiVersion: 'networking.k8s.io/v1'
kind: 'Ingress'
metadata:
name: authelia-ingress
namespace: authelia
name: 'authelia-ingress'
namespace: 'authelia'
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
kubernetes.io/ingress.class: 'traefik'
traefik.ingress.kubernetes.io/router.entrypoints: 'websecure'
spec:
rules:
- host: login.example.com
- host: 'login.example.com'
http:
paths:
- path: /
pathType: Prefix
- path: '/'
pathType: 'Prefix'
backend:
service:
name: authelia-service
name: 'authelia-service'
port:
number: 443
...
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
apiVersion: 'traefik.containo.us/v1alpha1'
kind: 'Middleware'
metadata:
name: forwardauth-authelia
namespace: authelia
name: 'forwardauth-authelia'
namespace: 'authelia'
labels:
app.kubernetes.io/instance: authelia
app.kubernetes.io/name: authelia
app.kubernetes.io/instance: 'authelia'
app.kubernetes.io/name: 'authelia'
spec:
forwardAuth:
address: 'https://authelia-service.authelia.svc.cluster.local/api/authz/forward-auth'

112
internal/suites/example/kube/authelia/configs/configuration.yml
View File

@ -3,108 +3,108 @@
# Authelia configuration #
###############################################################
default_redirection_url: https://home.example.com:8080
default_redirection_url: 'https://home.example.com:8080'
server:
address: 'tcp://:443'
tls:
certificate: /pki/public.backend.crt
key: /pki/private.backend.pem
certificate: '/pki/public.backend.crt'
key: '/pki/private.backend.pem'
log:
level: debug
level: 'debug'
authentication_backend:
ldap:
address: 'ldaps://ldap-service'
tls:
skip_verify: true
base_dn: dc=example,dc=com
username_attribute: uid
additional_users_dn: ou=users
users_filter: (&({username_attribute}={input})(objectClass=person))
additional_groups_dn: ou=groups
groups_filter: (&(member={dn})(objectClass=groupOfNames))
group_name_attribute: cn
mail_attribute: mail
display_name_attribute: displayName
user: cn=admin,dc=example,dc=com
base_dn: 'dc=example,dc=com'
username_attribute: 'uid'
additional_users_dn: 'ou=users'
users_filter: '(&({username_attribute}={input})(objectClass=person))'
additional_groups_dn: 'ou=groups'
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_name_attribute: 'cn'
mail_attribute: 'mail'
display_name_attribute: 'displayName'
user: 'cn=admin,dc=example,dc=com'
access_control:
default_policy: deny
default_policy: 'deny'
rules:
# Rules applied to everyone
- domain: home.example.com
policy: bypass
- domain: public.example.com
policy: bypass
- domain: secure.example.com
policy: two_factor
- domain: singlefactor.example.com
policy: one_factor
- domain: 'home.example.com'
policy: 'bypass'
- domain: 'public.example.com'
policy: 'bypass'
- domain: 'secure.example.com'
policy: 'two_factor'
- domain: 'singlefactor.example.com'
policy: 'one_factor'
# Rules applied to 'admins' group
- domain: "mx2.mail.example.com"
subject: "group:admins"
policy: deny
- domain: "*.example.com"
subject: "group:admins"
policy: two_factor
- domain: 'mx2.mail.example.com'
subject: 'group:admins'
policy: 'deny'
- domain: '*.example.com'
subject: 'group:admins'
policy: 'two_factor'
# Rules applied to 'dev' group
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/groups/dev/.*$"
subject: "group:dev"
policy: two_factor
- '^/groups/dev/.*$'
subject: 'group:dev'
policy: 'two_factor'
# Rules applied to user 'john'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/john/.*$"
subject: "user:john"
policy: two_factor
- '^/users/john/.*$'
subject: 'user:john'
policy: 'two_factor'
# Rules applied to user 'harry'
- domain: dev.example.com
- domain: 'dev.example.com'
resources:
- "^/users/harry/.*$"
subject: "user:harry"
policy: two_factor
- '^/users/harry/.*$'
subject: 'user:harry'
policy: 'two_factor'
# Rules applied to user 'bob'
- domain: "*.mail.example.com"
subject: "user:bob"
policy: two_factor
- domain: "dev.example.com"
- domain: '*.mail.example.com'
subject: 'user:bob'
policy: 'two_factor'
- domain: 'dev.example.com'
resources:
- "^/users/bob/.*$"
subject: "user:bob"
policy: two_factor
- '^/users/bob/.*$'
subject: 'user:bob'
policy: 'two_factor'
session:
expiration: 3600 # 1 hour
inactivity: 300 # 5 minutes
remember_me: 1y
expiration: '1h' # 1 hour
inactivity: '5m' # 5 minutes
remember_me: '1y'
cookies:
- domain: 'example.com'
authelia_url: 'https://login.example.com:8080'
redis:
host: redis-service
host: 'redis-service'
port: 6379
regulation:
max_retries: 3
find_time: 120
ban_time: 300
find_time: '2m'
ban_time: '5m'
storage:
mysql:
address: 'tcp://mariadb-service:3306'
database: authelia
username: admin
database: 'authelia'
username: 'admin'
notifier:
smtp:

