master
...
refactor-y
Author | SHA1 | Date |
---|---|---|
James Elliott | 5013952bae |
|
@ -4,44 +4,44 @@
|
||||||
# secret leaks.
|
# secret leaks.
|
||||||
steps:
|
steps:
|
||||||
# Blocking pipeline for master branch deployments (concurrency_group).
|
# Blocking pipeline for master branch deployments (concurrency_group).
|
||||||
- label: ":pipeline: Setup Pipeline"
|
- label: ':pipeline: Setup Pipeline'
|
||||||
command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload"
|
command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload'
|
||||||
concurrency: 1
|
concurrency: 1
|
||||||
concurrency_group: "deployments"
|
concurrency_group: 'deployments'
|
||||||
if: build.branch == "master"
|
if: 'build.branch == "master"'
|
||||||
|
|
||||||
# Non-blocking pipeline for all others (tagged commits/local branches/PRs).
|
# Non-blocking pipeline for all others (tagged commits/local branches/PRs).
|
||||||
- label: ":pipeline: Setup Pipeline"
|
- label: ':pipeline: Setup Pipeline'
|
||||||
command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload"
|
command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload'
|
||||||
if: build.branch != "master"
|
if: 'build.branch != "master"'
|
||||||
|
|
||||||
- wait: # yamllint disable-line rule:empty-values
|
- wait: # yamllint disable-line rule:empty-values
|
||||||
if: build.pull_request.repository.fork != true && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ # yamllint disable-line rule:line-length
|
if: 'build.pull_request.repository.fork != true && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/' # yamllint disable-line rule:line-length
|
||||||
|
|
||||||
# Manual intervention by team required to deploy for forked PRs (prevent secret leakage).
|
# Manual intervention by team required to deploy for forked PRs (prevent secret leakage).
|
||||||
- block: "Public fork needs approval"
|
- block: 'Public fork needs approval'
|
||||||
if: build.pull_request.repository.fork == true
|
if: 'build.pull_request.repository.fork == true'
|
||||||
|
|
||||||
# Blocking deployment for master branch deployments (concurrency_group).
|
# Blocking deployment for master branch deployments (concurrency_group).
|
||||||
- label: ":rocket: Setup Deployment"
|
- label: ':rocket: Setup Deployment'
|
||||||
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
|
command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
|
||||||
concurrency: 1
|
concurrency: 1
|
||||||
concurrency_group: "deployments"
|
concurrency_group: 'deployments'
|
||||||
depends_on: ~
|
depends_on: '~'
|
||||||
if: build.branch == "master" && build.message !~ /^docs/
|
if: 'build.branch == "master" && build.message !~ /^docs/'
|
||||||
|
|
||||||
# Non-blocking deployment for all others (tagged commits/local branches).
|
# Non-blocking deployment for all others (tagged commits/local branches).
|
||||||
- label: ":rocket: Setup Deployment"
|
- label: ':rocket: Setup Deployment'
|
||||||
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
|
command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
|
||||||
depends_on: ~
|
depends_on: ~
|
||||||
if: build.branch != "master" && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ && build.pull_request.repository.fork != true # yamllint disable-line rule:line-length
|
if: 'build.branch != "master" && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ && build.pull_request.repository.fork != true' # yamllint disable-line rule:line-length
|
||||||
|
|
||||||
# Removed dependency optimisation for forked PRs to enforce block step.
|
# Removed dependency optimisation for forked PRs to enforce block step.
|
||||||
- label: ":rocket: Setup Deployment"
|
- label: ':rocket: Setup Deployment'
|
||||||
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload"
|
command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
|
||||||
if: build.message !~ /^docs/ && build.pull_request.repository.fork == true
|
if: 'build.message !~ /^docs/ && build.pull_request.repository.fork == true'
|
||||||
|
|
||||||
notify:
|
notify:
|
||||||
- webhook: "<REDACTED WEBHOOK_URL>"
|
- webhook: '<REDACTED WEBHOOK_URL>'
|
||||||
if: build.state == "blocked"
|
if: 'build.state == "blocked"'
|
||||||
...
|
...
|
||||||
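Review bot: `depends_on: '~'` on the first ":rocket: Setup Deployment" step is no longer a null — quoting turns the YAML null sigil into the literal string "~", which Buildkite will presumably try to resolve as a step key that does not exist, so this step's dependency behaviour changes while the sibling step a few lines below keeps `depends_on: ~` unchanged. Drop the quotes here, or spell the intent out as `depends_on: null` on both deployment steps so the two stay consistent and a later quoting pass cannot reintroduce the string. The file header for this section is outside the shown range.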
|
|
34
.codecov.yml
34
.codecov.yml
|
@ -3,42 +3,42 @@ codecov:
|
||||||
require_ci_to_pass: true
|
require_ci_to_pass: true
|
||||||
|
|
||||||
comment:
|
comment:
|
||||||
layout: "reach, diff, flags, files"
|
layout: 'reach, diff, flags, files'
|
||||||
behavior: default
|
behavior: 'default'
|
||||||
require_changes: false
|
require_changes: false
|
||||||
|
|
||||||
coverage:
|
coverage:
|
||||||
precision: 2
|
precision: 2
|
||||||
round: down
|
round: 'down'
|
||||||
range: "70...100"
|
range: '70...100'
|
||||||
status:
|
status:
|
||||||
project:
|
project:
|
||||||
default: false
|
default: false
|
||||||
backend:
|
backend:
|
||||||
base: auto
|
base: 'auto'
|
||||||
threshold: 0.15%
|
threshold: '0.15%'
|
||||||
flags:
|
flags:
|
||||||
- backend
|
- 'backend'
|
||||||
frontend:
|
frontend:
|
||||||
base: auto
|
base: 'auto'
|
||||||
threshold: 0.15%
|
threshold: '0.15%'
|
||||||
flags:
|
flags:
|
||||||
- frontend
|
- 'frontend'
|
||||||
|
|
||||||
flags:
|
flags:
|
||||||
backend:
|
backend:
|
||||||
paths:
|
paths:
|
||||||
- "cmd/authelia/"
|
- 'cmd/authelia/'
|
||||||
- "internal/"
|
- 'internal/'
|
||||||
- "!internal/suites/"
|
- '!internal/suites/'
|
||||||
frontend:
|
frontend:
|
||||||
paths:
|
paths:
|
||||||
- "web/"
|
- 'web/'
|
||||||
- "!web/coverage/"
|
- '!web/coverage/'
|
||||||
|
|
||||||
ignore:
|
ignore:
|
||||||
- "web/src/serviceWorker.ts"
|
- 'web/src/serviceWorker.ts'
|
||||||
- "**/coverage.txt"
|
- '**/coverage.txt'
|
||||||
|
|
||||||
parsers:
|
parsers:
|
||||||
gcov:
|
gcov:
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
---
|
---
|
||||||
name: Bug Report
|
name: 'Bug Report'
|
||||||
description: Report a bug
|
description: 'Report a bug'
|
||||||
labels:
|
labels:
|
||||||
- type/bug/unconfirmed
|
- 'type/bug/unconfirmed'
|
||||||
- status/needs-triage
|
- 'status/needs-triage'
|
||||||
- priority/4/normal
|
- 'priority/4/normal'
|
||||||
body:
|
body:
|
||||||
- type: markdown
|
- type: 'markdown'
|
||||||
attributes:
|
attributes:
|
||||||
value: |
|
value: |
|
||||||
Thanks for taking the time to fill out this bug report. If you are unsure if this is actually a bug and you still need some form of support we generally recommend creating a [Question and Answer Discussion](https://github.com/authelia/authelia/discussions/new?category=q-a) first.
|
Thanks for taking the time to fill out this bug report. If you are unsure if this is actually a bug and you still need some form of support we generally recommend creating a [Question and Answer Discussion](https://github.com/authelia/authelia/discussions/new?category=q-a) first.
|
||||||
|
@ -25,160 +25,190 @@ body:
|
||||||
- Do not truncate any logs unless you are complying with the specific instructions in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section.
|
- Do not truncate any logs unless you are complying with the specific instructions in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section.
|
||||||
- If you plan on sanitizing, removing, or adjusting any values for the logs or configuration files please read the [Sanitization](https://www.authelia.com/r/troubleshooting#sanitization) section.
|
- If you plan on sanitizing, removing, or adjusting any values for the logs or configuration files please read the [Sanitization](https://www.authelia.com/r/troubleshooting#sanitization) section.
|
||||||
7. Please consider including a [HTTP Archive File](https://www.authelia.com/r/har) if you're having redirection issues.
|
7. Please consider including a [HTTP Archive File](https://www.authelia.com/r/har) if you're having redirection issues.
|
||||||
- type: dropdown
|
- type: 'dropdown'
|
||||||
id: version
|
id: 'version'
|
||||||
attributes:
|
attributes:
|
||||||
label: Version
|
label: |
|
||||||
description: What version(s) of Authelia can you reproduce this bug on?
|
Version
|
||||||
|
description: |
|
||||||
|
What version(s) of Authelia can you reproduce this bug on?
|
||||||
multiple: true
|
multiple: true
|
||||||
options:
|
options:
|
||||||
- v4.37.5
|
- 'v4.37.5'
|
||||||
- v4.37.4
|
- 'v4.37.4'
|
||||||
- v4.37.3
|
- 'v4.37.3'
|
||||||
- v4.37.2
|
- 'v4.37.2'
|
||||||
- v4.37.1
|
- 'v4.37.1'
|
||||||
- v4.37.0
|
- 'v4.37.0'
|
||||||
- v4.36.9
|
- 'v4.36.9'
|
||||||
- v4.36.8
|
- 'v4.36.8'
|
||||||
- v4.36.7
|
- 'v4.36.7'
|
||||||
- v4.36.6
|
- 'v4.36.6'
|
||||||
- v4.36.5
|
- 'v4.36.5'
|
||||||
- v4.36.4
|
- 'v4.36.4'
|
||||||
- v4.36.3
|
- 'v4.36.3'
|
||||||
- v4.36.2
|
- 'v4.36.2'
|
||||||
- v4.36.1
|
- 'v4.36.1'
|
||||||
- v4.36.0
|
- 'v4.36.0'
|
||||||
- v4.35.6
|
- 'v4.35.6'
|
||||||
- v4.35.5
|
- 'v4.35.5'
|
||||||
- v4.35.4
|
- 'v4.35.4'
|
||||||
- v4.35.3
|
- 'v4.35.3'
|
||||||
- v4.35.2
|
- 'v4.35.2'
|
||||||
- v4.35.1
|
- 'v4.35.1'
|
||||||
- v4.35.0
|
- 'v4.35.0'
|
||||||
- v4.34.6
|
- 'v4.34.6'
|
||||||
- v4.34.5
|
- 'v4.34.5'
|
||||||
- v4.34.4
|
- 'v4.34.4'
|
||||||
- v4.34.3
|
- 'v4.34.3'
|
||||||
- v4.34.2
|
- 'v4.34.2'
|
||||||
- v4.34.1
|
- 'v4.34.1'
|
||||||
- v4.34.0
|
- 'v4.34.0'
|
||||||
- v4.33.2
|
- 'v4.33.2'
|
||||||
- v4.33.1
|
- 'v4.33.1'
|
||||||
- v4.33.0
|
- 'v4.33.0'
|
||||||
- v4.32.2
|
- 'v4.32.2'
|
||||||
- v4.32.1
|
- 'v4.32.1'
|
||||||
- v4.32.0
|
- 'v4.32.0'
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
- type: dropdown
|
- type: 'dropdown'
|
||||||
id: deployment
|
id: 'deployment'
|
||||||
attributes:
|
attributes:
|
||||||
label: Deployment Method
|
label: |
|
||||||
description: How are you deploying Authelia?
|
Deployment Method
|
||||||
|
description: |
|
||||||
|
How are you deploying Authelia?
|
||||||
options:
|
options:
|
||||||
- Docker
|
- 'Docker'
|
||||||
- Kubernetes
|
- 'Kubernetes'
|
||||||
- Bare-metal
|
- 'Bare-metal'
|
||||||
- Other
|
- 'Other'
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
- type: dropdown
|
- type: 'dropdown'
|
||||||
id: proxy
|
id: 'proxy'
|
||||||
attributes:
|
attributes:
|
||||||
label: Reverse Proxy
|
label: |
|
||||||
description: What reverse proxy are you using?
|
Reverse Proxy
|
||||||
|
description: |
|
||||||
|
What reverse proxy are you using?
|
||||||
options:
|
options:
|
||||||
- Caddy
|
- 'Caddy'
|
||||||
- Traefik
|
- 'Traefik'
|
||||||
- Envoy
|
- 'Envoy'
|
||||||
- Istio
|
- 'Istio'
|
||||||
- NGINX
|
- 'NGINX'
|
||||||
- SWAG
|
- 'SWAG'
|
||||||
- NGINX Proxy Manager
|
- 'NGINX Proxy Manager'
|
||||||
- HAProxy
|
- 'HAProxy'
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
- type: input
|
- type: 'input'
|
||||||
id: proxy-version
|
id: 'proxy-version'
|
||||||
attributes:
|
attributes:
|
||||||
label: Reverse Proxy Version
|
label: |
|
||||||
description: What is the version of your reverse proxy?
|
Reverse Proxy Version
|
||||||
placeholder: x.x.x
|
description: |
|
||||||
|
What is the version of your reverse proxy?
|
||||||
|
placeholder: 'x.x.x'
|
||||||
validations:
|
validations:
|
||||||
required: false
|
required: false
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: description
|
id: 'description'
|
||||||
attributes:
|
attributes:
|
||||||
label: Description
|
label: |
|
||||||
description: Describe the bug.
|
Description
|
||||||
|
description: |
|
||||||
|
Describe the bug.
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: reproduction
|
id: 'reproduction'
|
||||||
attributes:
|
attributes:
|
||||||
label: Reproduction
|
label: |
|
||||||
description: Describe how we can reproduce this issue. This should be step by step and should include detailed and specific information. Abstract or generic information should be avoided. For example this should include specific application names and versions if relevant. Reproducing the issue is important so we can verify it exists, add relevant tests, and verify it is solved.
|
Reproduction
|
||||||
|
description: |
|
||||||
|
Describe how we can reproduce this issue. This should be step by step and should include detailed and specific information. Abstract or generic information should be avoided. For example this should include specific application names and versions if relevant. Reproducing the issue is important so we can verify it exists, add relevant tests, and verify it is solved.
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: expectations
|
id: 'expectations'
|
||||||
attributes:
|
attributes:
|
||||||
label: Expectations
|
label: |
|
||||||
description: Describe the desired or expected results.
|
Expectations
|
||||||
|
description: |
|
||||||
|
Describe the desired or expected results.
|
||||||
validations:
|
validations:
|
||||||
required: false
|
required: false
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: configuration
|
id: 'configuration'
|
||||||
attributes:
|
attributes:
|
||||||
label: Configuration (Authelia)
|
label: |
|
||||||
description: Provide a complete configuration file (the template will automatically put this content in a code block).
|
Configuration (Authelia)
|
||||||
render: yaml
|
description: |
|
||||||
|
Provide a complete configuration file (the template will automatically put this content in a code block).
|
||||||
|
render: 'yaml'
|
||||||
validations:
|
validations:
|
||||||
required: false
|
required: false
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: logs
|
id: 'logs'
|
||||||
attributes:
|
attributes:
|
||||||
label: Logs (Authelia)
|
label: |
|
||||||
|
Logs (Authelia)
|
||||||
description: |
|
description: |
|
||||||
Provide complete logs with the log level set to debug or trace. Complete means from application start until the issue occurring. This is clearly explained in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section of the troubleshooting guide.
|
Provide complete logs with the log level set to debug or trace. Complete means from application start until the issue occurring. This is clearly explained in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section of the troubleshooting guide.
|
||||||
|
|
||||||
The template will automatically put this content in a code block so you can just paste it.
|
The template will automatically put this content in a code block so you can just paste it.
|
||||||
render: shell
|
render: 'shell'
|
||||||
validations:
|
validations:
|
||||||
required: true
|
required: true
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: logs-other
|
id: 'logs-other'
|
||||||
attributes:
|
attributes:
|
||||||
label: Logs (Proxy / Application)
|
label: |
|
||||||
description: Provide complete debug logs for the affected proxy and/or application if available and relevant (the template will automatically put this content in a code block).
|
Logs (Proxy / Application)
|
||||||
render: shell
|
description: |
|
||||||
|
Provide complete debug logs for the affected proxy and/or application if available and relevant (the template will automatically put this content in a code block).
|
||||||
|
render: 'shell'
|
||||||
validations:
|
validations:
|
||||||
required: false
|
required: false
|
||||||
- type: textarea
|
- type: 'textarea'
|
||||||
id: documentation
|
id: 'documentation'
|
||||||
attributes:
|
attributes:
|
||||||
label: Documentation
|
label: |
|
||||||
description: Provide any relevant specification or other documentation if applicable.
|
Documentation
|
||||||
|
description: |
|
||||||
|
Provide any relevant specification or other documentation if applicable.
|
||||||
validations:
|
validations:
|
||||||
required: false
|
required: false
|
||||||
- type: checkboxes
|
- type: 'checkboxes'
|
||||||
id: checklist
|
id: 'checklist'
|
||||||
attributes:
|
attributes:
|
||||||
label: Pre-Submission Checklist
|
label: |
|
||||||
description: By submitting this issue confirm all of the following.
|
Pre-Submission Checklist
|
||||||
|
description: |
|
||||||
|
By submitting this issue confirm all of the following.
|
||||||
options:
|
options:
|
||||||
- label: I agree to follow the [Code of Conduct](http://www.authelia.com/code-of-conduct)
|
- label: |
|
||||||
|
I agree to follow the [Code of Conduct](http://www.authelia.com/code-of-conduct)
|
||||||
required: true
|
required: true
|
||||||
- label: This is a bug report and not a support request
|
- label: |
|
||||||
|
This is a bug report and not a support request
|
||||||
required: true
|
required: true
|
||||||
- label: I have read the security policy and this bug report is not a security issue or security related issue
|
- label: |
|
||||||
|
I have read the security policy and this bug report is not a security issue or security related issue
|
||||||
required: true
|
required: true
|
||||||
- label: I have either included the complete configuration file or I am sure it's unrelated to the configuration
|
- label: |
|
||||||
|
I have either included the complete configuration file or I am sure it's unrelated to the configuration
|
||||||
required: true
|
required: true
|
||||||
- label: I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the [Troubleshooting Sanitization](https://www.authelia.com/r/sanitize) reference guide
|
- label: |
|
||||||
|
I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the [Troubleshooting Sanitization](https://www.authelia.com/r/sanitize) reference guide
|
||||||
required: true
|
required: true
|
||||||
- label: I have checked for related proxy or application logs and included them if available
|
- label: |
|
||||||
|
I have checked for related proxy or application logs and included them if available
|
||||||
required: true
|
required: true
|
||||||
- label: I have checked for related issues and checked the documentation
|
- label: |
|
||||||
|
I have checked for related issues and checked the documentation
|
||||||
required: true
|
required: true
|
||||||
...
|
...
|
||||||
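Review bot: The `label: |` / `description: |` block scalars introduced throughout this hunk (e.g. `label: |` followed by `Version`) keep the final newline, so each one-line label is now delivered as "Version\n" rather than "Version"; whether GitHub trims that is not visible here, and the strip chomping form `label: |-` keeps the multi-line layout without the trailing newline either way. Separately, the Code of Conduct checkbox still links to `http://www.authelia.com/code-of-conduct` while every other link in the template is https; since that line is rewritten here anyway, switching it to `https://www.authelia.com/code-of-conduct` is the natural place to fix it. The `body:` sequence starts before this hunk.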
|
|
|
@ -10,14 +10,14 @@
|
||||||
# the `language` matrix defined below to confirm you have the correct set of
|
# the `language` matrix defined below to confirm you have the correct set of
|
||||||
# supported CodeQL languages.
|
# supported CodeQL languages.
|
||||||
#
|
#
|
||||||
name: "CodeQL"
|
name: 'CodeQL'
|
||||||
|
|
||||||
# yamllint disable-line rule:truthy
|
# yamllint disable-line rule:truthy
|
||||||
on:
|
on:
|
||||||
push:
|
push:
|
||||||
branches:
|
branches:
|
||||||
- master
|
- 'master'
|
||||||
- gh-pages
|
- 'gh-pages'
|
||||||
paths:
|
paths:
|
||||||
- 'go.mod'
|
- 'go.mod'
|
||||||
- 'go.sum'
|
- 'go.sum'
|
||||||
|
@ -29,7 +29,7 @@ on:
|
||||||
pull_request:
|
pull_request:
|
||||||
# The branches below must be a subset of the branches above
|
# The branches below must be a subset of the branches above
|
||||||
branches:
|
branches:
|
||||||
- master
|
- 'master'
|
||||||
paths:
|
paths:
|
||||||
- 'go.mod'
|
- 'go.mod'
|
||||||
- 'go.sum'
|
- 'go.sum'
|
||||||
|
@ -43,12 +43,12 @@ on:
|
||||||
|
|
||||||
jobs:
|
jobs:
|
||||||
analyze:
|
analyze:
|
||||||
name: Analyze
|
name: 'Analyze'
|
||||||
runs-on: ubuntu-latest
|
runs-on: 'ubuntu-latest'
|
||||||
permissions:
|
permissions:
|
||||||
actions: read
|
actions: 'read'
|
||||||
contents: read
|
contents: 'read'
|
||||||
security-events: write
|
security-events: 'write'
|
||||||
|
|
||||||
strategy:
|
strategy:
|
||||||
fail-fast: false
|
fail-fast: false
|
||||||
|
@ -59,23 +59,23 @@ jobs:
|
||||||
- 'javascript'
|
- 'javascript'
|
||||||
|
|
||||||
steps:
|
steps:
|
||||||
- name: Checkout repository
|
- name: 'Checkout repository'
|
||||||
uses: actions/checkout@v3
|
uses: 'actions/checkout@v3'
|
||||||
|
|
||||||
# Initializes the CodeQL tools for scanning.
|
# Initializes the CodeQL tools for scanning.
|
||||||
- name: Initialize CodeQL
|
- name: 'Initialize CodeQL'
|
||||||
uses: github/codeql-action/init@v1
|
uses: 'github/codeql-action/init@v1'
|
||||||
with:
|
with:
|
||||||
# If you wish to specify custom queries, you can do so here or in a config file.
|
# If you wish to specify custom queries, you can do so here or in a config file.
|
||||||
# By default, queries listed here will override any specified in a config file.
|
# By default, queries listed here will override any specified in a config file.
|
||||||
# Prefix the list here with "+" to use these queries and those in the config file.
|
# Prefix the list here with "+" to use these queries and those in the config file.
|
||||||
# queries: ./path/to/local/query, your-org/your-repo/queries@main
|
# queries: ./path/to/local/query, your-org/your-repo/queries@main
|
||||||
languages: ${{ matrix.language }}
|
languages: '${{ matrix.language }}'
|
||||||
|
|
||||||
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
|
||||||
# If this step fails, then you should remove it and run the build manually (see below)
|
# If this step fails, then you should remove it and run the build manually (see below)
|
||||||
- name: Autobuild
|
- name: 'Autobuild'
|
||||||
uses: github/codeql-action/autobuild@v1
|
uses: 'github/codeql-action/autobuild@v1'
|
||||||
|
|
||||||
# ℹ️ Command-line programs to run using the OS shell.
|
# ℹ️ Command-line programs to run using the OS shell.
|
||||||
# 📚 https://git.io/JvXDl
|
# 📚 https://git.io/JvXDl
|
||||||
|
@ -88,6 +88,6 @@ jobs:
|
||||||
# make bootstrap
|
# make bootstrap
|
||||||
# make release
|
# make release
|
||||||
|
|
||||||
- name: Perform CodeQL Analysis
|
- name: 'Perform CodeQL Analysis'
|
||||||
uses: github/codeql-action/analyze@v1
|
uses: 'github/codeql-action/analyze@v1'
|
||||||
...
|
...
|
||||||
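Review bot: The action references in the steps hunk — `uses: 'actions/checkout@v3'`, `uses: 'github/codeql-action/init@v1'`, and the `autobuild@v1` / `analyze@v1` lines — are mutable tags, so the quoting sweep is a good moment to pin them to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: 'github/codeql-action/init@<commit-sha>' # v1`, which is the usual supply-chain guard for a job that holds `security-events: write`. The codeql-action `@v1` line is also the major GitHub has deprecated in favour of newer releases, so an upgrade is likely due at the same time — worth confirming against the action's current release notes. The `permissions:` block scoped to `actions: 'read'`, `contents: 'read'`, `security-events: 'write'` is already the right least-privilege shape and should be kept as is.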
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
run:
|
run:
|
||||||
timeout: 3m
|
timeout: '3m'
|
||||||
|
|
||||||
linters-settings:
|
linters-settings:
|
||||||
goconst:
|
goconst:
|
||||||
|
@ -11,40 +11,40 @@ linters-settings:
|
||||||
godot:
|
godot:
|
||||||
check-all: true
|
check-all: true
|
||||||
goimports:
|
goimports:
|
||||||
local-prefixes: github.com/authelia/authelia
|
local-prefixes: 'github.com/authelia/authelia'
|
||||||
revive:
|
revive:
|
||||||
confidence: 0.8
|
confidence: 0.8
|
||||||
|
|
||||||
linters:
|
linters:
|
||||||
enable:
|
enable:
|
||||||
- asciicheck
|
- 'asciicheck'
|
||||||
- goconst
|
- 'goconst'
|
||||||
- gocritic
|
- 'gocritic'
|
||||||
- gocyclo
|
- 'gocyclo'
|
||||||
- godot
|
- 'godot'
|
||||||
- gofmt
|
- 'gofmt'
|
||||||
- goimports
|
- 'goimports'
|
||||||
- gosec
|
- 'gosec'
|
||||||
- misspell
|
- 'misspell'
|
||||||
- nolintlint
|
- 'nolintlint'
|
||||||
- prealloc
|
- 'prealloc'
|
||||||
- revive
|
- 'revive'
|
||||||
- unconvert
|
- 'unconvert'
|
||||||
- unparam
|
- 'unparam'
|
||||||
- whitespace
|
- 'whitespace'
|
||||||
- wsl
|
- 'wsl'
|
||||||
|
|
||||||
issues:
|
issues:
|
||||||
exclude:
|
exclude:
|
||||||
- Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked # yamllint disable-line rule:line-length
|
- 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked' # yamllint disable-line rule:line-length
|
||||||
- func name will be used as test\.Test.* by other packages, and that stutters; consider calling this
|
- 'func name will be used as test\.Test.* by other packages, and that stutters; consider calling this'
|
||||||
- (possible misuse of unsafe.Pointer|should have signature)
|
- '(possible misuse of unsafe.Pointer|should have signature)'
|
||||||
- ineffective break statement. Did you mean to break out of the outer loop
|
- 'ineffective break statement. Did you mean to break out of the outer loop'
|
||||||
- Use of unsafe calls should be audited
|
- 'Use of unsafe calls should be audited'
|
||||||
- Subprocess launch(ed with variable|ing should be audited)
|
- 'Subprocess launch(ed with variable|ing should be audited)'
|
||||||
- (G104|G307)
|
- '(G104|G307)'
|
||||||
- (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)
|
- '(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)'
|
||||||
- Potential file inclusion via variable
|
- 'Potential file inclusion via variable'
|
||||||
exclude-use-default: false
|
exclude-use-default: false
|
||||||
max-issues-per-linter: 0
|
max-issues-per-linter: 0
|
||||||
max-same-issues: 0
|
max-same-issues: 0
|
||||||
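Review bot: The `issues.exclude` list keeps nine repository-wide regex suppressions on the new side, and several of them silence whole gosec classes for every package — `Use of unsafe calls should be audited`, `Subprocess launch(ed with variable|ing should be audited)`, `(G104|G307)`, the directory/file permission checks, and `Potential file inclusion via variable`. Since the commit is already rewriting each of these lines, it would be worth deciding per line whether the exclusion still needs to be global or can move to a `//nolint:gosec // <reason>` on the call sites that actually need it, so that a new subprocess launch or file open driven by external input is still reported. Not a regression introduced by this change, but the list is the only place the linters' security coverage is narrowed, so it deserves a comment stating why each pattern is excluded.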
|
|
|
@ -1,19 +1,19 @@
|
||||||
---
|
---
|
||||||
runner:
|
runner:
|
||||||
golangci:
|
golangci:
|
||||||
cmd: golangci-lint run
|
cmd: 'golangci-lint run'
|
||||||
errorformat:
|
errorformat:
|
||||||
- '%E%f:%l:%c: %m'
|
- '%E%f:%l:%c: %m'
|
||||||
- '%E%f:%l: %m'
|
- '%E%f:%l: %m'
|
||||||
- '%C%.%#'
|
- '%C%.%#'
|
||||||
level: error
|
level: 'error'
|
||||||
eslint:
|
eslint:
|
||||||
cmd: cd web && eslint -f rdjson '*/**/*.{js,ts,tsx}'
|
cmd: 'cd web && eslint -f rdjson "*/**/*.{js,ts,tsx}"'
|
||||||
format: rdjson
|
format: 'rdjson'
|
||||||
level: error
|
level: 'error'
|
||||||
yamllint:
|
yamllint:
|
||||||
cmd: yamllint --format parsable .
|
cmd: 'yamllint --format parsable .'
|
||||||
errorformat:
|
errorformat:
|
||||||
- '%f:%l:%c: %m'
|
- '%f:%l:%c: %m'
|
||||||
level: warning
|
level: 'warning'
|
||||||
...
|
...
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
---
|
---
|
||||||
extends: default
|
extends: 'default'
|
||||||
|
|
||||||
locale: en_US.UTF-8
|
locale: 'en_US.UTF-8'
|
||||||
|
|
||||||
yaml-files:
|
yaml-files:
|
||||||
- '*.yaml'
|
- '*.yaml'
|
||||||
|
@ -19,13 +19,13 @@ ignore: |
|
||||||
.github/ISSUE_TEMPLATE/bug-report.yml
|
.github/ISSUE_TEMPLATE/bug-report.yml
|
||||||
rules:
|
rules:
|
||||||
document-end:
|
document-end:
|
||||||
level: warning
|
level: 'warning'
|
||||||
empty-values:
|
empty-values:
|
||||||
level: warning
|
level: 'warning'
|
||||||
indentation:
|
indentation:
|
||||||
spaces: 2
|
spaces: 2
|
||||||
check-multi-line-strings: true
|
check-multi-line-strings: true
|
||||||
line-length:
|
line-length:
|
||||||
max: 120
|
max: 120
|
||||||
octal-values: enable
|
octal-values: 'enable'
|
||||||
...
|
...
|
||||||
|
|
|
@ -4,71 +4,70 @@
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
|
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
|
||||||
jwt_secret: a_very_important_secret
|
jwt_secret: 'a_very_important_secret'
|
||||||
default_redirection_url: https://public.example.com
|
default_redirection_url: 'https://public.example.com'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
totp:
|
totp:
|
||||||
issuer: authelia.com
|
issuer: 'authelia.com'
|
||||||
|
|
||||||
# duo_api:
|
# duo_api:
|
||||||
# hostname: api-123456789.example.com
|
# hostname: 'api-123456789.example.com'
|
||||||
# integration_key: ABCDEF
|
# integration_key: 'ABCDEF'
|
||||||
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
|
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
|
||||||
# secret_key: 1234567890abcdefghifjkl
|
# secret_key: 1234567890abcdefghifjkl
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users_database.yml
|
path: '/config/users_database.yml'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
rules:
|
rules:
|
||||||
# Rules applied to everyone
|
# Rules applied to everyone
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: traefik.example.com
|
- domain: 'traefik.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
|
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
|
|
||||||
cookies:
|
cookies:
|
||||||
- name: authelia_session
|
- name: 'authelia_session'
|
||||||
domain: example.com # Should match whatever your root protected domain is
|
domain: 'example.com' # Should match whatever your root protected domain is
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
|
|
||||||
redis:
|
redis:
|
||||||
host: redis
|
host: 'redis'
|
||||||
port: 6379
|
port: 6379
|
||||||
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
|
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
|
||||||
# password: authelia
|
# password: 'authelia'
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
find_time: 120
|
find_time: '2m'
|
||||||
ban_time: 300
|
ban_time: '5m'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
|
encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite3
|
path: '/config/db.sqlite3'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
username: test
|
address: 'smtp://mail.example.com:25'
|
||||||
|
username: 'test'
|
||||||
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
|
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
|
||||||
password: password
|
password: 'password'
|
||||||
host: mail.example.com
|
sender: 'admin@example.com'
|
||||||
port: 25
|
|
||||||
sender: admin@example.com
|
|
||||||
...
|
...
|
||||||
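Review bot: The commented Duo block is left half-converted: `# hostname:` and `# integration_key:` gain quotes but `# secret_key: 1234567890abcdefghifjkl` does not, so anyone uncommenting the block inherits the one inconsistent line; `# secret_key: '1234567890abcdefghifjkl'` keeps the example uniform. The new `address: 'smtp://mail.example.com:25'` line replaces the separate `host` / `port` keys, and a one-line comment stating what transport security the `smtp://` scheme on port 25 implies would stop readers from assuming the example sends the SMTP password over an encrypted channel — the scheme semantics cannot be confirmed from this diff, so the comment should be written by someone who has checked them. The trailing `# 1 hour` and `# 5 minutes` comments next to `expiration: '1h'` and `inactivity: '5m'` now just restate the value and can be dropped.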
|
|
|
@ -9,11 +9,11 @@
|
||||||
users:
|
users:
|
||||||
authelia:
|
authelia:
|
||||||
disabled: false
|
disabled: false
|
||||||
displayname: "Authelia User"
|
displayname: 'Authelia User'
|
||||||
# Password is authelia
|
# Password is authelia
|
||||||
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/' # yamllint disable-line rule:line-length
|
||||||
email: authelia@authelia.com
|
email: 'authelia@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
...
|
...
|
||||||
|
|
|
@ -1,18 +1,18 @@
|
||||||
---
|
---
|
||||||
version: '3.3'
|
version: '3.8'
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
net:
|
net:
|
||||||
driver: bridge
|
driver: 'bridge'
|
||||||
|
|
||||||
services:
|
services:
|
||||||
authelia:
|
authelia:
|
||||||
image: authelia/authelia
|
image: 'authelia/authelia'
|
||||||
container_name: authelia
|
container_name: 'authelia'
|
||||||
volumes:
|
volumes:
|
||||||
- ./authelia:/config
|
- './authelia:/config'
|
||||||
networks:
|
networks:
|
||||||
- net
|
- 'net'
|
||||||
labels:
|
labels:
|
||||||
- 'traefik.enable=true'
|
- 'traefik.enable=true'
|
||||||
- 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
|
- 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
|
||||||
|
@ -24,34 +24,34 @@ services:
|
||||||
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
|
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
|
||||||
expose:
|
expose:
|
||||||
- 9091
|
- 9091
|
||||||
restart: unless-stopped
|
restart: 'unless-stopped'
|
||||||
healthcheck:
|
healthcheck:
|
||||||
## In production the healthcheck section should be commented.
|
## In production the healthcheck section should be commented.
|
||||||
disable: true
|
disable: true
|
||||||
environment:
|
environment:
|
||||||
- TZ=Australia/Melbourne
|
TZ: 'Australia/Melbourne'
|
||||||
|
|
||||||
redis:
|
redis:
|
||||||
image: redis:alpine
|
image: 'redis:alpine'
|
||||||
container_name: redis
|
container_name: 'redis'
|
||||||
volumes:
|
volumes:
|
||||||
- ./redis:/data
|
- './redis:/data'
|
||||||
networks:
|
networks:
|
||||||
- net
|
- 'net'
|
||||||
expose:
|
expose:
|
||||||
- 6379
|
- 6379
|
||||||
restart: unless-stopped
|
restart: 'unless-stopped'
|
||||||
environment:
|
environment:
|
||||||
- TZ=Australia/Melbourne
|
TZ: 'Australia/Melbourne'
|
||||||
|
|
||||||
traefik:
|
traefik:
|
||||||
image: traefik:v2.10.1
|
image: 'traefik:v2.10.1'
|
||||||
container_name: traefik
|
container_name: 'traefik'
|
||||||
volumes:
|
volumes:
|
||||||
- ./traefik:/etc/traefik
|
- './traefik:/etc/traefik'
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
- '/var/run/docker.sock:/var/run/docker.sock'
|
||||||
networks:
|
networks:
|
||||||
- net
|
- 'net'
|
||||||
labels:
|
labels:
|
||||||
- 'traefik.enable=true'
|
- 'traefik.enable=true'
|
||||||
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
|
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
|
||||||
|
@ -80,10 +80,10 @@ services:
|
||||||
- '--log.level=DEBUG'
|
- '--log.level=DEBUG'
|
||||||
|
|
||||||
secure:
|
secure:
|
||||||
image: traefik/whoami
|
image: 'traefik/whoami'
|
||||||
container_name: secure
|
container_name: 'secure'
|
||||||
networks:
|
networks:
|
||||||
- net
|
- 'net'
|
||||||
labels:
|
labels:
|
||||||
- 'traefik.enable=true'
|
- 'traefik.enable=true'
|
||||||
- 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
|
- 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
|
||||||
|
@ -93,13 +93,13 @@ services:
|
||||||
- 'traefik.http.routers.secure.middlewares=authelia@docker'
|
- 'traefik.http.routers.secure.middlewares=authelia@docker'
|
||||||
expose:
|
expose:
|
||||||
- 80
|
- 80
|
||||||
restart: unless-stopped
|
restart: 'unless-stopped'
|
||||||
|
|
||||||
public:
|
public:
|
||||||
image: traefik/whoami
|
image: 'traefik/whoami'
|
||||||
container_name: public
|
container_name: 'public'
|
||||||
networks:
|
networks:
|
||||||
- net
|
- 'net'
|
||||||
labels:
|
labels:
|
||||||
- 'traefik.enable=true'
|
- 'traefik.enable=true'
|
||||||
- 'traefik.http.routers.public.rule=Host(`public.example.com`)'
|
- 'traefik.http.routers.public.rule=Host(`public.example.com`)'
|
||||||
|
@ -109,5 +109,5 @@ services:
|
||||||
- 'traefik.http.routers.public.middlewares=authelia@docker'
|
- 'traefik.http.routers.public.middlewares=authelia@docker'
|
||||||
expose:
|
expose:
|
||||||
- 80
|
- 80
|
||||||
restart: unless-stopped
|
restart: 'unless-stopped'
|
||||||
...
|
...
|
||||||
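Review bot: `image: 'authelia/authelia'` is re-quoted but still carries no tag, so every pull resolves to whatever `latest` is at that moment, whereas `image: 'traefik:v2.10.1'` in the same service list is pinned; pinning the authelia tag (or a digest) the same way, e.g. `image: 'authelia/authelia:<TAG>'` with a real tag substituted, makes the example reproducible and keeps an unexpected image change from being pulled silently. The same untagged image appears in the second docker-compose section of this change (the one starting `@ -3,16 +3,16 @@ version: '3.3'`). Separately, the traefik service's `'/var/run/docker.sock:/var/run/docker.sock'` volume gives the proxy host-root-equivalent control; a comment above that line such as `# Docker socket access is host-root-equivalent; restrict it or use a socket proxy outside of this example` would help readers who copy the file as-is.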
@ -3,52 +3,52 @@
|
||||||
# Authelia configuration #
|
# Authelia configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: a_very_important_secret
|
jwt_secret: 'a_very_important_secret'
|
||||||
default_redirection_url: https://public.example.com
|
default_redirection_url: 'https://public.example.com'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
totp:
|
totp:
|
||||||
issuer: authelia.com
|
issuer: 'authelia.com'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users_database.yml
|
path: '/config/users_database.yml'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
rules:
|
rules:
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: traefik.example.com
|
- domain: 'traefik.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
|
|
||||||
cookies:
|
cookies:
|
||||||
- name: authelia_session
|
- name: 'authelia_session'
|
||||||
domain: example.com # Should match whatever your root protected domain is
|
domain: 'example.com' # Should match whatever your root protected domain is
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
find_time: 120
|
find_time: '2m'
|
||||||
ban_time: 300
|
ban_time: '5m'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
|
encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite3
|
path: '/config/db.sqlite3'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
filesystem:
|
filesystem:
|
||||||
filename: /config/notification.txt
|
filename: '/config/notification.txt'
|
||||||
...
|
...
|
||||||
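Review bot: `jwt_secret: 'a_very_important_secret'` reads like a usable value, whereas `secret: 'unsecure_session_secret'` and the `encryption_key: 'you_must_generate_...'` placeholder plainly tell the reader to replace them; since this example is copied verbatim, a comment above the line, e.g. `# Replace with a long random value before deploying`, would make the intent as clear as the other two. `level: 'debug'` is reasonable for an example but tends to survive into real deployments, so `# debug logging is for this example only` next to it would be cheap. The duration rewrites in this hunk (`expiration: '1h'`, `inactivity: '5m'`, `find_time: '2m'`, `ban_time: '5m'`) correspond to the previous integer-second values, so they appear to be equivalent.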
@ -9,10 +9,10 @@
|
||||||
users:
|
users:
|
||||||
<USERNAME>:
|
<USERNAME>:
|
||||||
disabled: false
|
disabled: false
|
||||||
displayname: "<DISPLAYNAME>"
|
displayname: '<DISPLAYNAME>'
|
||||||
password: "<PASSWORD>"
|
password: '<PASSWORD>'
|
||||||
email: <USERNAME>@example.com
|
email: '<USERNAME>@example.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
...
|
...
|
||||||
@ -3,16 +3,16 @@ version: '3.3'
|
||||||
|
|
||||||
networks:
|
networks:
|
||||||
net:
|
net:
|
||||||
driver: bridge
|
driver: 'bridge'
|
||||||
|
|
||||||
services:
|
services:
|
||||||
authelia:
|
authelia:
|
||||||
image: authelia/authelia
|
image: 'authelia/authelia'
|
||||||
container_name: authelia
|
container_name: 'authelia'
|
||||||
volumes:
|
volumes:
|
||||||
- ./authelia:/config
|
- './authelia:/config'
|
||||||
networks:
|
networks:
|
||||||
- net
|
- 'net'
|
||||||
labels:
|
labels:
|
||||||
- 'traefik.enable=true'
|
- 'traefik.enable=true'
|
||||||
- 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
|
- 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
|
||||||
|
@ -24,21 +24,21 @@ services:
|
||||||
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
|
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
|
||||||
expose:
|
expose:
|
||||||
- 9091
|
- 9091
|
||||||
restart: unless-stopped
|
restart: 'unless-stopped'
|
||||||
healthcheck:
|
healthcheck:
|
||||||
## In production the healthcheck section should be commented.
|
## In production the healthcheck section should be commented.
|
||||||
disable: true
|
disable: true
|
||||||
environment:
|
environment:
|
||||||
- TZ=Australia/Melbourne
|
TZ: 'Australia/Melbourne'
|
||||||
|
|
||||||
traefik:
|
traefik:
|
||||||
image: traefik:v2.10.1
|
image: 'traefik:v2.10.1'
|
||||||
container_name: traefik
|
container_name: 'traefik'
|
||||||
volumes:
|
volumes:
|
||||||
- ./traefik:/etc/traefik
|
- './traefik:/etc/traefik'
|
||||||
- /var/run/docker.sock:/var/run/docker.sock
|
- '/var/run/docker.sock:/var/run/docker.sock'
|
||||||
networks:
|
networks:
|
||||||
- net
|
- 'net'
|
||||||
labels:
|
labels:
|
||||||
- 'traefik.enable=true'
|
- 'traefik.enable=true'
|
||||||
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
|
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
|
||||||
|
@ -65,10 +65,10 @@ services:
|
||||||
- '--log.level=DEBUG'
|
- '--log.level=DEBUG'
|
||||||
|
|
||||||
secure:
|
secure:
|
||||||
image: traefik/whoami
|
image: 'traefik/whoami'
|
||||||
container_name: secure
|
container_name: 'secure'
|
||||||
networks:
|
networks:
|
||||||
- net
|
- 'net'
|
||||||
labels:
|
labels:
|
||||||
- 'traefik.enable=true'
|
- 'traefik.enable=true'
|
||||||
- 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
|
- 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
|
||||||
|
@ -78,13 +78,13 @@ services:
|
||||||
- 'traefik.http.routers.secure.middlewares=authelia@docker'
|
- 'traefik.http.routers.secure.middlewares=authelia@docker'
|
||||||
expose:
|
expose:
|
||||||
- 80
|
- 80
|
||||||
restart: unless-stopped
|
restart: 'unless-stopped'
|
||||||
|
|
||||||
public:
|
public:
|
||||||
image: traefik/whoami
|
image: 'traefik/whoami'
|
||||||
container_name: public
|
container_name: 'public'
|
||||||
networks:
|
networks:
|
||||||
- net
|
- 'net'
|
||||||
labels:
|
labels:
|
||||||
- 'traefik.enable=true'
|
- 'traefik.enable=true'
|
||||||
- 'traefik.http.routers.public.rule=Host(`public.example.com`)'
|
- 'traefik.http.routers.public.rule=Host(`public.example.com`)'
|
||||||
|
@ -94,5 +94,5 @@ services:
|
||||||
- 'traefik.http.routers.public.middlewares=authelia@docker'
|
- 'traefik.http.routers.public.middlewares=authelia@docker'
|
||||||
expose:
|
expose:
|
||||||
- 80
|
- 80
|
||||||
restart: unless-stopped
|
restart: 'unless-stopped'
|
||||||
...
|
...
|
||||||
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
tls:
|
tls:
|
||||||
certificates:
|
certificates:
|
||||||
- certFile: /etc/traefik/certs/cert.pem
|
- certFile: '/etc/traefik/certs/cert.pem'
|
||||||
keyFile: /etc/traefik/certs/key.pem
|
keyFile: '/etc/traefik/certs/key.pem'
|
||||||
...
|
...
|
||||||
@ -9,11 +9,11 @@
|
||||||
users:
|
users:
|
||||||
authelia:
|
authelia:
|
||||||
disabled: false
|
disabled: false
|
||||||
displayname: "Test User"
|
displayname: 'Test User'
|
||||||
password: "$argon2id$v=19$m=32768,t=1,p=8$eUhVT1dQa082YVk2VUhDMQ$E8QI4jHbUBt3EdsU1NFDu4Bq5jObKNx7nBKSn1EYQxk" # Password is 'authelia'
|
password: '$argon2id$v=19$m=32768,t=1,p=8$eUhVT1dQa082YVk2VUhDMQ$E8QI4jHbUBt3EdsU1NFDu4Bq5jObKNx7nBKSn1EYQxk' # Password is 'authelia'
|
||||||
email: authelia@authelia.com
|
email: 'authelia@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
...
|
...
|
||||||
# yamllint enable rule:line-length
|
# yamllint enable rule:line-length
|
||||||
@ -1,37 +1,37 @@
|
||||||
---
|
---
|
||||||
default_redirection_url: https://home.example.com:8080/
|
default_redirection_url: 'https://home.example.com:8080/'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: "tcp://127.0.0.1:9091"
|
address: 'tcp://127.0.0.1:9091'
|
||||||
endpoints:
|
endpoints:
|
||||||
authz:
|
authz:
|
||||||
forward-auth:
|
forward-auth:
|
||||||
implementation: ForwardAuth
|
implementation: 'ForwardAuth'
|
||||||
authn_strategies:
|
authn_strategies:
|
||||||
- name: HeaderProxyAuthorization
|
- name: 'HeaderProxyAuthorization'
|
||||||
- name: CookieSession
|
- name: 'CookieSession'
|
||||||
ext-authz:
|
ext-authz:
|
||||||
implementation: ExtAuthz
|
implementation: 'ExtAuthz'
|
||||||
authn_strategies:
|
authn_strategies:
|
||||||
- name: HeaderProxyAuthorization
|
- name: 'HeaderProxyAuthorization'
|
||||||
- name: CookieSession
|
- name: 'CookieSession'
|
||||||
auth-request:
|
auth-request:
|
||||||
implementation: AuthRequest
|
implementation: 'AuthRequest'
|
||||||
authn_strategies:
|
authn_strategies:
|
||||||
- name: HeaderAuthRequestProxyAuthorization
|
- name: 'HeaderAuthRequestProxyAuthorization'
|
||||||
- name: CookieSession
|
- name: 'CookieSession'
|
||||||
legacy:
|
legacy:
|
||||||
implementation: Legacy
|
implementation: 'Legacy'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
totp:
|
totp:
|
||||||
issuer: authelia.com
|
issuer: 'authelia.com'
|
||||||
|
|
||||||
duo_api:
|
duo_api:
|
||||||
hostname: api-123456789.example.com
|
hostname: 'api-123456789.example.com'
|
||||||
integration_key: ABCDEF
|
integration_key: 'ABCDEF'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
ldap:
|
ldap:
|
||||||
|
@ -65,109 +65,109 @@ authentication_backend:
|
||||||
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
|
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
|
||||||
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
|
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
|
||||||
-----END RSA PRIVATE KEY-----
|
-----END RSA PRIVATE KEY-----
|
||||||
base_dn: dc=example,dc=com
|
base_dn: 'dc=example,dc=com'
|
||||||
username_attribute: uid
|
username_attribute: 'uid'
|
||||||
additional_users_dn: ou=users
|
additional_users_dn: 'ou=users'
|
||||||
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
|
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||||
additional_groups_dn: ou=groups
|
additional_groups_dn: 'ou=groups'
|
||||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||||
group_name_attribute: cn
|
group_name_attribute: 'cn'
|
||||||
mail_attribute: mail
|
mail_attribute: 'mail'
|
||||||
user: cn=admin,dc=example,dc=com
|
user: 'cn=admin,dc=example,dc=com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
# Rules applied to everyone
|
# Rules applied to everyone
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
# Network based rule, if not provided any network matches.
|
# Network based rule, if not provided any network matches.
|
||||||
networks:
|
networks:
|
||||||
- 192.168.1.0/24
|
- '192.168.1.0/24'
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: [singlefactor.example.com, onefactor.example.com]
|
- domain: ['singlefactor.example.com', 'onefactor.example.com']
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
# Rules applied to 'admins' group
|
# Rules applied to 'admins' group
|
||||||
- domain: "mx2.mail.example.com"
|
- domain: 'mx2.mail.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: deny
|
policy: 'deny'
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to 'dev' group
|
# Rules applied to 'dev' group
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/groups/dev/.*$"
|
- '^/groups/dev/.*$'
|
||||||
subject: "group:dev"
|
subject: 'group:dev'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to user 'john'
|
# Rules applied to user 'john'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/john/.*$"
|
- '^/users/john/.*$'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to 'dev' group and user 'john'
|
# Rules applied to 'dev' group and user 'john'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/deny-all.*$"
|
- '^/deny-all.*$'
|
||||||
subject: ["group:dev", "user:john"]
|
subject: ['group:dev', 'user:john']
|
||||||
policy: deny
|
policy: 'deny'
|
||||||
|
|
||||||
# Rules applied to user 'harry'
|
# Rules applied to user 'harry'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/harry/.*$"
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to user 'bob'
|
# Rules applied to user 'bob'
|
||||||
- domain: "*.mail.example.com"
|
- domain: '*.mail.example.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "dev.example.com"
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/bob/.*$"
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
name: authelia_session
|
name: 'authelia_session'
|
||||||
expiration: 3600000 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300000 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
domain: example.com
|
domain: 'example.com'
|
||||||
redis:
|
redis:
|
||||||
host: 127.0.0.1
|
host: '127.0.0.1'
|
||||||
port: 6379
|
port: 6379
|
||||||
high_availability:
|
high_availability:
|
||||||
sentinel_name: test
|
sentinel_name: 'test'
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
find_time: 120
|
find_time: '2m'
|
||||||
ban_time: 300
|
ban_time: '5m'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
postgres:
|
postgres:
|
||||||
host: 127.0.0.1
|
host: '127.0.0.1'
|
||||||
port: 5432
|
port: 5432
|
||||||
database: authelia
|
database: 'authelia'
|
||||||
username: authelia
|
username: 'authelia'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
username: test
|
username: 'test'
|
||||||
host: 127.0.0.1
|
host: '127.0.0.1'
|
||||||
port: 1025
|
port: 1025
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
|
||||||
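Review bot: `expiration: 3600000 # 1 hour` → `'1h'` and `inactivity: 300000 # 5 minutes` → `'5m'` are not pure re-quoting: the `find_time: 120` → `'2m'` and `ban_time: 300` → `'5m'` conversions in the same hunk (and `expiration: 3600` in the other configuration example in this change) treat a bare integer as seconds, under which reading the old values were 1000 hours and roughly 83 hours, so the effective session lifetime in this test configuration shrinks to what the comments always claimed. That looks like the correct fix, but it deserves a sentence in the commit description, since a reviewer scanning a "quote everything" diff will not expect a value change; the mysql template section that follows (`@ -1,37 +1,37 @@` with `storage.mysql`) carries the identical change. If the integer form was in fact read as milliseconds the values were already equivalent — please confirm which interpretation applies.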
@ -1,37 +1,37 @@
|
||||||
---
|
---
|
||||||
default_redirection_url: https://home.example.com:8080/
|
default_redirection_url: 'https://home.example.com:8080/'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: "tcp://127.0.0.1:9091"
|
address: 'tcp://127.0.0.1:9091'
|
||||||
endpoints:
|
endpoints:
|
||||||
authz:
|
authz:
|
||||||
forward-auth:
|
forward-auth:
|
||||||
implementation: ForwardAuth
|
implementation: 'ForwardAuth'
|
||||||
authn_strategies:
|
authn_strategies:
|
||||||
- name: HeaderProxyAuthorization
|
- name: 'HeaderProxyAuthorization'
|
||||||
- name: CookieSession
|
- name: 'CookieSession'
|
||||||
ext-authz:
|
ext-authz:
|
||||||
implementation: ExtAuthz
|
implementation: 'ExtAuthz'
|
||||||
authn_strategies:
|
authn_strategies:
|
||||||
- name: HeaderProxyAuthorization
|
- name: 'HeaderProxyAuthorization'
|
||||||
- name: CookieSession
|
- name: 'CookieSession'
|
||||||
auth-request:
|
auth-request:
|
||||||
implementation: AuthRequest
|
implementation: 'AuthRequest'
|
||||||
authn_strategies:
|
authn_strategies:
|
||||||
- name: HeaderAuthRequestProxyAuthorization
|
- name: 'HeaderAuthRequestProxyAuthorization'
|
||||||
- name: CookieSession
|
- name: 'CookieSession'
|
||||||
legacy:
|
legacy:
|
||||||
implementation: Legacy
|
implementation: 'Legacy'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
totp:
|
totp:
|
||||||
issuer: authelia.com
|
issuer: 'authelia.com'
|
||||||
|
|
||||||
duo_api:
|
duo_api:
|
||||||
hostname: api-123456789.example.com
|
hostname: 'api-123456789.example.com'
|
||||||
integration_key: ABCDEF
|
integration_key: 'ABCDEF'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
ldap:
|
ldap:
|
||||||
|
@ -65,109 +65,109 @@ authentication_backend:
|
||||||
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
|
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
|
||||||
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
|
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
|
||||||
-----END RSA PRIVATE KEY-----
|
-----END RSA PRIVATE KEY-----
|
||||||
base_dn: dc=example,dc=com
|
base_dn: 'dc=example,dc=com'
|
||||||
username_attribute: uid
|
username_attribute: 'uid'
|
||||||
additional_users_dn: ou=users
|
additional_users_dn: 'ou=users'
|
||||||
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
|
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||||
additional_groups_dn: ou=groups
|
additional_groups_dn: 'ou=groups'
|
||||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||||
group_name_attribute: cn
|
group_name_attribute: 'cn'
|
||||||
mail_attribute: mail
|
mail_attribute: 'mail'
|
||||||
user: cn=admin,dc=example,dc=com
|
user: 'cn=admin,dc=example,dc=com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
# Rules applied to everyone
|
# Rules applied to everyone
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
# Network based rule, if not provided any network matches.
|
# Network based rule, if not provided any network matches.
|
||||||
networks:
|
networks:
|
||||||
- 192.168.1.0/24
|
- '192.168.1.0/24'
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: [singlefactor.example.com, onefactor.example.com]
|
- domain: ['singlefactor.example.com', 'onefactor.example.com']
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
# Rules applied to 'admins' group
|
# Rules applied to 'admins' group
|
||||||
- domain: "mx2.mail.example.com"
|
- domain: 'mx2.mail.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: deny
|
policy: 'deny'
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to 'dev' group
|
# Rules applied to 'dev' group
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/groups/dev/.*$"
|
- '^/groups/dev/.*$'
|
||||||
subject: "group:dev"
|
subject: 'group:dev'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to user 'john'
|
# Rules applied to user 'john'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/john/.*$"
|
- '^/users/john/.*$'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to 'dev' group and user 'john'
|
# Rules applied to 'dev' group and user 'john'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/deny-all.*$"
|
- '^/deny-all.*$'
|
||||||
subject: ["group:dev", "user:john"]
|
subject: ['group:dev', 'user:john']
|
||||||
policy: deny
|
policy: 'deny'
|
||||||
|
|
||||||
# Rules applied to user 'harry'
|
# Rules applied to user 'harry'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/harry/.*$"
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to user 'bob'
|
# Rules applied to user 'bob'
|
||||||
- domain: "*.mail.example.com"
|
- domain: '*.mail.example.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "dev.example.com"
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/bob/.*$"
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
name: authelia_session
|
name: 'authelia_session'
|
||||||
expiration: 3600000 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300000 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
domain: example.com
|
domain: 'example.com'
|
||||||
redis:
|
redis:
|
||||||
host: 127.0.0.1
|
host: '127.0.0.1'
|
||||||
port: 6379
|
port: 6379
|
||||||
high_availability:
|
high_availability:
|
||||||
sentinel_name: test
|
sentinel_name: 'test'
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
find_time: 120
|
find_time: '2m'
|
||||||
ban_time: 300
|
ban_time: '5m'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
mysql:
|
mysql:
|
||||||
host: 127.0.0.1
|
host: '127.0.0.1'
|
||||||
port: 3306
|
port: 3306
|
||||||
database: authelia
|
database: 'authelia'
|
||||||
username: authelia
|
username: 'authelia'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
username: test
|
username: 'test'
|
||||||
host: 127.0.0.1
|
host: '127.0.0.1'
|
||||||
port: 1025
|
port: 1025
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
|
||||||
@ -5,14 +5,14 @@ server:
|
||||||
address: 'tcp://{{ env "SERVICES_SERVER" }}:9091'
|
address: 'tcp://{{ env "SERVICES_SERVER" }}:9091'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
totp:
|
totp:
|
||||||
issuer: authelia.com
|
issuer: 'authelia.com'
|
||||||
|
|
||||||
duo_api:
|
duo_api:
|
||||||
hostname: 'api-123456789.{{ env "ROOT_DOMAIN" }}'
|
hostname: 'api-123456789.{{ env "ROOT_DOMAIN" }}'
|
||||||
integration_key: ABCDEF
|
integration_key: 'ABCDEF'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
ldap:
|
ldap:
|
||||||
|
@ -46,51 +46,51 @@ authentication_backend:
|
||||||
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
|
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
|
||||||
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
|
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
|
||||||
-----END RSA PRIVATE KEY-----
|
-----END RSA PRIVATE KEY-----
|
||||||
base_dn: dc=example,dc=com
|
base_dn: 'dc=example,dc=com'
|
||||||
username_attribute: uid
|
username_attribute: 'uid'
|
||||||
additional_users_dn: ou=users
|
additional_users_dn: 'ou=users'
|
||||||
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
|
users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
|
||||||
additional_groups_dn: ou=groups
|
additional_groups_dn: 'ou=groups'
|
||||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||||
group_name_attribute: cn
|
group_name_attribute: 'cn'
|
||||||
mail_attribute: mail
|
mail_attribute: 'mail'
|
||||||
user: cn=admin,dc=example,dc=com
|
user: 'cn=admin,dc=example,dc=com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
# Rules applied to everyone
|
# Rules applied to everyone
|
||||||
- domain:
|
- domain:
|
||||||
- 'public.{{ env "ROOT_DOMAIN" }}'
|
- 'public.{{ env "ROOT_DOMAIN" }}'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
|
|
||||||
- domain:
|
- domain:
|
||||||
- 'secure.{{ env "ROOT_DOMAIN" }}'
|
- 'secure.{{ env "ROOT_DOMAIN" }}'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
# Network based rule, if not provided any network matches.
|
# Network based rule, if not provided any network matches.
|
||||||
networks:
|
networks:
|
||||||
- 192.168.1.0/24
|
- '192.168.1.0/24'
|
||||||
- domain:
|
- domain:
|
||||||
- 'secure.{{ env "ROOT_DOMAIN" }}'
|
- 'secure.{{ env "ROOT_DOMAIN" }}'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain:
|
- domain:
|
||||||
- 'singlefactor.{{ env "ROOT_DOMAIN" }}'
|
- 'singlefactor.{{ env "ROOT_DOMAIN" }}'
|
||||||
- 'onefactor.{{ env "ROOT_DOMAIN" }}'
|
- 'onefactor.{{ env "ROOT_DOMAIN" }}'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
# Rules applied to 'admins' group
|
# Rules applied to 'admins' group
|
||||||
- domain:
|
- domain:
|
||||||
- 'mx2.mail.{{ env "ROOT_DOMAIN" }}'
|
- 'mx2.mail.{{ env "ROOT_DOMAIN" }}'
|
||||||
subject:
|
subject:
|
||||||
- 'group:admins'
|
- 'group:admins'
|
||||||
policy: deny
|
policy: 'deny'
|
||||||
- domain:
|
- domain:
|
||||||
- '*.{{ env "ROOT_DOMAIN" }}'
|
- '*.{{ env "ROOT_DOMAIN" }}'
|
||||||
subject:
|
subject:
|
||||||
- ['group:admins']
|
- ['group:admins']
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to 'dev' group
|
# Rules applied to 'dev' group
|
||||||
- domain:
|
- domain:
|
||||||
|
@ -99,7 +99,7 @@ access_control:
|
||||||
- '^/groups/dev/.*$'
|
- '^/groups/dev/.*$'
|
||||||
subject:
|
subject:
|
||||||
- ['group:dev']
|
- ['group:dev']
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to user 'john'
|
# Rules applied to user 'john'
|
||||||
- domain:
|
- domain:
|
||||||
|
@ -108,17 +108,17 @@ access_control:
|
||||||
- '^/users/john/.*$'
|
- '^/users/john/.*$'
|
||||||
subject:
|
subject:
|
||||||
- ['user:john']
|
- ['user:john']
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to 'dev' group and user 'john'
|
# Rules applied to 'dev' group and user 'john'
|
||||||
- domain:
|
- domain:
|
||||||
- 'dev.{{ env "ROOT_DOMAIN" }}'
|
- 'dev.{{ env "ROOT_DOMAIN" }}'
|
||||||
resources:
|
resources:
|
||||||
- "^/deny-all.*$"
|
- '^/deny-all.*$'
|
||||||
subject:
|
subject:
|
||||||
- ['group:dev']
|
- ['group:dev']
|
||||||
- ['user:john']
|
- ['user:john']
|
||||||
policy: deny
|
policy: 'deny'
|
||||||
|
|
||||||
# Rules applied to user 'harry'
|
# Rules applied to user 'harry'
|
||||||
- domain:
|
- domain:
|
||||||
|
@ -127,47 +127,47 @@ access_control:
|
||||||
- '^/users/harry/.*$'
|
- '^/users/harry/.*$'
|
||||||
subject:
|
subject:
|
||||||
- ['user:harry']
|
- ['user:harry']
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to user 'bob'
|
# Rules applied to user 'bob'
|
||||||
- domain:
|
- domain:
|
||||||
- '*.mail.{{ env "ROOT_DOMAIN" }}'
|
- '*.mail.{{ env "ROOT_DOMAIN" }}'
|
||||||
subject:
|
subject:
|
||||||
- ['user:bob']
|
- ['user:bob']
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain:
|
- domain:
|
||||||
- 'dev.{{ env "ROOT_DOMAIN" }}'
|
- 'dev.{{ env "ROOT_DOMAIN" }}'
|
||||||
resources:
|
resources:
|
||||||
- '^/users/bob/.*$'
|
- '^/users/bob/.*$'
|
||||||
subject:
|
subject:
|
||||||
- ['user:bob']
|
- ['user:bob']
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
name: authelia_session
|
name: 'authelia_session'
|
||||||
expiration: 3600000 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300000 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
domain: '{{ env "ROOT_DOMAIN" }}'
|
domain: '{{ env "ROOT_DOMAIN" }}'
|
||||||
redis:
|
redis:
|
||||||
host: ${SERVICES_SERVER}
|
host: '${SERVICES_SERVER}'
|
||||||
port: 6379
|
port: 6379
|
||||||
high_availability:
|
high_availability:
|
||||||
sentinel_name: test
|
sentinel_name: 'test'
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
find_time: 120
|
find_time: '2m'
|
||||||
ban_time: 300
|
ban_time: '5m'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
mysql:
|
mysql:
|
||||||
address: 'tcp://{{ env "SERVICES_SERVER" }}:3306'
|
address: 'tcp://{{ env "SERVICES_SERVER" }}:3306'
|
||||||
database: authelia
|
database: 'authelia'
|
||||||
username: authelia
|
username: 'authelia'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
username: test
|
username: 'test'
|
||||||
address: 'smtp://{{ env "SERVICES_SERVER" }}:1025'
|
address: 'smtp://{{ env "SERVICES_SERVER" }}:1025'
|
||||||
sender: 'admin@{{ env "ROOT_DOMAIN" }}'
|
sender: 'admin@{{ env "ROOT_DOMAIN" }}'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
|
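Review bot: The session `expiration` change on the new side of this hunk (`expiration: '1h'` replacing `3600000`) is a behavioural change rather than a quoting change, and the commit does not call it out. If the bare integer was parsed as seconds — Authelia's documented handling of integer durations, to be confirmed for this version — the old value was on the order of 1000 hours while the adjacent comment claims one hour, so `'1h'` looks like a latent fix; `find_time` and `ban_time` convert faithfully, which makes this one easy to miss. A one-line mention in the commit message would keep the session-lifetime change in this suite from slipping through as a refactor. Separately, the redis `host: '${SERVICES_SERVER}'` relies on shell-style expansion while `address: 'tcp://{{ env "SERVICES_SERVER" }}:3306'` in the same hunk uses the template function; if only one of the two filters is enabled for this suite the literal `${SERVICES_SERVER}` becomes the redis host, so normalising to one mechanism may be worthwhile.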
@ -176,16 +176,16 @@ identity_providers:
|
||||||
oidc:
|
oidc:
|
||||||
cors:
|
cors:
|
||||||
allowed_origins:
|
allowed_origins:
|
||||||
- https://google.com
|
- 'https://google.com'
|
||||||
- https://example.com
|
- 'https://example.com'
|
||||||
clients:
|
clients:
|
||||||
- id: abc
|
- id: 'abc'
|
||||||
secret: '${ABC_CLIENT_SECRET}'
|
secret: '${ABC_CLIENT_SECRET}'
|
||||||
consent_mode: explicit
|
consent_mode: 'explicit'
|
||||||
- id: xyz
|
- id: 'xyz'
|
||||||
secret: '$XYZ_CLIENT_SECRET'
|
secret: '$XYZ_CLIENT_SECRET'
|
||||||
consent_mode: explicit
|
consent_mode: 'explicit'
|
||||||
- id: '123'
|
- id: '123'
|
||||||
secret: $ANOTHER_CLIENT_SECRET
|
secret: '$ANOTHER_CLIENT_SECRET'
|
||||||
consent_mode: explicit
|
consent_mode: 'explicit'
|
||||||
...
|
...
|
||||||
|
|
|
@ -3,69 +3,69 @@
|
||||||
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
theme: grey
|
theme: 'grey'
|
||||||
jwt_secret: very_important_secret
|
jwt_secret: 'very_important_secret'
|
||||||
default_redirection_url: https://home.example.com:8080/
|
default_redirection_url: 'https://home.example.com:8080/'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
ldap:
|
ldap:
|
||||||
address: 'ldap://sambaldap'
|
address: 'ldap://sambaldap'
|
||||||
implementation: activedirectory
|
implementation: 'activedirectory'
|
||||||
tls:
|
tls:
|
||||||
skip_verify: true
|
skip_verify: true
|
||||||
start_tls: true
|
start_tls: true
|
||||||
base_dn: DC=example,DC=com
|
base_dn: 'DC=example,DC=com'
|
||||||
additional_users_dn: OU=Users
|
additional_users_dn: 'OU=Users'
|
||||||
additional_groups_dn: OU=Groups
|
additional_groups_dn: 'OU=Groups'
|
||||||
user: CN=Administrator,CN=Users,DC=example,DC=com
|
user: 'CN=Administrator,CN=Users,DC=example,DC=com'
|
||||||
password: password
|
password: 'password'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite3
|
path: '/config/db.sqlite3'
|
||||||
|
|
||||||
totp:
|
totp:
|
||||||
issuer: example.com
|
issuer: 'example.com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
rules:
|
rules:
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
find_time: 300
|
find_time: '5m'
|
||||||
ban_time: 900
|
ban_time: '15m'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
|
||||||
|
|
|
@ -6,49 +6,49 @@
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
# The Duo Push Notification API configuration
|
# The Duo Push Notification API configuration
|
||||||
duo_api:
|
duo_api:
|
||||||
hostname: duo.example.com
|
hostname: 'duo.example.com'
|
||||||
integration_key: ABCDEFGHIJKL
|
integration_key: 'ABCDEFGHIJKL'
|
||||||
secret_key: abcdefghijklmnopqrstuvwxyz123456789
|
secret_key: 'abcdefghijklmnopqrstuvwxyz123456789'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: bypass
|
default_policy: 'bypass'
|
||||||
rules:
|
rules:
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: 'true'
|
||||||
...
|
...
|
||||||
|
|
|
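Review bot: `disable_require_tls: 'true'` on the new side turns a boolean into a string, which contradicts the stated intent of quoting only string values and is inconsistent with every other copy of this key in the change, where `disable_require_tls: true` stays unquoted. Whether the configuration decoder coerces the string back to a boolean or rejects it is not visible here; if it is rejected or silently dropped, this suite's SMTP notifier would require TLS and its notifications would stop. The line should read `disable_require_tls: true`. The same file keeps `default_policy: 'bypass'` next to hard-coded Duo `integration_key`/`secret_key` values; that is pre-existing suite configuration, but it is worth confirming these credentials are throwaway and never reused outside the test environment.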
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
|
|
|
@ -6,61 +6,61 @@
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
cookies:
|
cookies:
|
||||||
- name: 'authelia_session'
|
- name: 'authelia_session'
|
||||||
domain: 'example.com'
|
domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /tmp/db.sqlite
|
path: '/tmp/db.sqlite'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: bypass
|
default_policy: 'bypass'
|
||||||
rules:
|
rules:
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
- domain: "resources.example.com"
|
- domain: 'resources.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
resources: ["^/resources"]
|
resources: ['^/resources']
|
||||||
- domain: "method.example.com"
|
- domain: 'method.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
methods: ["POST"]
|
methods: ['POST']
|
||||||
- domain: "network.example.com"
|
- domain: 'network.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
networks: ["192.168.1.0/24"]
|
networks: ['192.168.1.0/24']
|
||||||
- domain: "group.example.com"
|
- domain: 'group.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
subject: ["group:basic"]
|
subject: ['group:basic']
|
||||||
- domain: "user.example.com"
|
- domain: 'user.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
subject: ["user:john"]
|
subject: ['user:john']
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
filesystem:
|
filesystem:
|
||||||
filename: /tmp/notification.txt
|
filename: '/tmp/notification.txt'
|
||||||
...
|
...
|
||||||
|
|
|
@ -8,5 +8,5 @@ services:
|
||||||
- './CLI/users.yml:/config/users.yml'
|
- './CLI/users.yml:/config/users.yml'
|
||||||
- './common/pki:/pki:ro'
|
- './common/pki:/pki:ro'
|
||||||
- '/tmp:/tmp'
|
- '/tmp:/tmp'
|
||||||
user: ${USER_ID}:${GROUP_ID}
|
user: '${USER_ID}:${GROUP_ID}'
|
||||||
...
|
...
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /tmp/db.sqlite3
|
path: '/tmp/db.sqlite3'
|
||||||
...
|
...
|
||||||
|
|
|
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
|
|
|
@ -3,56 +3,56 @@
|
||||||
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
asset_path: '/config/assets/'
|
asset_path: '/config/assets/'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
endpoints:
|
endpoints:
|
||||||
authz:
|
authz:
|
||||||
caddy:
|
caddy:
|
||||||
implementation: ForwardAuth
|
implementation: 'ForwardAuth'
|
||||||
authn_strategies: []
|
authn_strategies: []
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: bypass
|
default_policy: 'bypass'
|
||||||
rules:
|
rules:
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
|
||||||
|
|
|
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
|
|
|
@ -3,89 +3,89 @@
|
||||||
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: very_important_secret
|
jwt_secret: 'very_important_secret'
|
||||||
default_redirection_url: https://home.example.com:8080/
|
default_redirection_url: 'https://home.example.com:8080/'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite3
|
path: '/config/db.sqlite3'
|
||||||
|
|
||||||
totp:
|
totp:
|
||||||
issuer: example.com
|
issuer: 'example.com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
- domain: singlefactor.example.com
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/john/.*$"
|
- '^/users/john/.*$'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/harry/.*$"
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.mail.example.com"
|
- domain: '*.mail.example.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/bob/.*$"
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
# Set it to 0 to disable max_retries.
|
# Set it to 0 to disable max_retries.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 300
|
find_time: '5m'
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
ban_time: 900
|
ban_time: '15m'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
|
||||||
|
|
|
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
|
|
|
@ -3,49 +3,49 @@
|
||||||
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: very_important_secret
|
jwt_secret: 'very_important_secret'
|
||||||
default_redirection_url: https://home.example.com:8080/
|
default_redirection_url: 'https://home.example.com:8080/'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: trace
|
level: 'trace'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /tmp/db.sqlite3
|
path: '/tmp/db.sqlite3'
|
||||||
|
|
||||||
# TOTP Issuer Name
|
# TOTP Issuer Name
|
||||||
#
|
#
|
||||||
# This will be the issuer name displayed in Google Authenticator
|
# This will be the issuer name displayed in Google Authenticator
|
||||||
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
# See: 'https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names'
|
||||||
totp:
|
totp:
|
||||||
issuer: example.com
|
issuer: 'example.com'
|
||||||
|
|
||||||
# The Duo Push Notification API configuration
|
# The Duo Push Notification API configuration
|
||||||
duo_api:
|
duo_api:
|
||||||
hostname: duo.example.com
|
hostname: 'duo.example.com'
|
||||||
integration_key: ABCDEFGHIJKL
|
integration_key: 'ABCDEFGHIJKL'
|
||||||
secret_key: abcdefghijklmnopqrstuvwxyz123456789
|
secret_key: 'abcdefghijklmnopqrstuvwxyz123456789'
|
||||||
enable_self_enrollment: true
|
enable_self_enrollment: true
|
||||||
|
|
||||||
# Access Control
|
# Access Control
|
||||||
|
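Review bot: The quoting was applied inside a comment on the new side: `# See: 'https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names'` wraps the URL and the trailing prose in single quotes, which has no effect on parsing but mangles the reference. It should be restored to `# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names`. Note also that this suite runs with `level: 'trace'` while carrying `jwt_secret`, the session `secret`, the storage `encryption_key` and the Duo `secret_key` inline; that is pre-existing, but trace-level output is typically far more verbose than debug, so these must remain disposable test-only values.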
@ -54,43 +54,43 @@ duo_api:
|
||||||
# resources.
|
# resources.
|
||||||
access_control:
|
access_control:
|
||||||
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
|
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
|
||||||
default_policy: two_factor
|
default_policy: 'two_factor'
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
- domain: singlefactor.example.com
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/john/.*$"
|
- '^/users/john/.*$'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/harry/.*$"
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.mail.example.com"
|
- domain: '*.mail.example.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/bob/.*$"
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Configuration of the authentication regulation mechanism.
|
# Configuration of the authentication regulation mechanism.
|
||||||
regulation:
|
regulation:
|
||||||
|
@ -98,12 +98,12 @@ regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
|
|
||||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 300
|
find_time: '5m'
|
||||||
|
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
ban_time: 900
|
ban_time: '15m'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
filesystem:
|
filesystem:
|
||||||
filename: /tmp/notifier.html
|
filename: '/tmp/notifier.html'
|
||||||
...
|
...
|
||||||
|
|
|
@ -7,5 +7,5 @@ services:
|
||||||
- './DuoPush/users.yml:/config/users.yml'
|
- './DuoPush/users.yml:/config/users.yml'
|
||||||
- './common/pki:/pki:ro'
|
- './common/pki:/pki:ro'
|
||||||
- '/tmp:/tmp'
|
- '/tmp:/tmp'
|
||||||
user: ${USER_ID}:${GROUP_ID}
|
user: '${USER_ID}:${GROUP_ID}'
|
||||||
...
|
...
|
||||||
|
|
|
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
|
|
|
@ -3,59 +3,59 @@
|
||||||
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
asset_path: '/config/assets/'
|
asset_path: '/config/assets/'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
endpoints:
|
endpoints:
|
||||||
authz:
|
authz:
|
||||||
ext-authz:
|
ext-authz:
|
||||||
implementation: ExtAuthz
|
implementation: 'ExtAuthz'
|
||||||
authn_strategies: []
|
authn_strategies: []
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- name: 'authelia_session'
|
- name: 'authelia_session'
|
||||||
domain: 'example.com'
|
domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080/'
|
authelia_url: 'https://login.example.com:8080/'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: bypass
|
default_policy: 'bypass'
|
||||||
rules:
|
rules:
|
||||||
- domain: "login.example.com"
|
- domain: 'login.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
|
||||||
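Review bot: The trailing comments on `expiration: '1h' # 1 hour` and `inactivity: '5m' # 5 minutes` now restate the value they annotate; they earned their place when the values were bare second counts (`3600`, `300`) but are redundant once the duration is written in human-readable form. Either drop them, `expiration: '1h'` and `inactivity: '5m'`, or replace them with a comment that adds information, such as noting that the inactivity timeout is deliberately shorter than the absolute expiration. The same comment pattern recurs in the other configuration.yml sections of this commit, including the `@ -3,50 +3,50 @@`, `@ -3,125 +3,125 @@`, `@ -3,73 +3,73 @@` and `@ -3,58 +3,58 @@` hunks. Whether the loader accepts the `'1h'`/`'5m'`/`'1y'` notation for these keys is not visible in the diff and should be confirmed by running the suites, since the previous integer form was presumably parsed as seconds.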
|
|
|
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
|
|
|
@ -3,50 +3,50 @@
|
||||||
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: bypass
|
default_policy: 'bypass'
|
||||||
rules:
|
rules:
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
|
||||||
|
|
|
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
|
|
|
@ -3,125 +3,125 @@
|
||||||
# Authelia configuration #
|
# Authelia configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
totp:
|
totp:
|
||||||
issuer: authelia.com
|
issuer: 'authelia.com'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
ldap:
|
ldap:
|
||||||
address: 'ldap://openldap'
|
address: 'ldap://openldap'
|
||||||
base_dn: dc=example,dc=com
|
base_dn: 'dc=example,dc=com'
|
||||||
username_attribute: uid
|
username_attribute: 'uid'
|
||||||
additional_users_dn: ou=users
|
additional_users_dn: 'ou=users'
|
||||||
users_filter: (&({username_attribute}={input})(objectClass=person))
|
users_filter: '(&({username_attribute}={input})(objectClass=person))'
|
||||||
additional_groups_dn: ou=groups
|
additional_groups_dn: 'ou=groups'
|
||||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||||
group_name_attribute: cn
|
group_name_attribute: 'cn'
|
||||||
mail_attribute: mail
|
mail_attribute: 'mail'
|
||||||
display_name_attribute: displayName
|
display_name_attribute: 'displayName'
|
||||||
user: cn=admin,dc=example,dc=com
|
user: 'cn=admin,dc=example,dc=com'
|
||||||
password: password
|
password: 'password'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
# Rules applied to everyone
|
# Rules applied to everyone
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: singlefactor.example.com
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
# Rules applied to 'admins' group
|
# Rules applied to 'admins' group
|
||||||
- domain: mx2.mail.example.com
|
- domain: 'mx2.mail.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: deny
|
policy: 'deny'
|
||||||
|
|
||||||
# Rules applied to user 'john'
|
# Rules applied to user 'john'
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to 'dev' group
|
# Rules applied to 'dev' group
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/groups/dev/.*$"
|
- '^/groups/dev/.*$'
|
||||||
subject: "group:dev"
|
subject: 'group:dev'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to user 'harry'
|
# Rules applied to user 'harry'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/harry/.*$"
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to user 'bob'
|
# Rules applied to user 'bob'
|
||||||
- domain: "*.mail.example.com"
|
- domain: '*.mail.example.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "dev.example.com"
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/bob/.*$"
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
name: authelia_session
|
name: 'authelia_session'
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
redis:
|
redis:
|
||||||
username: authelia
|
username: 'authelia'
|
||||||
password: redis-user-password
|
password: 'redis-user-password'
|
||||||
high_availability:
|
high_availability:
|
||||||
sentinel_name: authelia
|
sentinel_name: 'authelia'
|
||||||
sentinel_password: sentinel-server-password
|
sentinel_password: 'sentinel-server-password'
|
||||||
nodes:
|
nodes:
|
||||||
- host: redis-sentinel-0
|
- host: 'redis-sentinel-0'
|
||||||
port: 26379
|
port: 26379
|
||||||
- host: redis-sentinel-1
|
- host: 'redis-sentinel-1'
|
||||||
port: 26379
|
port: 26379
|
||||||
- host: redis-sentinel-2
|
- host: 'redis-sentinel-2'
|
||||||
port: 26379
|
port: 26379
|
||||||
|
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
find_time: 8
|
find_time: '8s'
|
||||||
ban_time: 10
|
ban_time: 10
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
mysql:
|
mysql:
|
||||||
address: 'tcp://mariadb:3306'
|
address: 'tcp://mariadb:3306'
|
||||||
database: authelia
|
database: 'authelia'
|
||||||
username: admin
|
username: 'admin'
|
||||||
password: password
|
password: 'password'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
|
||||||
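Review bot: `ban_time: 10` is left as a bare integer while the adjacent `find_time: 8` in the same `regulation` stanza is converted to the duration string `'8s'`; the same half-conversion appears in the `@ -62,7 +62,7 @@ regulation:` hunk later in this commit. If the loader treats a bare integer as seconds the two forms are equivalent, but mixing them in one stanza reads as an oversight and makes an accidental unit change harder to spot; write `ban_time: '10s'` to match. These values (`max_retries: 3`, `find_time: '8s'`, `ban_time: 10`) are also very tight, presumably on purpose so an integration suite can exercise banning quickly; a one-line comment saying so, e.g. `# Deliberately short windows so the suite can exercise banning quickly.`, would stop a future reader from "fixing" them.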
|
|
|
@ -3,73 +3,73 @@
|
||||||
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
theme: dark
|
theme: 'dark'
|
||||||
jwt_secret: very_important_secret
|
jwt_secret: 'very_important_secret'
|
||||||
default_redirection_url: https://home.example.com:8080/
|
default_redirection_url: 'https://home.example.com:8080/'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
ldap:
|
ldap:
|
||||||
address: 'ldaps://openldap'
|
address: 'ldaps://openldap'
|
||||||
tls:
|
tls:
|
||||||
skip_verify: true
|
skip_verify: true
|
||||||
base_dn: dc=example,dc=com
|
base_dn: 'dc=example,dc=com'
|
||||||
username_attribute: uid
|
username_attribute: 'uid'
|
||||||
additional_users_dn: ou=users
|
additional_users_dn: 'ou=users'
|
||||||
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(objectClass=inetOrgPerson)) # yamllint disable-line rule:line-length
|
users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(objectClass=inetOrgPerson))' # yamllint disable-line rule:line-length
|
||||||
additional_groups_dn: ou=groups
|
additional_groups_dn: 'ou=groups'
|
||||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||||
group_name_attribute: cn
|
group_name_attribute: 'cn'
|
||||||
mail_attribute: mail
|
mail_attribute: 'mail'
|
||||||
display_name_attribute: displayName
|
display_name_attribute: 'displayName'
|
||||||
user: cn=pwmanager,dc=example,dc=com
|
user: 'cn=pwmanager,dc=example,dc=com'
|
||||||
password: password
|
password: 'password'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite3
|
path: '/config/db.sqlite3'
|
||||||
|
|
||||||
totp:
|
totp:
|
||||||
issuer: example.com
|
issuer: 'example.com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
rules:
|
rules:
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
find_time: 300
|
find_time: '5m'
|
||||||
ban_time: 900
|
ban_time: '15m'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: 'true'
|
||||||
...
|
...
|
||||||
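Review bot: `disable_require_tls: 'true'` at the end of the notifier block turns a boolean into the string `'true'`, while every other configuration.yml in this commit keeps `disable_require_tls: true`; this looks like the quoting pass being applied one line too far. A string is not a boolean to a typed config decoder, so depending on how strictly the loader decodes this key the value may be rejected or silently coerced, and either way it is inconsistent with the sibling files. Change it back to `disable_require_tls: true`. The `skip_verify: true` under the ldap `tls` block in this same section is correctly left unquoted, which is the form to match.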
|
|
|
@ -3,58 +3,58 @@
|
||||||
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: very_important_secret
|
jwt_secret: 'very_important_secret'
|
||||||
default_redirection_url: https://home.example.com:8080/
|
default_redirection_url: 'https://home.example.com:8080/'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
mysql:
|
mysql:
|
||||||
address: 'tcp://mariadb:3306'
|
address: 'tcp://mariadb:3306'
|
||||||
database: authelia
|
database: 'authelia'
|
||||||
username: admin
|
username: 'admin'
|
||||||
password: password
|
password: 'password'
|
||||||
|
|
||||||
# TOTP Issuer Name
|
# TOTP Issuer Name
|
||||||
#
|
#
|
||||||
# This will be the issuer name displayed in Google Authenticator
|
# This will be the issuer name displayed in Google Authenticator
|
||||||
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
||||||
totp:
|
totp:
|
||||||
issuer: example.com
|
issuer: 'example.com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
rules:
|
rules:
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
# Configuration of the authentication regulation mechanism.
|
# Configuration of the authentication regulation mechanism.
|
||||||
regulation:
|
regulation:
|
||||||
|
@ -62,7 +62,7 @@ regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
|
|
||||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 8
|
find_time: '8s'
|
||||||
|
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
ban_time: 10
|
ban_time: 10
|
||||||
|
@ -71,6 +71,6 @@ notifier:
|
||||||
# Use a SMTP server for sending notifications
|
# Use a SMTP server for sending notifications
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
|
||||||
|
|
|
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
|
|
|
@ -3,14 +3,14 @@
|
||||||
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
theme: auto
|
theme: 'auto'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
telemetry:
|
telemetry:
|
||||||
metrics:
|
metrics:
|
||||||
|
@ -18,17 +18,17 @@ telemetry:
|
||||||
address: 'tcp://:9959'
|
address: 'tcp://:9959'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600
|
expiration: '1h'
|
||||||
inactivity: 300
|
inactivity: '5m'
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- name: 'authelia_session'
|
- name: 'authelia_session'
|
||||||
domain: 'example.com'
|
domain: 'example.com'
|
||||||
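Review bot: The rewrites `expiration: 3600` → `expiration: '1h'` and `inactivity: 300` → `inactivity: '5m'` in this hunk are a type change rather than the quoting-only cleanup the rest of the commit performs: the parsed value goes from an integer number of seconds to a string the configuration loader has to interpret as a duration. That presumably works, since `remember_me: 1y` was already a plain string on the old side, but it deserves a separate mention because a loader that only accepted integers here would fail at startup with no YAML-level signal. The same seconds-to-duration conversion recurs in the `regulation` hunk below and in the `session` stanzas of the other suite configurations in this commit.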
|
@ -42,153 +42,153 @@ session:
|
||||||
authelia_url: 'https://login.example3.com:8080'
|
authelia_url: 'https://login.example3.com:8080'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
totp:
|
totp:
|
||||||
issuer: example.com
|
issuer: 'example.com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
# First cookie domain
|
# First cookie domain
|
||||||
- domain: singlefactor.example.com
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
methods:
|
methods:
|
||||||
- OPTIONS
|
- 'OPTIONS'
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/john/.*$"
|
- '^/users/john/.*$'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/harry/.*$"
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.mail.example.com"
|
- domain: '*.mail.example.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/bob/.*$"
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Second cookie domain
|
# Second cookie domain
|
||||||
- domain: singlefactor.example2.com
|
- domain: 'singlefactor.example2.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
- domain: public.example2.com
|
- domain: 'public.example2.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
|
|
||||||
- domain: secure.example2.com
|
- domain: 'secure.example2.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
methods:
|
methods:
|
||||||
- OPTIONS
|
- 'OPTIONS'
|
||||||
|
|
||||||
- domain: secure.example2.com
|
- domain: 'secure.example2.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.example2.com"
|
- domain: '*.example2.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example2.com
|
- domain: 'dev.example2.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/john/.*$"
|
- '^/users/john/.*$'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example2.com
|
- domain: 'dev.example2.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/harry/.*$"
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.mail.example2.com"
|
- domain: '*.mail.example2.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example2.com
|
- domain: 'dev.example2.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/bob/.*$"
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Third cookie domain
|
# Third cookie domain
|
||||||
- domain: singlefactor.example3.com
|
- domain: 'singlefactor.example3.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
- domain: public.example3.com
|
- domain: 'public.example3.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
|
|
||||||
- domain: secure.example3.com
|
- domain: 'secure.example3.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
methods:
|
methods:
|
||||||
- OPTIONS
|
- 'OPTIONS'
|
||||||
|
|
||||||
- domain: secure.example3.com
|
- domain: 'secure.example3.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.example3.com"
|
- domain: '*.example3.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example3.com
|
- domain: 'dev.example3.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/john/.*$"
|
- '^/users/john/.*$'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example3.com
|
- domain: 'dev.example3.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/harry/.*$"
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.mail.example3.com"
|
- domain: '*.mail.example3.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example3.com
|
- domain: 'dev.example3.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/bob/.*$"
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
# Set it to 0 to disable max_retries.
|
# Set it to 0 to disable max_retries.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 300
|
find_time: '5m'
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
ban_time: 900
|
ban_time: '15m'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
ntp:
|
ntp:
|
||||||
## NTP server address
|
## NTP server address
|
||||||
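Review bot: The comment above `find_time: '5m'` still says the window is `find_time` seconds, which no longer matches the duration string directly below it; suggest `# The user is banned if the authentication failed \`max_retries\` times within the \`find_time\` duration.` The identical stale comment sits above the converted `find_time` in the MySQL-suite and network-ACL-suite configurations further down this commit. The `ban_time` comment is still accurate because it only speaks of a "length of time".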
|
@ -196,7 +196,7 @@ ntp:
|
||||||
## ntp version
|
## ntp version
|
||||||
version: 4
|
version: 4
|
||||||
## "maximum desynchronization" is the allowed offset time between the host and the ntp server
|
## "maximum desynchronization" is the allowed offset time between the host and the ntp server
|
||||||
max_desync: 3s
|
max_desync: '3s'
|
||||||
## You can enable or disable the NTP synchronization check on startup
|
## You can enable or disable the NTP synchronization check on startup
|
||||||
disable_startup_check: false
|
disable_startup_check: false
|
||||||
|
|
||||||
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
@ -6,32 +6,32 @@
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
default_redirection_url: https://home.example.com:8080/
|
default_redirection_url: 'https://home.example.com:8080/'
|
||||||
|
|
||||||
jwt_secret: very_important_secret
|
jwt_secret: 'very_important_secret'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
mysql:
|
mysql:
|
||||||
address: 'tcp://mysql:3306'
|
address: 'tcp://mysql:3306'
|
||||||
database: 'authelia'
|
database: 'authelia'
|
||||||
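Review bot: With `expiration: '1h' # 1 hour` and `inactivity: '5m' # 5 minutes` the trailing comments now merely restate the value; they were only useful while the values were bare second counts and can be dropped, e.g. `expiration: '1h'`. The same value/comment pairs appear in the network-ACL, OIDC and Traefik suite configurations in this commit. Everything else in the hunk is pure quoting of string scalars, and `port`-style integers are correctly left bare.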
|
@ -43,19 +43,19 @@ storage:
|
||||||
# This will be the issuer name displayed in Google Authenticator
|
# This will be the issuer name displayed in Google Authenticator
|
||||||
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
||||||
totp:
|
totp:
|
||||||
issuer: example.com
|
issuer: 'example.com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
rules:
|
rules:
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
# Configuration of the authentication regulation mechanism.
|
# Configuration of the authentication regulation mechanism.
|
||||||
regulation:
|
regulation:
|
||||||
|
@ -63,7 +63,7 @@ regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
|
|
||||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 8
|
find_time: '8s'
|
||||||
|
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
ban_time: 10
|
ban_time: 10
|
||||||
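Review bot: `find_time: 8` becomes the duration string `'8s'` but `ban_time: 10` two lines below stays a bare integer, so the two regulation timers in one stanza are now expressed in different types; the other suites use `ban_time: '15m'`, so this should read `ban_time: '10s'`. The comment above `find_time` still describes a "seconds window", which reads oddly next to a duration string. The `regulation` stanza itself opens above this hunk.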
|
@ -72,6 +72,6 @@ notifier:
|
||||||
# Use a SMTP server for sending notifications
|
# Use a SMTP server for sending notifications
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: 'true'
|
||||||
...
|
...
|
||||||
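Review bot: `disable_require_tls: 'true'` turns a boolean into the string `'true'`; every other suite configuration in this commit keeps `disable_require_tls: true` unquoted, and a strict decoder will reject or misread a string where a bool is expected (a weakly-typed decoder may coerce it, but the sibling files show the intended form). Revert this one line to `disable_require_tls: true`. Quoting is the right call for the string value in this hunk, `sender: 'admin@example.com'`, just not for the boolean.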
@ -8,28 +8,26 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
@ -6,71 +6,71 @@
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
jwt_secret: unsecure_password
|
jwt_secret: 'unsecure_password'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
# Access Control
|
# Access Control
|
||||||
#
|
#
|
||||||
# Access control is a set of rules you can use to restrict user access to certain
|
# Access control is a set of rules you can use to restrict user access to certain
|
||||||
# resources.
|
# resources.
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
networks:
|
networks:
|
||||||
- name: Clients
|
- name: 'Clients'
|
||||||
networks:
|
networks:
|
||||||
- 192.168.240.202/32
|
- 192.168.240.202/32
|
||||||
- 192.168.240.203/32
|
- 192.168.240.203/32
|
||||||
rules:
|
rules:
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
networks:
|
networks:
|
||||||
- 192.168.240.201/32
|
- 192.168.240.201/32
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
networks:
|
networks:
|
||||||
- Clients
|
- 'Clients'
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Configuration of the authentication regulation mechanism.
|
# Configuration of the authentication regulation mechanism.
|
||||||
regulation:
|
regulation:
|
||||||
# Set it to 0 to disable max_retries.
|
# Set it to 0 to disable max_retries.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 300
|
find_time: '5m'
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
ban_time: 900
|
ban_time: '15m'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
# Use a SMTP server for sending notifications
|
# Use a SMTP server for sending notifications
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
|
||||||
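Review bot: The CIDR entries `- 192.168.240.202/32`, `- 192.168.240.203/32` and `- 192.168.240.201/32` are the only plain string scalars left unquoted in this hunk, while the network name `'Clients'` and the rule that references it are quoted, so one `networks` block now mixes both styles. They parse as strings either way, so this is consistency rather than correctness: quote them as `- '192.168.240.202/32'` to match the rest of the commit, or leave the whole `networks` list plain.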
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
@ -2,78 +2,78 @@
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
|
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
|
|
||||||
# We use redis here to keep the users authenticated when Authelia restarts
|
# We use redis here to keep the users authenticated when Authelia restarts
|
||||||
# It eases development.
|
# It eases development.
|
||||||
redis:
|
redis:
|
||||||
host: redis
|
host: 'redis'
|
||||||
port: 6379
|
port: 6379
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
rules:
|
rules:
|
||||||
- domain: "home.example.com"
|
- domain: 'home.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
- domain: "oidc.example.com"
|
- domain: 'oidc.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "oidc-public.example.com"
|
- domain: 'oidc-public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
|
|
||||||
identity_providers:
|
identity_providers:
|
||||||
oidc:
|
oidc:
|
||||||
enable_client_debug_messages: true
|
enable_client_debug_messages: true
|
||||||
hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm
|
hmac_secret: 'IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm'
|
||||||
clients:
|
clients:
|
||||||
- id: oidc-tester-app
|
- id: 'oidc-tester-app'
|
||||||
secret: foobar
|
secret: 'foobar'
|
||||||
authorization_policy: two_factor
|
authorization_policy: 'two_factor'
|
||||||
redirect_uris:
|
redirect_uris:
|
||||||
- https://oidc.example.com:8080/oauth2/callback
|
- https://oidc.example.com:8080/oauth2/callback
|
||||||
# This client is used for testing purpose. As of now, the app must be protected by ACLs
|
# This client is used for testing purpose. As of now, the app must be protected by ACLs
|
||||||
# otherwise it won't work properly.
|
# otherwise it won't work properly.
|
||||||
- id: oidc-tester-app-public
|
- id: 'oidc-tester-app-public'
|
||||||
secret: foobar
|
secret: 'foobar'
|
||||||
authorization_policy: one_factor
|
authorization_policy: 'one_factor'
|
||||||
redirect_uris:
|
redirect_uris:
|
||||||
- https://oidc-public.example.com:8080/oauth2/callback
|
- https://oidc-public.example.com:8080/oauth2/callback
|
||||||
...
|
...
|
||||||
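Review bot: The `redirect_uris` entries `- https://oidc.example.com:8080/oauth2/callback` and `- https://oidc-public.example.com:8080/oauth2/callback` are the only URLs in this commit that stay unquoted, while `authelia_url` and `address` a few lines above them are quoted; a plain scalar whose `:` is followed by a non-space still parses as a string, so this is a consistency point rather than a parse error. Suggest `- 'https://oidc.example.com:8080/oauth2/callback'` for both. `port: 6379` and the boolean `enable_client_debug_messages: true` are correctly left bare, which is the rule the rest of the hunk follows.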
@ -3,8 +3,8 @@ version: '3'
|
||||||
services:
|
services:
|
||||||
authelia-backend:
|
authelia-backend:
|
||||||
environment:
|
environment:
|
||||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.chain.pem
|
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: '/pki/public.oidc.chain.pem'
|
||||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem
|
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: '/pki/private.oidc.pem'
|
||||||
volumes:
|
volumes:
|
||||||
- './OIDC/configuration.yml:/config/configuration.yml:ro'
|
- './OIDC/configuration.yml:/config/configuration.yml:ro'
|
||||||
- './OIDC/users.yml:/config/users.yml'
|
- './OIDC/users.yml:/config/users.yml'
|
||||||
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
@ -2,23 +2,23 @@
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
@ -26,55 +26,55 @@ session:
# We use redis here to keep the users authenticated when Authelia restarts
|
# We use redis here to keep the users authenticated when Authelia restarts
|
||||||
# It eases development.
|
# It eases development.
|
||||||
redis:
|
redis:
|
||||||
host: redis
|
host: 'redis'
|
||||||
port: 6379
|
port: 6379
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
rules:
|
rules:
|
||||||
- domain: "home.example.com"
|
- domain: 'home.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
- domain: "oidc.example.com"
|
- domain: 'oidc.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "oidc-public.example.com"
|
- domain: 'oidc-public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "traefik.example.com"
|
- domain: 'traefik.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
|
|
||||||
identity_providers:
|
identity_providers:
|
||||||
oidc:
|
oidc:
|
||||||
enable_client_debug_messages: true
|
enable_client_debug_messages: true
|
||||||
hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm
|
hmac_secret: 'IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm'
|
||||||
clients:
|
clients:
|
||||||
- id: oidc-tester-app
|
- id: 'oidc-tester-app'
|
||||||
secret: foobar
|
secret: 'foobar'
|
||||||
authorization_policy: two_factor
|
authorization_policy: 'two_factor'
|
||||||
redirect_uris:
|
redirect_uris:
|
||||||
- https://oidc.example.com:8080/oauth2/callback
|
- https://oidc.example.com:8080/oauth2/callback
|
||||||
# This client is used for testing purpose. As of now, the app must be protected by ACLs
|
# This client is used for testing purpose. As of now, the app must be protected by ACLs
|
||||||
# otherwise it won't work properly.
|
# otherwise it won't work properly.
|
||||||
- id: oidc-tester-app-public
|
- id: 'oidc-tester-app-public'
|
||||||
secret: foobar
|
secret: 'foobar'
|
||||||
authorization_policy: one_factor
|
authorization_policy: 'one_factor'
|
||||||
redirect_uris:
|
redirect_uris:
|
||||||
- https://oidc-public.example.com:8080/oauth2/callback
|
- https://oidc-public.example.com:8080/oauth2/callback
|
||||||
...
|
...
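Review bot: The two `redirect_uris` entries are the only string scalars this file leaves unquoted while every other value is wrapped in single quotes, which undercuts the consistency the commit is after; for uniformity change them to `- 'https://oidc.example.com:8080/oauth2/callback'` and `- 'https://oidc-public.example.com:8080/oauth2/callback'`. The trailing `# 1 hour` and `# 5 minutes` comments on `expiration: '1h'` and `inactivity: '5m'` now merely restate the literal and can be dropped; the same redundant comments recur in the other configuration.yml hunks below that carry the same session block. The `hmac_secret` and client `secret: 'foobar'` values are plainly suite fixtures, but a one-line comment such as `# suite-only test secret, not for use outside the integration environment` above `hmac_secret` would make that intent explicit for anyone copying the file.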
@ -3,8 +3,8 @@ version: '3'
services:
|
services:
|
||||||
authelia-backend:
|
authelia-backend:
|
||||||
environment:
|
environment:
|
||||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.chain.pem
|
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: '/pki/public.oidc.chain.pem'
|
||||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem
|
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: '/pki/private.oidc.pem'
|
||||||
volumes:
|
volumes:
|
||||||
- './OIDCTraefik/configuration.yml:/config/configuration.yml:ro'
|
- './OIDCTraefik/configuration.yml:/config/configuration.yml:ro'
|
||||||
- './OIDCTraefik/users.yml:/config/users.yml'
|
- './OIDCTraefik/users.yml:/config/users.yml'
@ -8,28 +8,28 @@
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
@ -3,49 +3,49 @@
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
default_redirection_url: https://home.example.com:8080/
|
default_redirection_url: 'https://home.example.com:8080/'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
rules:
|
rules:
|
||||||
- domain: singlefactor.example.com
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: home.example.com
|
- domain: 'home.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: unsafe.local
|
- domain: 'unsafe.local'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
filesystem:
|
filesystem:
|
||||||
filename: /config/notifier.html
|
filename: '/config/notifier.html'
|
||||||
...
|
...
@ -8,28 +8,28 @@
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
@ -3,51 +3,51 @@
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
path: 'auth'
|
path: 'auth'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080/auth/'
|
authelia_url: 'https://login.example.com:8080/auth/'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: bypass
|
default_policy: 'bypass'
|
||||||
rules:
|
rules:
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: 'true'
|
||||||
...
|
...
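Review bot: `disable_require_tls: 'true'` turns a boolean into the string `'true'`, which is inconsistent with the other configuration.yml hunks in this compare where the same key stays a bare `true`; unless Authelia's loader weakly converts strings to booleans, the value may be rejected or handled differently, so it should read `disable_require_tls: true`. The same string-wrapped boolean appears in the configuration.yml hunk with the postgres storage block further down. Quoting belongs only on values that are genuinely strings, which the rest of this hunk applies correctly.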
@ -8,28 +8,28 @@
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
@ -3,34 +3,34 @@
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: very_important_secret
|
jwt_secret: 'very_important_secret'
|
||||||
default_redirection_url: https://home.example.com:8080/
|
default_redirection_url: 'https://home.example.com:8080/'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
# Configuration of the storage backend used to store data and secrets. i.e. totp data
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
postgres:
|
postgres:
|
||||||
address: 'tcp://postgres:5432'
|
address: 'tcp://postgres:5432'
|
||||||
database: 'authelia'
|
database: 'authelia'
@ -42,19 +42,19 @@ storage:
# This will be the issuer name displayed in Google Authenticator
|
# This will be the issuer name displayed in Google Authenticator
|
||||||
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
|
||||||
totp:
|
totp:
|
||||||
issuer: example.com
|
issuer: 'example.com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
rules:
|
rules:
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
# Configuration of the authentication regulation mechanism.
|
# Configuration of the authentication regulation mechanism.
|
||||||
regulation:
|
regulation:
@ -62,7 +62,7 @@ regulation:
max_retries: 3
|
max_retries: 3
|
||||||
|
|
||||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 8
|
find_time: '8s'
|
||||||
|
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
ban_time: 10
|
ban_time: 10
@ -71,6 +71,6 @@ notifier:
# Use a SMTP server for sending notifications
|
# Use a SMTP server for sending notifications
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: 'true'
|
||||||
...
|
...
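Review bot: `find_time: '8s'` is migrated to a duration string while `ban_time: 10` two lines below is left as a bare integer, so the regulation block now mixes both notations; if integers are still accepted as seconds this is harmless, but the half-migration leaves it unclear which form is canonical, and `ban_time: '10s'` would make the block uniform. The same split recurs in the configuration.yml hunk with the `authelia_sessin` cookie, where `inactivity: 5` sits beside `expiration: '8s'` and `find_time: '5s'` beside `ban_time: 10`. The commit description could state whether the duration-string form is now the preferred one so later edits follow it.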
@ -8,28 +8,28 @@
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
@ -3,81 +3,81 @@
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
default_redirection_url: https://home.example.com:8080/
|
default_redirection_url: 'https://home.example.com:8080/'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
cookies:
|
cookies:
|
||||||
- name: 'authelia_sessin'
|
- name: 'authelia_sessin'
|
||||||
domain: 'example.com'
|
domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
inactivity: 5
|
inactivity: 5
|
||||||
expiration: 8
|
expiration: '8s'
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
totp:
|
totp:
|
||||||
issuer: example.com
|
issuer: 'example.com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
- domain: singlefactor.example.com
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/john/.*$"
|
- '^/users/john/.*$'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/harry/.*$"
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.mail.example.com"
|
- domain: '*.mail.example.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/bob/.*$"
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
find_time: 5
|
find_time: '5s'
|
||||||
ban_time: 10
|
ban_time: 10
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
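Review bot: The cookie `name: 'authelia_sessin'` reads like a typo of `authelia_session`; it is unchanged by this commit, but since every quoted value in the file is being touched this is the moment to either correct it or mark it deliberate with `# intentionally non-default cookie name for this suite` above the entry. If the non-default name is what the suite exercises, the comment is the better fix, as a reader otherwise cannot tell a fixture from a mistake.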
@ -8,28 +8,28 @@
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
@ -3,103 +3,103 @@
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
theme: auto
|
theme: 'auto'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
telemetry:
|
telemetry:
|
||||||
metrics:
|
metrics:
|
||||||
enabled: true
|
enabled: true
|
||||||
address: tcp://0.0.0.0:9959
|
address: 'tcp://:9959'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
expiration: 3600
|
expiration: '1h'
|
||||||
inactivity: 300
|
inactivity: '5m'
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /tmp/db.sqlite3
|
path: '/tmp/db.sqlite3'
|
||||||
|
|
||||||
totp:
|
totp:
|
||||||
issuer: example.com
|
issuer: 'example.com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
- domain: singlefactor.example.com
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
methods:
|
methods:
|
||||||
- OPTIONS
|
- 'OPTIONS'
|
||||||
|
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/john/.*$"
|
- '^/users/john/.*$'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/harry/.*$"
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: "*.mail.example.com"
|
- domain: '*.mail.example.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/bob/.*$"
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
# Set it to 0 to disable max_retries.
|
# Set it to 0 to disable max_retries.
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
|
||||||
find_time: 300
|
find_time: '5m'
|
||||||
# The length of time before a banned user can login again.
|
# The length of time before a banned user can login again.
|
||||||
ban_time: 900
|
ban_time: '15m'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
ntp:
|
ntp:
|
||||||
## NTP server address
|
## NTP server address
|
||||||
address: "time.cloudflare.com:123"
|
address: 'time.cloudflare.com:123'
|
||||||
## ntp version
|
## ntp version
|
||||||
version: 4
|
version: 4
|
||||||
## "maximum desynchronization" is the allowed offset time between the host and the ntp server
|
## "maximum desynchronization" is the allowed offset time between the host and the ntp server
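Review bot: The comment above `find_time` still says the failures are counted "in a `find_time` seconds window", which is stale now that the value below it is the duration string `'5m'`; reword it to `# The user is banned if the authentication failed max_retries times within the find_time window.`. The telemetry `address` change from `tcp://0.0.0.0:9959` to `'tcp://:9959'` is the one edit in this hunk that alters a value rather than its quoting; it presumably still binds all interfaces, but it deserves a mention in the commit description so it is not mistaken for a pure quoting refactor. The `ntp` block continues past the end of the hunk.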
@ -3,12 +3,12 @@ version: '3'
|
||||||
services:
|
services:
|
||||||
authelia-backend:
|
authelia-backend:
|
||||||
environment:
|
environment:
|
||||||
- AUTHELIA_JWT_SECRET_FILE=/tmp/authelia/StandaloneSuite/jwt
|
- 'AUTHELIA_JWT_SECRET_FILE=/tmp/authelia/StandaloneSuite/jwt'
|
||||||
- AUTHELIA_SESSION_SECRET_FILE=/tmp/authelia/StandaloneSuite/session
|
- 'AUTHELIA_SESSION_SECRET_FILE=/tmp/authelia/StandaloneSuite/session'
|
||||||
volumes:
|
volumes:
|
||||||
- './Standalone/configuration.yml:/config/configuration.yml:ro'
|
- './Standalone/configuration.yml:/config/configuration.yml:ro'
|
||||||
- './Standalone/users.yml:/config/users.yml'
|
- './Standalone/users.yml:/config/users.yml'
|
||||||
- './common/pki:/pki:ro'
|
- './common/pki:/pki:ro'
|
||||||
- '/tmp:/tmp'
|
- '/tmp:/tmp'
|
||||||
user: ${USER_ID}:${GROUP_ID}
|
user: '${USER_ID}:${GROUP_ID}'
|
||||||
...
|
...
|
||||||
|
|
|
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
|
|
|
@ -3,51 +3,51 @@
|
||||||
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
asset_path: '/config/assets/'
|
asset_path: '/config/assets/'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: bypass
|
default_policy: 'bypass'
|
||||||
rules:
|
rules:
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
|
||||||
|
|
|
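Review bot: The trailing comments on `expiration: '1h' # 1 hour` and `inactivity: '5m' # 5 minutes` now merely restate the value and should be dropped; they earned their place when the values were the raw seconds `3600` and `300`. The same pair of lines appears unchanged in the hunk that starts `@ -3,58 +3,58 @@` further down, so both places want the same tidy-up.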
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
|
|
|
@ -3,58 +3,58 @@
|
||||||
# Authelia minimal configuration #
|
# Authelia minimal configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
jwt_secret: unsecure_secret
|
jwt_secret: 'unsecure_secret'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:9091'
|
address: 'tcp://:9091'
|
||||||
asset_path: '/config/assets/'
|
asset_path: '/config/assets/'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
endpoints:
|
endpoints:
|
||||||
authz:
|
authz:
|
||||||
forward-auth:
|
forward-auth:
|
||||||
implementation: ForwardAuth
|
implementation: 'ForwardAuth'
|
||||||
authn_strategies: []
|
authn_strategies: []
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
file:
|
file:
|
||||||
path: /config/users.yml
|
path: '/config/users.yml'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
secret: unsecure_session_secret
|
secret: 'unsecure_session_secret'
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
redis:
|
redis:
|
||||||
host: redis
|
host: 'redis'
|
||||||
port: 6379
|
port: 6379
|
||||||
username: authelia
|
username: 'authelia'
|
||||||
password: redis-user-password
|
password: 'redis-user-password'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
encryption_key: a_not_so_secure_encryption_key
|
encryption_key: 'a_not_so_secure_encryption_key'
|
||||||
local:
|
local:
|
||||||
path: /config/db.sqlite
|
path: '/config/db.sqlite'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: bypass
|
default_policy: 'bypass'
|
||||||
rules:
|
rules:
|
||||||
- domain: "public.example.com"
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: "admin.example.com"
|
- domain: 'admin.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "secure.example.com"
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "singlefactor.example.com"
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
ntp:
|
ntp:
|
||||||
version: 3
|
version: 3
|
||||||
|
@ -62,6 +62,6 @@ ntp:
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
address: 'smtp://smtp:1025'
|
address: 'smtp://smtp:1025'
|
||||||
sender: admin@example.com
|
sender: 'admin@example.com'
|
||||||
disable_require_tls: true
|
disable_require_tls: true
|
||||||
...
|
...
|
||||||
|
|
|
@ -8,28 +8,28 @@
|
||||||
# List of users
|
# List of users
|
||||||
users:
|
users:
|
||||||
john:
|
john:
|
||||||
displayname: "John Doe"
|
displayname: 'John Doe'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: john.doe@authelia.com
|
email: 'john.doe@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- admins
|
- 'admins'
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
harry:
|
harry:
|
||||||
displayname: "Harry Potter"
|
displayname: 'Harry Potter'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: harry.potter@authelia.com
|
email: 'harry.potter@authelia.com'
|
||||||
groups: []
|
groups: []
|
||||||
|
|
||||||
bob:
|
bob:
|
||||||
displayname: "Bob Dylan"
|
displayname: 'Bob Dylan'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: bob.dylan@authelia.com
|
email: 'bob.dylan@authelia.com'
|
||||||
groups:
|
groups:
|
||||||
- dev
|
- 'dev'
|
||||||
|
|
||||||
james:
|
james:
|
||||||
displayname: "James Dean"
|
displayname: 'James Dean'
|
||||||
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length
|
password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
|
||||||
email: james.dean@authelia.com
|
email: 'james.dean@authelia.com'
|
||||||
...
|
...
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
driver: bridge
|
driver: 'bridge'
|
||||||
ipam:
|
ipam:
|
||||||
config:
|
config:
|
||||||
- subnet: 192.168.240.0/24
|
- subnet: 192.168.240.0/24
|
||||||
|
|
|
@ -3,18 +3,18 @@ version: '3'
|
||||||
services:
|
services:
|
||||||
authelia-backend:
|
authelia-backend:
|
||||||
build:
|
build:
|
||||||
context: example/compose/authelia
|
context: 'example/compose/authelia'
|
||||||
dockerfile: Dockerfile.backend
|
dockerfile: 'Dockerfile.backend'
|
||||||
args:
|
args:
|
||||||
USER_ID: ${USER_ID}
|
USER_ID: '${USER_ID}'
|
||||||
GROUP_ID: ${GROUP_ID}
|
GROUP_ID: '${GROUP_ID}'
|
||||||
security_opt:
|
security_opt:
|
||||||
- seccomp:unconfined
|
- seccomp:unconfined
|
||||||
- apparmor:unconfined
|
- apparmor:unconfined
|
||||||
command: /resources/entrypoint-backend.sh
|
command: '/resources/entrypoint-backend.sh'
|
||||||
working_dir: /app
|
working_dir: '/app'
|
||||||
cap_add:
|
cap_add:
|
||||||
- SYS_PTRACE
|
- 'SYS_PTRACE'
|
||||||
volumes:
|
volumes:
|
||||||
- './example/compose/authelia/resources/:/resources'
|
- './example/compose/authelia/resources/:/resources'
|
||||||
- '../..:/app'
|
- '../..:/app'
|
||||||
|
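Review bot: Quoting is inconsistent inside the new `security_opt`/`cap_add` block: `- seccomp:unconfined` and `- apparmor:unconfined` stay plain while the neighbouring `- 'SYS_PTRACE'` is quoted, which is exactly the kind of mismatch this refactor sets out to remove. Quoting them as `- 'seccomp:unconfined'` and `- 'apparmor:unconfined'` also makes the embedded `:` explicit rather than relying on the absence of a following space to keep it out of a mapping parse. The service definition continues in the next hunk.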
@ -30,7 +30,7 @@ services:
|
||||||
- 'traefik.http.routers.authelia_backend.tls=true'
|
- 'traefik.http.routers.authelia_backend.tls=true'
|
||||||
- 'traefik.http.services.authelia_backend.loadbalancer.server.scheme=https'
|
- 'traefik.http.services.authelia_backend.loadbalancer.server.scheme=https'
|
||||||
environment:
|
environment:
|
||||||
- ENVIRONMENT=dev
|
ENVIRONMENT: 'dev'
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
ipv4_address: 192.168.240.50
|
ipv4_address: 192.168.240.50
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
authelia-backend:
|
authelia-backend:
|
||||||
image: authelia:dist
|
image: 'authelia:dist'
|
||||||
labels:
|
labels:
|
||||||
# Traefik 1.x
|
# Traefik 1.x
|
||||||
- 'traefik.frontend.rule=Host:login.example.com'
|
- 'traefik.frontend.rule=Host:login.example.com'
|
||||||
|
@ -18,8 +18,8 @@ services:
|
||||||
volumes:
|
volumes:
|
||||||
- '../..:/authelia'
|
- '../..:/authelia'
|
||||||
environment:
|
environment:
|
||||||
- ENVIRONMENT=dev
|
ENVIRONMENT: 'dev'
|
||||||
restart: always
|
restart: 'always'
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
ipv4_address: 192.168.240.50
|
ipv4_address: 192.168.240.50
|
||||||
|
|
|
@ -3,13 +3,13 @@ version: '3'
|
||||||
services:
|
services:
|
||||||
authelia-frontend:
|
authelia-frontend:
|
||||||
build:
|
build:
|
||||||
context: example/compose/authelia
|
context: 'example/compose/authelia'
|
||||||
dockerfile: Dockerfile.frontend
|
dockerfile: 'Dockerfile.frontend'
|
||||||
args:
|
args:
|
||||||
USER_ID: ${USER_ID}
|
USER_ID: '${USER_ID}'
|
||||||
GROUP_ID: ${GROUP_ID}
|
GROUP_ID: '${GROUP_ID}'
|
||||||
command: '/resources/entrypoint-frontend.sh'
|
command: '/resources/entrypoint-frontend.sh'
|
||||||
working_dir: /app
|
working_dir: '/app'
|
||||||
stdin_open: true
|
stdin_open: true
|
||||||
volumes:
|
volumes:
|
||||||
- './example/compose/authelia/resources/:/resources'
|
- './example/compose/authelia/resources/:/resources'
|
||||||
|
@ -24,7 +24,7 @@ services:
|
||||||
- 'traefik.http.routers.authelia_frontend.entrypoints=https'
|
- 'traefik.http.routers.authelia_frontend.entrypoints=https'
|
||||||
- 'traefik.http.routers.authelia_frontend.tls=true'
|
- 'traefik.http.routers.authelia_frontend.tls=true'
|
||||||
environment:
|
environment:
|
||||||
- VITE_BASEPATH=${PathPrefix}
|
VITE_BASEPATH: '${PathPrefix}'
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
...
|
...
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
authelia-frontend:
|
authelia-frontend:
|
||||||
image: nginx:alpine
|
image: 'nginx:alpine'
|
||||||
volumes:
|
volumes:
|
||||||
- './example/compose/authelia/resources/nginx.conf:/etc/nginx/nginx.conf'
|
- './example/compose/authelia/resources/nginx.conf:/etc/nginx/nginx.conf'
|
||||||
labels:
|
labels:
|
||||||
|
@ -15,7 +15,7 @@ services:
|
||||||
- 'traefik.http.routers.authelia_frontend.tls=true'
|
- 'traefik.http.routers.authelia_frontend.tls=true'
|
||||||
- 'traefik.http.services.authelia_frontend.loadbalancer.server.port=3000'
|
- 'traefik.http.services.authelia_frontend.loadbalancer.server.port=3000'
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
expose:
|
expose:
|
||||||
- 3000
|
- 3000
|
||||||
...
|
...
|
||||||
|
|
|
@ -2,8 +2,8 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
caddy:
|
caddy:
|
||||||
# build: ./example/compose/caddy/ # used for debugging
|
# build: './example/compose/caddy/ # used for debugging'
|
||||||
image: caddy:2.6.4-alpine
|
image: 'caddy:2.6.4-alpine'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/caddy/Caddyfile:/etc/caddy/Caddyfile
|
- ./example/compose/caddy/Caddyfile:/etc/caddy/Caddyfile
|
||||||
networks:
|
networks:
|
||||||
|
|
|
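Review bot: The commented-out build line was rewritten as `# build: './example/compose/caddy/ # used for debugging'`, which moves the `# used for debugging` remark inside the quoted value; uncommenting it for its stated purpose would set `build` to the literal string `./example/compose/caddy/ # used for debugging` rather than the path. Keep the remark outside the quotes: `# build: './example/compose/caddy/'  # used for debugging`. Separately, the bind mount `- ./example/compose/caddy/Caddyfile:/etc/caddy/Caddyfile` stays plain here while the `image` line above it is quoted; the same unquoted mounts remain in the duo-api, envoy, haproxy, nginx-backend, nginx-portal, oidc-client and redis hunks, whereas the authelia-backend hunks quote theirs.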
@ -2,9 +2,9 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
duo-api:
|
duo-api:
|
||||||
image: authelia/integration-duo
|
image: 'authelia/integration-duo'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/duo-api/duo_api.js:/usr/app/src/duo_api.js
|
- ./example/compose/duo-api/duo_api.js:/usr/app/src/duo_api.js
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
...
|
...
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
envoy:
|
envoy:
|
||||||
image: envoyproxy/envoy:v1.26.1
|
image: 'envoyproxy/envoy:v1.26.1'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/envoy/envoy.yaml:/etc/envoy/envoy.yaml
|
- ./example/compose/envoy/envoy.yaml:/etc/envoy/envoy.yaml
|
||||||
- ./common/pki:/pki
|
- ./common/pki:/pki
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
haproxy:
|
haproxy:
|
||||||
image: authelia/integration-haproxy
|
image: 'authelia/integration-haproxy'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
|
- ./example/compose/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
|
||||||
- ./example/compose/haproxy/http.lua:/usr/local/etc/haproxy/haproxy-lua-http/http.lua
|
- ./example/compose/haproxy/http.lua:/usr/local/etc/haproxy/haproxy-lua-http/http.lua
|
||||||
|
|
|
@ -2,9 +2,9 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
httpbin:
|
httpbin:
|
||||||
image: citizenstig/httpbin
|
image: 'citizenstig/httpbin'
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
labels:
|
labels:
|
||||||
# Traefik 1.x
|
# Traefik 1.x
|
||||||
- 'traefik.frontend.rule=Host:public.example.com;Path:/headers'
|
- 'traefik.frontend.rule=Host:public.example.com;Path:/headers'
|
||||||
|
|
|
@ -2,25 +2,25 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
k3d:
|
k3d:
|
||||||
image: ghcr.io/k3d-io/k3d:5.4.9-dind
|
image: 'ghcr.io/k3d-io/k3d:5.4.9-dind'
|
||||||
volumes:
|
volumes:
|
||||||
- './example/kube:/authelia'
|
- './example/kube:/authelia'
|
||||||
- './example/kube/authelia/configs/configuration.yml:/configmaps/authelia/configuration.yml'
|
- './example/kube/authelia/configs/configuration.yml:/configmaps/authelia/configuration.yml'
|
||||||
- './common/pki:/configmaps/authelia/ssl'
|
- './common/pki:/configmaps/authelia/ssl'
|
||||||
- './example/compose/ldap/ldif:/configmaps/ldap'
|
- './example/compose/ldap/ldif:/configmaps/ldap'
|
||||||
- './example/compose/nginx/backend:/configmaps/nginx-backend'
|
- './example/compose/nginx/backend:/configmaps/nginx-backend'
|
||||||
privileged: true
|
privileged: 'true'
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
aliases:
|
aliases:
|
||||||
- public.example.com
|
- 'public.example.com'
|
||||||
- secure.example.com
|
- 'secure.example.com'
|
||||||
- login.example.com
|
- 'login.example.com'
|
||||||
- admin.example.com
|
- 'admin.example.com'
|
||||||
- dev.example.com
|
- 'dev.example.com'
|
||||||
- mail.example.com
|
- 'mail.example.com'
|
||||||
- kubernetes.example.com
|
- 'kubernetes.example.com'
|
||||||
- traefik.example.com
|
- 'traefik.example.com'
|
||||||
# Set the IP to be able to query on port 443
|
# Set the IP to be able to query on port 443
|
||||||
ipv4_address: 192.168.240.100
|
ipv4_address: 192.168.240.100
|
||||||
...
|
...
|
||||||
|
|
|
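Review bot: `privileged: 'true'` turns a boolean into a string, while the rest of the commit leaves booleans such as `stdin_open: true` and `disable_require_tls: true` bare. The Compose schema types `privileged` as a boolean; the older Python docker-compose rejects a string value at validation time, and newer compose-go may or may not coerce it, so relying on that is fragile for a setting that grants the container full host privileges. Restore `privileged: true`.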
@ -2,12 +2,12 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
openldap-admin:
|
openldap-admin:
|
||||||
image: osixia/phpldapadmin:0.9.0
|
image: 'osixia/phpldapadmin:0.9.0'
|
||||||
ports:
|
ports:
|
||||||
- 9090:80
|
- 9090:80
|
||||||
environment:
|
environment:
|
||||||
- PHPLDAPADMIN_LDAP_HOSTS=openldap
|
PHPLDAPADMIN_LDAP_HOSTS: 'openldap'
|
||||||
- PHPLDAPADMIN_HTTPS=false
|
PHPLDAPADMIN_HTTPS: 'false'
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
...
|
...
|
||||||
|
|
|
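Review bot: The port mapping `- 9090:80` is the one scalar in this hunk left unquoted, whereas the redis hunks quote their `expose` entries as `'6379'`. A plain `host:container` mapping only parses as a string here because its components exceed 59; mappings with smaller numbers (for example `22:22`) read as YAML 1.1 sexagesimal integers, so quoting uniformly (`- '9090:80'`) is the safer convention for a quoting refactor to adopt.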
@ -2,17 +2,17 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
openldap:
|
openldap:
|
||||||
image: osixia/openldap:1.5.0
|
image: 'osixia/openldap:1.5.0'
|
||||||
hostname: ldap.example.com
|
hostname: 'ldap.example.com'
|
||||||
environment:
|
environment:
|
||||||
- LDAP_ORGANISATION=MyCompany
|
LDAP_ORGANISATION: 'MyCompany'
|
||||||
- LDAP_DOMAIN=example.com
|
LDAP_DOMAIN: 'example.com'
|
||||||
- LDAP_ADMIN_PASSWORD=password
|
LDAP_ADMIN_PASSWORD: 'password'
|
||||||
- LDAP_CONFIG_PASSWORD=password
|
LDAP_CONFIG_PASSWORD: 'password'
|
||||||
- LDAP_ADDITIONAL_MODULES=memberof
|
LDAP_ADDITIONAL_MODULES: 'memberof'
|
||||||
- LDAP_ADDITIONAL_SCHEMAS=openldap
|
LDAP_ADDITIONAL_SCHEMAS: 'openldap'
|
||||||
- LDAP_FORCE_RECONFIGURE=true
|
LDAP_FORCE_RECONFIGURE: 'true'
|
||||||
- LDAP_TLS_VERIFY_CLIENT=try
|
LDAP_TLS_VERIFY_CLIENT: 'try'
|
||||||
volumes:
|
volumes:
|
||||||
- './example/compose/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom'
|
- './example/compose/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom'
|
||||||
command:
|
command:
|
||||||
|
@ -20,5 +20,5 @@ services:
|
||||||
- '--loglevel'
|
- '--loglevel'
|
||||||
- 'debug'
|
- 'debug'
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
...
|
...
|
||||||
|
|
|
@ -2,12 +2,12 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
mariadb:
|
mariadb:
|
||||||
image: mariadb:10.11.2
|
image: 'mariadb:10.11.2'
|
||||||
environment:
|
environment:
|
||||||
- MYSQL_ROOT_PASSWORD=rootpassword
|
MYSQL_ROOT_PASSWORD: 'rootpassword'
|
||||||
- MYSQL_USER=admin
|
MYSQL_USER: 'admin'
|
||||||
- MYSQL_PASSWORD=password
|
MYSQL_PASSWORD: 'password'
|
||||||
- MYSQL_DATABASE=authelia
|
MYSQL_DATABASE: 'authelia'
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
...
|
...
|
||||||
|
|
|
@ -2,12 +2,12 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
mysql:
|
mysql:
|
||||||
image: mysql:8.0
|
image: 'mysql:8.0'
|
||||||
environment:
|
environment:
|
||||||
- MYSQL_ROOT_PASSWORD=rootpassword
|
MYSQL_ROOT_PASSWORD: 'rootpassword'
|
||||||
- MYSQL_USER=admin
|
MYSQL_USER: 'admin'
|
||||||
- MYSQL_PASSWORD=password
|
MYSQL_PASSWORD: 'password'
|
||||||
- MYSQL_DATABASE=authelia
|
MYSQL_DATABASE: 'authelia'
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
...
|
...
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
nginx-backend:
|
nginx-backend:
|
||||||
image: nginx:alpine
|
image: 'nginx:alpine'
|
||||||
labels:
|
labels:
|
||||||
# Traefik 1.x
|
# Traefik 1.x
|
||||||
- 'traefik.frontend.rule=Host:home.example.com,public.example.com,secure.example.com,admin.example.com,singlefactor.example.com' # yamllint disable-line rule:line-length
|
- 'traefik.frontend.rule=Host:home.example.com,public.example.com,secure.example.com,admin.example.com,singlefactor.example.com' # yamllint disable-line rule:line-length
|
||||||
|
@ -20,5 +20,5 @@ services:
|
||||||
- ./example/compose/nginx/backend/html:/usr/share/nginx/html
|
- ./example/compose/nginx/backend/html:/usr/share/nginx/html
|
||||||
- ./example/compose/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
|
- ./example/compose/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
...
|
...
|
||||||
|
|
|
@ -2,17 +2,17 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
nginx-portal:
|
nginx-portal:
|
||||||
image: nginx:alpine
|
image: 'nginx:alpine'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/nginx/portal/nginx.conf:/etc/nginx/nginx.conf
|
- ./example/compose/nginx/portal/nginx.conf:/etc/nginx/nginx.conf
|
||||||
- ./common/pki:/pki
|
- ./common/pki:/pki
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
aliases:
|
aliases:
|
||||||
- public.example.com
|
- 'public.example.com'
|
||||||
- secure.example.com
|
- 'secure.example.com'
|
||||||
- login.example.com
|
- 'login.example.com'
|
||||||
- duo.example.com
|
- 'duo.example.com'
|
||||||
# Set the IP to be able to query on port 443
|
# Set the IP to be able to query on port 443
|
||||||
ipv4_address: 192.168.240.100
|
ipv4_address: 192.168.240.100
|
||||||
...
|
...
|
||||||
|
|
|
@ -2,10 +2,10 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
oidc-client:
|
oidc-client:
|
||||||
image: ghcr.io/authelia/oidc-tester-app:master-aeac7f4
|
image: 'ghcr.io/authelia/oidc-tester-app:master-aeac7f4'
|
||||||
command: /entrypoint.sh
|
command: '/entrypoint.sh'
|
||||||
depends_on:
|
depends_on:
|
||||||
- authelia-backend
|
- 'authelia-backend'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/oidc-client/entrypoint.sh:/entrypoint.sh
|
- ./example/compose/oidc-client/entrypoint.sh:/entrypoint.sh
|
||||||
expose:
|
expose:
|
||||||
|
@ -17,5 +17,5 @@ services:
|
||||||
- 'traefik.http.routers.oidc.tls=true'
|
- 'traefik.http.routers.oidc.tls=true'
|
||||||
- 'traefik.http.routers.oidc.middlewares=authelia@docker'
|
- 'traefik.http.routers.oidc.middlewares=authelia@docker'
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
...
|
...
|
||||||
|
|
|
@ -1,12 +1,12 @@
|
||||||
---
|
---
|
||||||
version: "3"
|
version: '3'
|
||||||
services:
|
services:
|
||||||
postgres:
|
postgres:
|
||||||
image: postgres:15
|
image: 'postgres:15'
|
||||||
environment:
|
environment:
|
||||||
- POSTGRES_PASSWORD=password
|
POSTGRES_PASSWORD: 'password'
|
||||||
- POSTGRES_USER=admin
|
POSTGRES_USER: 'admin'
|
||||||
- POSTGRES_DB=authelia
|
POSTGRES_DB: 'authelia'
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
...
|
...
|
||||||
|
|
|
@ -2,10 +2,10 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
redis-node-0:
|
redis-node-0:
|
||||||
image: redis:7.0-alpine
|
image: 'redis:7.0-alpine'
|
||||||
command: /entrypoint.sh master
|
command: '/entrypoint.sh master'
|
||||||
expose:
|
expose:
|
||||||
- "6379"
|
- '6379'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/redis/templates:/templates
|
- ./example/compose/redis/templates:/templates
|
||||||
- ./example/compose/redis/users.acl:/data/users.acl
|
- ./example/compose/redis/users.acl:/data/users.acl
|
||||||
|
@ -13,15 +13,15 @@ services:
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
aliases:
|
aliases:
|
||||||
- redis-node-0.example.com
|
- 'redis-node-0.example.com'
|
||||||
ipv4_address: 192.168.240.110
|
ipv4_address: 192.168.240.110
|
||||||
redis-node-1:
|
redis-node-1:
|
||||||
image: redis:7.0-alpine
|
image: 'redis:7.0-alpine'
|
||||||
command: /entrypoint.sh slave
|
command: '/entrypoint.sh slave'
|
||||||
depends_on:
|
depends_on:
|
||||||
- redis-node-0
|
- 'redis-node-0'
|
||||||
expose:
|
expose:
|
||||||
- "6379"
|
- '6379'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/redis/templates:/templates
|
- ./example/compose/redis/templates:/templates
|
||||||
- ./example/compose/redis/users.acl:/data/users.acl
|
- ./example/compose/redis/users.acl:/data/users.acl
|
||||||
|
@ -29,15 +29,15 @@ services:
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
aliases:
|
aliases:
|
||||||
- redis-node-1.example.com
|
- 'redis-node-1.example.com'
|
||||||
ipv4_address: 192.168.240.111
|
ipv4_address: 192.168.240.111
|
||||||
redis-node-2:
|
redis-node-2:
|
||||||
image: redis:7.0-alpine
|
image: 'redis:7.0-alpine'
|
||||||
command: /entrypoint.sh slave
|
command: '/entrypoint.sh slave'
|
||||||
depends_on:
|
depends_on:
|
||||||
- redis-node-0
|
- 'redis-node-0'
|
||||||
expose:
|
expose:
|
||||||
- "6379"
|
- '6379'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/redis/templates:/templates
|
- ./example/compose/redis/templates:/templates
|
||||||
- ./example/compose/redis/users.acl:/data/users.acl
|
- ./example/compose/redis/users.acl:/data/users.acl
|
||||||
|
@ -45,54 +45,54 @@ services:
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
aliases:
|
aliases:
|
||||||
- redis-node-2.example.com
|
- 'redis-node-2.example.com'
|
||||||
ipv4_address: 192.168.240.112
|
ipv4_address: 192.168.240.112
|
||||||
redis-sentinel-0:
|
redis-sentinel-0:
|
||||||
image: redis:7.0-alpine
|
image: 'redis:7.0-alpine'
|
||||||
command: /entrypoint.sh sentinel
|
command: '/entrypoint.sh sentinel'
|
||||||
depends_on:
|
depends_on:
|
||||||
- redis-node-1
|
- 'redis-node-1'
|
||||||
- redis-node-2
|
- 'redis-node-2'
|
||||||
expose:
|
expose:
|
||||||
- "26379"
|
- '26379'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/redis/templates:/templates
|
- ./example/compose/redis/templates:/templates
|
||||||
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
|
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
aliases:
|
aliases:
|
||||||
- redis-sentinel-0.example.com
|
- 'redis-sentinel-0.example.com'
|
||||||
ipv4_address: 192.168.240.120
|
ipv4_address: 192.168.240.120
|
||||||
redis-sentinel-1:
|
redis-sentinel-1:
|
||||||
image: redis:7.0-alpine
|
image: 'redis:7.0-alpine'
|
||||||
command: /entrypoint.sh sentinel
|
command: '/entrypoint.sh sentinel'
|
||||||
depends_on:
|
depends_on:
|
||||||
- redis-node-1
|
- 'redis-node-1'
|
||||||
- redis-node-2
|
- 'redis-node-2'
|
||||||
expose:
|
expose:
|
||||||
- "26379"
|
- '26379'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/redis/templates:/templates
|
- ./example/compose/redis/templates:/templates
|
||||||
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
|
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
aliases:
|
aliases:
|
||||||
- redis-sentinel-1.example.com
|
- 'redis-sentinel-1.example.com'
|
||||||
ipv4_address: 192.168.240.121
|
ipv4_address: 192.168.240.121
|
||||||
redis-sentinel-2:
|
redis-sentinel-2:
|
||||||
image: redis:7.0-alpine
|
image: 'redis:7.0-alpine'
|
||||||
command: /entrypoint.sh sentinel
|
command: '/entrypoint.sh sentinel'
|
||||||
depends_on:
|
depends_on:
|
||||||
- redis-node-1
|
- 'redis-node-1'
|
||||||
- redis-node-2
|
- 'redis-node-2'
|
||||||
expose:
|
expose:
|
||||||
- "26379"
|
- '26379'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/redis/templates:/templates
|
- ./example/compose/redis/templates:/templates
|
||||||
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
|
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
aliases:
|
aliases:
|
||||||
- redis-sentinel-2.example.com
|
- 'redis-sentinel-2.example.com'
|
||||||
ipv4_address: 192.168.240.122
|
ipv4_address: 192.168.240.122
|
||||||
...
|
...
|
||||||
|
|
|
@ -2,14 +2,14 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
redis:
|
redis:
|
||||||
image: redis:7.0-alpine
|
image: 'redis:7.0-alpine'
|
||||||
command: /entrypoint.sh master
|
command: '/entrypoint.sh master'
|
||||||
expose:
|
expose:
|
||||||
- "6379"
|
- '6379'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/redis/templates:/templates
|
- ./example/compose/redis/templates:/templates
|
||||||
- ./example/compose/redis/users.acl:/data/users.acl
|
- ./example/compose/redis/users.acl:/data/users.acl
|
||||||
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
|
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
...
|
...
|
||||||
|
|
|
@ -2,16 +2,16 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
sambaldap:
|
sambaldap:
|
||||||
image: authelia/integration-samba
|
image: 'authelia/integration-samba'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/samba/init.sh:/init.sh
|
- ./example/compose/samba/init.sh:/init.sh
|
||||||
cap_add:
|
cap_add:
|
||||||
- SYS_ADMIN
|
- 'SYS_ADMIN'
|
||||||
hostname: ldap.example.com
|
hostname: 'ldap.example.com'
|
||||||
environment:
|
environment:
|
||||||
- DOMAIN=example.com
|
DOMAIN: 'example.com'
|
||||||
- DOMAINPASS=Password1
|
DOMAINPASS: 'Password1'
|
||||||
- NOCOMPLEXITY=true
|
NOCOMPLEXITY: 'true'
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
...
|
...
|
||||||
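Review bot: The switch of the `environment` block from list form to mapping form makes the quoting on `NOCOMPLEXITY: 'true'` load-bearing, and nothing in the hunk says so. In the old `- NOCOMPLEXITY=true` form the value was a substring of a plain scalar; in mapping form an unquoted `true` is parsed as a YAML boolean, and the Compose specification itself says boolean-looking environment values should be quoted for exactly this reason. A comment above the `environment:` key such as `# mapping-form env values must stay quoted strings; YAML would otherwise read true as a boolean` would keep a later editor from dropping the quotes.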
|
|
|
@ -2,7 +2,7 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
smtp:
|
smtp:
|
||||||
image: schickling/mailcatcher
|
image: 'schickling/mailcatcher'
|
||||||
ports:
|
ports:
|
||||||
- '1025:1025'
|
- '1025:1025'
|
||||||
labels:
|
labels:
|
||||||
|
@ -14,5 +14,5 @@ services:
|
||||||
- 'traefik.http.routers.mail.tls=true'
|
- 'traefik.http.routers.mail.tls=true'
|
||||||
- 'traefik.http.services.mail.loadbalancer.server.port=1080'
|
- 'traefik.http.services.mail.loadbalancer.server.port=1080'
|
||||||
networks:
|
networks:
|
||||||
- authelianet
|
- 'authelianet'
|
||||||
...
|
...
|
||||||
|
|
|
@ -3,7 +3,7 @@ version: '3'
|
||||||
services:
|
services:
|
||||||
# Simulates client 1.
|
# Simulates client 1.
|
||||||
client-1:
|
client-1:
|
||||||
image: sameersbn/squid:3.5.27-1
|
image: 'sameersbn/squid:3.5.27-1'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/squid/squid.conf:/etc/squid/squid.conf
|
- ./example/compose/squid/squid.conf:/etc/squid/squid.conf
|
||||||
networks:
|
networks:
|
||||||
|
@ -11,7 +11,7 @@ services:
|
||||||
# Set the IP to be able to query on port 443
|
# Set the IP to be able to query on port 443
|
||||||
ipv4_address: 192.168.240.201
|
ipv4_address: 192.168.240.201
|
||||||
client-2:
|
client-2:
|
||||||
image: sameersbn/squid:3.5.27-1
|
image: 'sameersbn/squid:3.5.27-1'
|
||||||
volumes:
|
volumes:
|
||||||
- ./example/compose/squid/squid.conf:/etc/squid/squid.conf
|
- ./example/compose/squid/squid.conf:/etc/squid/squid.conf
|
||||||
networks:
|
networks:
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
traefik:
|
traefik:
|
||||||
image: traefik:v1.7.34-alpine
|
image: 'traefik:v1.7.34-alpine'
|
||||||
volumes:
|
volumes:
|
||||||
- '/var/run/docker.sock:/var/run/docker.sock'
|
- '/var/run/docker.sock:/var/run/docker.sock'
|
||||||
labels:
|
labels:
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
version: '3'
|
version: '3'
|
||||||
services:
|
services:
|
||||||
traefik:
|
traefik:
|
||||||
image: traefik:v2.10.1
|
image: 'traefik:v2.10.1'
|
||||||
volumes:
|
volumes:
|
||||||
- '/var/run/docker.sock:/var/run/docker.sock'
|
- '/var/run/docker.sock:/var/run/docker.sock'
|
||||||
labels:
|
labels:
|
||||||
|
@ -29,9 +29,9 @@ services:
|
||||||
networks:
|
networks:
|
||||||
authelianet:
|
authelianet:
|
||||||
aliases:
|
aliases:
|
||||||
- public.example.com
|
- 'public.example.com'
|
||||||
- secure.example.com
|
- 'secure.example.com'
|
||||||
- login.example.com
|
- 'login.example.com'
|
||||||
# Set the IP to be able to query on port 8080
|
# Set the IP to be able to query on port 8080
|
||||||
ipv4_address: 192.168.240.100
|
ipv4_address: 192.168.240.100
|
||||||
...
|
...
|
||||||
|
|
|
@ -1,138 +1,138 @@
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: 'apps/v1'
|
||||||
kind: Deployment
|
kind: 'Deployment'
|
||||||
metadata:
|
metadata:
|
||||||
name: nginx-backend
|
name: 'nginx-backend'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
labels:
|
labels:
|
||||||
app: nginx-backend
|
app: 'nginx-backend'
|
||||||
spec:
|
spec:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: nginx-backend
|
app: 'nginx-backend'
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: nginx-backend
|
app: 'nginx-backend'
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: nginx-backend
|
- name: 'nginx-backend'
|
||||||
image: nginx:alpine
|
image: 'nginx:alpine'
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 80
|
- containerPort: 80
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: nginx-config
|
- name: 'nginx-config'
|
||||||
mountPath: /etc/nginx/nginx.conf
|
mountPath: '/etc/nginx/nginx.conf'
|
||||||
- name: nginx-html
|
- name: 'nginx-html'
|
||||||
mountPath: /usr/share/nginx/html
|
mountPath: '/usr/share/nginx/html'
|
||||||
volumes:
|
volumes:
|
||||||
- name: nginx-config
|
- name: 'nginx-config'
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /configmaps/nginx-backend/nginx.conf
|
path: '/configmaps/nginx-backend/nginx.conf'
|
||||||
type: File
|
type: 'File'
|
||||||
- name: nginx-html
|
- name: 'nginx-html'
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /configmaps/nginx-backend/html
|
path: '/configmaps/nginx-backend/html'
|
||||||
type: Directory
|
type: 'Directory'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
kind: Service
|
kind: 'Service'
|
||||||
metadata:
|
metadata:
|
||||||
name: nginx-backend-service
|
name: 'nginx-backend-service'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
labels:
|
labels:
|
||||||
app: nginx-backend
|
app: 'nginx-backend'
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
app: nginx-backend
|
app: 'nginx-backend'
|
||||||
ports:
|
ports:
|
||||||
- port: 80
|
- port: 80
|
||||||
name: http
|
name: 'http'
|
||||||
- port: 443
|
- port: 443
|
||||||
name: https
|
name: 'https'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: 'networking.k8s.io/v1'
|
||||||
kind: Ingress
|
kind: 'Ingress'
|
||||||
metadata:
|
metadata:
|
||||||
name: nginx-backend-ingress
|
name: 'nginx-backend-ingress'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
annotations:
|
annotations:
|
||||||
kubernetes.io/ingress.class: traefik
|
kubernetes.io/ingress.class: 'traefik'
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
traefik.ingress.kubernetes.io/router.entrypoints: 'websecure'
|
||||||
traefik.ingress.kubernetes.io/router.middlewares: authelia-forwardauth-authelia@kubernetescrd
|
traefik.ingress.kubernetes.io/router.middlewares: 'authelia-forwardauth-authelia@kubernetescrd'
|
||||||
spec:
|
spec:
|
||||||
rules:
|
rules:
|
||||||
- host: home.example.com
|
- host: 'home.example.com'
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
- path: /
|
- path: '/'
|
||||||
pathType: Prefix
|
pathType: 'Prefix'
|
||||||
backend:
|
backend:
|
||||||
service:
|
service:
|
||||||
name: nginx-backend-service
|
name: 'nginx-backend-service'
|
||||||
port:
|
port:
|
||||||
number: 80
|
number: 80
|
||||||
- host: public.example.com
|
- host: 'public.example.com'
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
- path: /
|
- path: '/'
|
||||||
pathType: Prefix
|
pathType: 'Prefix'
|
||||||
backend:
|
backend:
|
||||||
service:
|
service:
|
||||||
name: nginx-backend-service
|
name: 'nginx-backend-service'
|
||||||
port:
|
port:
|
||||||
number: 80
|
number: 80
|
||||||
- host: admin.example.com
|
- host: 'admin.example.com'
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
- path: /
|
- path: '/'
|
||||||
pathType: Prefix
|
pathType: 'Prefix'
|
||||||
backend:
|
backend:
|
||||||
service:
|
service:
|
||||||
name: nginx-backend-service
|
name: 'nginx-backend-service'
|
||||||
port:
|
port:
|
||||||
number: 80
|
number: 80
|
||||||
- host: dev.example.com
|
- host: 'dev.example.com'
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
- path: /
|
- path: '/'
|
||||||
pathType: Prefix
|
pathType: 'Prefix'
|
||||||
backend:
|
backend:
|
||||||
service:
|
service:
|
||||||
name: nginx-backend-service
|
name: 'nginx-backend-service'
|
||||||
port:
|
port:
|
||||||
number: 80
|
number: 80
|
||||||
- host: mx1.mail.example.com
|
- host: 'mx1.mail.example.com'
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
- path: /
|
- path: '/'
|
||||||
pathType: Prefix
|
pathType: 'Prefix'
|
||||||
backend:
|
backend:
|
||||||
service:
|
service:
|
||||||
name: nginx-backend-service
|
name: 'nginx-backend-service'
|
||||||
port:
|
port:
|
||||||
number: 80
|
number: 80
|
||||||
- host: mx2.mail.example.com
|
- host: 'mx2.mail.example.com'
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
- path: /
|
- path: '/'
|
||||||
pathType: Prefix
|
pathType: 'Prefix'
|
||||||
backend:
|
backend:
|
||||||
service:
|
service:
|
||||||
name: nginx-backend-service
|
name: 'nginx-backend-service'
|
||||||
port:
|
port:
|
||||||
number: 80
|
number: 80
|
||||||
- host: singlefactor.example.com
|
- host: 'singlefactor.example.com'
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
- path: /
|
- path: '/'
|
||||||
pathType: Prefix
|
pathType: 'Prefix'
|
||||||
backend:
|
backend:
|
||||||
service:
|
service:
|
||||||
name: nginx-backend-service
|
name: 'nginx-backend-service'
|
||||||
port:
|
port:
|
||||||
number: 80
|
number: 80
|
||||||
...
|
...
|
||||||
|
|
|
@ -1,145 +1,145 @@
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: 'apps/v1'
|
||||||
kind: Deployment
|
kind: 'Deployment'
|
||||||
metadata:
|
metadata:
|
||||||
name: authelia
|
name: 'authelia'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
labels:
|
labels:
|
||||||
app: authelia
|
app: 'authelia'
|
||||||
spec:
|
spec:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: authelia
|
app: 'authelia'
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: authelia
|
app: 'authelia'
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: authelia
|
- name: 'authelia'
|
||||||
image: authelia:dist
|
image: 'authelia:dist'
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 443
|
- containerPort: 443
|
||||||
readinessProbe:
|
readinessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
scheme: HTTPS
|
scheme: 'HTTPS'
|
||||||
path: /api/health
|
path: '/api/health'
|
||||||
port: 443
|
port: 443
|
||||||
initialDelaySeconds: 3
|
initialDelaySeconds: 3
|
||||||
periodSeconds: 3
|
periodSeconds: 3
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: authelia-config
|
- name: 'authelia-config'
|
||||||
mountPath: /config/configuration.yml
|
mountPath: '/config/configuration.yml'
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: authelia-ssl
|
- name: 'authelia-ssl'
|
||||||
mountPath: /pki
|
mountPath: '/pki'
|
||||||
readOnly: true
|
readOnly: true
|
||||||
- name: secrets
|
- name: 'secrets'
|
||||||
mountPath: /config/secrets
|
mountPath: '/config/secrets'
|
||||||
readOnly: true
|
readOnly: true
|
||||||
env:
|
env:
|
||||||
# We set secrets directly here for ease of deployment but all secrets
|
# We set secrets directly here for ease of deployment but all secrets
|
||||||
# should be stored in the Kube Vault in production.
|
# should be stored in the Kube Vault in production.
|
||||||
- name: AUTHELIA_JWT_SECRET_FILE
|
- name: 'AUTHELIA_JWT_SECRET_FILE'
|
||||||
value: /config/secrets/jwt_secret
|
value: '/config/secrets/jwt_secret'
|
||||||
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
|
- name: 'AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE'
|
||||||
value: /config/secrets/ldap_password
|
value: '/config/secrets/ldap_password'
|
||||||
- name: AUTHELIA_SESSION_SECRET_FILE
|
- name: 'AUTHELIA_SESSION_SECRET_FILE'
|
||||||
value: /config/secrets/session
|
value: '/config/secrets/session'
|
||||||
- name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE
|
- name: 'AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE'
|
||||||
value: /config/secrets/sql_password
|
value: '/config/secrets/sql_password'
|
||||||
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
|
- name: 'AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE'
|
||||||
value: /config/secrets/encryption_key
|
value: '/config/secrets/encryption_key'
|
||||||
- name: ENVIRONMENT
|
- name: 'ENVIRONMENT'
|
||||||
value: dev
|
value: 'dev'
|
||||||
volumes:
|
volumes:
|
||||||
- name: authelia-config
|
- name: 'authelia-config'
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /configmaps/authelia/configuration.yml
|
path: '/configmaps/authelia/configuration.yml'
|
||||||
type: File
|
type: 'File'
|
||||||
- name: authelia-ssl
|
- name: 'authelia-ssl'
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /configmaps/authelia/ssl
|
path: '/configmaps/authelia/ssl'
|
||||||
type: Directory
|
type: 'Directory'
|
||||||
- name: secrets
|
- name: 'secrets'
|
||||||
secret:
|
secret:
|
||||||
secretName: authelia
|
secretName: 'authelia'
|
||||||
items:
|
items:
|
||||||
- key: jwt_secret
|
- key: 'jwt_secret'
|
||||||
path: jwt_secret
|
path: 'jwt_secret'
|
||||||
- key: session
|
- key: 'session'
|
||||||
path: session
|
path: 'session'
|
||||||
- key: sql_password
|
- key: 'sql_password'
|
||||||
path: sql_password
|
path: 'sql_password'
|
||||||
- key: ldap_password
|
- key: 'ldap_password'
|
||||||
path: ldap_password
|
path: 'ldap_password'
|
||||||
- key: encryption_key
|
- key: 'encryption_key'
|
||||||
path: encryption_key
|
path: 'encryption_key'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
kind: Service
|
kind: 'Service'
|
||||||
metadata:
|
metadata:
|
||||||
name: authelia-service
|
name: 'authelia-service'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
annotations:
|
annotations:
|
||||||
traefik.ingress.kubernetes.io/service.serverstransport: authelia-skipverify@kubernetescrd
|
traefik.ingress.kubernetes.io/service.serverstransport: 'authelia-skipverify@kubernetescrd'
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
app: authelia
|
app: 'authelia'
|
||||||
ports:
|
ports:
|
||||||
- protocol: TCP
|
- protocol: 'TCP'
|
||||||
port: 443
|
port: 443
|
||||||
targetPort: 443
|
targetPort: 443
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
kind: Secret
|
kind: 'Secret'
|
||||||
type: Opaque
|
type: 'Opaque'
|
||||||
metadata:
|
metadata:
|
||||||
name: authelia
|
name: 'authelia'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
labels:
|
labels:
|
||||||
app: authelia
|
app: 'authelia'
|
||||||
data:
|
data:
|
||||||
jwt_secret: YW5fdW5zZWN1cmVfc2VjcmV0 # an_unsecure_secret
|
jwt_secret: 'YW5fdW5zZWN1cmVfc2VjcmV0' # an_unsecure_secret
|
||||||
ldap_password: cGFzc3dvcmQ= # password
|
ldap_password: 'cGFzc3dvcmQ=' # password
|
||||||
session: dW5zZWN1cmVfcGFzc3dvcmQ= # unsecure_password
|
session: 'dW5zZWN1cmVfcGFzc3dvcmQ=' # unsecure_password
|
||||||
sql_password: cGFzc3dvcmQ= # password
|
sql_password: 'cGFzc3dvcmQ=' # password
|
||||||
encryption_key: YV9ub3Rfc29fc2VjdXJlX2VuY3J5cHRpb25fa2V5
|
encryption_key: 'YV9ub3Rfc29fc2VjdXJlX2VuY3J5cHRpb25fa2V5'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: 'networking.k8s.io/v1'
|
||||||
kind: Ingress
|
kind: 'Ingress'
|
||||||
metadata:
|
metadata:
|
||||||
name: authelia-ingress
|
name: 'authelia-ingress'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
annotations:
|
annotations:
|
||||||
kubernetes.io/ingress.class: traefik
|
kubernetes.io/ingress.class: 'traefik'
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
traefik.ingress.kubernetes.io/router.entrypoints: 'websecure'
|
||||||
spec:
|
spec:
|
||||||
rules:
|
rules:
|
||||||
- host: login.example.com
|
- host: 'login.example.com'
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
- path: /
|
- path: '/'
|
||||||
pathType: Prefix
|
pathType: 'Prefix'
|
||||||
backend:
|
backend:
|
||||||
service:
|
service:
|
||||||
name: authelia-service
|
name: 'authelia-service'
|
||||||
port:
|
port:
|
||||||
number: 443
|
number: 443
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: 'traefik.containo.us/v1alpha1'
|
||||||
kind: Middleware
|
kind: 'Middleware'
|
||||||
metadata:
|
metadata:
|
||||||
name: forwardauth-authelia
|
name: 'forwardauth-authelia'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/instance: authelia
|
app.kubernetes.io/instance: 'authelia'
|
||||||
app.kubernetes.io/name: authelia
|
app.kubernetes.io/name: 'authelia'
|
||||||
spec:
|
spec:
|
||||||
forwardAuth:
|
forwardAuth:
|
||||||
address: 'https://authelia-service.authelia.svc.cluster.local/api/authz/forward-auth'
|
address: 'https://authelia-service.authelia.svc.cluster.local/api/authz/forward-auth'
|
||||||
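Review bot: The Secret `data` block near the end of the hunk documents four of its five values with the decoded plaintext in a trailing comment, while `encryption_key` has none; whichever convention is intended should apply to all five entries. Given that these are base64-encoded credentials in a committed manifest, and the comment on the Deployment's `env:` block already states that production secrets belong in the vault, I would either drop the decoded-value comments from all entries or add the missing one for consistency rather than leave the set half-documented. A line such as `# integration-test fixture values only; production secrets are sourced from the vault` above `data:` would make the intent explicit where the values live.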
|
|
|
@ -3,108 +3,108 @@
|
||||||
# Authelia configuration #
|
# Authelia configuration #
|
||||||
###############################################################
|
###############################################################
|
||||||
|
|
||||||
default_redirection_url: https://home.example.com:8080
|
default_redirection_url: 'https://home.example.com:8080'
|
||||||
|
|
||||||
server:
|
server:
|
||||||
address: 'tcp://:443'
|
address: 'tcp://:443'
|
||||||
tls:
|
tls:
|
||||||
certificate: /pki/public.backend.crt
|
certificate: '/pki/public.backend.crt'
|
||||||
key: /pki/private.backend.pem
|
key: '/pki/private.backend.pem'
|
||||||
|
|
||||||
log:
|
log:
|
||||||
level: debug
|
level: 'debug'
|
||||||
|
|
||||||
authentication_backend:
|
authentication_backend:
|
||||||
ldap:
|
ldap:
|
||||||
address: 'ldaps://ldap-service'
|
address: 'ldaps://ldap-service'
|
||||||
tls:
|
tls:
|
||||||
skip_verify: true
|
skip_verify: true
|
||||||
base_dn: dc=example,dc=com
|
base_dn: 'dc=example,dc=com'
|
||||||
username_attribute: uid
|
username_attribute: 'uid'
|
||||||
additional_users_dn: ou=users
|
additional_users_dn: 'ou=users'
|
||||||
users_filter: (&({username_attribute}={input})(objectClass=person))
|
users_filter: '(&({username_attribute}={input})(objectClass=person))'
|
||||||
additional_groups_dn: ou=groups
|
additional_groups_dn: 'ou=groups'
|
||||||
groups_filter: (&(member={dn})(objectClass=groupOfNames))
|
groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
|
||||||
group_name_attribute: cn
|
group_name_attribute: 'cn'
|
||||||
mail_attribute: mail
|
mail_attribute: 'mail'
|
||||||
display_name_attribute: displayName
|
display_name_attribute: 'displayName'
|
||||||
user: cn=admin,dc=example,dc=com
|
user: 'cn=admin,dc=example,dc=com'
|
||||||
|
|
||||||
access_control:
|
access_control:
|
||||||
default_policy: deny
|
default_policy: 'deny'
|
||||||
|
|
||||||
rules:
|
rules:
|
||||||
# Rules applied to everyone
|
# Rules applied to everyone
|
||||||
- domain: home.example.com
|
- domain: 'home.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: public.example.com
|
- domain: 'public.example.com'
|
||||||
policy: bypass
|
policy: 'bypass'
|
||||||
- domain: secure.example.com
|
- domain: 'secure.example.com'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: singlefactor.example.com
|
- domain: 'singlefactor.example.com'
|
||||||
policy: one_factor
|
policy: 'one_factor'
|
||||||
|
|
||||||
# Rules applied to 'admins' group
|
# Rules applied to 'admins' group
|
||||||
- domain: "mx2.mail.example.com"
|
- domain: 'mx2.mail.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: deny
|
policy: 'deny'
|
||||||
- domain: "*.example.com"
|
- domain: '*.example.com'
|
||||||
subject: "group:admins"
|
subject: 'group:admins'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to 'dev' group
|
# Rules applied to 'dev' group
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/groups/dev/.*$"
|
- '^/groups/dev/.*$'
|
||||||
subject: "group:dev"
|
subject: 'group:dev'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to user 'john'
|
# Rules applied to user 'john'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/john/.*$"
|
- '^/users/john/.*$'
|
||||||
subject: "user:john"
|
subject: 'user:john'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to user 'harry'
|
# Rules applied to user 'harry'
|
||||||
- domain: dev.example.com
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/harry/.*$"
|
- '^/users/harry/.*$'
|
||||||
subject: "user:harry"
|
subject: 'user:harry'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
# Rules applied to user 'bob'
|
# Rules applied to user 'bob'
|
||||||
- domain: "*.mail.example.com"
|
- domain: '*.mail.example.com'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
- domain: "dev.example.com"
|
- domain: 'dev.example.com'
|
||||||
resources:
|
resources:
|
||||||
- "^/users/bob/.*$"
|
- '^/users/bob/.*$'
|
||||||
subject: "user:bob"
|
subject: 'user:bob'
|
||||||
policy: two_factor
|
policy: 'two_factor'
|
||||||
|
|
||||||
session:
|
session:
|
||||||
expiration: 3600 # 1 hour
|
expiration: '1h' # 1 hour
|
||||||
inactivity: 300 # 5 minutes
|
inactivity: '5m' # 5 minutes
|
||||||
remember_me: 1y
|
remember_me: '1y'
|
||||||
cookies:
|
cookies:
|
||||||
- domain: 'example.com'
|
- domain: 'example.com'
|
||||||
authelia_url: 'https://login.example.com:8080'
|
authelia_url: 'https://login.example.com:8080'
|
||||||
|
|
||||||
redis:
|
redis:
|
||||||
host: redis-service
|
host: 'redis-service'
|
||||||
port: 6379
|
port: 6379
|
||||||
|
|
||||||
regulation:
|
regulation:
|
||||||
max_retries: 3
|
max_retries: 3
|
||||||
find_time: 120
|
find_time: '2m'
|
||||||
ban_time: 300
|
ban_time: '5m'
|
||||||
|
|
||||||
storage:
|
storage:
|
||||||
mysql:
|
mysql:
|
||||||
address: 'tcp://mariadb-service:3306'
|
address: 'tcp://mariadb-service:3306'
|
||||||
database: authelia
|
database: 'authelia'
|
||||||
username: admin
|
username: 'admin'
|
||||||
|
|
||||||
notifier:
|
notifier:
|
||||||
smtp:
|
smtp:
|
||||||
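Review bot: `expiration: '1h' # 1 hour` and `inactivity: '5m' # 5 minutes` now carry comments that merely restate the value; in the old `3600`/`300` form they explained the unit, but with the duration-string form they can be dropped, as the `find_time: '2m'` and `ban_time: '5m'` lines in the same hunk already show. Separately, the integer-to-duration-string change on these four keys is a semantic change bundled into what is otherwise a quoting refactor; the values do appear equivalent (3600 s = 1h, 300 s = 5m, 120 s = 2m), but it deserves a sentence in the commit description so it is not mistaken for a pure formatting pass.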
|
|
|
@ -1,194 +1,194 @@
|
||||||
# Kubernetes Dashboard
|
# Kubernetes Dashboard
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
kind: Namespace
|
kind: 'Namespace'
|
||||||
metadata:
|
metadata:
|
||||||
name: kubernetes-dashboard
|
name: 'kubernetes-dashboard'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
kind: ServiceAccount
|
kind: 'ServiceAccount'
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
name: kubernetes-dashboard
|
name: 'kubernetes-dashboard'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
kind: Service
|
kind: 'Service'
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
name: kubernetes-dashboard
|
name: 'kubernetes-dashboard'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
spec:
|
spec:
|
||||||
ports:
|
ports:
|
||||||
- port: 443
|
- port: 443
|
||||||
targetPort: 8443
|
targetPort: 8443
|
||||||
selector:
|
selector:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
kind: Secret
|
kind: 'Secret'
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
name: kubernetes-dashboard-certs
|
name: 'kubernetes-dashboard-certs'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
type: Opaque
|
type: 'Opaque'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
kind: Secret
|
kind: 'Secret'
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
name: kubernetes-dashboard-csrf
|
name: 'kubernetes-dashboard-csrf'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
type: Opaque
|
type: 'Opaque'
|
||||||
data:
|
data:
|
||||||
csrf: ""
|
csrf: ''
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
kind: Secret
|
kind: 'Secret'
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
name: kubernetes-dashboard-key-holder
|
name: 'kubernetes-dashboard-key-holder'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
type: Opaque
|
type: 'Opaque'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
kind: ConfigMap
|
kind: 'ConfigMap'
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
name: kubernetes-dashboard-settings
|
name: 'kubernetes-dashboard-settings'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
kind: Role
|
kind: 'Role'
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: 'rbac.authorization.k8s.io/v1'
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
name: kubernetes-dashboard
|
name: 'kubernetes-dashboard'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
rules:
|
rules:
|
||||||
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
|
# Allow Dashboard to get, update and delete Dashboard exclusive secrets.
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["secrets"]
|
resources: ['secrets']
|
||||||
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
|
resourceNames: ['kubernetes-dashboard-key-holder', 'kubernetes-dashboard-certs', 'kubernetes-dashboard-csrf']
|
||||||
verbs: ["get", "update", "delete"]
|
verbs: ['get', 'update', 'delete']
|
||||||
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
|
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["configmaps"]
|
resources: ['configmaps']
|
||||||
resourceNames: ["kubernetes-dashboard-settings"]
|
resourceNames: ['kubernetes-dashboard-settings']
|
||||||
verbs: ["get", "update"]
|
verbs: ['get', 'update']
|
||||||
# Allow Dashboard to get metrics.
|
# Allow Dashboard to get metrics.
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["services"]
|
resources: ['services']
|
||||||
resourceNames: ["heapster", "dashboard-metrics-scraper"]
|
resourceNames: ['heapster', 'dashboard-metrics-scraper']
|
||||||
verbs: ["proxy"]
|
verbs: ['proxy']
|
||||||
- apiGroups: [""]
|
- apiGroups: [""]
|
||||||
resources: ["services/proxy"]
|
resources: ['services/proxy']
|
||||||
resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] # yamllint disable-line rule:line-length
|
resourceNames: ['heapster', 'http:heapster:', 'https:heapster:', 'dashboard-metrics-scraper', 'http:dashboard-metrics-scraper'] # yamllint disable-line rule:line-length
|
||||||
verbs: ["get"]
|
verbs: ['get']
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
kind: ClusterRole
|
kind: 'ClusterRole'
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: 'rbac.authorization.k8s.io/v1'
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
name: kubernetes-dashboard
|
name: 'kubernetes-dashboard'
|
||||||
rules:
|
rules:
|
||||||
# Allow Metrics Scraper to get metrics from the Metrics server
|
# Allow Metrics Scraper to get metrics from the Metrics server
|
||||||
- apiGroups: ["metrics.k8s.io"]
|
- apiGroups: ['metrics.k8s.io']
|
||||||
resources: ["pods", "nodes"]
|
resources: ['pods', 'nodes']
|
||||||
verbs: ["get", "list", "watch"]
|
verbs: ['get', 'list', 'watch']
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: 'rbac.authorization.k8s.io/v1'
|
||||||
kind: RoleBinding
|
kind: 'RoleBinding'
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
name: kubernetes-dashboard
|
name: 'kubernetes-dashboard'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
roleRef:
|
roleRef:
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: 'rbac.authorization.k8s.io'
|
||||||
kind: Role
|
kind: 'Role'
|
||||||
name: kubernetes-dashboard
|
name: 'kubernetes-dashboard'
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: 'ServiceAccount'
|
||||||
name: kubernetes-dashboard
|
name: 'kubernetes-dashboard'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: 'rbac.authorization.k8s.io/v1'
|
||||||
kind: ClusterRoleBinding
|
kind: 'ClusterRoleBinding'
|
||||||
metadata:
|
metadata:
|
||||||
name: kubernetes-dashboard
|
name: 'kubernetes-dashboard'
|
||||||
roleRef:
|
roleRef:
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: 'rbac.authorization.k8s.io'
|
||||||
kind: ClusterRole
|
kind: 'ClusterRole'
|
||||||
name: kubernetes-dashboard
|
name: 'kubernetes-dashboard'
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: 'ServiceAccount'
|
||||||
name: kubernetes-dashboard
|
name: 'kubernetes-dashboard'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
kind: Deployment
|
kind: 'Deployment'
|
||||||
apiVersion: apps/v1
|
apiVersion: 'apps/v1'
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
name: kubernetes-dashboard
|
name: 'kubernetes-dashboard'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
spec:
|
spec:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
revisionHistoryLimit: 10
|
revisionHistoryLimit: 10
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: kubernetes-dashboard
|
k8s-app: 'kubernetes-dashboard'
|
||||||
spec:
|
spec:
|
||||||
securityContext:
|
securityContext:
|
||||||
seccompProfile:
|
seccompProfile:
|
||||||
type: RuntimeDefault
|
type: 'RuntimeDefault'
|
||||||
containers:
|
containers:
|
||||||
- name: kubernetes-dashboard
|
- name: 'kubernetes-dashboard'
|
||||||
image: kubernetesui/dashboard:v2.7.0
|
image: 'kubernetesui/dashboard:v2.7.0'
|
||||||
imagePullPolicy: Always
|
imagePullPolicy: 'Always'
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 8443
|
- containerPort: 8443
|
||||||
protocol: TCP
|
protocol: 'TCP'
|
||||||
args:
|
args:
|
||||||
- --auto-generate-certificates
|
- '--auto-generate-certificates'
|
||||||
- --namespace=kubernetes-dashboard
|
- '--namespace=kubernetes-dashboard'
|
||||||
# Uncomment the following line to manually specify Kubernetes API server Host
|
# Uncomment the following line to manually specify Kubernetes API server Host
|
||||||
# If not specified, Dashboard will attempt to auto discover the API server and connect
|
# If not specified, Dashboard will attempt to auto discover the API server and connect
|
||||||
# to it. Uncomment only if the default does not work.
|
# to it. Uncomment only if the default does not work.
|
||||||
# - --apiserver-host=http://my-address:port
|
# - --apiserver-host=http://my-address:port
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: kubernetes-dashboard-certs
|
- name: 'kubernetes-dashboard-certs'
|
||||||
mountPath: /certs
|
mountPath: '/certs'
|
||||||
# Create on-disk volume to store exec logs
|
# Create on-disk volume to store exec logs
|
||||||
- mountPath: /tmp
|
- mountPath: '/tmp'
|
||||||
name: tmp-volume
|
name: 'tmp-volume'
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
scheme: HTTPS
|
scheme: 'HTTPS'
|
||||||
path: /
|
path: '/'
|
||||||
port: 8443
|
port: 8443
|
||||||
initialDelaySeconds: 30
|
initialDelaySeconds: 30
|
||||||
timeoutSeconds: 30
|
timeoutSeconds: 30
|
||||||
|
@ -198,149 +198,149 @@ spec:
|
||||||
runAsUser: 1001
|
runAsUser: 1001
|
||||||
runAsGroup: 2001
|
runAsGroup: 2001
|
||||||
volumes:
|
volumes:
|
||||||
- name: kubernetes-dashboard-certs
|
- name: 'kubernetes-dashboard-certs'
|
||||||
secret:
|
secret:
|
||||||
secretName: kubernetes-dashboard-certs
|
secretName: 'kubernetes-dashboard-certs'
|
||||||
- name: tmp-volume
|
- name: 'tmp-volume'
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
serviceAccountName: kubernetes-dashboard
|
serviceAccountName: 'kubernetes-dashboard'
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
"kubernetes.io/os": linux
|
"kubernetes.io/os": 'linux'
|
||||||
# Comment the following tolerations if Dashboard must not be deployed on master
|
# Comment the following tolerations if Dashboard must not be deployed on master
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
- key: 'node-role.kubernetes.io/master'
|
||||||
effect: NoSchedule
|
effect: 'NoSchedule'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
kind: Service
|
kind: 'Service'
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: dashboard-metrics-scraper
|
k8s-app: 'dashboard-metrics-scraper'
|
||||||
name: dashboard-metrics-scraper
|
name: 'dashboard-metrics-scraper'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
spec:
|
spec:
|
||||||
ports:
|
ports:
|
||||||
- port: 8000
|
- port: 8000
|
||||||
targetPort: 8000
|
targetPort: 8000
|
||||||
selector:
|
selector:
|
||||||
k8s-app: dashboard-metrics-scraper
|
k8s-app: 'dashboard-metrics-scraper'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
kind: Deployment
|
kind: 'Deployment'
|
||||||
apiVersion: apps/v1
|
apiVersion: 'apps/v1'
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: dashboard-metrics-scraper
|
k8s-app: 'dashboard-metrics-scraper'
|
||||||
name: dashboard-metrics-scraper
|
name: 'dashboard-metrics-scraper'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
spec:
|
spec:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
revisionHistoryLimit: 10
|
revisionHistoryLimit: 10
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
k8s-app: dashboard-metrics-scraper
|
k8s-app: 'dashboard-metrics-scraper'
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
k8s-app: dashboard-metrics-scraper
|
k8s-app: 'dashboard-metrics-scraper'
|
||||||
spec:
|
spec:
|
||||||
securityContext:
|
securityContext:
|
||||||
seccompProfile:
|
seccompProfile:
|
||||||
type: RuntimeDefault
|
type: 'RuntimeDefault'
|
||||||
containers:
|
containers:
|
||||||
- name: dashboard-metrics-scraper
|
- name: 'dashboard-metrics-scraper'
|
||||||
image: kubernetesui/metrics-scraper:v1.0.9
|
image: 'kubernetesui/metrics-scraper:v1.0.9'
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 8000
|
- containerPort: 8000
|
||||||
protocol: TCP
|
protocol: 'TCP'
|
||||||
livenessProbe:
|
livenessProbe:
|
||||||
httpGet:
|
httpGet:
|
||||||
scheme: HTTP
|
scheme: 'HTTP'
|
||||||
path: /
|
path: '/'
|
||||||
port: 8000
|
port: 8000
|
||||||
initialDelaySeconds: 30
|
initialDelaySeconds: 30
|
||||||
timeoutSeconds: 30
|
timeoutSeconds: 30
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- mountPath: /tmp
|
- mountPath: '/tmp'
|
||||||
name: tmp-volume
|
name: 'tmp-volume'
|
||||||
securityContext:
|
securityContext:
|
||||||
allowPrivilegeEscalation: false
|
allowPrivilegeEscalation: false
|
||||||
readOnlyRootFilesystem: true
|
readOnlyRootFilesystem: true
|
||||||
runAsUser: 1001
|
runAsUser: 1001
|
||||||
runAsGroup: 2001
|
runAsGroup: 2001
|
||||||
serviceAccountName: kubernetes-dashboard
|
serviceAccountName: 'kubernetes-dashboard'
|
||||||
nodeSelector:
|
nodeSelector:
|
||||||
"kubernetes.io/os": linux
|
"kubernetes.io/os": 'linux'
|
||||||
# Comment the following tolerations if Dashboard must not be deployed on master
|
# Comment the following tolerations if Dashboard must not be deployed on master
|
||||||
tolerations:
|
tolerations:
|
||||||
- key: node-role.kubernetes.io/master
|
- key: 'node-role.kubernetes.io/master'
|
||||||
effect: NoSchedule
|
effect: 'NoSchedule'
|
||||||
volumes:
|
volumes:
|
||||||
- name: tmp-volume
|
- name: 'tmp-volume'
|
||||||
emptyDir: {}
|
emptyDir: {}
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
kind: ServiceAccount
|
kind: 'ServiceAccount'
|
||||||
metadata:
|
metadata:
|
||||||
name: admin-user
|
name: 'admin-user'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: rbac.authorization.k8s.io/v1
|
apiVersion: 'rbac.authorization.k8s.io/v1'
|
||||||
kind: ClusterRoleBinding
|
kind: 'ClusterRoleBinding'
|
||||||
metadata:
|
metadata:
|
||||||
name: admin-user
|
name: 'admin-user'
|
||||||
roleRef:
|
roleRef:
|
||||||
apiGroup: rbac.authorization.k8s.io
|
apiGroup: 'rbac.authorization.k8s.io'
|
||||||
kind: ClusterRole
|
kind: 'ClusterRole'
|
||||||
name: cluster-admin
|
name: 'cluster-admin'
|
||||||
subjects:
|
subjects:
|
||||||
- kind: ServiceAccount
|
- kind: 'ServiceAccount'
|
||||||
name: admin-user
|
name: 'admin-user'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: 'traefik.containo.us/v1alpha1'
|
||||||
kind: IngressRouteTCP
|
kind: 'IngressRouteTCP'
|
||||||
metadata:
|
metadata:
|
||||||
name: kubernetes-dashboard-ingress
|
name: 'kubernetes-dashboard-ingress'
|
||||||
namespace: kubernetes-dashboard
|
namespace: 'kubernetes-dashboard'
|
||||||
spec:
|
spec:
|
||||||
entryPoints:
|
entryPoints:
|
||||||
- websecure
|
- 'websecure'
|
||||||
routes:
|
routes:
|
||||||
- match: HostSNI(`kubernetes.example.com`)
|
- match: 'HostSNI(`kubernetes.example.com`)'
|
||||||
services:
|
services:
|
||||||
- name: kubernetes-dashboard
|
- name: 'kubernetes-dashboard'
|
||||||
port: 443
|
port: 443
|
||||||
tls:
|
tls:
|
||||||
passthrough: true
|
passthrough: true
|
||||||
...
|
...
|
||||||
# Traefik Dashboard
|
# Traefik Dashboard
|
||||||
---
|
---
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: 'traefik.containo.us/v1alpha1'
|
||||||
kind: IngressRoute
|
kind: 'IngressRoute'
|
||||||
metadata:
|
metadata:
|
||||||
name: traefik-dashboard-ingress
|
name: 'traefik-dashboard-ingress'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
spec:
|
spec:
|
||||||
entryPoints:
|
entryPoints:
|
||||||
- websecure
|
- 'websecure'
|
||||||
routes:
|
routes:
|
||||||
- match: Host(`traefik.example.com`)
|
- match: 'Host(`traefik.example.com`)'
|
||||||
kind: Rule
|
kind: 'Rule'
|
||||||
services:
|
services:
|
||||||
- name: api@internal
|
- name: 'api@internal'
|
||||||
kind: TraefikService
|
kind: 'TraefikService'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: traefik.containo.us/v1alpha1
|
apiVersion: 'traefik.containo.us/v1alpha1'
|
||||||
kind: ServersTransport
|
kind: 'ServersTransport'
|
||||||
metadata:
|
metadata:
|
||||||
name: skipverify
|
name: 'skipverify'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
spec:
|
spec:
|
||||||
insecureSkipVerify: true
|
insecureSkipVerify: true
|
||||||
...
|
...
|
||||||
|
|
|
@ -1,64 +1,64 @@
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: 'apps/v1'
|
||||||
kind: Deployment
|
kind: 'Deployment'
|
||||||
metadata:
|
metadata:
|
||||||
name: ldap
|
name: 'ldap'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
labels:
|
labels:
|
||||||
app: ldap
|
app: 'ldap'
|
||||||
spec:
|
spec:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: ldap
|
app: 'ldap'
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: ldap
|
app: 'ldap'
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: ldap
|
- name: 'ldap'
|
||||||
image: osixia/openldap:1.5.0
|
image: 'osixia/openldap:1.5.0'
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 389
|
- containerPort: 389
|
||||||
- containerPort: 636
|
- containerPort: 636
|
||||||
args: ["--copy-service", "--loglevel", "debug"]
|
args: ['--copy-service', '--loglevel', 'debug']
|
||||||
env:
|
env:
|
||||||
- name: LDAP_ORGANISATION
|
- name: 'LDAP_ORGANISATION'
|
||||||
value: MyCompany
|
value: 'MyCompany'
|
||||||
- name: LDAP_DOMAIN
|
- name: 'LDAP_DOMAIN'
|
||||||
value: example.com
|
value: 'example.com'
|
||||||
- name: LDAP_ADMIN_PASSWORD
|
- name: 'LDAP_ADMIN_PASSWORD'
|
||||||
value: password
|
value: 'password'
|
||||||
- name: LDAP_CONFIG_PASSWORD
|
- name: 'LDAP_CONFIG_PASSWORD'
|
||||||
value: password
|
value: 'password'
|
||||||
- name: LDAP_ADDITIONAL_MODULES
|
- name: 'LDAP_ADDITIONAL_MODULES'
|
||||||
value: memberof
|
value: 'memberof'
|
||||||
- name: LDAP_ADDITIONAL_SCHEMAS
|
- name: 'LDAP_ADDITIONAL_SCHEMAS'
|
||||||
value: openldap
|
value: 'openldap'
|
||||||
- name: LDAP_FORCE_RECONFIGURE
|
- name: 'LDAP_FORCE_RECONFIGURE'
|
||||||
value: "true"
|
value: 'true'
|
||||||
- name: LDAP_TLS_VERIFY_CLIENT
|
- name: 'LDAP_TLS_VERIFY_CLIENT'
|
||||||
value: try
|
value: 'try'
|
||||||
volumeMounts:
|
volumeMounts:
|
||||||
- name: ldap-config
|
- name: 'ldap-config'
|
||||||
mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom
|
mountPath: '/container/service/slapd/assets/config/bootstrap/ldif/custom'
|
||||||
volumes:
|
volumes:
|
||||||
- name: ldap-config
|
- name: 'ldap-config'
|
||||||
hostPath:
|
hostPath:
|
||||||
path: /configmaps/ldap
|
path: '/configmaps/ldap'
|
||||||
type: Directory
|
type: 'Directory'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
kind: Service
|
kind: 'Service'
|
||||||
metadata:
|
metadata:
|
||||||
name: ldap-service
|
name: 'ldap-service'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
app: ldap
|
app: 'ldap'
|
||||||
ports:
|
ports:
|
||||||
- protocol: TCP
|
- protocol: 'TCP'
|
||||||
port: 636
|
port: 636
|
||||||
...
|
...
|
||||||
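Review bot: `LDAP_ADMIN_PASSWORD` and `LDAP_CONFIG_PASSWORD` still carry the literal `value: 'password'` in the Deployment's `env` list; the quoting pass changes the scalar style only and leaves a plaintext admin credential in a manifest committed to VCS. The surrounding names (`authelia` namespace, `example.com`, a mailcatcher sidecar in the same change) suggest this is a test-suite fixture, so the literal may be deliberate, but anything copied from it as a template inherits the credential. If the manifest is meant to be reusable, replace the literal with a reference, e.g. `valueFrom: { secretKeyRef: { name: '<ldap-secret-name>', key: 'admin-password' } }`, and keep `LDAP_FORCE_RECONFIGURE: 'true'` quoted as it is now since env values must stay strings. The `hostPath` volume at `path: '/configmaps/ldap'` with `type: 'Directory'` also binds the pod to node-local state, which is fine for a suite but worth a comment such as `# test fixture only: hostPath ties this pod to the node's filesystem`.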
|
|
|
@ -1,64 +1,64 @@
|
||||||
---
|
---
|
||||||
apiVersion: apps/v1
|
apiVersion: 'apps/v1'
|
||||||
kind: Deployment
|
kind: 'Deployment'
|
||||||
metadata:
|
metadata:
|
||||||
name: mailcatcher
|
name: 'mailcatcher'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
labels:
|
labels:
|
||||||
app: mailcatcher
|
app: 'mailcatcher'
|
||||||
spec:
|
spec:
|
||||||
replicas: 1
|
replicas: 1
|
||||||
selector:
|
selector:
|
||||||
matchLabels:
|
matchLabels:
|
||||||
app: mailcatcher
|
app: 'mailcatcher'
|
||||||
template:
|
template:
|
||||||
metadata:
|
metadata:
|
||||||
labels:
|
labels:
|
||||||
app: mailcatcher
|
app: 'mailcatcher'
|
||||||
spec:
|
spec:
|
||||||
containers:
|
containers:
|
||||||
- name: mailcatcher
|
- name: 'mailcatcher'
|
||||||
image: schickling/mailcatcher
|
image: 'schickling/mailcatcher'
|
||||||
ports:
|
ports:
|
||||||
- containerPort: 1025
|
- containerPort: 1025
|
||||||
- containerPort: 1080
|
- containerPort: 1080
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
kind: Service
|
kind: 'Service'
|
||||||
metadata:
|
metadata:
|
||||||
name: mailcatcher-service
|
name: 'mailcatcher-service'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
spec:
|
spec:
|
||||||
selector:
|
selector:
|
||||||
app: mailcatcher
|
app: 'mailcatcher'
|
||||||
ports:
|
ports:
|
||||||
- protocol: TCP
|
- protocol: 'TCP'
|
||||||
port: 1080
|
port: 1080
|
||||||
name: ui
|
name: 'ui'
|
||||||
- protocol: TCP
|
- protocol: 'TCP'
|
||||||
port: 1025
|
port: 1025
|
||||||
name: smtp
|
name: 'smtp'
|
||||||
...
|
...
|
||||||
---
|
---
|
||||||
apiVersion: networking.k8s.io/v1
|
apiVersion: 'networking.k8s.io/v1'
|
||||||
kind: Ingress
|
kind: 'Ingress'
|
||||||
metadata:
|
metadata:
|
||||||
name: mailcatcher-ingress
|
name: 'mailcatcher-ingress'
|
||||||
namespace: authelia
|
namespace: 'authelia'
|
||||||
annotations:
|
annotations:
|
||||||
kubernetes.io/ingress.class: traefik
|
kubernetes.io/ingress.class: 'traefik'
|
||||||
traefik.ingress.kubernetes.io/router.entrypoints: websecure
|
traefik.ingress.kubernetes.io/router.entrypoints: 'websecure'
|
||||||
spec:
|
spec:
|
||||||
rules:
|
rules:
|
||||||
- host: mail.example.com
|
- host: 'mail.example.com'
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
- path: /
|
- path: '/'
|
||||||
pathType: Prefix
|
pathType: 'Prefix'
|
||||||
backend:
|
backend:
|
||||||
service:
|
service:
|
||||||
name: mailcatcher-service
|
name: 'mailcatcher-service'
|
||||||
port:
|
port:
|
||||||
number: 1080
|
number: 1080
|
||||||
...
|
...
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
---
|
---
|
||||||
apiVersion: v1
|
apiVersion: 'v1'
|
||||||
kind: Namespace
|
kind: 'Namespace'
|
||||||
metadata:
|
metadata:
|
||||||
name: authelia
|
name: 'authelia'
|
||||||
...
|
...
|
||||||
|
|