336
internal/suites/example/kube/dashboards.yml
View File

@ -1,194 +1,194 @@
# Kubernetes Dashboard
---
apiVersion: v1
kind: Namespace
apiVersion: 'v1'
kind: 'Namespace'
metadata:
name: kubernetes-dashboard
name: 'kubernetes-dashboard'
...
---
apiVersion: v1
kind: ServiceAccount
apiVersion: 'v1'
kind: 'ServiceAccount'
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
k8s-app: 'kubernetes-dashboard'
name: 'kubernetes-dashboard'
namespace: 'kubernetes-dashboard'
...
---
kind: Service
apiVersion: v1
kind: 'Service'
apiVersion: 'v1'
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
k8s-app: 'kubernetes-dashboard'
name: 'kubernetes-dashboard'
namespace: 'kubernetes-dashboard'
spec:
ports:
- port: 443
targetPort: 8443
selector:
k8s-app: kubernetes-dashboard
k8s-app: 'kubernetes-dashboard'
...
---
apiVersion: v1
kind: Secret
apiVersion: 'v1'
kind: 'Secret'
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-certs
namespace: kubernetes-dashboard
type: Opaque
k8s-app: 'kubernetes-dashboard'
name: 'kubernetes-dashboard-certs'
namespace: 'kubernetes-dashboard'
type: 'Opaque'
...
---
apiVersion: v1
kind: Secret
apiVersion: 'v1'
kind: 'Secret'
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-csrf
namespace: kubernetes-dashboard
type: Opaque
k8s-app: 'kubernetes-dashboard'
name: 'kubernetes-dashboard-csrf'
namespace: 'kubernetes-dashboard'
type: 'Opaque'
data:
csrf: ""
csrf: ''
...
---
apiVersion: v1
kind: Secret
apiVersion: 'v1'
kind: 'Secret'
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-key-holder
namespace: kubernetes-dashboard
type: Opaque
k8s-app: 'kubernetes-dashboard'
name: 'kubernetes-dashboard-key-holder'
namespace: 'kubernetes-dashboard'
type: 'Opaque'
...
---
kind: ConfigMap
apiVersion: v1
kind: 'ConfigMap'
apiVersion: 'v1'
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard-settings
namespace: kubernetes-dashboard
k8s-app: 'kubernetes-dashboard'
name: 'kubernetes-dashboard-settings'
namespace: 'kubernetes-dashboard'
...
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
kind: 'Role'
apiVersion: 'rbac.authorization.k8s.io/v1'
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
k8s-app: 'kubernetes-dashboard'
name: 'kubernetes-dashboard'
namespace: 'kubernetes-dashboard'
rules:
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""]
resources: ["secrets"]
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
verbs: ["get", "update", "delete"]
resources: ['secrets']
resourceNames: ['kubernetes-dashboard-key-holder', 'kubernetes-dashboard-certs', 'kubernetes-dashboard-csrf']
verbs: ['get', 'update', 'delete']
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""]
resources: ["configmaps"]
resourceNames: ["kubernetes-dashboard-settings"]
verbs: ["get", "update"]
resources: ['configmaps']
resourceNames: ['kubernetes-dashboard-settings']
verbs: ['get', 'update']
# Allow Dashboard to get metrics.
- apiGroups: [""]
resources: ["services"]
resourceNames: ["heapster", "dashboard-metrics-scraper"]
verbs: ["proxy"]
resources: ['services']
resourceNames: ['heapster', 'dashboard-metrics-scraper']
verbs: ['proxy']
- apiGroups: [""]
resources: ["services/proxy"]
resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] # yamllint disable-line rule:line-length
verbs: ["get"]
resources: ['services/proxy']
resourceNames: ['heapster', 'http:heapster:', 'https:heapster:', 'dashboard-metrics-scraper', 'http:dashboard-metrics-scraper'] # yamllint disable-line rule:line-length
verbs: ['get']
...
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: 'ClusterRole'
apiVersion: 'rbac.authorization.k8s.io/v1'
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
k8s-app: 'kubernetes-dashboard'
name: 'kubernetes-dashboard'
rules:
# Allow Metrics Scraper to get metrics from the Metrics server
- apiGroups: ["metrics.k8s.io"]
resources: ["pods", "nodes"]
verbs: ["get", "list", "watch"]
- apiGroups: ['metrics.k8s.io']
resources: ['pods', 'nodes']
verbs: ['get', 'list', 'watch']
...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'RoleBinding'
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
k8s-app: 'kubernetes-dashboard'
name: 'kubernetes-dashboard'
namespace: 'kubernetes-dashboard'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: kubernetes-dashboard
apiGroup: 'rbac.authorization.k8s.io'
kind: 'Role'
name: 'kubernetes-dashboard'
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
- kind: 'ServiceAccount'
name: 'kubernetes-dashboard'
namespace: 'kubernetes-dashboard'
...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'ClusterRoleBinding'
metadata:
name: kubernetes-dashboard
name: 'kubernetes-dashboard'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: kubernetes-dashboard
apiGroup: 'rbac.authorization.k8s.io'
kind: 'ClusterRole'
name: 'kubernetes-dashboard'
subjects:
- kind: ServiceAccount
name: kubernetes-dashboard
namespace: kubernetes-dashboard
- kind: 'ServiceAccount'
name: 'kubernetes-dashboard'
namespace: 'kubernetes-dashboard'
...
---
kind: Deployment
apiVersion: apps/v1
kind: 'Deployment'
apiVersion: 'apps/v1'
metadata:
labels:
k8s-app: kubernetes-dashboard
name: kubernetes-dashboard
namespace: kubernetes-dashboard
k8s-app: 'kubernetes-dashboard'
name: 'kubernetes-dashboard'
namespace: 'kubernetes-dashboard'
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: kubernetes-dashboard
k8s-app: 'kubernetes-dashboard'
template:
metadata:
labels:
k8s-app: kubernetes-dashboard
k8s-app: 'kubernetes-dashboard'
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
type: 'RuntimeDefault'
containers:
- name: kubernetes-dashboard
image: kubernetesui/dashboard:v2.7.0
imagePullPolicy: Always
- name: 'kubernetes-dashboard'
image: 'kubernetesui/dashboard:v2.7.0'
imagePullPolicy: 'Always'
ports:
- containerPort: 8443
protocol: TCP
protocol: 'TCP'
args:
- --auto-generate-certificates
- --namespace=kubernetes-dashboard
- '--auto-generate-certificates'
- '--namespace=kubernetes-dashboard'
# Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port
volumeMounts:
- name: kubernetes-dashboard-certs
mountPath: /certs
- name: 'kubernetes-dashboard-certs'
mountPath: '/certs'
# Create on-disk volume to store exec logs
- mountPath: /tmp
name: tmp-volume
- mountPath: '/tmp'
name: 'tmp-volume'
livenessProbe:
httpGet:
scheme: HTTPS
path: /
scheme: 'HTTPS'
path: '/'
port: 8443
initialDelaySeconds: 30
timeoutSeconds: 30
@ -198,149 +198,149 @@ spec:
runAsUser: 1001
runAsGroup: 2001
volumes:
- name: kubernetes-dashboard-certs
- name: 'kubernetes-dashboard-certs'
secret:
secretName: kubernetes-dashboard-certs
- name: tmp-volume
secretName: 'kubernetes-dashboard-certs'
- name: 'tmp-volume'
emptyDir: {}
serviceAccountName: kubernetes-dashboard
serviceAccountName: 'kubernetes-dashboard'
nodeSelector:
"kubernetes.io/os": linux
"kubernetes.io/os": 'linux'
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
- key: 'node-role.kubernetes.io/master'
effect: 'NoSchedule'
...
---
kind: Service
apiVersion: v1
kind: 'Service'
apiVersion: 'v1'
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
k8s-app: 'dashboard-metrics-scraper'
name: 'dashboard-metrics-scraper'
namespace: 'kubernetes-dashboard'
spec:
ports:
- port: 8000
targetPort: 8000
selector:
k8s-app: dashboard-metrics-scraper
k8s-app: 'dashboard-metrics-scraper'
...
---
kind: Deployment
apiVersion: apps/v1
kind: 'Deployment'
apiVersion: 'apps/v1'
metadata:
labels:
k8s-app: dashboard-metrics-scraper
name: dashboard-metrics-scraper
namespace: kubernetes-dashboard
k8s-app: 'dashboard-metrics-scraper'
name: 'dashboard-metrics-scraper'
namespace: 'kubernetes-dashboard'
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
k8s-app: dashboard-metrics-scraper
k8s-app: 'dashboard-metrics-scraper'
template:
metadata:
labels:
k8s-app: dashboard-metrics-scraper
k8s-app: 'dashboard-metrics-scraper'
spec:
securityContext:
seccompProfile:
type: RuntimeDefault
type: 'RuntimeDefault'
containers:
- name: dashboard-metrics-scraper
image: kubernetesui/metrics-scraper:v1.0.9
- name: 'dashboard-metrics-scraper'
image: 'kubernetesui/metrics-scraper:v1.0.9'
ports:
- containerPort: 8000
protocol: TCP
protocol: 'TCP'
livenessProbe:
httpGet:
scheme: HTTP
path: /
scheme: 'HTTP'
path: '/'
port: 8000
initialDelaySeconds: 30
timeoutSeconds: 30
volumeMounts:
- mountPath: /tmp
name: tmp-volume
- mountPath: '/tmp'
name: 'tmp-volume'
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 2001
serviceAccountName: kubernetes-dashboard
serviceAccountName: 'kubernetes-dashboard'
nodeSelector:
"kubernetes.io/os": linux
"kubernetes.io/os": 'linux'
# Comment the following tolerations if Dashboard must not be deployed on master
tolerations:
- key: node-role.kubernetes.io/master
effect: NoSchedule
- key: 'node-role.kubernetes.io/master'
effect: 'NoSchedule'
volumes:
- name: tmp-volume
- name: 'tmp-volume'
emptyDir: {}
...
---
apiVersion: v1
kind: ServiceAccount
apiVersion: 'v1'
kind: 'ServiceAccount'
metadata:
name: admin-user
namespace: kubernetes-dashboard
name: 'admin-user'
namespace: 'kubernetes-dashboard'
...
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
apiVersion: 'rbac.authorization.k8s.io/v1'
kind: 'ClusterRoleBinding'
metadata:
name: admin-user
name: 'admin-user'
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cluster-admin
apiGroup: 'rbac.authorization.k8s.io'
kind: 'ClusterRole'
name: 'cluster-admin'
subjects:
- kind: ServiceAccount
name: admin-user
namespace: kubernetes-dashboard
- kind: 'ServiceAccount'
name: 'admin-user'
namespace: 'kubernetes-dashboard'
...
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRouteTCP
apiVersion: 'traefik.containo.us/v1alpha1'
kind: 'IngressRouteTCP'
metadata:
name: kubernetes-dashboard-ingress
namespace: kubernetes-dashboard
name: 'kubernetes-dashboard-ingress'
namespace: 'kubernetes-dashboard'
spec:
entryPoints:
- websecure
- 'websecure'
routes:
- match: HostSNI(`kubernetes.example.com`)
- match: 'HostSNI(`kubernetes.example.com`)'
services:
- name: kubernetes-dashboard
- name: 'kubernetes-dashboard'
port: 443
tls:
passthrough: true
...
# Traefik Dashboard
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
apiVersion: 'traefik.containo.us/v1alpha1'
kind: 'IngressRoute'
metadata:
name: traefik-dashboard-ingress
namespace: authelia
name: 'traefik-dashboard-ingress'
namespace: 'authelia'
spec:
entryPoints:
- websecure
- 'websecure'
routes:
- match: Host(`traefik.example.com`)
kind: Rule
- match: 'Host(`traefik.example.com`)'
kind: 'Rule'
services:
- name: api@internal
kind: TraefikService
- name: 'api@internal'
kind: 'TraefikService'
...
---
apiVersion: traefik.containo.us/v1alpha1
kind: ServersTransport
apiVersion: 'traefik.containo.us/v1alpha1'
kind: 'ServersTransport'
metadata:
name: skipverify
namespace: authelia
name: 'skipverify'
namespace: 'authelia'
spec:
insecureSkipVerify: true
...

74
internal/suites/example/kube/ldap/ldap.yml
View File

@ -1,64 +1,64 @@
---
apiVersion: apps/v1
kind: Deployment
apiVersion: 'apps/v1'
kind: 'Deployment'
metadata:
name: ldap
namespace: authelia
name: 'ldap'
namespace: 'authelia'
labels:
app: ldap
app: 'ldap'
spec:
replicas: 1
selector:
matchLabels:
app: ldap
app: 'ldap'
template:
metadata:
labels:
app: ldap
app: 'ldap'
spec:
containers:
- name: ldap
image: osixia/openldap:1.5.0
- name: 'ldap'
image: 'osixia/openldap:1.5.0'
ports:
- containerPort: 389
- containerPort: 636
args: ["--copy-service", "--loglevel", "debug"]
args: ['--copy-service', '--loglevel', 'debug']
env:
- name: LDAP_ORGANISATION
value: MyCompany
- name: LDAP_DOMAIN
value: example.com
- name: LDAP_ADMIN_PASSWORD
value: password
- name: LDAP_CONFIG_PASSWORD
value: password
- name: LDAP_ADDITIONAL_MODULES
value: memberof
- name: LDAP_ADDITIONAL_SCHEMAS
value: openldap
- name: LDAP_FORCE_RECONFIGURE
value: "true"
- name: LDAP_TLS_VERIFY_CLIENT
value: try
- name: 'LDAP_ORGANISATION'
value: 'MyCompany'
- name: 'LDAP_DOMAIN'
value: 'example.com'
- name: 'LDAP_ADMIN_PASSWORD'
value: 'password'
- name: 'LDAP_CONFIG_PASSWORD'
value: 'password'
- name: 'LDAP_ADDITIONAL_MODULES'
value: 'memberof'
- name: 'LDAP_ADDITIONAL_SCHEMAS'
value: 'openldap'
- name: 'LDAP_FORCE_RECONFIGURE'
value: 'true'
- name: 'LDAP_TLS_VERIFY_CLIENT'
value: 'try'
volumeMounts:
- name: ldap-config
mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
- name: 'ldap-config'
mountPath: '/container/service/slapd/assets/config/bootstrap/ldif/custom'
volumes:
- name: ldap-config
- name: 'ldap-config'
hostPath:
path: /configmaps/ldap
type: Directory
path: '/configmaps/ldap'
type: 'Directory'
...
---
apiVersion: v1
kind: Service
apiVersion: 'v1'
kind: 'Service'
metadata:
name: ldap-service
namespace: authelia
name: 'ldap-service'
namespace: 'authelia'
spec:
selector:
app: ldap
app: 'ldap'
ports:
- protocol: TCP
- protocol: 'TCP'
port: 636
...

56
internal/suites/example/kube/mail/mail.yml
View File

@ -1,64 +1,64 @@
---
apiVersion: apps/v1
kind: Deployment
apiVersion: 'apps/v1'
kind: 'Deployment'
metadata:
name: mailcatcher
namespace: authelia
name: 'mailcatcher'
namespace: 'authelia'
labels:
app: mailcatcher
app: 'mailcatcher'
spec:
replicas: 1
selector:
matchLabels:
app: mailcatcher
app: 'mailcatcher'
template:
metadata:
labels:
app: mailcatcher
app: 'mailcatcher'
spec:
containers:
- name: mailcatcher
image: schickling/mailcatcher
- name: 'mailcatcher'
image: 'schickling/mailcatcher'
ports:
- containerPort: 1025
- containerPort: 1080
...
---
apiVersion: v1
kind: Service
apiVersion: 'v1'
kind: 'Service'
metadata:
name: mailcatcher-service
namespace: authelia
name: 'mailcatcher-service'
namespace: 'authelia'
spec:
selector:
app: mailcatcher
app: 'mailcatcher'
ports:
- protocol: TCP
- protocol: 'TCP'
port: 1080
name: ui
- protocol: TCP
name: 'ui'
- protocol: 'TCP'
port: 1025
name: smtp
name: 'smtp'
...
---
apiVersion: networking.k8s.io/v1
kind: Ingress
apiVersion: 'networking.k8s.io/v1'
kind: 'Ingress'
metadata:
name: mailcatcher-ingress
namespace: authelia
name: 'mailcatcher-ingress'
namespace: 'authelia'
annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/router.entrypoints: websecure
kubernetes.io/ingress.class: 'traefik'
traefik.ingress.kubernetes.io/router.entrypoints: 'websecure'
spec:
rules:
- host: mail.example.com
- host: 'mail.example.com'
http:
paths:
- path: /
pathType: Prefix
- path: '/'
pathType: 'Prefix'
backend:
service:
name: mailcatcher-service
name: 'mailcatcher-service'
port:
number: 1080
...

6
internal/suites/example/kube/namespace.yml
View File

@ -1,6 +1,6 @@
---
apiVersion: v1
kind: Namespace
apiVersion: 'v1'
kind: 'Namespace'
metadata:
name: authelia
name: 'authelia'
...

Some files were not shown because too many files have changed in this diff Show More