James Elliott 5013952bae
refactor: single quote yaml strings
Signed-off-by: James Elliott <james-d-elliott@users.noreply.github.com>
2023-05-07 16:41:41 +10:00
102 changed files with 2254 additions and 2227 deletions


@ -4,44 +4,44 @@
# secret leaks. # secret leaks.
steps: steps:
# Blocking pipeline for master branch deployments (concurrency_group). # Blocking pipeline for master branch deployments (concurrency_group).
- label: ":pipeline: Setup Pipeline" - label: ':pipeline: Setup Pipeline'
command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload" command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload'
concurrency: 1 concurrency: 1
concurrency_group: "deployments" concurrency_group: 'deployments'
if: build.branch == "master" if: 'build.branch == "master"'
# Non-blocking pipeline for all others (tagged commits/local branches/PRs). # Non-blocking pipeline for all others (tagged commits/local branches/PRs).
- label: ":pipeline: Setup Pipeline" - label: ':pipeline: Setup Pipeline'
command: ".buildkite/pipeline.sh | buildkite-agent pipeline upload" command: '.buildkite/pipeline.sh | buildkite-agent pipeline upload'
if: build.branch != "master" if: 'build.branch != "master"'
- wait: # yamllint disable-line rule:empty-values - wait: # yamllint disable-line rule:empty-values
if: build.pull_request.repository.fork != true && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ # yamllint disable-line rule:line-length if: 'build.pull_request.repository.fork != true && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/' # yamllint disable-line rule:line-length
# Manual intervention by team required to deploy for forked PRs (prevent secret leakage). # Manual intervention by team required to deploy for forked PRs (prevent secret leakage).
- block: "Public fork needs approval" - block: 'Public fork needs approval'
if: build.pull_request.repository.fork == true if: 'build.pull_request.repository.fork == true'
# Blocking deployment for master branch deployments (concurrency_group). # Blocking deployment for master branch deployments (concurrency_group).
- label: ":rocket: Setup Deployment" - label: ':rocket: Setup Deployment'
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload" command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
concurrency: 1 concurrency: 1
concurrency_group: "deployments" concurrency_group: 'deployments'
depends_on: ~ depends_on: '~'
if: build.branch == "master" && build.message !~ /^docs/ if: 'build.branch == "master" && build.message !~ /^docs/'
# Non-blocking deployment for all others (tagged commits/local branches). # Non-blocking deployment for all others (tagged commits/local branches).
- label: ":rocket: Setup Deployment" - label: ':rocket: Setup Deployment'
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload" command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
depends_on: ~ depends_on: ~
if: build.branch != "master" && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ && build.pull_request.repository.fork != true # yamllint disable-line rule:line-length if: 'build.branch != "master" && build.branch !~ /^(dependabot|renovate)\/.*/ && build.message !~ /^docs/ && build.pull_request.repository.fork != true' # yamllint disable-line rule:line-length
# Removed dependency optimisation for forked PRs to enforce block step. # Removed dependency optimisation for forked PRs to enforce block step.
- label: ":rocket: Setup Deployment" - label: ':rocket: Setup Deployment'
command: ".buildkite/deployment.sh | buildkite-agent pipeline upload" command: '.buildkite/deployment.sh | buildkite-agent pipeline upload'
if: build.message !~ /^docs/ && build.pull_request.repository.fork == true if: 'build.message !~ /^docs/ && build.pull_request.repository.fork == true'
notify: notify:
- webhook: "<REDACTED WEBHOOK_URL>" - webhook: '<REDACTED WEBHOOK_URL>'
if: build.state == "blocked" if: 'build.state == "blocked"'
... ...
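Review bot: Quoting the null on the master deployment step, `depends_on: '~'`, turns a YAML null into the literal string `~`, while the sibling non-master step four lines later keeps the unquoted `depends_on: ~`, so two steps that previously carried the same value now differ. If Buildkite resolves the string as a step key, the master deployment would wait on a step that does not exist instead of bypassing the implicit wait (presumably the "dependency optimisation" the comment on the forked-PR step refers to), so this looks like an over-eager quote rather than an intentional change; `depends_on: ~` or an explicit `depends_on: null` should be restored. The fork-approval `block` step and the `fork != true` guards on the deployment steps are unchanged, so the secret-leakage protection described in the comments is not affected by this hunk.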


@ -3,42 +3,42 @@ codecov:
require_ci_to_pass: true require_ci_to_pass: true
comment: comment:
layout: "reach, diff, flags, files" layout: 'reach, diff, flags, files'
behavior: default behavior: 'default'
require_changes: false require_changes: false
coverage: coverage:
precision: 2 precision: 2
round: down round: 'down'
range: "70...100" range: '70...100'
status: status:
project: project:
default: false default: false
backend: backend:
base: auto base: 'auto'
threshold: 0.15% threshold: '0.15%'
flags: flags:
- backend - 'backend'
frontend: frontend:
base: auto base: 'auto'
threshold: 0.15% threshold: '0.15%'
flags: flags:
- frontend - 'frontend'
flags: flags:
backend: backend:
paths: paths:
- "cmd/authelia/" - 'cmd/authelia/'
- "internal/" - 'internal/'
- "!internal/suites/" - '!internal/suites/'
frontend: frontend:
paths: paths:
- "web/" - 'web/'
- "!web/coverage/" - '!web/coverage/'
ignore: ignore:
- "web/src/serviceWorker.ts" - 'web/src/serviceWorker.ts'
- "**/coverage.txt" - '**/coverage.txt'
parsers: parsers:
gcov: gcov:


@ -1,12 +1,12 @@
--- ---
name: Bug Report name: 'Bug Report'
description: Report a bug description: 'Report a bug'
labels: labels:
- type/bug/unconfirmed - 'type/bug/unconfirmed'
- status/needs-triage - 'status/needs-triage'
- priority/4/normal - 'priority/4/normal'
body: body:
- type: markdown - type: 'markdown'
attributes: attributes:
value: | value: |
Thanks for taking the time to fill out this bug report. If you are unsure if this is actually a bug and you still need some form of support we generally recommend creating a [Question and Answer Discussion](https://github.com/authelia/authelia/discussions/new?category=q-a) first. Thanks for taking the time to fill out this bug report. If you are unsure if this is actually a bug and you still need some form of support we generally recommend creating a [Question and Answer Discussion](https://github.com/authelia/authelia/discussions/new?category=q-a) first.
@ -25,160 +25,190 @@ body:
- Do not truncate any logs unless you are complying with the specific instructions in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section. - Do not truncate any logs unless you are complying with the specific instructions in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section.
- If you plan on sanitizing, removing, or adjusting any values for the logs or configuration files please read the [Sanitization](https://www.authelia.com/r/troubleshooting#sanitization) section. - If you plan on sanitizing, removing, or adjusting any values for the logs or configuration files please read the [Sanitization](https://www.authelia.com/r/troubleshooting#sanitization) section.
7. Please consider including a [HTTP Archive File](https://www.authelia.com/r/har) if you're having redirection issues. 7. Please consider including a [HTTP Archive File](https://www.authelia.com/r/har) if you're having redirection issues.
- type: dropdown - type: 'dropdown'
id: version id: 'version'
attributes: attributes:
label: Version label: |
description: What version(s) of Authelia can you reproduce this bug on? Version
description: |
What version(s) of Authelia can you reproduce this bug on?
multiple: true multiple: true
options: options:
- v4.37.5 - 'v4.37.5'
- v4.37.4 - 'v4.37.4'
- v4.37.3 - 'v4.37.3'
- v4.37.2 - 'v4.37.2'
- v4.37.1 - 'v4.37.1'
- v4.37.0 - 'v4.37.0'
- v4.36.9 - 'v4.36.9'
- v4.36.8 - 'v4.36.8'
- v4.36.7 - 'v4.36.7'
- v4.36.6 - 'v4.36.6'
- v4.36.5 - 'v4.36.5'
- v4.36.4 - 'v4.36.4'
- v4.36.3 - 'v4.36.3'
- v4.36.2 - 'v4.36.2'
- v4.36.1 - 'v4.36.1'
- v4.36.0 - 'v4.36.0'
- v4.35.6 - 'v4.35.6'
- v4.35.5 - 'v4.35.5'
- v4.35.4 - 'v4.35.4'
- v4.35.3 - 'v4.35.3'
- v4.35.2 - 'v4.35.2'
- v4.35.1 - 'v4.35.1'
- v4.35.0 - 'v4.35.0'
- v4.34.6 - 'v4.34.6'
- v4.34.5 - 'v4.34.5'
- v4.34.4 - 'v4.34.4'
- v4.34.3 - 'v4.34.3'
- v4.34.2 - 'v4.34.2'
- v4.34.1 - 'v4.34.1'
- v4.34.0 - 'v4.34.0'
- v4.33.2 - 'v4.33.2'
- v4.33.1 - 'v4.33.1'
- v4.33.0 - 'v4.33.0'
- v4.32.2 - 'v4.32.2'
- v4.32.1 - 'v4.32.1'
- v4.32.0 - 'v4.32.0'
validations: validations:
required: true required: true
- type: dropdown - type: 'dropdown'
id: deployment id: 'deployment'
attributes: attributes:
label: Deployment Method label: |
description: How are you deploying Authelia? Deployment Method
description: |
How are you deploying Authelia?
options: options:
- Docker - 'Docker'
- Kubernetes - 'Kubernetes'
- Bare-metal - 'Bare-metal'
- Other - 'Other'
validations: validations:
required: true required: true
- type: dropdown - type: 'dropdown'
id: proxy id: 'proxy'
attributes: attributes:
label: Reverse Proxy label: |
description: What reverse proxy are you using? Reverse Proxy
description: |
What reverse proxy are you using?
options: options:
- Caddy - 'Caddy'
- Traefik - 'Traefik'
- Envoy - 'Envoy'
- Istio - 'Istio'
- NGINX - 'NGINX'
- SWAG - 'SWAG'
- NGINX Proxy Manager - 'NGINX Proxy Manager'
- HAProxy - 'HAProxy'
validations: validations:
required: true required: true
- type: input - type: 'input'
id: proxy-version id: 'proxy-version'
attributes: attributes:
label: Reverse Proxy Version label: |
description: What is the version of your reverse proxy? Reverse Proxy Version
placeholder: x.x.x description: |
What is the version of your reverse proxy?
placeholder: 'x.x.x'
validations: validations:
required: false required: false
- type: textarea - type: 'textarea'
id: description id: 'description'
attributes: attributes:
label: Description label: |
description: Describe the bug. Description
description: |
Describe the bug.
validations: validations:
required: true required: true
- type: textarea - type: 'textarea'
id: reproduction id: 'reproduction'
attributes: attributes:
label: Reproduction label: |
description: Describe how we can reproduce this issue. This should be step by step and should include detailed and specific information. Abstract or generic information should be avoided. For example this should include specific application names and versions if relevant. Reproducing the issue is important so we can verify it exists, add relevant tests, and verify it is solved. Reproduction
description: |
Describe how we can reproduce this issue. This should be step by step and should include detailed and specific information. Abstract or generic information should be avoided. For example this should include specific application names and versions if relevant. Reproducing the issue is important so we can verify it exists, add relevant tests, and verify it is solved.
validations: validations:
required: true required: true
- type: textarea - type: 'textarea'
id: expectations id: 'expectations'
attributes: attributes:
label: Expectations label: |
description: Describe the desired or expected results. Expectations
description: |
Describe the desired or expected results.
validations: validations:
required: false required: false
- type: textarea - type: 'textarea'
id: configuration id: 'configuration'
attributes: attributes:
label: Configuration (Authelia) label: |
description: Provide a complete configuration file (the template will automatically put this content in a code block). Configuration (Authelia)
render: yaml description: |
Provide a complete configuration file (the template will automatically put this content in a code block).
render: 'yaml'
validations: validations:
required: false required: false
- type: textarea - type: 'textarea'
id: logs id: 'logs'
attributes: attributes:
label: Logs (Authelia) label: |
Logs (Authelia)
description: | description: |
Provide complete logs with the log level set to debug or trace. Complete means from application start until the issue occurring. This is clearly explained in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section of the troubleshooting guide. Provide complete logs with the log level set to debug or trace. Complete means from application start until the issue occurring. This is clearly explained in the [Logs](https://www.authelia.com/r/troubleshooting#logs) section of the troubleshooting guide.
The template will automatically put this content in a code block so you can just paste it. The template will automatically put this content in a code block so you can just paste it.
render: shell render: 'shell'
validations: validations:
required: true required: true
- type: textarea - type: 'textarea'
id: logs-other id: 'logs-other'
attributes: attributes:
label: Logs (Proxy / Application) label: |
description: Provide complete debug logs for the affected proxy and/or application if available and relevant (the template will automatically put this content in a code block). Logs (Proxy / Application)
render: shell description: |
Provide complete debug logs for the affected proxy and/or application if available and relevant (the template will automatically put this content in a code block).
render: 'shell'
validations: validations:
required: false required: false
- type: textarea - type: 'textarea'
id: documentation id: 'documentation'
attributes: attributes:
label: Documentation label: |
description: Provide any relevant specification or other documentation if applicable. Documentation
description: |
Provide any relevant specification or other documentation if applicable.
validations: validations:
required: false required: false
- type: checkboxes - type: 'checkboxes'
id: checklist id: 'checklist'
attributes: attributes:
label: Pre-Submission Checklist label: |
description: By submitting this issue confirm all of the following. Pre-Submission Checklist
description: |
By submitting this issue confirm all of the following.
options: options:
- label: I agree to follow the [Code of Conduct](http://www.authelia.com/code-of-conduct) - label: |
I agree to follow the [Code of Conduct](http://www.authelia.com/code-of-conduct)
required: true required: true
- label: This is a bug report and not a support request - label: |
This is a bug report and not a support request
required: true required: true
- label: I have read the security policy and this bug report is not a security issue or security related issue - label: |
I have read the security policy and this bug report is not a security issue or security related issue
required: true required: true
- label: I have either included the complete configuration file or I am sure it's unrelated to the configuration - label: |
I have either included the complete configuration file or I am sure it's unrelated to the configuration
required: true required: true
- label: I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the [Troubleshooting Sanitization](https://www.authelia.com/r/sanitize) reference guide - label: |
I have provided all of the required information in full with the only alteration being reasonable sanitization in accordance with the [Troubleshooting Sanitization](https://www.authelia.com/r/sanitize) reference guide
required: true required: true
- label: I have checked for related proxy or application logs and included them if available - label: |
I have checked for related proxy or application logs and included them if available
required: true required: true
- label: I have checked for related issues and checked the documentation - label: |
I have checked for related issues and checked the documentation
required: true required: true
... ...
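Review bot: Converting single-line `label:` and `description:` values to `|` block scalars (e.g. `label: |` followed by `Version`) appends a trailing newline to every value, so the parsed label is `"Version\n"` rather than `"Version"`; whether GitHub's issue-form renderer trims that is not visible here, but if the aim is only to avoid quoting, `|-` strips the newline and for one-word labels a plain `label: 'Version'` is simpler still. This file is listed in the `.yamllint.yml` ignore block elsewhere in this commit, so the linter will not flag either form. While these labels are being rewritten, the Code of Conduct checkbox still links to `http://www.authelia.com/code-of-conduct` over plain HTTP whereas every other link in the form uses HTTPS; `https://` would be consistent.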


@ -10,14 +10,14 @@
# the `language` matrix defined below to confirm you have the correct set of # the `language` matrix defined below to confirm you have the correct set of
# supported CodeQL languages. # supported CodeQL languages.
# #
name: "CodeQL" name: 'CodeQL'
# yamllint disable-line rule:truthy # yamllint disable-line rule:truthy
on: on:
push: push:
branches: branches:
- master - 'master'
- gh-pages - 'gh-pages'
paths: paths:
- 'go.mod' - 'go.mod'
- 'go.sum' - 'go.sum'
@ -29,7 +29,7 @@ on:
pull_request: pull_request:
# The branches below must be a subset of the branches above # The branches below must be a subset of the branches above
branches: branches:
- master - 'master'
paths: paths:
- 'go.mod' - 'go.mod'
- 'go.sum' - 'go.sum'
@ -43,12 +43,12 @@ on:
jobs: jobs:
analyze: analyze:
name: Analyze name: 'Analyze'
runs-on: ubuntu-latest runs-on: 'ubuntu-latest'
permissions: permissions:
actions: read actions: 'read'
contents: read contents: 'read'
security-events: write security-events: 'write'
strategy: strategy:
fail-fast: false fail-fast: false
@ -59,23 +59,23 @@ jobs:
- 'javascript' - 'javascript'
steps: steps:
- name: Checkout repository - name: 'Checkout repository'
uses: actions/checkout@v3 uses: 'actions/checkout@v3'
# Initializes the CodeQL tools for scanning. # Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL - name: 'Initialize CodeQL'
uses: github/codeql-action/init@v1 uses: 'github/codeql-action/init@v1'
with: with:
# If you wish to specify custom queries, you can do so here or in a config file. # If you wish to specify custom queries, you can do so here or in a config file.
# By default, queries listed here will override any specified in a config file. # By default, queries listed here will override any specified in a config file.
# Prefix the list here with "+" to use these queries and those in the config file. # Prefix the list here with "+" to use these queries and those in the config file.
# queries: ./path/to/local/query, your-org/your-repo/queries@main # queries: ./path/to/local/query, your-org/your-repo/queries@main
languages: ${{ matrix.language }} languages: '${{ matrix.language }}'
# Autobuild attempts to build any compiled languages (C/C++, C#, or Java). # Autobuild attempts to build any compiled languages (C/C++, C#, or Java).
# If this step fails, then you should remove it and run the build manually (see below) # If this step fails, then you should remove it and run the build manually (see below)
- name: Autobuild - name: 'Autobuild'
uses: github/codeql-action/autobuild@v1 uses: 'github/codeql-action/autobuild@v1'
# Command-line programs to run using the OS shell. # Command-line programs to run using the OS shell.
# 📚 https://git.io/JvXDl # 📚 https://git.io/JvXDl
@ -88,6 +88,6 @@ jobs:
# make bootstrap # make bootstrap
# make release # make release
- name: Perform CodeQL Analysis - name: 'Perform CodeQL Analysis'
uses: github/codeql-action/analyze@v1 uses: 'github/codeql-action/analyze@v1'
... ...
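Review bot: The action references in this job (`actions/checkout@v3`, `github/codeql-action/init@v1`, `autobuild@v1`, `analyze@v1`) remain floating major tags, which the quoting pass leaves untouched; pinning each to a full commit SHA with the tag in a trailing comment, e.g. `uses: 'actions/checkout@<commit-sha>' # v3`, is the standard supply-chain hardening for a workflow that holds `security-events: write`. To my knowledge v1 of `github/codeql-action` was announced as deprecated by GitHub before this commit's date, so the three `@v1` references are worth checking against the currently supported major version. The `permissions` block itself is appropriately minimal.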


@ -1,6 +1,6 @@
--- ---
run: run:
timeout: 3m timeout: '3m'
linters-settings: linters-settings:
goconst: goconst:
@ -11,40 +11,40 @@ linters-settings:
godot: godot:
check-all: true check-all: true
goimports: goimports:
local-prefixes: github.com/authelia/authelia local-prefixes: 'github.com/authelia/authelia'
revive: revive:
confidence: 0.8 confidence: 0.8
linters: linters:
enable: enable:
- asciicheck - 'asciicheck'
- goconst - 'goconst'
- gocritic - 'gocritic'
- gocyclo - 'gocyclo'
- godot - 'godot'
- gofmt - 'gofmt'
- goimports - 'goimports'
- gosec - 'gosec'
- misspell - 'misspell'
- nolintlint - 'nolintlint'
- prealloc - 'prealloc'
- revive - 'revive'
- unconvert - 'unconvert'
- unparam - 'unparam'
- whitespace - 'whitespace'
- wsl - 'wsl'
issues: issues:
exclude: exclude:
- Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked # yamllint disable-line rule:line-length - 'Error return value of .((os\.)?std(out|err)\..*|.*Close|.*Flush|os\.Remove(All)?|.*printf?|os\.(Un)?Setenv). is not checked' # yamllint disable-line rule:line-length
- func name will be used as test\.Test.* by other packages, and that stutters; consider calling this - 'func name will be used as test\.Test.* by other packages, and that stutters; consider calling this'
- (possible misuse of unsafe.Pointer|should have signature) - '(possible misuse of unsafe.Pointer|should have signature)'
- ineffective break statement. Did you mean to break out of the outer loop - 'ineffective break statement. Did you mean to break out of the outer loop'
- Use of unsafe calls should be audited - 'Use of unsafe calls should be audited'
- Subprocess launch(ed with variable|ing should be audited) - 'Subprocess launch(ed with variable|ing should be audited)'
- (G104|G307) - '(G104|G307)'
- (Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less) - '(Expect directory permissions to be 0750 or less|Expect file permissions to be 0600 or less)'
- Potential file inclusion via variable - 'Potential file inclusion via variable'
exclude-use-default: false exclude-use-default: false
max-issues-per-linter: 0 max-issues-per-linter: 0
max-same-issues: 0 max-same-issues: 0
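Review bot: The `issues.exclude` list silences several gosec findings by message regex across the whole tree — `'(G104|G307)'`, `'Subprocess launch(ed with variable|ing should be audited)'`, `'Potential file inclusion via variable'` and the file-permission checks — which means new code that opens a caller-controlled path or spawns a process is never surfaced by the linter. The quoting itself is correct (these regexes contain `.` and `|` that are safer inside quotes), but a global mute is a blunt instrument; per-site `//nolint:gosec // reason` directives, or `exclude-rules` scoped to the packages that legitimately need them, keep the check live everywhere else. Which of these patterns are still needed cannot be judged from this hunk.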


@ -1,19 +1,19 @@
--- ---
runner: runner:
golangci: golangci:
cmd: golangci-lint run cmd: 'golangci-lint run'
errorformat: errorformat:
- '%E%f:%l:%c: %m' - '%E%f:%l:%c: %m'
- '%E%f:%l: %m' - '%E%f:%l: %m'
- '%C%.%#' - '%C%.%#'
level: error level: 'error'
eslint: eslint:
cmd: cd web && eslint -f rdjson '*/**/*.{js,ts,tsx}' cmd: 'cd web && eslint -f rdjson "*/**/*.{js,ts,tsx}"'
format: rdjson format: 'rdjson'
level: error level: 'error'
yamllint: yamllint:
cmd: yamllint --format parsable . cmd: 'yamllint --format parsable .'
errorformat: errorformat:
- '%f:%l:%c: %m' - '%f:%l:%c: %m'
level: warning level: 'warning'
... ...


@ -1,7 +1,7 @@
--- ---
extends: default extends: 'default'
locale: en_US.UTF-8 locale: 'en_US.UTF-8'
yaml-files: yaml-files:
- '*.yaml' - '*.yaml'
@ -19,13 +19,13 @@ ignore: |
.github/ISSUE_TEMPLATE/bug-report.yml .github/ISSUE_TEMPLATE/bug-report.yml
rules: rules:
document-end: document-end:
level: warning level: 'warning'
empty-values: empty-values:
level: warning level: 'warning'
indentation: indentation:
spaces: 2 spaces: 2
check-multi-line-strings: true check-multi-line-strings: true
line-length: line-length:
max: 120 max: 120
octal-values: enable octal-values: 'enable'
... ...


@ -4,71 +4,70 @@
############################################################### ###############################################################
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE # This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
jwt_secret: a_very_important_secret jwt_secret: 'a_very_important_secret'
default_redirection_url: https://public.example.com default_redirection_url: 'https://public.example.com'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
log: log:
level: debug level: 'debug'
totp: totp:
issuer: authelia.com issuer: 'authelia.com'
# duo_api: # duo_api:
# hostname: api-123456789.example.com # hostname: 'api-123456789.example.com'
# integration_key: ABCDEF # integration_key: 'ABCDEF'
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE # # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
# secret_key: 1234567890abcdefghifjkl # secret_key: 1234567890abcdefghifjkl
authentication_backend: authentication_backend:
file: file:
path: /config/users_database.yml path: '/config/users_database.yml'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
# Rules applied to everyone # Rules applied to everyone
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: traefik.example.com - domain: 'traefik.example.com'
policy: one_factor policy: 'one_factor'
- domain: secure.example.com - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
session: session:
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
secret: unsecure_session_secret secret: 'unsecure_session_secret'
cookies: cookies:
- name: authelia_session - name: 'authelia_session'
domain: example.com # Should match whatever your root protected domain is domain: 'example.com' # Should match whatever your root protected domain is
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
redis: redis:
host: redis host: 'redis'
port: 6379 port: 6379
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
# password: authelia # password: 'authelia'
regulation: regulation:
max_retries: 3 max_retries: 3
find_time: 120 find_time: '2m'
ban_time: 300 ban_time: '5m'
storage: storage:
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
local: local:
path: /config/db.sqlite3 path: '/config/db.sqlite3'
notifier: notifier:
smtp: smtp:
username: test address: 'smtp://mail.example.com:25'
username: 'test'
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
password: password password: 'password'
host: mail.example.com sender: 'admin@example.com'
port: 25
sender: admin@example.com
... ...
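Review bot: The `smtp` block now uses `address: 'smtp://mail.example.com:25'` in place of the old `host`/`port` pair, and the session and regulation values change from integers (`3600`, `120`, `300`) to duration strings (`'1h'`, `'2m'`, `'5m'`); these are functional changes rather than quoting, so they deserve a mention in a commit titled as a quote refactor (presumably they track the current configuration schema, which this hunk cannot confirm). On the secrets, `jwt_secret: 'a_very_important_secret'` and `secret: 'unsecure_session_secret'` are placeholders with only the `_FILE` env-var hint beside them, while `encryption_key` spells out that a random value must be generated; the same warning on the other two, e.g. `# Replace with a long random value; never deploy the example secret`, would reduce copy-paste deployments with known secrets. The commented `secret_key: 1234567890abcdefghifjkl` in the `duo_api` block was also left unquoted, unlike its siblings.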


@ -9,11 +9,11 @@
users: users:
authelia: authelia:
disabled: false disabled: false
displayname: "Authelia User" displayname: 'Authelia User'
# Password is authelia # Password is authelia
password: "$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/" # yamllint disable-line rule:line-length password: '$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/' # yamllint disable-line rule:line-length
email: authelia@authelia.com email: 'authelia@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
... ...


@ -1,18 +1,18 @@
--- ---
version: '3.3' version: '3.8'
networks: networks:
net: net:
driver: bridge driver: 'bridge'
services: services:
authelia: authelia:
image: authelia/authelia image: 'authelia/authelia'
container_name: authelia container_name: 'authelia'
volumes: volumes:
- ./authelia:/config - './authelia:/config'
networks: networks:
- net - 'net'
labels: labels:
- 'traefik.enable=true' - 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)' - 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
@ -24,34 +24,34 @@ services:
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
expose: expose:
- 9091 - 9091
restart: unless-stopped restart: 'unless-stopped'
healthcheck: healthcheck:
## In production the healthcheck section should be commented. ## In production the healthcheck section should be commented.
disable: true disable: true
environment: environment:
- TZ=Australia/Melbourne TZ: 'Australia/Melbourne'
redis: redis:
image: redis:alpine image: 'redis:alpine'
container_name: redis container_name: 'redis'
volumes: volumes:
- ./redis:/data - './redis:/data'
networks: networks:
- net - 'net'
expose: expose:
- 6379 - 6379
restart: unless-stopped restart: 'unless-stopped'
environment: environment:
- TZ=Australia/Melbourne TZ: 'Australia/Melbourne'
traefik: traefik:
image: traefik:v2.10.1 image: 'traefik:v2.10.1'
container_name: traefik container_name: 'traefik'
volumes: volumes:
- ./traefik:/etc/traefik - './traefik:/etc/traefik'
- /var/run/docker.sock:/var/run/docker.sock - '/var/run/docker.sock:/var/run/docker.sock'
networks: networks:
- net - 'net'
labels: labels:
- 'traefik.enable=true' - 'traefik.enable=true'
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)' - 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
@ -80,10 +80,10 @@ services:
- '--log.level=DEBUG' - '--log.level=DEBUG'
secure: secure:
image: traefik/whoami image: 'traefik/whoami'
container_name: secure container_name: 'secure'
networks: networks:
- net - 'net'
labels: labels:
- 'traefik.enable=true' - 'traefik.enable=true'
- 'traefik.http.routers.secure.rule=Host(`secure.example.com`)' - 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
@ -93,13 +93,13 @@ services:
- 'traefik.http.routers.secure.middlewares=authelia@docker' - 'traefik.http.routers.secure.middlewares=authelia@docker'
expose: expose:
- 80 - 80
restart: unless-stopped restart: 'unless-stopped'
public: public:
image: traefik/whoami image: 'traefik/whoami'
container_name: public container_name: 'public'
networks: networks:
- net - 'net'
labels: labels:
- 'traefik.enable=true' - 'traefik.enable=true'
- 'traefik.http.routers.public.rule=Host(`public.example.com`)' - 'traefik.http.routers.public.rule=Host(`public.example.com`)'
@ -109,5 +109,5 @@ services:
- 'traefik.http.routers.public.middlewares=authelia@docker' - 'traefik.http.routers.public.middlewares=authelia@docker'
expose: expose:
- 80 - 80
restart: unless-stopped restart: 'unless-stopped'
... ...
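Review bot: The Traefik service still bind-mounts `'/var/run/docker.sock:/var/run/docker.sock'` read-write, which gives that container full control of the Docker daemon and therefore effectively root on the host; the quoting pass is a natural moment to at least append `:ro`, while noting that a read-only bind does not restrict Docker API calls over the socket, so a socket proxy exposing only the endpoints Traefik needs is the stronger fix. `image: 'authelia/authelia'` carries no tag and resolves to `latest`, whereas `traefik` is pinned to `v2.10.1`; an example that gets copied verbatim should pin the Authelia tag as well. The `version` bump from `'3.3'` to `'3.8'` is a functional change not covered by the commit message, and the sibling compose example further down this page still declares `'3.3'`.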


@ -3,52 +3,52 @@
# Authelia configuration # # Authelia configuration #
############################################################### ###############################################################
jwt_secret: a_very_important_secret jwt_secret: 'a_very_important_secret'
default_redirection_url: https://public.example.com default_redirection_url: 'https://public.example.com'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
log: log:
level: debug level: 'debug'
totp: totp:
issuer: authelia.com issuer: 'authelia.com'
authentication_backend: authentication_backend:
file: file:
path: /config/users_database.yml path: '/config/users_database.yml'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: traefik.example.com - domain: 'traefik.example.com'
policy: one_factor policy: 'one_factor'
- domain: secure.example.com - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
cookies: cookies:
- name: authelia_session - name: 'authelia_session'
domain: example.com # Should match whatever your root protected domain is domain: 'example.com' # Should match whatever your root protected domain is
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
regulation: regulation:
max_retries: 3 max_retries: 3
find_time: 120 find_time: '2m'
ban_time: 300 ban_time: '5m'
storage: storage:
encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this encryption_key: 'you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this'
local: local:
path: /config/db.sqlite3 path: '/config/db.sqlite3'
notifier: notifier:
filesystem: filesystem:
filename: /config/notification.txt filename: '/config/notification.txt'
... ...
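Review bot: The placeholder secrets in this file (`jwt_secret: 'a_very_important_secret'`, `secret: 'unsecure_session_secret'`, the `encryption_key` template) carry no comment at all, unlike the parallel example on this page which notes the `AUTHELIA_*_FILE` environment variables above each secret; adding the same `# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE` style hint here keeps the two examples consistent and steers readers away from committing secrets in the config. The duration rewrites (`'1h'`, `'5m'`, `'2m'`) are functional rather than quoting changes and belong in the commit message. `log.level: 'debug'` is reasonable for a local example but a one-line comment noting it should be raised for production would not hurt.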


@ -9,10 +9,10 @@
users: users:
<USERNAME>: <USERNAME>:
disabled: false disabled: false
displayname: "<DISPLAYNAME>" displayname: '<DISPLAYNAME>'
password: "<PASSWORD>" password: '<PASSWORD>'
email: <USERNAME>@example.com email: '<USERNAME>@example.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
... ...


@ -3,16 +3,16 @@ version: '3.3'
networks: networks:
net: net:
driver: bridge driver: 'bridge'
services: services:
authelia: authelia:
image: authelia/authelia image: 'authelia/authelia'
container_name: authelia container_name: 'authelia'
volumes: volumes:
- ./authelia:/config - './authelia:/config'
networks: networks:
- net - 'net'
labels: labels:
- 'traefik.enable=true' - 'traefik.enable=true'
- 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)' - 'traefik.http.routers.authelia.rule=Host(`authelia.example.com`)'
@ -24,21 +24,21 @@ services:
- 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length - 'traefik.http.middlewares.authelia.forwardauth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Name,Remote-Email' # yamllint disable-line rule:line-length
expose: expose:
- 9091 - 9091
restart: unless-stopped restart: 'unless-stopped'
healthcheck: healthcheck:
## In production the healthcheck section should be commented. ## In production the healthcheck section should be commented.
disable: true disable: true
environment: environment:
- TZ=Australia/Melbourne TZ: 'Australia/Melbourne'
traefik: traefik:
image: traefik:v2.10.1 image: 'traefik:v2.10.1'
container_name: traefik container_name: 'traefik'
volumes: volumes:
- ./traefik:/etc/traefik - './traefik:/etc/traefik'
- /var/run/docker.sock:/var/run/docker.sock - '/var/run/docker.sock:/var/run/docker.sock'
networks: networks:
- net - 'net'
labels: labels:
- 'traefik.enable=true' - 'traefik.enable=true'
- 'traefik.http.routers.api.rule=Host(`traefik.example.com`)' - 'traefik.http.routers.api.rule=Host(`traefik.example.com`)'
@ -65,10 +65,10 @@ services:
- '--log.level=DEBUG' - '--log.level=DEBUG'
secure: secure:
image: traefik/whoami image: 'traefik/whoami'
container_name: secure container_name: 'secure'
networks: networks:
- net - 'net'
labels: labels:
- 'traefik.enable=true' - 'traefik.enable=true'
- 'traefik.http.routers.secure.rule=Host(`secure.example.com`)' - 'traefik.http.routers.secure.rule=Host(`secure.example.com`)'
@ -78,13 +78,13 @@ services:
- 'traefik.http.routers.secure.middlewares=authelia@docker' - 'traefik.http.routers.secure.middlewares=authelia@docker'
expose: expose:
- 80 - 80
restart: unless-stopped restart: 'unless-stopped'
public: public:
image: traefik/whoami image: 'traefik/whoami'
container_name: public container_name: 'public'
networks: networks:
- net - 'net'
labels: labels:
- 'traefik.enable=true' - 'traefik.enable=true'
- 'traefik.http.routers.public.rule=Host(`public.example.com`)' - 'traefik.http.routers.public.rule=Host(`public.example.com`)'
@ -94,5 +94,5 @@ services:
- 'traefik.http.routers.public.middlewares=authelia@docker' - 'traefik.http.routers.public.middlewares=authelia@docker'
expose: expose:
- 80 - 80
restart: unless-stopped restart: 'unless-stopped'
... ...
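Review bot: The `environment` block at L703 changes shape, not just quoting: the sequence entry `- TZ=Australia/Melbourne` becomes the mapping entry `TZ: 'Australia/Melbourne'`. Compose accepts both forms and they should be equivalent for a value with no `=` in it, but this is a structural edit that a reader of a "single quote yaml strings" commit will not expect, so it is worth either reverting to `- 'TZ=Australia/Melbourne'` for consistency with the rest of this hunk or calling it out in the commit message. The other services in this file keep their existing structure, so this is the only line in the section where the loaded data differs from before.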


@ -1,6 +1,6 @@
--- ---
tls: tls:
certificates: certificates:
- certFile: /etc/traefik/certs/cert.pem - certFile: '/etc/traefik/certs/cert.pem'
keyFile: /etc/traefik/certs/key.pem keyFile: '/etc/traefik/certs/key.pem'
... ...


@ -9,11 +9,11 @@
users: users:
authelia: authelia:
disabled: false disabled: false
displayname: "Test User" displayname: 'Test User'
password: "$argon2id$v=19$m=32768,t=1,p=8$eUhVT1dQa082YVk2VUhDMQ$E8QI4jHbUBt3EdsU1NFDu4Bq5jObKNx7nBKSn1EYQxk" # Password is 'authelia' password: '$argon2id$v=19$m=32768,t=1,p=8$eUhVT1dQa082YVk2VUhDMQ$E8QI4jHbUBt3EdsU1NFDu4Bq5jObKNx7nBKSn1EYQxk' # Password is 'authelia'
email: authelia@authelia.com email: 'authelia@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
... ...
# yamllint enable rule:line-length # yamllint enable rule:line-length


@ -1,37 +1,37 @@
--- ---
default_redirection_url: https://home.example.com:8080/ default_redirection_url: 'https://home.example.com:8080/'
server: server:
address: "tcp://127.0.0.1:9091" address: 'tcp://127.0.0.1:9091'
endpoints: endpoints:
authz: authz:
forward-auth: forward-auth:
implementation: ForwardAuth implementation: 'ForwardAuth'
authn_strategies: authn_strategies:
- name: HeaderProxyAuthorization - name: 'HeaderProxyAuthorization'
- name: CookieSession - name: 'CookieSession'
ext-authz: ext-authz:
implementation: ExtAuthz implementation: 'ExtAuthz'
authn_strategies: authn_strategies:
- name: HeaderProxyAuthorization - name: 'HeaderProxyAuthorization'
- name: CookieSession - name: 'CookieSession'
auth-request: auth-request:
implementation: AuthRequest implementation: 'AuthRequest'
authn_strategies: authn_strategies:
- name: HeaderAuthRequestProxyAuthorization - name: 'HeaderAuthRequestProxyAuthorization'
- name: CookieSession - name: 'CookieSession'
legacy: legacy:
implementation: Legacy implementation: 'Legacy'
log: log:
level: debug level: 'debug'
totp: totp:
issuer: authelia.com issuer: 'authelia.com'
duo_api: duo_api:
hostname: api-123456789.example.com hostname: 'api-123456789.example.com'
integration_key: ABCDEF integration_key: 'ABCDEF'
authentication_backend: authentication_backend:
ldap: ldap:
@ -65,109 +65,109 @@ authentication_backend:
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0 USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw== 1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
base_dn: dc=example,dc=com base_dn: 'dc=example,dc=com'
username_attribute: uid username_attribute: 'uid'
additional_users_dn: ou=users additional_users_dn: 'ou=users'
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
additional_groups_dn: ou=groups additional_groups_dn: 'ou=groups'
groups_filter: (&(member={dn})(objectClass=groupOfNames)) groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_name_attribute: cn group_name_attribute: 'cn'
mail_attribute: mail mail_attribute: 'mail'
user: cn=admin,dc=example,dc=com user: 'cn=admin,dc=example,dc=com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
# Rules applied to everyone # Rules applied to everyone
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: secure.example.com - domain: 'secure.example.com'
policy: one_factor policy: 'one_factor'
# Network based rule, if not provided any network matches. # Network based rule, if not provided any network matches.
networks: networks:
- 192.168.1.0/24 - '192.168.1.0/24'
- domain: secure.example.com - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: [singlefactor.example.com, onefactor.example.com] - domain: ['singlefactor.example.com', 'onefactor.example.com']
policy: one_factor policy: 'one_factor'
# Rules applied to 'admins' group # Rules applied to 'admins' group
- domain: "mx2.mail.example.com" - domain: 'mx2.mail.example.com'
subject: "group:admins" subject: 'group:admins'
policy: deny policy: 'deny'
- domain: "*.example.com" - domain: '*.example.com'
subject: "group:admins" subject: 'group:admins'
policy: two_factor policy: 'two_factor'
# Rules applied to 'dev' group # Rules applied to 'dev' group
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/groups/dev/.*$" - '^/groups/dev/.*$'
subject: "group:dev" subject: 'group:dev'
policy: two_factor policy: 'two_factor'
# Rules applied to user 'john' # Rules applied to user 'john'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/john/.*$" - '^/users/john/.*$'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: 'two_factor'
# Rules applied to 'dev' group and user 'john' # Rules applied to 'dev' group and user 'john'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/deny-all.*$" - '^/deny-all.*$'
subject: ["group:dev", "user:john"] subject: ['group:dev', 'user:john']
policy: deny policy: 'deny'
# Rules applied to user 'harry' # Rules applied to user 'harry'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/harry/.*$" - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: 'two_factor'
# Rules applied to user 'bob' # Rules applied to user 'bob'
- domain: "*.mail.example.com" - domain: '*.mail.example.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
- domain: "dev.example.com" - domain: 'dev.example.com'
resources: resources:
- "^/users/bob/.*$" - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
session: session:
name: authelia_session name: 'authelia_session'
expiration: 3600000 # 1 hour expiration: '1h' # 1 hour
inactivity: 300000 # 5 minutes inactivity: '5m' # 5 minutes
domain: example.com domain: 'example.com'
redis: redis:
host: 127.0.0.1 host: '127.0.0.1'
port: 6379 port: 6379
high_availability: high_availability:
sentinel_name: test sentinel_name: 'test'
regulation: regulation:
max_retries: 3 max_retries: 3
find_time: 120 find_time: '2m'
ban_time: 300 ban_time: '5m'
storage: storage:
postgres: postgres:
host: 127.0.0.1 host: '127.0.0.1'
port: 5432 port: 5432
database: authelia database: 'authelia'
username: authelia username: 'authelia'
notifier: notifier:
smtp: smtp:
username: test username: 'test'
host: 127.0.0.1 host: '127.0.0.1'
port: 1025 port: 1025
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...
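Review bot: The session and regulation durations at L875-L876 and L885-L886 change value as well as form: `expiration: 3600000 # 1 hour` becomes `expiration: '1h'`, and `find_time: 120` / `ban_time: 300` become `'2m'` / `'5m'`. If the old integers were read as seconds, 3600000 was roughly 41 days despite the "1 hour" comment, so the new strings correct a latent mismatch rather than preserving behaviour, and that deserves a sentence in the commit message since the title only promises a quoting refactor. The same integer-to-duration-string conversion appears in the mysql and templated configs later in this commit (around L1007-L1008, L1017-L1018, L1136-L1137 and L1146-L1147) and, with already-consistent seconds values, in the remaining suite configs; it relies on the loader accepting both forms, which I assume it does but cannot confirm from this page.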


@ -1,37 +1,37 @@
--- ---
default_redirection_url: https://home.example.com:8080/ default_redirection_url: 'https://home.example.com:8080/'
server: server:
address: "tcp://127.0.0.1:9091" address: 'tcp://127.0.0.1:9091'
endpoints: endpoints:
authz: authz:
forward-auth: forward-auth:
implementation: ForwardAuth implementation: 'ForwardAuth'
authn_strategies: authn_strategies:
- name: HeaderProxyAuthorization - name: 'HeaderProxyAuthorization'
- name: CookieSession - name: 'CookieSession'
ext-authz: ext-authz:
implementation: ExtAuthz implementation: 'ExtAuthz'
authn_strategies: authn_strategies:
- name: HeaderProxyAuthorization - name: 'HeaderProxyAuthorization'
- name: CookieSession - name: 'CookieSession'
auth-request: auth-request:
implementation: AuthRequest implementation: 'AuthRequest'
authn_strategies: authn_strategies:
- name: HeaderAuthRequestProxyAuthorization - name: 'HeaderAuthRequestProxyAuthorization'
- name: CookieSession - name: 'CookieSession'
legacy: legacy:
implementation: Legacy implementation: 'Legacy'
log: log:
level: debug level: 'debug'
totp: totp:
issuer: authelia.com issuer: 'authelia.com'
duo_api: duo_api:
hostname: api-123456789.example.com hostname: 'api-123456789.example.com'
integration_key: ABCDEF integration_key: 'ABCDEF'
authentication_backend: authentication_backend:
ldap: ldap:
@ -65,109 +65,109 @@ authentication_backend:
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0 USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw== 1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
base_dn: dc=example,dc=com base_dn: 'dc=example,dc=com'
username_attribute: uid username_attribute: 'uid'
additional_users_dn: ou=users additional_users_dn: 'ou=users'
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
additional_groups_dn: ou=groups additional_groups_dn: 'ou=groups'
groups_filter: (&(member={dn})(objectClass=groupOfNames)) groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_name_attribute: cn group_name_attribute: 'cn'
mail_attribute: mail mail_attribute: 'mail'
user: cn=admin,dc=example,dc=com user: 'cn=admin,dc=example,dc=com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
# Rules applied to everyone # Rules applied to everyone
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: secure.example.com - domain: 'secure.example.com'
policy: one_factor policy: 'one_factor'
# Network based rule, if not provided any network matches. # Network based rule, if not provided any network matches.
networks: networks:
- 192.168.1.0/24 - '192.168.1.0/24'
- domain: secure.example.com - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: [singlefactor.example.com, onefactor.example.com] - domain: ['singlefactor.example.com', 'onefactor.example.com']
policy: one_factor policy: 'one_factor'
# Rules applied to 'admins' group # Rules applied to 'admins' group
- domain: "mx2.mail.example.com" - domain: 'mx2.mail.example.com'
subject: "group:admins" subject: 'group:admins'
policy: deny policy: 'deny'
- domain: "*.example.com" - domain: '*.example.com'
subject: "group:admins" subject: 'group:admins'
policy: two_factor policy: 'two_factor'
# Rules applied to 'dev' group # Rules applied to 'dev' group
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/groups/dev/.*$" - '^/groups/dev/.*$'
subject: "group:dev" subject: 'group:dev'
policy: two_factor policy: 'two_factor'
# Rules applied to user 'john' # Rules applied to user 'john'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/john/.*$" - '^/users/john/.*$'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: 'two_factor'
# Rules applied to 'dev' group and user 'john' # Rules applied to 'dev' group and user 'john'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/deny-all.*$" - '^/deny-all.*$'
subject: ["group:dev", "user:john"] subject: ['group:dev', 'user:john']
policy: deny policy: 'deny'
# Rules applied to user 'harry' # Rules applied to user 'harry'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/harry/.*$" - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: 'two_factor'
# Rules applied to user 'bob' # Rules applied to user 'bob'
- domain: "*.mail.example.com" - domain: '*.mail.example.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
- domain: "dev.example.com" - domain: 'dev.example.com'
resources: resources:
- "^/users/bob/.*$" - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
session: session:
name: authelia_session name: 'authelia_session'
expiration: 3600000 # 1 hour expiration: '1h' # 1 hour
inactivity: 300000 # 5 minutes inactivity: '5m' # 5 minutes
domain: example.com domain: 'example.com'
redis: redis:
host: 127.0.0.1 host: '127.0.0.1'
port: 6379 port: 6379
high_availability: high_availability:
sentinel_name: test sentinel_name: 'test'
regulation: regulation:
max_retries: 3 max_retries: 3
find_time: 120 find_time: '2m'
ban_time: 300 ban_time: '5m'
storage: storage:
mysql: mysql:
host: 127.0.0.1 host: '127.0.0.1'
port: 3306 port: 3306
database: authelia database: 'authelia'
username: authelia username: 'authelia'
notifier: notifier:
smtp: smtp:
username: test username: 'test'
host: 127.0.0.1 host: '127.0.0.1'
port: 1025 port: 1025
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...


@ -5,14 +5,14 @@ server:
address: 'tcp://{{ env "SERVICES_SERVER" }}:9091' address: 'tcp://{{ env "SERVICES_SERVER" }}:9091'
log: log:
level: debug level: 'debug'
totp: totp:
issuer: authelia.com issuer: 'authelia.com'
duo_api: duo_api:
hostname: 'api-123456789.{{ env "ROOT_DOMAIN" }}' hostname: 'api-123456789.{{ env "ROOT_DOMAIN" }}'
integration_key: ABCDEF integration_key: 'ABCDEF'
authentication_backend: authentication_backend:
ldap: ldap:
@ -46,51 +46,51 @@ authentication_backend:
USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0 USjhLXY0Nld2zBm9r8wMb81mXH29uvD+tDqqsICvyuKlA/tyzXR+QTr7dCVKVwu0
1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw== 1YjCJ36UpTsLre2f8nOSLtNmRfDPtbOE2mkOoO9dD9UU0XZwnvn9xw==
-----END RSA PRIVATE KEY----- -----END RSA PRIVATE KEY-----
base_dn: dc=example,dc=com base_dn: 'dc=example,dc=com'
username_attribute: uid username_attribute: 'uid'
additional_users_dn: ou=users additional_users_dn: 'ou=users'
users_filter: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
additional_groups_dn: ou=groups additional_groups_dn: 'ou=groups'
groups_filter: (&(member={dn})(objectClass=groupOfNames)) groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_name_attribute: cn group_name_attribute: 'cn'
mail_attribute: mail mail_attribute: 'mail'
user: cn=admin,dc=example,dc=com user: 'cn=admin,dc=example,dc=com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
# Rules applied to everyone # Rules applied to everyone
- domain: - domain:
- 'public.{{ env "ROOT_DOMAIN" }}' - 'public.{{ env "ROOT_DOMAIN" }}'
policy: bypass policy: 'bypass'
- domain: - domain:
- 'secure.{{ env "ROOT_DOMAIN" }}' - 'secure.{{ env "ROOT_DOMAIN" }}'
policy: one_factor policy: 'one_factor'
# Network based rule, if not provided any network matches. # Network based rule, if not provided any network matches.
networks: networks:
- 192.168.1.0/24 - '192.168.1.0/24'
- domain: - domain:
- 'secure.{{ env "ROOT_DOMAIN" }}' - 'secure.{{ env "ROOT_DOMAIN" }}'
policy: two_factor policy: 'two_factor'
- domain: - domain:
- 'singlefactor.{{ env "ROOT_DOMAIN" }}' - 'singlefactor.{{ env "ROOT_DOMAIN" }}'
- 'onefactor.{{ env "ROOT_DOMAIN" }}' - 'onefactor.{{ env "ROOT_DOMAIN" }}'
policy: one_factor policy: 'one_factor'
# Rules applied to 'admins' group # Rules applied to 'admins' group
- domain: - domain:
- 'mx2.mail.{{ env "ROOT_DOMAIN" }}' - 'mx2.mail.{{ env "ROOT_DOMAIN" }}'
subject: subject:
- 'group:admins' - 'group:admins'
policy: deny policy: 'deny'
- domain: - domain:
- '*.{{ env "ROOT_DOMAIN" }}' - '*.{{ env "ROOT_DOMAIN" }}'
subject: subject:
- ['group:admins'] - ['group:admins']
policy: two_factor policy: 'two_factor'
# Rules applied to 'dev' group # Rules applied to 'dev' group
- domain: - domain:
@ -99,7 +99,7 @@ access_control:
- '^/groups/dev/.*$' - '^/groups/dev/.*$'
subject: subject:
- ['group:dev'] - ['group:dev']
policy: two_factor policy: 'two_factor'
# Rules applied to user 'john' # Rules applied to user 'john'
- domain: - domain:
@ -108,17 +108,17 @@ access_control:
- '^/users/john/.*$' - '^/users/john/.*$'
subject: subject:
- ['user:john'] - ['user:john']
policy: two_factor policy: 'two_factor'
# Rules applied to 'dev' group and user 'john' # Rules applied to 'dev' group and user 'john'
- domain: - domain:
- 'dev.{{ env "ROOT_DOMAIN" }}' - 'dev.{{ env "ROOT_DOMAIN" }}'
resources: resources:
- "^/deny-all.*$" - '^/deny-all.*$'
subject: subject:
- ['group:dev'] - ['group:dev']
- ['user:john'] - ['user:john']
policy: deny policy: 'deny'
# Rules applied to user 'harry' # Rules applied to user 'harry'
- domain: - domain:
@ -127,47 +127,47 @@ access_control:
- '^/users/harry/.*$' - '^/users/harry/.*$'
subject: subject:
- ['user:harry'] - ['user:harry']
policy: two_factor policy: 'two_factor'
# Rules applied to user 'bob' # Rules applied to user 'bob'
- domain: - domain:
- '*.mail.{{ env "ROOT_DOMAIN" }}' - '*.mail.{{ env "ROOT_DOMAIN" }}'
subject: subject:
- ['user:bob'] - ['user:bob']
policy: two_factor policy: 'two_factor'
- domain: - domain:
- 'dev.{{ env "ROOT_DOMAIN" }}' - 'dev.{{ env "ROOT_DOMAIN" }}'
resources: resources:
- '^/users/bob/.*$' - '^/users/bob/.*$'
subject: subject:
- ['user:bob'] - ['user:bob']
policy: two_factor policy: 'two_factor'
session: session:
name: authelia_session name: 'authelia_session'
expiration: 3600000 # 1 hour expiration: '1h' # 1 hour
inactivity: 300000 # 5 minutes inactivity: '5m' # 5 minutes
domain: '{{ env "ROOT_DOMAIN" }}' domain: '{{ env "ROOT_DOMAIN" }}'
redis: redis:
host: ${SERVICES_SERVER} host: '${SERVICES_SERVER}'
port: 6379 port: 6379
high_availability: high_availability:
sentinel_name: test sentinel_name: 'test'
regulation: regulation:
max_retries: 3 max_retries: 3
find_time: 120 find_time: '2m'
ban_time: 300 ban_time: '5m'
storage: storage:
mysql: mysql:
address: 'tcp://{{ env "SERVICES_SERVER" }}:3306' address: 'tcp://{{ env "SERVICES_SERVER" }}:3306'
database: authelia database: 'authelia'
username: authelia username: 'authelia'
notifier: notifier:
smtp: smtp:
username: test username: 'test'
address: 'smtp://{{ env "SERVICES_SERVER" }}:1025' address: 'smtp://{{ env "SERVICES_SERVER" }}:1025'
sender: 'admin@{{ env "ROOT_DOMAIN" }}' sender: 'admin@{{ env "ROOT_DOMAIN" }}'
disable_require_tls: true disable_require_tls: true
@ -176,16 +176,16 @@ identity_providers:
oidc: oidc:
cors: cors:
allowed_origins: allowed_origins:
- https://google.com - 'https://google.com'
- https://example.com - 'https://example.com'
clients: clients:
- id: abc - id: 'abc'
secret: '${ABC_CLIENT_SECRET}' secret: '${ABC_CLIENT_SECRET}'
consent_mode: explicit consent_mode: 'explicit'
- id: xyz - id: 'xyz'
secret: '$XYZ_CLIENT_SECRET' secret: '$XYZ_CLIENT_SECRET'
consent_mode: explicit consent_mode: 'explicit'
- id: '123' - id: '123'
secret: $ANOTHER_CLIENT_SECRET secret: '$ANOTHER_CLIENT_SECRET'
consent_mode: explicit consent_mode: 'explicit'
... ...


@ -3,69 +3,69 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
theme: grey theme: 'grey'
jwt_secret: very_important_secret jwt_secret: 'very_important_secret'
default_redirection_url: https://home.example.com:8080/ default_redirection_url: 'https://home.example.com:8080/'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
ldap: ldap:
address: 'ldap://sambaldap' address: 'ldap://sambaldap'
implementation: activedirectory implementation: 'activedirectory'
tls: tls:
skip_verify: true skip_verify: true
start_tls: true start_tls: true
base_dn: DC=example,DC=com base_dn: 'DC=example,DC=com'
additional_users_dn: OU=Users additional_users_dn: 'OU=Users'
additional_groups_dn: OU=Groups additional_groups_dn: 'OU=Groups'
user: CN=Administrator,CN=Users,DC=example,DC=com user: 'CN=Administrator,CN=Users,DC=example,DC=com'
password: password password: 'password'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite3 path: '/config/db.sqlite3'
totp: totp:
issuer: example.com issuer: 'example.com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
regulation: regulation:
max_retries: 3 max_retries: 3
find_time: 300 find_time: '5m'
ban_time: 900 ban_time: '15m'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...


@ -6,49 +6,49 @@
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
# The Duo Push Notification API configuration # The Duo Push Notification API configuration
duo_api: duo_api:
hostname: duo.example.com hostname: 'duo.example.com'
integration_key: ABCDEFGHIJKL integration_key: 'ABCDEFGHIJKL'
secret_key: abcdefghijklmnopqrstuvwxyz123456789 secret_key: 'abcdefghijklmnopqrstuvwxyz123456789'
access_control: access_control:
default_policy: bypass default_policy: 'bypass'
rules: rules:
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: 'true'
... ...
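Review bot: `disable_require_tls: 'true'` at L1282 turns a boolean into the string `"true"`, unlike the same key in every other config touched by this commit (L899, L1031, L1158, L1237), which keeps the bare `true`. Depending on how strictly the config decoder handles booleans this is either a startup validation error or a silent change to whether TLS is required for the notifier, and in a quoting refactor it reads like an over-eager search-and-replace. The line should stay `disable_require_tls: true`, matching the unquoted `skip_verify: true` / `start_tls: true` style used elsewhere in these files.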


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -6,61 +6,61 @@
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
cookies: cookies:
- name: 'authelia_session' - name: 'authelia_session'
domain: 'example.com' domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /tmp/db.sqlite path: '/tmp/db.sqlite'
access_control: access_control:
default_policy: bypass default_policy: 'bypass'
rules: rules:
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
- domain: "resources.example.com" - domain: 'resources.example.com'
policy: one_factor policy: 'one_factor'
resources: ["^/resources"] resources: ['^/resources']
- domain: "method.example.com" - domain: 'method.example.com'
policy: one_factor policy: 'one_factor'
methods: ["POST"] methods: ['POST']
- domain: "network.example.com" - domain: 'network.example.com'
policy: one_factor policy: 'one_factor'
networks: ["192.168.1.0/24"] networks: ['192.168.1.0/24']
- domain: "group.example.com" - domain: 'group.example.com'
policy: one_factor policy: 'one_factor'
subject: ["group:basic"] subject: ['group:basic']
- domain: "user.example.com" - domain: 'user.example.com'
policy: one_factor policy: 'one_factor'
subject: ["user:john"] subject: ['user:john']
notifier: notifier:
filesystem: filesystem:
filename: /tmp/notification.txt filename: '/tmp/notification.txt'
... ...


@ -8,5 +8,5 @@ services:
- './CLI/users.yml:/config/users.yml' - './CLI/users.yml:/config/users.yml'
- './common/pki:/pki:ro' - './common/pki:/pki:ro'
- '/tmp:/tmp' - '/tmp:/tmp'
user: ${USER_ID}:${GROUP_ID} user: '${USER_ID}:${GROUP_ID}'
... ...


@ -1,6 +1,6 @@
--- ---
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /tmp/db.sqlite3 path: '/tmp/db.sqlite3'
... ...


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,56 +3,56 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
asset_path: '/config/assets/' asset_path: '/config/assets/'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
endpoints: endpoints:
authz: authz:
caddy: caddy:
implementation: ForwardAuth implementation: 'ForwardAuth'
authn_strategies: [] authn_strategies: []
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
access_control: access_control:
default_policy: bypass default_policy: 'bypass'
rules: rules:
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...
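Review bot: `expiration: '1h'` and `inactivity: '5m'` (L1444-L1445) replace integer seconds (`3600`, `300`) with duration strings, which is a change of value form rather than the quoting-only refactor the commit title describes; the same conversion recurs in the other suite configs here (L1520-L1522, L1566-L1568, L1624-L1626, L1686-L1688, L1756-L1758, L1834-L1836, L1965-L1966, L2035-L2037, L2060-L2061, L2088-L2090). If Authelia's duration parser accepts both forms this is harmless, but a reviewer auditing this as "quotes only" would not expect it, so the commit message should say durations were normalised as well, or that part should be split out. The trailing `# 1 hour` / `# 5 minutes` comments are now redundant with the literal and can be dropped. Note also that `3600` became `'1h'` only where the comment happened to say so; any value that was silently relying on the integer-seconds form elsewhere in the repo would need the same check.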


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,89 +3,89 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: very_important_secret jwt_secret: 'very_important_secret'
default_redirection_url: https://home.example.com:8080/ default_redirection_url: 'https://home.example.com:8080/'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite3 path: '/config/db.sqlite3'
totp: totp:
issuer: example.com issuer: 'example.com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
- domain: singlefactor.example.com - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: secure.example.com - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "*.example.com" - domain: '*.example.com'
subject: "group:admins" subject: 'group:admins'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/john/.*$" - '^/users/john/.*$'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/harry/.*$" - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: 'two_factor'
- domain: "*.mail.example.com" - domain: '*.mail.example.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/bob/.*$" - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
regulation: regulation:
# Set it to 0 to disable max_retries. # Set it to 0 to disable max_retries.
max_retries: 3 max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window. # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 300 find_time: '5m'
# The length of time before a banned user can login again. # The length of time before a banned user can login again.
ban_time: 900 ban_time: '15m'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...
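Review bot: The comment at L1565 still describes `find_time` as "a `find_time` seconds window" while the value on the next line is now the duration string `'5m'`, so the comment contradicts the value it annotates; the same stale comment sits at L1685 above `find_time: '15m'`'s sibling in the DuoPush config. Suggest `# The user is banned if the authentication failed \`max_retries\` times within the \`find_time\` window.` at both places. The `# Set it to 0 to disable max_retries.` comment at L1563 is unaffected since `max_retries` stays an integer.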


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,49 +3,49 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: very_important_secret jwt_secret: 'very_important_secret'
default_redirection_url: https://home.example.com:8080/ default_redirection_url: 'https://home.example.com:8080/'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: trace level: 'trace'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
# Configuration of the storage backend used to store data and secrets. i.e. totp data # Configuration of the storage backend used to store data and secrets. i.e. totp data
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /tmp/db.sqlite3 path: '/tmp/db.sqlite3'
# TOTP Issuer Name # TOTP Issuer Name
# #
# This will be the issuer name displayed in Google Authenticator # This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names # See: 'https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names'
totp: totp:
issuer: example.com issuer: 'example.com'
# The Duo Push Notification API configuration # The Duo Push Notification API configuration
duo_api: duo_api:
hostname: duo.example.com hostname: 'duo.example.com'
integration_key: ABCDEFGHIJKL integration_key: 'ABCDEFGHIJKL'
secret_key: abcdefghijklmnopqrstuvwxyz123456789 secret_key: 'abcdefghijklmnopqrstuvwxyz123456789'
enable_self_enrollment: true enable_self_enrollment: true
# Access Control # Access Control
@ -54,43 +54,43 @@ duo_api:
# resources. # resources.
access_control: access_control:
# Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`. # Default policy can either be `bypass`, `one_factor`, `two_factor` or `deny`.
default_policy: two_factor default_policy: 'two_factor'
rules: rules:
- domain: singlefactor.example.com - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: secure.example.com - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "*.example.com" - domain: '*.example.com'
subject: "group:admins" subject: 'group:admins'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/john/.*$" - '^/users/john/.*$'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/harry/.*$" - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: 'two_factor'
- domain: "*.mail.example.com" - domain: '*.mail.example.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/bob/.*$" - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
# Configuration of the authentication regulation mechanism. # Configuration of the authentication regulation mechanism.
regulation: regulation:
@ -98,12 +98,12 @@ regulation:
max_retries: 3 max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window. # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 300 find_time: '5m'
# The length of time before a banned user can login again. # The length of time before a banned user can login again.
ban_time: 900 ban_time: '15m'
notifier: notifier:
filesystem: filesystem:
filename: /tmp/notifier.html filename: '/tmp/notifier.html'
... ...
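Review bot: The quoting pass was applied inside a comment at L1638: `# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names` became `# See: 'https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names'`, wrapping the URL and the trailing prose together in quotes. This has no YAML effect but reads as a bug, and the identical comment in the mysql suite (L2105) was left untouched, which suggests this one was caught by a pattern match rather than intent. Restore the original comment text. The file's `integration_key` / `secret_key` values are placeholder fixture strings and quoting them is fine; only the comment needs reverting.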


@ -7,5 +7,5 @@ services:
- './DuoPush/users.yml:/config/users.yml' - './DuoPush/users.yml:/config/users.yml'
- './common/pki:/pki:ro' - './common/pki:/pki:ro'
- '/tmp:/tmp' - '/tmp:/tmp'
user: ${USER_ID}:${GROUP_ID} user: '${USER_ID}:${GROUP_ID}'
... ...


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,59 +3,59 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
asset_path: '/config/assets/' asset_path: '/config/assets/'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
endpoints: endpoints:
authz: authz:
ext-authz: ext-authz:
implementation: ExtAuthz implementation: 'ExtAuthz'
authn_strategies: [] authn_strategies: []
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- name: 'authelia_session' - name: 'authelia_session'
domain: 'example.com' domain: 'example.com'
authelia_url: 'https://login.example.com:8080/' authelia_url: 'https://login.example.com:8080/'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
access_control: access_control:
default_policy: bypass default_policy: 'bypass'
rules: rules:
- domain: "login.example.com" - domain: 'login.example.com'
policy: bypass policy: 'bypass'
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,50 +3,50 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
access_control: access_control:
default_policy: bypass default_policy: 'bypass'
rules: rules:
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,125 +3,125 @@
# Authelia configuration # # Authelia configuration #
############################################################### ###############################################################
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
totp: totp:
issuer: authelia.com issuer: 'authelia.com'
authentication_backend: authentication_backend:
ldap: ldap:
address: 'ldap://openldap' address: 'ldap://openldap'
base_dn: dc=example,dc=com base_dn: 'dc=example,dc=com'
username_attribute: uid username_attribute: 'uid'
additional_users_dn: ou=users additional_users_dn: 'ou=users'
users_filter: (&({username_attribute}={input})(objectClass=person)) users_filter: '(&({username_attribute}={input})(objectClass=person))'
additional_groups_dn: ou=groups additional_groups_dn: 'ou=groups'
groups_filter: (&(member={dn})(objectClass=groupOfNames)) groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_name_attribute: cn group_name_attribute: 'cn'
mail_attribute: mail mail_attribute: 'mail'
display_name_attribute: displayName display_name_attribute: 'displayName'
user: cn=admin,dc=example,dc=com user: 'cn=admin,dc=example,dc=com'
password: password password: 'password'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
# Rules applied to everyone # Rules applied to everyone
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: secure.example.com - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: singlefactor.example.com - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
# Rules applied to 'admins' group # Rules applied to 'admins' group
- domain: mx2.mail.example.com - domain: 'mx2.mail.example.com'
subject: "group:admins" subject: 'group:admins'
policy: deny policy: 'deny'
# Rules applied to user 'john' # Rules applied to user 'john'
- domain: "*.example.com" - domain: '*.example.com'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: 'two_factor'
- domain: "*.example.com" - domain: '*.example.com'
subject: "group:admins" subject: 'group:admins'
policy: two_factor policy: 'two_factor'
# Rules applied to 'dev' group # Rules applied to 'dev' group
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/groups/dev/.*$" - '^/groups/dev/.*$'
subject: "group:dev" subject: 'group:dev'
policy: two_factor policy: 'two_factor'
# Rules applied to user 'harry' # Rules applied to user 'harry'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/harry/.*$" - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: 'two_factor'
# Rules applied to user 'bob' # Rules applied to user 'bob'
- domain: "*.mail.example.com" - domain: '*.mail.example.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
- domain: "dev.example.com" - domain: 'dev.example.com'
resources: resources:
- "^/users/bob/.*$" - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
session: session:
name: authelia_session name: 'authelia_session'
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
redis: redis:
username: authelia username: 'authelia'
password: redis-user-password password: 'redis-user-password'
high_availability: high_availability:
sentinel_name: authelia sentinel_name: 'authelia'
sentinel_password: sentinel-server-password sentinel_password: 'sentinel-server-password'
nodes: nodes:
- host: redis-sentinel-0 - host: 'redis-sentinel-0'
port: 26379 port: 26379
- host: redis-sentinel-1 - host: 'redis-sentinel-1'
port: 26379 port: 26379
- host: redis-sentinel-2 - host: 'redis-sentinel-2'
port: 26379 port: 26379
remember_me: 1y remember_me: '1y'
regulation: regulation:
max_retries: 3 max_retries: 3
find_time: 8 find_time: '8s'
ban_time: 10 ban_time: 10
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
mysql: mysql:
address: 'tcp://mariadb:3306' address: 'tcp://mariadb:3306'
database: authelia database: 'authelia'
username: admin username: 'admin'
password: password password: 'password'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...
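Review bot: In the `regulation` block, `find_time: 8` was converted to the duration string `'8s'` (L1986) but `ban_time: 10` on the next line (L1987) is left as a bare integer, so the two sibling durations now use different forms within one mapping. Every other config in this diff converts both keys together (`'5m'` / `'15m'`), so this looks like an omission rather than a choice; suggest `ban_time: '10s'`. If Authelia still accepts integer seconds this is consistency only, but if the integer form is being retired the mismatch would surface as a config error in this suite alone.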


@ -3,73 +3,73 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
theme: dark theme: 'dark'
jwt_secret: very_important_secret jwt_secret: 'very_important_secret'
default_redirection_url: https://home.example.com:8080/ default_redirection_url: 'https://home.example.com:8080/'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
ldap: ldap:
address: 'ldaps://openldap' address: 'ldaps://openldap'
tls: tls:
skip_verify: true skip_verify: true
base_dn: dc=example,dc=com base_dn: 'dc=example,dc=com'
username_attribute: uid username_attribute: 'uid'
additional_users_dn: ou=users additional_users_dn: 'ou=users'
users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(objectClass=inetOrgPerson)) # yamllint disable-line rule:line-length users_filter: '(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)(objectClass=inetOrgPerson))' # yamllint disable-line rule:line-length
additional_groups_dn: ou=groups additional_groups_dn: 'ou=groups'
groups_filter: (&(member={dn})(objectClass=groupOfNames)) groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_name_attribute: cn group_name_attribute: 'cn'
mail_attribute: mail mail_attribute: 'mail'
display_name_attribute: displayName display_name_attribute: 'displayName'
user: cn=pwmanager,dc=example,dc=com user: 'cn=pwmanager,dc=example,dc=com'
password: password password: 'password'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite3 path: '/config/db.sqlite3'
totp: totp:
issuer: example.com issuer: 'example.com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
regulation: regulation:
max_retries: 3 max_retries: 3
find_time: 300 find_time: '5m'
ban_time: 900 ban_time: '15m'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: 'true'
... ...
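Review bot: `disable_require_tls: true` was changed to `disable_require_tls: 'true'` at L2066, which turns a boolean into the string `"true"`; every other config in this diff keeps this key unquoted (L1469, L1573, L1784, L1859, L1999), and `skip_verify: true` at L2021 in this same file is unquoted, so this is an over-application of the quoting rule. Depending on the decoder, a string in a bool-typed field is either rejected at startup or silently coerced, and since this key gates whether TLS is required for the SMTP notifier the config should fail loudly rather than quietly change transport security. Revert to `disable_require_tls: true`. A yamllint `truthy` check would not flag this, so a schema-level validation run over the suite configs is the way to catch it.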


@ -3,58 +3,58 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: very_important_secret jwt_secret: 'very_important_secret'
default_redirection_url: https://home.example.com:8080/ default_redirection_url: 'https://home.example.com:8080/'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
# Configuration of the storage backend used to store data and secrets. i.e. totp data # Configuration of the storage backend used to store data and secrets. i.e. totp data
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
mysql: mysql:
address: 'tcp://mariadb:3306' address: 'tcp://mariadb:3306'
database: authelia database: 'authelia'
username: admin username: 'admin'
password: password password: 'password'
# TOTP Issuer Name # TOTP Issuer Name
# #
# This will be the issuer name displayed in Google Authenticator # This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names # See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp: totp:
issuer: example.com issuer: 'example.com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
# Configuration of the authentication regulation mechanism. # Configuration of the authentication regulation mechanism.
regulation: regulation:
@ -62,7 +62,7 @@ regulation:
max_retries: 3 max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window. # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 8 find_time: '8s'
# The length of time before a banned user can login again. # The length of time before a banned user can login again.
ban_time: 10 ban_time: 10
@ -71,6 +71,6 @@ notifier:
# Use a SMTP server for sending notifications # Use a SMTP server for sending notifications
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...
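Review bot: `ban_time: 10` in the `@ -62,7 +62,7 @@` hunk is left as a bare integer while the sibling `find_time` on the line above it is converted to the duration string `'8s'` in the same hunk, so the two regulation fields now use different representations for the same kind of value; the comment above ban_time calls it a "length of time", so `ban_time: '10s'` would match the rest of the commit. Whether the loader still accepts a bare integer as seconds is not visible here, so treat this as a consistency point unless the duration parser has dropped integer support. The same pair appears unchanged in the later section at its `@ -63,7 +63,7 @@` hunk.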


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,14 +3,14 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
theme: auto theme: 'auto'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
telemetry: telemetry:
metrics: metrics:
@ -18,17 +18,17 @@ telemetry:
address: 'tcp://:9959' address: 'tcp://:9959'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 expiration: '1h'
inactivity: 300 inactivity: '5m'
remember_me: 1y remember_me: '1y'
cookies: cookies:
- name: 'authelia_session' - name: 'authelia_session'
domain: 'example.com' domain: 'example.com'
@ -42,153 +42,153 @@ session:
authelia_url: 'https://login.example3.com:8080' authelia_url: 'https://login.example3.com:8080'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
totp: totp:
issuer: example.com issuer: 'example.com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
# First cookie domain # First cookie domain
- domain: singlefactor.example.com - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: secure.example.com - domain: 'secure.example.com'
policy: bypass policy: 'bypass'
methods: methods:
- OPTIONS - 'OPTIONS'
- domain: secure.example.com - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "*.example.com" - domain: '*.example.com'
subject: "group:admins" subject: 'group:admins'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/john/.*$" - '^/users/john/.*$'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/harry/.*$" - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: 'two_factor'
- domain: "*.mail.example.com" - domain: '*.mail.example.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/bob/.*$" - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
# Second cookie domain # Second cookie domain
- domain: singlefactor.example2.com - domain: 'singlefactor.example2.com'
policy: one_factor policy: 'one_factor'
- domain: public.example2.com - domain: 'public.example2.com'
policy: bypass policy: 'bypass'
- domain: secure.example2.com - domain: 'secure.example2.com'
policy: bypass policy: 'bypass'
methods: methods:
- OPTIONS - 'OPTIONS'
- domain: secure.example2.com - domain: 'secure.example2.com'
policy: two_factor policy: 'two_factor'
- domain: "*.example2.com" - domain: '*.example2.com'
subject: "group:admins" subject: 'group:admins'
policy: two_factor policy: 'two_factor'
- domain: dev.example2.com - domain: 'dev.example2.com'
resources: resources:
- "^/users/john/.*$" - '^/users/john/.*$'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: 'two_factor'
- domain: dev.example2.com - domain: 'dev.example2.com'
resources: resources:
- "^/users/harry/.*$" - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: 'two_factor'
- domain: "*.mail.example2.com" - domain: '*.mail.example2.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
- domain: dev.example2.com - domain: 'dev.example2.com'
resources: resources:
- "^/users/bob/.*$" - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
# Third cookie domain # Third cookie domain
- domain: singlefactor.example3.com - domain: 'singlefactor.example3.com'
policy: one_factor policy: 'one_factor'
- domain: public.example3.com - domain: 'public.example3.com'
policy: bypass policy: 'bypass'
- domain: secure.example3.com - domain: 'secure.example3.com'
policy: bypass policy: 'bypass'
methods: methods:
- OPTIONS - 'OPTIONS'
- domain: secure.example3.com - domain: 'secure.example3.com'
policy: two_factor policy: 'two_factor'
- domain: "*.example3.com" - domain: '*.example3.com'
subject: "group:admins" subject: 'group:admins'
policy: two_factor policy: 'two_factor'
- domain: dev.example3.com - domain: 'dev.example3.com'
resources: resources:
- "^/users/john/.*$" - '^/users/john/.*$'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: 'two_factor'
- domain: dev.example3.com - domain: 'dev.example3.com'
resources: resources:
- "^/users/harry/.*$" - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: 'two_factor'
- domain: "*.mail.example3.com" - domain: '*.mail.example3.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
- domain: dev.example3.com - domain: 'dev.example3.com'
resources: resources:
- "^/users/bob/.*$" - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
regulation: regulation:
# Set it to 0 to disable max_retries. # Set it to 0 to disable max_retries.
max_retries: 3 max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window. # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 300 find_time: '5m'
# The length of time before a banned user can login again. # The length of time before a banned user can login again.
ban_time: 900 ban_time: '15m'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
ntp: ntp:
## NTP server address ## NTP server address
@ -196,7 +196,7 @@ ntp:
## ntp version ## ntp version
version: 4 version: 4
## "maximum desynchronization" is the allowed offset time between the host and the ntp server ## "maximum desynchronization" is the allowed offset time between the host and the ntp server
max_desync: 3s max_desync: '3s'
## You can enable or disable the NTP synchronization check on startup ## You can enable or disable the NTP synchronization check on startup
disable_startup_check: false disable_startup_check: false


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -6,32 +6,32 @@
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
default_redirection_url: https://home.example.com:8080/ default_redirection_url: 'https://home.example.com:8080/'
jwt_secret: very_important_secret jwt_secret: 'very_important_secret'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
# Configuration of the storage backend used to store data and secrets. i.e. totp data # Configuration of the storage backend used to store data and secrets. i.e. totp data
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
mysql: mysql:
address: 'tcp://mysql:3306' address: 'tcp://mysql:3306'
database: 'authelia' database: 'authelia'
@ -43,19 +43,19 @@ storage:
# This will be the issuer name displayed in Google Authenticator # This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names # See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp: totp:
issuer: example.com issuer: 'example.com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
# Configuration of the authentication regulation mechanism. # Configuration of the authentication regulation mechanism.
regulation: regulation:
@ -63,7 +63,7 @@ regulation:
max_retries: 3 max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window. # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 8 find_time: '8s'
# The length of time before a banned user can login again. # The length of time before a banned user can login again.
ban_time: 10 ban_time: 10
@ -72,6 +72,6 @@ notifier:
# Use a SMTP server for sending notifications # Use a SMTP server for sending notifications
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: 'true'
... ...
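Review bot: `disable_require_tls: 'true'` on the last line of the final hunk turns a boolean into the string 'true', while every other configuration file in this commit keeps `disable_require_tls: true` unquoted (for example the notifier block of the second section and of the multi-cookie config); the LDAP configuration whose tail is at the top of this view has the same quoted form. If the config loader decodes this field strictly as a boolean the quoted value will fail validation or, worse, be coerced in a loader-specific way, and because this flag decides whether the SMTP notifier may proceed without TLS, a silent mis-parse here is security-relevant rather than cosmetic. Revert to `disable_require_tls: true`; quoting applies to strings, not to booleans, and the commit is otherwise consistent on that point.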


@ -8,28 +8,26 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -6,71 +6,71 @@
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
jwt_secret: unsecure_password jwt_secret: 'unsecure_password'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
# Configuration of the storage backend used to store data and secrets. i.e. totp data # Configuration of the storage backend used to store data and secrets. i.e. totp data
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
# Access Control # Access Control
# #
# Access control is a set of rules you can use to restrict user access to certain # Access control is a set of rules you can use to restrict user access to certain
# resources. # resources.
access_control: access_control:
default_policy: deny default_policy: 'deny'
networks: networks:
- name: Clients - name: 'Clients'
networks: networks:
- 192.168.240.202/32 - 192.168.240.202/32
- 192.168.240.203/32 - 192.168.240.203/32
rules: rules:
- domain: secure.example.com - domain: 'secure.example.com'
policy: one_factor policy: 'one_factor'
networks: networks:
- 192.168.240.201/32 - 192.168.240.201/32
- domain: secure.example.com - domain: 'secure.example.com'
policy: bypass policy: 'bypass'
networks: networks:
- Clients - 'Clients'
- domain: secure.example.com - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
# Configuration of the authentication regulation mechanism. # Configuration of the authentication regulation mechanism.
regulation: regulation:
# Set it to 0 to disable max_retries. # Set it to 0 to disable max_retries.
max_retries: 3 max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window. # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 300 find_time: '5m'
# The length of time before a banned user can login again. # The length of time before a banned user can login again.
ban_time: 900 ban_time: '15m'
notifier: notifier:
# Use a SMTP server for sending notifications # Use a SMTP server for sending notifications
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...
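Review bot: The CIDR entries under `networks` (`- 192.168.240.202/32`, `- 192.168.240.203/32`, `- 192.168.240.201/32`) are left as plain scalars while the adjacent `- 'Clients'` alias and every other string in the hunk were single-quoted; since the commit's purpose is to quote YAML strings, these read as an oversight rather than a choice. They parse as strings either way, so this is a consistency point, not a correctness one: `- '192.168.240.202/32'`. The same applies to the `redirect_uris` entries (`- https://oidc.example.com:8080/oauth2/callback`) in the OIDC configuration section further down.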


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -2,78 +2,78 @@
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
# We use redis here to keep the users authenticated when Authelia restarts # We use redis here to keep the users authenticated when Authelia restarts
# It eases development. # It eases development.
redis: redis:
host: redis host: 'redis'
port: 6379 port: 6379
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
- domain: "home.example.com" - domain: 'home.example.com'
policy: bypass policy: 'bypass'
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
- domain: "oidc.example.com" - domain: 'oidc.example.com'
policy: two_factor policy: 'two_factor'
- domain: "oidc-public.example.com" - domain: 'oidc-public.example.com'
policy: bypass policy: 'bypass'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
identity_providers: identity_providers:
oidc: oidc:
enable_client_debug_messages: true enable_client_debug_messages: true
hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm hmac_secret: 'IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm'
clients: clients:
- id: oidc-tester-app - id: 'oidc-tester-app'
secret: foobar secret: 'foobar'
authorization_policy: two_factor authorization_policy: 'two_factor'
redirect_uris: redirect_uris:
- https://oidc.example.com:8080/oauth2/callback - https://oidc.example.com:8080/oauth2/callback
# This client is used for testing purpose. As of now, the app must be protected by ACLs # This client is used for testing purpose. As of now, the app must be protected by ACLs
# otherwise it won't work properly. # otherwise it won't work properly.
- id: oidc-tester-app-public - id: 'oidc-tester-app-public'
secret: foobar secret: 'foobar'
authorization_policy: one_factor authorization_policy: 'one_factor'
redirect_uris: redirect_uris:
- https://oidc-public.example.com:8080/oauth2/callback - https://oidc-public.example.com:8080/oauth2/callback
... ...


@ -3,8 +3,8 @@ version: '3'
services: services:
authelia-backend: authelia-backend:
environment: environment:
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.chain.pem AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: '/pki/public.oidc.chain.pem'
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: '/pki/private.oidc.pem'
volumes: volumes:
- './OIDC/configuration.yml:/config/configuration.yml:ro' - './OIDC/configuration.yml:/config/configuration.yml:ro'
- './OIDC/users.yml:/config/users.yml' - './OIDC/users.yml:/config/users.yml'


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -2,23 +2,23 @@
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
@ -26,55 +26,55 @@ session:
# We use redis here to keep the users authenticated when Authelia restarts # We use redis here to keep the users authenticated when Authelia restarts
# It eases development. # It eases development.
redis: redis:
host: redis host: 'redis'
port: 6379 port: 6379
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
- domain: "home.example.com" - domain: 'home.example.com'
policy: bypass policy: 'bypass'
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
- domain: "oidc.example.com" - domain: 'oidc.example.com'
policy: two_factor policy: 'two_factor'
- domain: "oidc-public.example.com" - domain: 'oidc-public.example.com'
policy: bypass policy: 'bypass'
- domain: "traefik.example.com" - domain: 'traefik.example.com'
policy: bypass policy: 'bypass'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
identity_providers: identity_providers:
oidc: oidc:
enable_client_debug_messages: true enable_client_debug_messages: true
hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm hmac_secret: 'IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm'
clients: clients:
- id: oidc-tester-app - id: 'oidc-tester-app'
secret: foobar secret: 'foobar'
authorization_policy: two_factor authorization_policy: 'two_factor'
redirect_uris: redirect_uris:
- https://oidc.example.com:8080/oauth2/callback - https://oidc.example.com:8080/oauth2/callback
# This client is used for testing purpose. As of now, the app must be protected by ACLs # This client is used for testing purpose. As of now, the app must be protected by ACLs
# otherwise it won't work properly. # otherwise it won't work properly.
- id: oidc-tester-app-public - id: 'oidc-tester-app-public'
secret: foobar secret: 'foobar'
authorization_policy: one_factor authorization_policy: 'one_factor'
redirect_uris: redirect_uris:
- https://oidc-public.example.com:8080/oauth2/callback - https://oidc-public.example.com:8080/oauth2/callback
... ...
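Review bot: The two `redirect_uris` entries (`- https://oidc.example.com:8080/oauth2/callback` and the `oidc-public` one) are the only string scalars in this section left unquoted, which contradicts the commit's stated purpose of single-quoting all YAML strings; `- 'https://oidc.example.com:8080/oauth2/callback'` would make the file uniform. Separately, `expiration: 3600` → `'1h'` and `inactivity: 300` → `'5m'` change the value's type from integer seconds to a duration string, which is a semantic change rather than a quoting refactor; presumably the loader accepts both forms, but that belongs in the commit message rather than hidden under "refactor". The same integer-to-duration conversion recurs in every later configuration.yml section of this page.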


@ -3,8 +3,8 @@ version: '3'
services: services:
authelia-backend: authelia-backend:
environment: environment:
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: /pki/public.oidc.chain.pem AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_CERTIFICATE_CHAIN_FILE: '/pki/public.oidc.chain.pem'
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: /pki/private.oidc.pem AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE: '/pki/private.oidc.pem'
volumes: volumes:
- './OIDCTraefik/configuration.yml:/config/configuration.yml:ro' - './OIDCTraefik/configuration.yml:/config/configuration.yml:ro'
- './OIDCTraefik/users.yml:/config/users.yml' - './OIDCTraefik/users.yml:/config/users.yml'


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,49 +3,49 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
default_redirection_url: https://home.example.com:8080/ default_redirection_url: 'https://home.example.com:8080/'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
- domain: singlefactor.example.com - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: home.example.com - domain: 'home.example.com'
policy: bypass policy: 'bypass'
- domain: unsafe.local - domain: 'unsafe.local'
policy: bypass policy: 'bypass'
notifier: notifier:
filesystem: filesystem:
filename: /config/notifier.html filename: '/config/notifier.html'
... ...


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,51 +3,51 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
path: 'auth' path: 'auth'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080/auth/' authelia_url: 'https://login.example.com:8080/auth/'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
access_control: access_control:
default_policy: bypass default_policy: 'bypass'
rules: rules:
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: 'true'
... ...
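Review bot: `disable_require_tls: 'true'` on the last changed line of this hunk turns a boolean into the string `'true'`, while the other configuration.yml sections in this same commit keep `disable_require_tls: true` unquoted; the same quoted boolean appears again in the later configuration.yml section that starts with `jwt_secret: 'very_important_secret'`. Whether the string is coerced back to a boolean depends on the config decoder; if it is not weakly typed this could either fail validation or silently leave TLS required for the test SMTP server, so the line should read `disable_require_tls: true`. A quoted string also sidesteps yamllint's `truthy` rule, so linting would not catch it.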


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,34 +3,34 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: very_important_secret jwt_secret: 'very_important_secret'
default_redirection_url: https://home.example.com:8080/ default_redirection_url: 'https://home.example.com:8080/'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
# Configuration of the storage backend used to store data and secrets. i.e. totp data # Configuration of the storage backend used to store data and secrets. i.e. totp data
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
postgres: postgres:
address: 'tcp://postgres:5432' address: 'tcp://postgres:5432'
database: 'authelia' database: 'authelia'
@ -42,19 +42,19 @@ storage:
# This will be the issuer name displayed in Google Authenticator # This will be the issuer name displayed in Google Authenticator
# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names # See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
totp: totp:
issuer: example.com issuer: 'example.com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
# Configuration of the authentication regulation mechanism. # Configuration of the authentication regulation mechanism.
regulation: regulation:
@ -62,7 +62,7 @@ regulation:
max_retries: 3 max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window. # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 8 find_time: '8s'
# The length of time before a banned user can login again. # The length of time before a banned user can login again.
ban_time: 10 ban_time: 10
@ -71,6 +71,6 @@ notifier:
# Use a SMTP server for sending notifications # Use a SMTP server for sending notifications
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: 'true'
... ...
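Review bot: `find_time: '8s'` in the `regulation` hunk now carries a duration string while the comment directly above it still says "in a `find_time` seconds window", and the sibling `ban_time: 10` two lines later is left as a bare integer; the mixed forms within one stanza read as if one of them was missed. Suggest either converting to `ban_time: '10s'` as well or leaving both as integers, and updating the comment to `# The user is banned if the authentication failed \`max_retries\` times within the \`find_time\` window.` so it no longer implies a seconds-only value.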


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,81 +3,81 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
default_redirection_url: https://home.example.com:8080/ default_redirection_url: 'https://home.example.com:8080/'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
cookies: cookies:
- name: 'authelia_sessin' - name: 'authelia_sessin'
domain: 'example.com' domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
inactivity: 5 inactivity: 5
expiration: 8 expiration: '8s'
remember_me: 1y remember_me: '1y'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
totp: totp:
issuer: example.com issuer: 'example.com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
- domain: singlefactor.example.com - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
- domain: "*.example.com" - domain: '*.example.com'
subject: "group:admins" subject: 'group:admins'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/john/.*$" - '^/users/john/.*$'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/harry/.*$" - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: 'two_factor'
- domain: "*.mail.example.com" - domain: '*.mail.example.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/bob/.*$" - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
regulation: regulation:
max_retries: 3 max_retries: 3
find_time: 5 find_time: '5s'
ban_time: 10 ban_time: 10
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...
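Review bot: `inactivity: 5` and `expiration: '8s'` in the `cookies` entry now use different representations for the same kind of value (the commit converts the latter to a duration string but leaves the former as an integer), and `find_time: '5s'` versus `ban_time: 10` under `regulation` has the same mismatch; pick one form per stanza, e.g. `inactivity: '5s'` and `ban_time: '10s'`. The cookie `name: 'authelia_sessin'` is an unchanged context line, but it looks like a typo for `authelia_session`; if the suite does not assert on that exact cookie name it is worth fixing in a follow-up, and if it does, a short comment saying the name is intentional would stop the next reader from "fixing" it.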


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,103 +3,103 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
theme: auto theme: 'auto'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
telemetry: telemetry:
metrics: metrics:
enabled: true enabled: true
address: tcp://0.0.0.0:9959 address: 'tcp://:9959'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
expiration: 3600 expiration: '1h'
inactivity: 300 inactivity: '5m'
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /tmp/db.sqlite3 path: '/tmp/db.sqlite3'
totp: totp:
issuer: example.com issuer: 'example.com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
- domain: singlefactor.example.com - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: secure.example.com - domain: 'secure.example.com'
policy: bypass policy: 'bypass'
methods: methods:
- OPTIONS - 'OPTIONS'
- domain: secure.example.com - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "*.example.com" - domain: '*.example.com'
subject: "group:admins" subject: 'group:admins'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/john/.*$" - '^/users/john/.*$'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/harry/.*$" - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: 'two_factor'
- domain: "*.mail.example.com" - domain: '*.mail.example.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/bob/.*$" - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
regulation: regulation:
# Set it to 0 to disable max_retries. # Set it to 0 to disable max_retries.
max_retries: 3 max_retries: 3
# The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window. # The user is banned if the authentication failed `max_retries` times in a `find_time` seconds window.
find_time: 300 find_time: '5m'
# The length of time before a banned user can login again. # The length of time before a banned user can login again.
ban_time: 900 ban_time: '15m'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
ntp: ntp:
## NTP server address ## NTP server address
address: "time.cloudflare.com:123" address: 'time.cloudflare.com:123'
## ntp version ## ntp version
version: 4 version: 4
## "maximum desynchronization" is the allowed offset time between the host and the ntp server ## "maximum desynchronization" is the allowed offset time between the host and the ntp server
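Review bot: `address: 'tcp://:9959'` under `telemetry.metrics` replaces `tcp://0.0.0.0:9959`, which is a change of the bind address rather than a quoting change; an empty host is presumably treated as all interfaces, but that assumption should be stated in the commit message, or the line kept as `address: 'tcp://0.0.0.0:9959'` to keep the refactor behaviour-neutral. In `regulation`, `find_time: '5m'` and `ban_time: '15m'` are now duration strings but the comment above still reads "in a `find_time` seconds window"; suggest `# The user is banned if the authentication failed \`max_retries\` times within the \`find_time\` window.` This section is cut off after the `ntp` comment, so the remainder of the hunk was not reviewed.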


@ -3,12 +3,12 @@ version: '3'
services: services:
authelia-backend: authelia-backend:
environment: environment:
- AUTHELIA_JWT_SECRET_FILE=/tmp/authelia/StandaloneSuite/jwt - 'AUTHELIA_JWT_SECRET_FILE=/tmp/authelia/StandaloneSuite/jwt'
- AUTHELIA_SESSION_SECRET_FILE=/tmp/authelia/StandaloneSuite/session - 'AUTHELIA_SESSION_SECRET_FILE=/tmp/authelia/StandaloneSuite/session'
volumes: volumes:
- './Standalone/configuration.yml:/config/configuration.yml:ro' - './Standalone/configuration.yml:/config/configuration.yml:ro'
- './Standalone/users.yml:/config/users.yml' - './Standalone/users.yml:/config/users.yml'
- './common/pki:/pki:ro' - './common/pki:/pki:ro'
- '/tmp:/tmp' - '/tmp:/tmp'
user: ${USER_ID}:${GROUP_ID} user: '${USER_ID}:${GROUP_ID}'
... ...


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,51 +3,51 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
asset_path: '/config/assets/' asset_path: '/config/assets/'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
access_control: access_control:
default_policy: bypass default_policy: 'bypass'
rules: rules:
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -3,58 +3,58 @@
# Authelia minimal configuration # # Authelia minimal configuration #
############################################################### ###############################################################
jwt_secret: unsecure_secret jwt_secret: 'unsecure_secret'
server: server:
address: 'tcp://:9091' address: 'tcp://:9091'
asset_path: '/config/assets/' asset_path: '/config/assets/'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
endpoints: endpoints:
authz: authz:
forward-auth: forward-auth:
implementation: ForwardAuth implementation: 'ForwardAuth'
authn_strategies: [] authn_strategies: []
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
file: file:
path: /config/users.yml path: '/config/users.yml'
session: session:
secret: unsecure_session_secret secret: 'unsecure_session_secret'
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
redis: redis:
host: redis host: 'redis'
port: 6379 port: 6379
username: authelia username: 'authelia'
password: redis-user-password password: 'redis-user-password'
storage: storage:
encryption_key: a_not_so_secure_encryption_key encryption_key: 'a_not_so_secure_encryption_key'
local: local:
path: /config/db.sqlite path: '/config/db.sqlite'
access_control: access_control:
default_policy: bypass default_policy: 'bypass'
rules: rules:
- domain: "public.example.com" - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: "admin.example.com" - domain: 'admin.example.com'
policy: two_factor policy: 'two_factor'
- domain: "secure.example.com" - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: "singlefactor.example.com" - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
ntp: ntp:
version: 3 version: 3
@ -62,6 +62,6 @@ ntp:
notifier: notifier:
smtp: smtp:
address: 'smtp://smtp:1025' address: 'smtp://smtp:1025'
sender: admin@example.com sender: 'admin@example.com'
disable_require_tls: true disable_require_tls: true
... ...


@ -8,28 +8,28 @@
# List of users # List of users
users: users:
john: john:
displayname: "John Doe" displayname: 'John Doe'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: john.doe@authelia.com email: 'john.doe@authelia.com'
groups: groups:
- admins - 'admins'
- dev - 'dev'
harry: harry:
displayname: "Harry Potter" displayname: 'Harry Potter'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: harry.potter@authelia.com email: 'harry.potter@authelia.com'
groups: [] groups: []
bob: bob:
displayname: "Bob Dylan" displayname: 'Bob Dylan'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: bob.dylan@authelia.com email: 'bob.dylan@authelia.com'
groups: groups:
- dev - 'dev'
james: james:
displayname: "James Dean" displayname: 'James Dean'
password: "$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/" # yamllint disable-line rule:line-length password: '$6$rounds=500000$jgiCMRyGXzoqpxS3$w2pJeZnnH8bwW3zzvoMWtTRfQYsHbWbD/hquuQ5vUeIyl9gdwBIt6RWk2S6afBA0DPakbeWgD/4SZPiS0hYtU/' # yamllint disable-line rule:line-length
email: james.dean@authelia.com email: 'james.dean@authelia.com'
... ...


@ -2,7 +2,7 @@
version: '3' version: '3'
networks: networks:
authelianet: authelianet:
driver: bridge driver: 'bridge'
ipam: ipam:
config: config:
- subnet: 192.168.240.0/24 - subnet: 192.168.240.0/24


@ -3,18 +3,18 @@ version: '3'
services: services:
authelia-backend: authelia-backend:
build: build:
context: example/compose/authelia context: 'example/compose/authelia'
dockerfile: Dockerfile.backend dockerfile: 'Dockerfile.backend'
args: args:
USER_ID: ${USER_ID} USER_ID: '${USER_ID}'
GROUP_ID: ${GROUP_ID} GROUP_ID: '${GROUP_ID}'
security_opt: security_opt:
- seccomp:unconfined - seccomp:unconfined
- apparmor:unconfined - apparmor:unconfined
command: /resources/entrypoint-backend.sh command: '/resources/entrypoint-backend.sh'
working_dir: /app working_dir: '/app'
cap_add: cap_add:
- SYS_PTRACE - 'SYS_PTRACE'
volumes: volumes:
- './example/compose/authelia/resources/:/resources' - './example/compose/authelia/resources/:/resources'
- '../..:/app' - '../..:/app'
@ -30,7 +30,7 @@ services:
- 'traefik.http.routers.authelia_backend.tls=true' - 'traefik.http.routers.authelia_backend.tls=true'
- 'traefik.http.services.authelia_backend.loadbalancer.server.scheme=https' - 'traefik.http.services.authelia_backend.loadbalancer.server.scheme=https'
environment: environment:
- ENVIRONMENT=dev ENVIRONMENT: 'dev'
networks: networks:
authelianet: authelianet:
ipv4_address: 192.168.240.50 ipv4_address: 192.168.240.50
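Review bot: The `security_opt` entries `- seccomp:unconfined` and `- apparmor:unconfined` stay unquoted while the neighbouring `cap_add` entry becomes `- 'SYS_PTRACE'`, so this hunk ends up mixing the two styles the commit set out to unify. The same pattern recurs in later sections: the bind-mount lists for caddy, duo-api, envoy, haproxy, nginx, redis, samba and squid keep plain `./example/...:/...` scalars beside quoted `'./example/...'` ones, and the openldap-admin port mapping `- 9090:80` is left plain although `digits:digits` port mappings are the usual motivation for quoting (`- '1025:1025'` on the smtp service shows the intended form). Either quote these as well or state in the description that only mapping values and short list items were in scope.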


@ -2,7 +2,7 @@
version: '3' version: '3'
services: services:
authelia-backend: authelia-backend:
image: authelia:dist image: 'authelia:dist'
labels: labels:
# Traefik 1.x # Traefik 1.x
- 'traefik.frontend.rule=Host:login.example.com' - 'traefik.frontend.rule=Host:login.example.com'
@ -18,8 +18,8 @@ services:
volumes: volumes:
- '../..:/authelia' - '../..:/authelia'
environment: environment:
- ENVIRONMENT=dev ENVIRONMENT: 'dev'
restart: always restart: 'always'
networks: networks:
authelianet: authelianet:
ipv4_address: 192.168.240.50 ipv4_address: 192.168.240.50


@ -3,13 +3,13 @@ version: '3'
services: services:
authelia-frontend: authelia-frontend:
build: build:
context: example/compose/authelia context: 'example/compose/authelia'
dockerfile: Dockerfile.frontend dockerfile: 'Dockerfile.frontend'
args: args:
USER_ID: ${USER_ID} USER_ID: '${USER_ID}'
GROUP_ID: ${GROUP_ID} GROUP_ID: '${GROUP_ID}'
command: '/resources/entrypoint-frontend.sh' command: '/resources/entrypoint-frontend.sh'
working_dir: /app working_dir: '/app'
stdin_open: true stdin_open: true
volumes: volumes:
- './example/compose/authelia/resources/:/resources' - './example/compose/authelia/resources/:/resources'
@ -24,7 +24,7 @@ services:
- 'traefik.http.routers.authelia_frontend.entrypoints=https' - 'traefik.http.routers.authelia_frontend.entrypoints=https'
- 'traefik.http.routers.authelia_frontend.tls=true' - 'traefik.http.routers.authelia_frontend.tls=true'
environment: environment:
- VITE_BASEPATH=${PathPrefix} VITE_BASEPATH: '${PathPrefix}'
networks: networks:
- authelianet - 'authelianet'
... ...


@ -2,7 +2,7 @@
version: '3' version: '3'
services: services:
authelia-frontend: authelia-frontend:
image: nginx:alpine image: 'nginx:alpine'
volumes: volumes:
- './example/compose/authelia/resources/nginx.conf:/etc/nginx/nginx.conf' - './example/compose/authelia/resources/nginx.conf:/etc/nginx/nginx.conf'
labels: labels:
@ -15,7 +15,7 @@ services:
- 'traefik.http.routers.authelia_frontend.tls=true' - 'traefik.http.routers.authelia_frontend.tls=true'
- 'traefik.http.services.authelia_frontend.loadbalancer.server.port=3000' - 'traefik.http.services.authelia_frontend.loadbalancer.server.port=3000'
networks: networks:
- authelianet - 'authelianet'
expose: expose:
- 3000 - 3000
... ...


@ -2,8 +2,8 @@
version: '3' version: '3'
services: services:
caddy: caddy:
# build: ./example/compose/caddy/ # used for debugging # build: './example/compose/caddy/ # used for debugging'
image: caddy:2.6.4-alpine image: 'caddy:2.6.4-alpine'
volumes: volumes:
- ./example/compose/caddy/Caddyfile:/etc/caddy/Caddyfile - ./example/compose/caddy/Caddyfile:/etc/caddy/Caddyfile
networks: networks:
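Review bot: The commented-out build line on the caddy service now reads `# build: './example/compose/caddy/ # used for debugging'`, with the trailing comment text pulled inside the quoted scalar. It has no effect while commented out, but anyone uncommenting it for the debugging it describes gets a build context of `./example/compose/caddy/ # used for debugging` instead of the directory. The line should be `# build: './example/compose/caddy/'  # used for debugging`.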


@ -2,9 +2,9 @@
version: '3' version: '3'
services: services:
duo-api: duo-api:
image: authelia/integration-duo image: 'authelia/integration-duo'
volumes: volumes:
- ./example/compose/duo-api/duo_api.js:/usr/app/src/duo_api.js - ./example/compose/duo-api/duo_api.js:/usr/app/src/duo_api.js
networks: networks:
- authelianet - 'authelianet'
... ...


@ -2,7 +2,7 @@
version: '3' version: '3'
services: services:
envoy: envoy:
image: envoyproxy/envoy:v1.26.1 image: 'envoyproxy/envoy:v1.26.1'
volumes: volumes:
- ./example/compose/envoy/envoy.yaml:/etc/envoy/envoy.yaml - ./example/compose/envoy/envoy.yaml:/etc/envoy/envoy.yaml
- ./common/pki:/pki - ./common/pki:/pki


@ -2,7 +2,7 @@
version: '3' version: '3'
services: services:
haproxy: haproxy:
image: authelia/integration-haproxy image: 'authelia/integration-haproxy'
volumes: volumes:
- ./example/compose/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro - ./example/compose/haproxy/haproxy.cfg:/usr/local/etc/haproxy/haproxy.cfg:ro
- ./example/compose/haproxy/http.lua:/usr/local/etc/haproxy/haproxy-lua-http/http.lua - ./example/compose/haproxy/http.lua:/usr/local/etc/haproxy/haproxy-lua-http/http.lua


@ -2,9 +2,9 @@
version: '3' version: '3'
services: services:
httpbin: httpbin:
image: citizenstig/httpbin image: 'citizenstig/httpbin'
networks: networks:
- authelianet - 'authelianet'
labels: labels:
# Traefik 1.x # Traefik 1.x
- 'traefik.frontend.rule=Host:public.example.com;Path:/headers' - 'traefik.frontend.rule=Host:public.example.com;Path:/headers'


@ -2,25 +2,25 @@
version: '3' version: '3'
services: services:
k3d: k3d:
image: ghcr.io/k3d-io/k3d:5.4.9-dind image: 'ghcr.io/k3d-io/k3d:5.4.9-dind'
volumes: volumes:
- './example/kube:/authelia' - './example/kube:/authelia'
- './example/kube/authelia/configs/configuration.yml:/configmaps/authelia/configuration.yml' - './example/kube/authelia/configs/configuration.yml:/configmaps/authelia/configuration.yml'
- './common/pki:/configmaps/authelia/ssl' - './common/pki:/configmaps/authelia/ssl'
- './example/compose/ldap/ldif:/configmaps/ldap' - './example/compose/ldap/ldif:/configmaps/ldap'
- './example/compose/nginx/backend:/configmaps/nginx-backend' - './example/compose/nginx/backend:/configmaps/nginx-backend'
privileged: true privileged: 'true'
networks: networks:
authelianet: authelianet:
aliases: aliases:
- public.example.com - 'public.example.com'
- secure.example.com - 'secure.example.com'
- login.example.com - 'login.example.com'
- admin.example.com - 'admin.example.com'
- dev.example.com - 'dev.example.com'
- mail.example.com - 'mail.example.com'
- kubernetes.example.com - 'kubernetes.example.com'
- traefik.example.com - 'traefik.example.com'
# Set the IP to be able to query on port 443 # Set the IP to be able to query on port 443
ipv4_address: 192.168.240.100 ipv4_address: 192.168.240.100
... ...
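Review bot: `privileged: 'true'` on the k3d service turns a boolean into a string, while the rest of the commit leaves booleans such as `stdin_open: true` and `disable_require_tls: true` unquoted. Whether a string is accepted for this field depends on the compose implementation's schema handling, and because this dind container only works with the privileged flag, either a validation error or a silently ignored value would break the Kubernetes suite. Keep it as `privileged: true`.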


@ -2,12 +2,12 @@
version: '3' version: '3'
services: services:
openldap-admin: openldap-admin:
image: osixia/phpldapadmin:0.9.0 image: 'osixia/phpldapadmin:0.9.0'
ports: ports:
- 9090:80 - 9090:80
environment: environment:
- PHPLDAPADMIN_LDAP_HOSTS=openldap PHPLDAPADMIN_LDAP_HOSTS: 'openldap'
- PHPLDAPADMIN_HTTPS=false PHPLDAPADMIN_HTTPS: 'false'
networks: networks:
- authelianet - 'authelianet'
... ...


@ -2,17 +2,17 @@
version: '3' version: '3'
services: services:
openldap: openldap:
image: osixia/openldap:1.5.0 image: 'osixia/openldap:1.5.0'
hostname: ldap.example.com hostname: 'ldap.example.com'
environment: environment:
- LDAP_ORGANISATION=MyCompany LDAP_ORGANISATION: 'MyCompany'
- LDAP_DOMAIN=example.com LDAP_DOMAIN: 'example.com'
- LDAP_ADMIN_PASSWORD=password LDAP_ADMIN_PASSWORD: 'password'
- LDAP_CONFIG_PASSWORD=password LDAP_CONFIG_PASSWORD: 'password'
- LDAP_ADDITIONAL_MODULES=memberof LDAP_ADDITIONAL_MODULES: 'memberof'
- LDAP_ADDITIONAL_SCHEMAS=openldap LDAP_ADDITIONAL_SCHEMAS: 'openldap'
- LDAP_FORCE_RECONFIGURE=true LDAP_FORCE_RECONFIGURE: 'true'
- LDAP_TLS_VERIFY_CLIENT=try LDAP_TLS_VERIFY_CLIENT: 'try'
volumes: volumes:
- './example/compose/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom' - './example/compose/ldap/ldif:/container/service/slapd/assets/config/bootstrap/ldif/custom'
command: command:
@ -20,5 +20,5 @@ services:
- '--loglevel' - '--loglevel'
- 'debug' - 'debug'
networks: networks:
- authelianet - 'authelianet'
... ...


@ -2,12 +2,12 @@
version: '3' version: '3'
services: services:
mariadb: mariadb:
image: mariadb:10.11.2 image: 'mariadb:10.11.2'
environment: environment:
- MYSQL_ROOT_PASSWORD=rootpassword MYSQL_ROOT_PASSWORD: 'rootpassword'
- MYSQL_USER=admin MYSQL_USER: 'admin'
- MYSQL_PASSWORD=password MYSQL_PASSWORD: 'password'
- MYSQL_DATABASE=authelia MYSQL_DATABASE: 'authelia'
networks: networks:
- authelianet - 'authelianet'
... ...


@ -2,12 +2,12 @@
version: '3' version: '3'
services: services:
mysql: mysql:
image: mysql:8.0 image: 'mysql:8.0'
environment: environment:
- MYSQL_ROOT_PASSWORD=rootpassword MYSQL_ROOT_PASSWORD: 'rootpassword'
- MYSQL_USER=admin MYSQL_USER: 'admin'
- MYSQL_PASSWORD=password MYSQL_PASSWORD: 'password'
- MYSQL_DATABASE=authelia MYSQL_DATABASE: 'authelia'
networks: networks:
- authelianet - 'authelianet'
... ...


@ -2,7 +2,7 @@
version: '3' version: '3'
services: services:
nginx-backend: nginx-backend:
image: nginx:alpine image: 'nginx:alpine'
labels: labels:
# Traefik 1.x # Traefik 1.x
- 'traefik.frontend.rule=Host:home.example.com,public.example.com,secure.example.com,admin.example.com,singlefactor.example.com' # yamllint disable-line rule:line-length - 'traefik.frontend.rule=Host:home.example.com,public.example.com,secure.example.com,admin.example.com,singlefactor.example.com' # yamllint disable-line rule:line-length
@ -20,5 +20,5 @@ services:
- ./example/compose/nginx/backend/html:/usr/share/nginx/html - ./example/compose/nginx/backend/html:/usr/share/nginx/html
- ./example/compose/nginx/backend/nginx.conf:/etc/nginx/nginx.conf - ./example/compose/nginx/backend/nginx.conf:/etc/nginx/nginx.conf
networks: networks:
- authelianet - 'authelianet'
... ...


@ -2,17 +2,17 @@
version: '3' version: '3'
services: services:
nginx-portal: nginx-portal:
image: nginx:alpine image: 'nginx:alpine'
volumes: volumes:
- ./example/compose/nginx/portal/nginx.conf:/etc/nginx/nginx.conf - ./example/compose/nginx/portal/nginx.conf:/etc/nginx/nginx.conf
- ./common/pki:/pki - ./common/pki:/pki
networks: networks:
authelianet: authelianet:
aliases: aliases:
- public.example.com - 'public.example.com'
- secure.example.com - 'secure.example.com'
- login.example.com - 'login.example.com'
- duo.example.com - 'duo.example.com'
# Set the IP to be able to query on port 443 # Set the IP to be able to query on port 443
ipv4_address: 192.168.240.100 ipv4_address: 192.168.240.100
... ...


@ -2,10 +2,10 @@
version: '3' version: '3'
services: services:
oidc-client: oidc-client:
image: ghcr.io/authelia/oidc-tester-app:master-aeac7f4 image: 'ghcr.io/authelia/oidc-tester-app:master-aeac7f4'
command: /entrypoint.sh command: '/entrypoint.sh'
depends_on: depends_on:
- authelia-backend - 'authelia-backend'
volumes: volumes:
- ./example/compose/oidc-client/entrypoint.sh:/entrypoint.sh - ./example/compose/oidc-client/entrypoint.sh:/entrypoint.sh
expose: expose:
@ -17,5 +17,5 @@ services:
- 'traefik.http.routers.oidc.tls=true' - 'traefik.http.routers.oidc.tls=true'
- 'traefik.http.routers.oidc.middlewares=authelia@docker' - 'traefik.http.routers.oidc.middlewares=authelia@docker'
networks: networks:
- authelianet - 'authelianet'
... ...


@ -1,12 +1,12 @@
--- ---
version: "3" version: '3'
services: services:
postgres: postgres:
image: postgres:15 image: 'postgres:15'
environment: environment:
- POSTGRES_PASSWORD=password POSTGRES_PASSWORD: 'password'
- POSTGRES_USER=admin POSTGRES_USER: 'admin'
- POSTGRES_DB=authelia POSTGRES_DB: 'authelia'
networks: networks:
- authelianet - 'authelianet'
... ...


@ -2,10 +2,10 @@
version: '3' version: '3'
services: services:
redis-node-0: redis-node-0:
image: redis:7.0-alpine image: 'redis:7.0-alpine'
command: /entrypoint.sh master command: '/entrypoint.sh master'
expose: expose:
- "6379" - '6379'
volumes: volumes:
- ./example/compose/redis/templates:/templates - ./example/compose/redis/templates:/templates
- ./example/compose/redis/users.acl:/data/users.acl - ./example/compose/redis/users.acl:/data/users.acl
@ -13,15 +13,15 @@ services:
networks: networks:
authelianet: authelianet:
aliases: aliases:
- redis-node-0.example.com - 'redis-node-0.example.com'
ipv4_address: 192.168.240.110 ipv4_address: 192.168.240.110
redis-node-1: redis-node-1:
image: redis:7.0-alpine image: 'redis:7.0-alpine'
command: /entrypoint.sh slave command: '/entrypoint.sh slave'
depends_on: depends_on:
- redis-node-0 - 'redis-node-0'
expose: expose:
- "6379" - '6379'
volumes: volumes:
- ./example/compose/redis/templates:/templates - ./example/compose/redis/templates:/templates
- ./example/compose/redis/users.acl:/data/users.acl - ./example/compose/redis/users.acl:/data/users.acl
@ -29,15 +29,15 @@ services:
networks: networks:
authelianet: authelianet:
aliases: aliases:
- redis-node-1.example.com - 'redis-node-1.example.com'
ipv4_address: 192.168.240.111 ipv4_address: 192.168.240.111
redis-node-2: redis-node-2:
image: redis:7.0-alpine image: 'redis:7.0-alpine'
command: /entrypoint.sh slave command: '/entrypoint.sh slave'
depends_on: depends_on:
- redis-node-0 - 'redis-node-0'
expose: expose:
- "6379" - '6379'
volumes: volumes:
- ./example/compose/redis/templates:/templates - ./example/compose/redis/templates:/templates
- ./example/compose/redis/users.acl:/data/users.acl - ./example/compose/redis/users.acl:/data/users.acl
@ -45,54 +45,54 @@ services:
networks: networks:
authelianet: authelianet:
aliases: aliases:
- redis-node-2.example.com - 'redis-node-2.example.com'
ipv4_address: 192.168.240.112 ipv4_address: 192.168.240.112
redis-sentinel-0: redis-sentinel-0:
image: redis:7.0-alpine image: 'redis:7.0-alpine'
command: /entrypoint.sh sentinel command: '/entrypoint.sh sentinel'
depends_on: depends_on:
- redis-node-1 - 'redis-node-1'
- redis-node-2 - 'redis-node-2'
expose: expose:
- "26379" - '26379'
volumes: volumes:
- ./example/compose/redis/templates:/templates - ./example/compose/redis/templates:/templates
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh - ./example/compose/redis/entrypoint.sh:/entrypoint.sh
networks: networks:
authelianet: authelianet:
aliases: aliases:
- redis-sentinel-0.example.com - 'redis-sentinel-0.example.com'
ipv4_address: 192.168.240.120 ipv4_address: 192.168.240.120
redis-sentinel-1: redis-sentinel-1:
image: redis:7.0-alpine image: 'redis:7.0-alpine'
command: /entrypoint.sh sentinel command: '/entrypoint.sh sentinel'
depends_on: depends_on:
- redis-node-1 - 'redis-node-1'
- redis-node-2 - 'redis-node-2'
expose: expose:
- "26379" - '26379'
volumes: volumes:
- ./example/compose/redis/templates:/templates - ./example/compose/redis/templates:/templates
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh - ./example/compose/redis/entrypoint.sh:/entrypoint.sh
networks: networks:
authelianet: authelianet:
aliases: aliases:
- redis-sentinel-1.example.com - 'redis-sentinel-1.example.com'
ipv4_address: 192.168.240.121 ipv4_address: 192.168.240.121
redis-sentinel-2: redis-sentinel-2:
image: redis:7.0-alpine image: 'redis:7.0-alpine'
command: /entrypoint.sh sentinel command: '/entrypoint.sh sentinel'
depends_on: depends_on:
- redis-node-1 - 'redis-node-1'
- redis-node-2 - 'redis-node-2'
expose: expose:
- "26379" - '26379'
volumes: volumes:
- ./example/compose/redis/templates:/templates - ./example/compose/redis/templates:/templates
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh - ./example/compose/redis/entrypoint.sh:/entrypoint.sh
networks: networks:
authelianet: authelianet:
aliases: aliases:
- redis-sentinel-2.example.com - 'redis-sentinel-2.example.com'
ipv4_address: 192.168.240.122 ipv4_address: 192.168.240.122
... ...


@ -2,14 +2,14 @@
version: '3' version: '3'
services: services:
redis: redis:
image: redis:7.0-alpine image: 'redis:7.0-alpine'
command: /entrypoint.sh master command: '/entrypoint.sh master'
expose: expose:
- "6379" - '6379'
volumes: volumes:
- ./example/compose/redis/templates:/templates - ./example/compose/redis/templates:/templates
- ./example/compose/redis/users.acl:/data/users.acl - ./example/compose/redis/users.acl:/data/users.acl
- ./example/compose/redis/entrypoint.sh:/entrypoint.sh - ./example/compose/redis/entrypoint.sh:/entrypoint.sh
networks: networks:
- authelianet - 'authelianet'
... ...


@ -2,16 +2,16 @@
version: '3' version: '3'
services: services:
sambaldap: sambaldap:
image: authelia/integration-samba image: 'authelia/integration-samba'
volumes: volumes:
- ./example/compose/samba/init.sh:/init.sh - ./example/compose/samba/init.sh:/init.sh
cap_add: cap_add:
- SYS_ADMIN - 'SYS_ADMIN'
hostname: ldap.example.com hostname: 'ldap.example.com'
environment: environment:
- DOMAIN=example.com DOMAIN: 'example.com'
- DOMAINPASS=Password1 DOMAINPASS: 'Password1'
- NOCOMPLEXITY=true NOCOMPLEXITY: 'true'
networks: networks:
- authelianet - 'authelianet'
... ...


@ -2,7 +2,7 @@
version: '3' version: '3'
services: services:
smtp: smtp:
image: schickling/mailcatcher image: 'schickling/mailcatcher'
ports: ports:
- '1025:1025' - '1025:1025'
labels: labels:
@ -14,5 +14,5 @@ services:
- 'traefik.http.routers.mail.tls=true' - 'traefik.http.routers.mail.tls=true'
- 'traefik.http.services.mail.loadbalancer.server.port=1080' - 'traefik.http.services.mail.loadbalancer.server.port=1080'
networks: networks:
- authelianet - 'authelianet'
... ...


@ -3,7 +3,7 @@ version: '3'
services: services:
# Simulates client 1. # Simulates client 1.
client-1: client-1:
image: sameersbn/squid:3.5.27-1 image: 'sameersbn/squid:3.5.27-1'
volumes: volumes:
- ./example/compose/squid/squid.conf:/etc/squid/squid.conf - ./example/compose/squid/squid.conf:/etc/squid/squid.conf
networks: networks:
@ -11,7 +11,7 @@ services:
# Set the IP to be able to query on port 443 # Set the IP to be able to query on port 443
ipv4_address: 192.168.240.201 ipv4_address: 192.168.240.201
client-2: client-2:
image: sameersbn/squid:3.5.27-1 image: 'sameersbn/squid:3.5.27-1'
volumes: volumes:
- ./example/compose/squid/squid.conf:/etc/squid/squid.conf - ./example/compose/squid/squid.conf:/etc/squid/squid.conf
networks: networks:


@ -2,7 +2,7 @@
version: '3' version: '3'
services: services:
traefik: traefik:
image: traefik:v1.7.34-alpine image: 'traefik:v1.7.34-alpine'
volumes: volumes:
- '/var/run/docker.sock:/var/run/docker.sock' - '/var/run/docker.sock:/var/run/docker.sock'
labels: labels:


@ -2,7 +2,7 @@
version: '3' version: '3'
services: services:
traefik: traefik:
image: traefik:v2.10.1 image: 'traefik:v2.10.1'
volumes: volumes:
- '/var/run/docker.sock:/var/run/docker.sock' - '/var/run/docker.sock:/var/run/docker.sock'
labels: labels:
@ -29,9 +29,9 @@ services:
networks: networks:
authelianet: authelianet:
aliases: aliases:
- public.example.com - 'public.example.com'
- secure.example.com - 'secure.example.com'
- login.example.com - 'login.example.com'
# Set the IP to be able to query on port 8080 # Set the IP to be able to query on port 8080
ipv4_address: 192.168.240.100 ipv4_address: 192.168.240.100
... ...


@ -1,138 +1,138 @@
--- ---
apiVersion: apps/v1 apiVersion: 'apps/v1'
kind: Deployment kind: 'Deployment'
metadata: metadata:
name: nginx-backend name: 'nginx-backend'
namespace: authelia namespace: 'authelia'
labels: labels:
app: nginx-backend app: 'nginx-backend'
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: nginx-backend app: 'nginx-backend'
template: template:
metadata: metadata:
labels: labels:
app: nginx-backend app: 'nginx-backend'
spec: spec:
containers: containers:
- name: nginx-backend - name: 'nginx-backend'
image: nginx:alpine image: 'nginx:alpine'
ports: ports:
- containerPort: 80 - containerPort: 80
volumeMounts: volumeMounts:
- name: nginx-config - name: 'nginx-config'
mountPath: /etc/nginx/nginx.conf mountPath: '/etc/nginx/nginx.conf'
- name: nginx-html - name: 'nginx-html'
mountPath: /usr/share/nginx/html mountPath: '/usr/share/nginx/html'
volumes: volumes:
- name: nginx-config - name: 'nginx-config'
hostPath: hostPath:
path: /configmaps/nginx-backend/nginx.conf path: '/configmaps/nginx-backend/nginx.conf'
type: File type: 'File'
- name: nginx-html - name: 'nginx-html'
hostPath: hostPath:
path: /configmaps/nginx-backend/html path: '/configmaps/nginx-backend/html'
type: Directory type: 'Directory'
... ...
--- ---
apiVersion: v1 apiVersion: 'v1'
kind: Service kind: 'Service'
metadata: metadata:
name: nginx-backend-service name: 'nginx-backend-service'
namespace: authelia namespace: 'authelia'
labels: labels:
app: nginx-backend app: 'nginx-backend'
spec: spec:
selector: selector:
app: nginx-backend app: 'nginx-backend'
ports: ports:
- port: 80 - port: 80
name: http name: 'http'
- port: 443 - port: 443
name: https name: 'https'
... ...
--- ---
apiVersion: networking.k8s.io/v1 apiVersion: 'networking.k8s.io/v1'
kind: Ingress kind: 'Ingress'
metadata: metadata:
name: nginx-backend-ingress name: 'nginx-backend-ingress'
namespace: authelia namespace: 'authelia'
annotations: annotations:
kubernetes.io/ingress.class: traefik kubernetes.io/ingress.class: 'traefik'
traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.entrypoints: 'websecure'
traefik.ingress.kubernetes.io/router.middlewares: authelia-forwardauth-authelia@kubernetescrd traefik.ingress.kubernetes.io/router.middlewares: 'authelia-forwardauth-authelia@kubernetescrd'
spec: spec:
rules: rules:
- host: home.example.com - host: 'home.example.com'
http: http:
paths: paths:
- path: / - path: '/'
pathType: Prefix pathType: 'Prefix'
backend: backend:
service: service:
name: nginx-backend-service name: 'nginx-backend-service'
port: port:
number: 80 number: 80
- host: public.example.com - host: 'public.example.com'
http: http:
paths: paths:
- path: / - path: '/'
pathType: Prefix pathType: 'Prefix'
backend: backend:
service: service:
name: nginx-backend-service name: 'nginx-backend-service'
port: port:
number: 80 number: 80
- host: admin.example.com - host: 'admin.example.com'
http: http:
paths: paths:
- path: / - path: '/'
pathType: Prefix pathType: 'Prefix'
backend: backend:
service: service:
name: nginx-backend-service name: 'nginx-backend-service'
port: port:
number: 80 number: 80
- host: dev.example.com - host: 'dev.example.com'
http: http:
paths: paths:
- path: / - path: '/'
pathType: Prefix pathType: 'Prefix'
backend: backend:
service: service:
name: nginx-backend-service name: 'nginx-backend-service'
port: port:
number: 80 number: 80
- host: mx1.mail.example.com - host: 'mx1.mail.example.com'
http: http:
paths: paths:
- path: / - path: '/'
pathType: Prefix pathType: 'Prefix'
backend: backend:
service: service:
name: nginx-backend-service name: 'nginx-backend-service'
port: port:
number: 80 number: 80
- host: mx2.mail.example.com - host: 'mx2.mail.example.com'
http: http:
paths: paths:
- path: / - path: '/'
pathType: Prefix pathType: 'Prefix'
backend: backend:
service: service:
name: nginx-backend-service name: 'nginx-backend-service'
port: port:
number: 80 number: 80
- host: singlefactor.example.com - host: 'singlefactor.example.com'
http: http:
paths: paths:
- path: / - path: '/'
pathType: Prefix pathType: 'Prefix'
backend: backend:
service: service:
name: nginx-backend-service name: 'nginx-backend-service'
port: port:
number: 80 number: 80
... ...


@ -1,145 +1,145 @@
--- ---
apiVersion: apps/v1 apiVersion: 'apps/v1'
kind: Deployment kind: 'Deployment'
metadata: metadata:
name: authelia name: 'authelia'
namespace: authelia namespace: 'authelia'
labels: labels:
app: authelia app: 'authelia'
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: authelia app: 'authelia'
template: template:
metadata: metadata:
labels: labels:
app: authelia app: 'authelia'
spec: spec:
containers: containers:
- name: authelia - name: 'authelia'
image: authelia:dist image: 'authelia:dist'
ports: ports:
- containerPort: 443 - containerPort: 443
readinessProbe: readinessProbe:
httpGet: httpGet:
scheme: HTTPS scheme: 'HTTPS'
path: /api/health path: '/api/health'
port: 443 port: 443
initialDelaySeconds: 3 initialDelaySeconds: 3
periodSeconds: 3 periodSeconds: 3
volumeMounts: volumeMounts:
- name: authelia-config - name: 'authelia-config'
mountPath: /config/configuration.yml mountPath: '/config/configuration.yml'
readOnly: true readOnly: true
- name: authelia-ssl - name: 'authelia-ssl'
mountPath: /pki mountPath: '/pki'
readOnly: true readOnly: true
- name: secrets - name: 'secrets'
mountPath: /config/secrets mountPath: '/config/secrets'
readOnly: true readOnly: true
env: env:
# We set secrets directly here for ease of deployment but all secrets # We set secrets directly here for ease of deployment but all secrets
# should be stored in the Kube Vault in production. # should be stored in the Kube Vault in production.
- name: AUTHELIA_JWT_SECRET_FILE - name: 'AUTHELIA_JWT_SECRET_FILE'
value: /config/secrets/jwt_secret value: '/config/secrets/jwt_secret'
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE - name: 'AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE'
value: /config/secrets/ldap_password value: '/config/secrets/ldap_password'
- name: AUTHELIA_SESSION_SECRET_FILE - name: 'AUTHELIA_SESSION_SECRET_FILE'
value: /config/secrets/session value: '/config/secrets/session'
- name: AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE - name: 'AUTHELIA_STORAGE_MYSQL_PASSWORD_FILE'
value: /config/secrets/sql_password value: '/config/secrets/sql_password'
- name: AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE - name: 'AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE'
value: /config/secrets/encryption_key value: '/config/secrets/encryption_key'
- name: ENVIRONMENT - name: 'ENVIRONMENT'
value: dev value: 'dev'
volumes: volumes:
- name: authelia-config - name: 'authelia-config'
hostPath: hostPath:
path: /configmaps/authelia/configuration.yml path: '/configmaps/authelia/configuration.yml'
type: File type: 'File'
- name: authelia-ssl - name: 'authelia-ssl'
hostPath: hostPath:
path: /configmaps/authelia/ssl path: '/configmaps/authelia/ssl'
type: Directory type: 'Directory'
- name: secrets - name: 'secrets'
secret: secret:
secretName: authelia secretName: 'authelia'
items: items:
- key: jwt_secret - key: 'jwt_secret'
path: jwt_secret path: 'jwt_secret'
- key: session - key: 'session'
path: session path: 'session'
- key: sql_password - key: 'sql_password'
path: sql_password path: 'sql_password'
- key: ldap_password - key: 'ldap_password'
path: ldap_password path: 'ldap_password'
- key: encryption_key - key: 'encryption_key'
path: encryption_key path: 'encryption_key'
... ...
--- ---
apiVersion: v1 apiVersion: 'v1'
kind: Service kind: 'Service'
metadata: metadata:
name: authelia-service name: 'authelia-service'
namespace: authelia namespace: 'authelia'
annotations: annotations:
traefik.ingress.kubernetes.io/service.serverstransport: authelia-skipverify@kubernetescrd traefik.ingress.kubernetes.io/service.serverstransport: 'authelia-skipverify@kubernetescrd'
spec: spec:
selector: selector:
app: authelia app: 'authelia'
ports: ports:
- protocol: TCP - protocol: 'TCP'
port: 443 port: 443
targetPort: 443 targetPort: 443
... ...
--- ---
apiVersion: v1 apiVersion: 'v1'
kind: Secret kind: 'Secret'
type: Opaque type: 'Opaque'
metadata: metadata:
name: authelia name: 'authelia'
namespace: authelia namespace: 'authelia'
labels: labels:
app: authelia app: 'authelia'
data: data:
jwt_secret: YW5fdW5zZWN1cmVfc2VjcmV0 # an_unsecure_secret jwt_secret: 'YW5fdW5zZWN1cmVfc2VjcmV0' # an_unsecure_secret
ldap_password: cGFzc3dvcmQ= # password ldap_password: 'cGFzc3dvcmQ=' # password
session: dW5zZWN1cmVfcGFzc3dvcmQ= # unsecure_password session: 'dW5zZWN1cmVfcGFzc3dvcmQ=' # unsecure_password
sql_password: cGFzc3dvcmQ= # password sql_password: 'cGFzc3dvcmQ=' # password
encryption_key: YV9ub3Rfc29fc2VjdXJlX2VuY3J5cHRpb25fa2V5 encryption_key: 'YV9ub3Rfc29fc2VjdXJlX2VuY3J5cHRpb25fa2V5'
... ...
--- ---
apiVersion: networking.k8s.io/v1 apiVersion: 'networking.k8s.io/v1'
kind: Ingress kind: 'Ingress'
metadata: metadata:
name: authelia-ingress name: 'authelia-ingress'
namespace: authelia namespace: 'authelia'
annotations: annotations:
kubernetes.io/ingress.class: traefik kubernetes.io/ingress.class: 'traefik'
traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.entrypoints: 'websecure'
spec: spec:
rules: rules:
- host: login.example.com - host: 'login.example.com'
http: http:
paths: paths:
- path: / - path: '/'
pathType: Prefix pathType: 'Prefix'
backend: backend:
service: service:
name: authelia-service name: 'authelia-service'
port: port:
number: 443 number: 443
... ...
--- ---
apiVersion: traefik.containo.us/v1alpha1 apiVersion: 'traefik.containo.us/v1alpha1'
kind: Middleware kind: 'Middleware'
metadata: metadata:
name: forwardauth-authelia name: 'forwardauth-authelia'
namespace: authelia namespace: 'authelia'
labels: labels:
app.kubernetes.io/instance: authelia app.kubernetes.io/instance: 'authelia'
app.kubernetes.io/name: authelia app.kubernetes.io/name: 'authelia'
spec: spec:
forwardAuth: forwardAuth:
address: 'https://authelia-service.authelia.svc.cluster.local/api/authz/forward-auth' address: 'https://authelia-service.authelia.svc.cluster.local/api/authz/forward-auth'
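Review bot: The authelia pod template under `template:` → `spec:` runs its container with no `securityContext`, whereas the dashboard manifests converted in this same commit set a pod-level `seccompProfile` and container-level `allowPrivilegeEscalation: false` / `readOnlyRootFilesystem: true`. Since this pass already touched every line of the Deployment, it is a natural moment to add the pod-level block `securityContext:` / `  seccompProfile:` / `    type: 'RuntimeDefault'` directly under the pod `spec:`, which is the one hardening setting that cannot break the `authelia:dist` image. I cannot tell from here whether that image tolerates a non-root uid or a read-only root filesystem, so the container-level settings used by the dashboard should be confirmed against the suite before being copied over. The `# We set secrets directly here for ease of deployment` comment on `env:` would also be worth repeating above the `Secret` document at `kind: 'Secret'`, since that is where the base64 values and their plaintext comments actually live.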


@ -3,108 +3,108 @@
# Authelia configuration # # Authelia configuration #
############################################################### ###############################################################
default_redirection_url: https://home.example.com:8080 default_redirection_url: 'https://home.example.com:8080'
server: server:
address: 'tcp://:443' address: 'tcp://:443'
tls: tls:
certificate: /pki/public.backend.crt certificate: '/pki/public.backend.crt'
key: /pki/private.backend.pem key: '/pki/private.backend.pem'
log: log:
level: debug level: 'debug'
authentication_backend: authentication_backend:
ldap: ldap:
address: 'ldaps://ldap-service' address: 'ldaps://ldap-service'
tls: tls:
skip_verify: true skip_verify: true
base_dn: dc=example,dc=com base_dn: 'dc=example,dc=com'
username_attribute: uid username_attribute: 'uid'
additional_users_dn: ou=users additional_users_dn: 'ou=users'
users_filter: (&({username_attribute}={input})(objectClass=person)) users_filter: '(&({username_attribute}={input})(objectClass=person))'
additional_groups_dn: ou=groups additional_groups_dn: 'ou=groups'
groups_filter: (&(member={dn})(objectClass=groupOfNames)) groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
group_name_attribute: cn group_name_attribute: 'cn'
mail_attribute: mail mail_attribute: 'mail'
display_name_attribute: displayName display_name_attribute: 'displayName'
user: cn=admin,dc=example,dc=com user: 'cn=admin,dc=example,dc=com'
access_control: access_control:
default_policy: deny default_policy: 'deny'
rules: rules:
# Rules applied to everyone # Rules applied to everyone
- domain: home.example.com - domain: 'home.example.com'
policy: bypass policy: 'bypass'
- domain: public.example.com - domain: 'public.example.com'
policy: bypass policy: 'bypass'
- domain: secure.example.com - domain: 'secure.example.com'
policy: two_factor policy: 'two_factor'
- domain: singlefactor.example.com - domain: 'singlefactor.example.com'
policy: one_factor policy: 'one_factor'
# Rules applied to 'admins' group # Rules applied to 'admins' group
- domain: "mx2.mail.example.com" - domain: 'mx2.mail.example.com'
subject: "group:admins" subject: 'group:admins'
policy: deny policy: 'deny'
- domain: "*.example.com" - domain: '*.example.com'
subject: "group:admins" subject: 'group:admins'
policy: two_factor policy: 'two_factor'
# Rules applied to 'dev' group # Rules applied to 'dev' group
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/groups/dev/.*$" - '^/groups/dev/.*$'
subject: "group:dev" subject: 'group:dev'
policy: two_factor policy: 'two_factor'
# Rules applied to user 'john' # Rules applied to user 'john'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/john/.*$" - '^/users/john/.*$'
subject: "user:john" subject: 'user:john'
policy: two_factor policy: 'two_factor'
# Rules applied to user 'harry' # Rules applied to user 'harry'
- domain: dev.example.com - domain: 'dev.example.com'
resources: resources:
- "^/users/harry/.*$" - '^/users/harry/.*$'
subject: "user:harry" subject: 'user:harry'
policy: two_factor policy: 'two_factor'
# Rules applied to user 'bob' # Rules applied to user 'bob'
- domain: "*.mail.example.com" - domain: '*.mail.example.com'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
- domain: "dev.example.com" - domain: 'dev.example.com'
resources: resources:
- "^/users/bob/.*$" - '^/users/bob/.*$'
subject: "user:bob" subject: 'user:bob'
policy: two_factor policy: 'two_factor'
session: session:
expiration: 3600 # 1 hour expiration: '1h' # 1 hour
inactivity: 300 # 5 minutes inactivity: '5m' # 5 minutes
remember_me: 1y remember_me: '1y'
cookies: cookies:
- domain: 'example.com' - domain: 'example.com'
authelia_url: 'https://login.example.com:8080' authelia_url: 'https://login.example.com:8080'
redis: redis:
host: redis-service host: 'redis-service'
port: 6379 port: 6379
regulation: regulation:
max_retries: 3 max_retries: 3
find_time: 120 find_time: '2m'
ban_time: 300 ban_time: '5m'
storage: storage:
mysql: mysql:
address: 'tcp://mariadb-service:3306' address: 'tcp://mariadb-service:3306'
database: authelia database: 'authelia'
username: admin username: 'admin'
notifier: notifier:
smtp: smtp:


@ -1,194 +1,194 @@
# Kubernetes Dashboard # Kubernetes Dashboard
--- ---
apiVersion: v1 apiVersion: 'v1'
kind: Namespace kind: 'Namespace'
metadata: metadata:
name: kubernetes-dashboard name: 'kubernetes-dashboard'
... ...
--- ---
apiVersion: v1 apiVersion: 'v1'
kind: ServiceAccount kind: 'ServiceAccount'
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
name: kubernetes-dashboard name: 'kubernetes-dashboard'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
... ...
--- ---
kind: Service kind: 'Service'
apiVersion: v1 apiVersion: 'v1'
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
name: kubernetes-dashboard name: 'kubernetes-dashboard'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
spec: spec:
ports: ports:
- port: 443 - port: 443
targetPort: 8443 targetPort: 8443
selector: selector:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
... ...
--- ---
apiVersion: v1 apiVersion: 'v1'
kind: Secret kind: 'Secret'
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
name: kubernetes-dashboard-certs name: 'kubernetes-dashboard-certs'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
type: Opaque type: 'Opaque'
... ...
--- ---
apiVersion: v1 apiVersion: 'v1'
kind: Secret kind: 'Secret'
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
name: kubernetes-dashboard-csrf name: 'kubernetes-dashboard-csrf'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
type: Opaque type: 'Opaque'
data: data:
csrf: "" csrf: ''
... ...
--- ---
apiVersion: v1 apiVersion: 'v1'
kind: Secret kind: 'Secret'
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
name: kubernetes-dashboard-key-holder name: 'kubernetes-dashboard-key-holder'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
type: Opaque type: 'Opaque'
... ...
--- ---
kind: ConfigMap kind: 'ConfigMap'
apiVersion: v1 apiVersion: 'v1'
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
name: kubernetes-dashboard-settings name: 'kubernetes-dashboard-settings'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
... ...
--- ---
kind: Role kind: 'Role'
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: 'rbac.authorization.k8s.io/v1'
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
name: kubernetes-dashboard name: 'kubernetes-dashboard'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
rules: rules:
# Allow Dashboard to get, update and delete Dashboard exclusive secrets. # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
- apiGroups: [""] - apiGroups: [""]
resources: ["secrets"] resources: ['secrets']
resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"] resourceNames: ['kubernetes-dashboard-key-holder', 'kubernetes-dashboard-certs', 'kubernetes-dashboard-csrf']
verbs: ["get", "update", "delete"] verbs: ['get', 'update', 'delete']
# Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map. # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
- apiGroups: [""] - apiGroups: [""]
resources: ["configmaps"] resources: ['configmaps']
resourceNames: ["kubernetes-dashboard-settings"] resourceNames: ['kubernetes-dashboard-settings']
verbs: ["get", "update"] verbs: ['get', 'update']
# Allow Dashboard to get metrics. # Allow Dashboard to get metrics.
- apiGroups: [""] - apiGroups: [""]
resources: ["services"] resources: ['services']
resourceNames: ["heapster", "dashboard-metrics-scraper"] resourceNames: ['heapster', 'dashboard-metrics-scraper']
verbs: ["proxy"] verbs: ['proxy']
- apiGroups: [""] - apiGroups: [""]
resources: ["services/proxy"] resources: ['services/proxy']
resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"] # yamllint disable-line rule:line-length resourceNames: ['heapster', 'http:heapster:', 'https:heapster:', 'dashboard-metrics-scraper', 'http:dashboard-metrics-scraper'] # yamllint disable-line rule:line-length
verbs: ["get"] verbs: ['get']
... ...
--- ---
kind: ClusterRole kind: 'ClusterRole'
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: 'rbac.authorization.k8s.io/v1'
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
name: kubernetes-dashboard name: 'kubernetes-dashboard'
rules: rules:
# Allow Metrics Scraper to get metrics from the Metrics server # Allow Metrics Scraper to get metrics from the Metrics server
- apiGroups: ["metrics.k8s.io"] - apiGroups: ['metrics.k8s.io']
resources: ["pods", "nodes"] resources: ['pods', 'nodes']
verbs: ["get", "list", "watch"] verbs: ['get', 'list', 'watch']
... ...
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: 'rbac.authorization.k8s.io/v1'
kind: RoleBinding kind: 'RoleBinding'
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
name: kubernetes-dashboard name: 'kubernetes-dashboard'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: 'rbac.authorization.k8s.io'
kind: Role kind: 'Role'
name: kubernetes-dashboard name: 'kubernetes-dashboard'
subjects: subjects:
- kind: ServiceAccount - kind: 'ServiceAccount'
name: kubernetes-dashboard name: 'kubernetes-dashboard'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
... ...
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: 'rbac.authorization.k8s.io/v1'
kind: ClusterRoleBinding kind: 'ClusterRoleBinding'
metadata: metadata:
name: kubernetes-dashboard name: 'kubernetes-dashboard'
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: 'rbac.authorization.k8s.io'
kind: ClusterRole kind: 'ClusterRole'
name: kubernetes-dashboard name: 'kubernetes-dashboard'
subjects: subjects:
- kind: ServiceAccount - kind: 'ServiceAccount'
name: kubernetes-dashboard name: 'kubernetes-dashboard'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
... ...
--- ---
kind: Deployment kind: 'Deployment'
apiVersion: apps/v1 apiVersion: 'apps/v1'
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
name: kubernetes-dashboard name: 'kubernetes-dashboard'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
spec: spec:
replicas: 1 replicas: 1
revisionHistoryLimit: 10 revisionHistoryLimit: 10
selector: selector:
matchLabels: matchLabels:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
template: template:
metadata: metadata:
labels: labels:
k8s-app: kubernetes-dashboard k8s-app: 'kubernetes-dashboard'
spec: spec:
securityContext: securityContext:
seccompProfile: seccompProfile:
type: RuntimeDefault type: 'RuntimeDefault'
containers: containers:
- name: kubernetes-dashboard - name: 'kubernetes-dashboard'
image: kubernetesui/dashboard:v2.7.0 image: 'kubernetesui/dashboard:v2.7.0'
imagePullPolicy: Always imagePullPolicy: 'Always'
ports: ports:
- containerPort: 8443 - containerPort: 8443
protocol: TCP protocol: 'TCP'
args: args:
- --auto-generate-certificates - '--auto-generate-certificates'
- --namespace=kubernetes-dashboard - '--namespace=kubernetes-dashboard'
# Uncomment the following line to manually specify Kubernetes API server Host # Uncomment the following line to manually specify Kubernetes API server Host
# If not specified, Dashboard will attempt to auto discover the API server and connect # If not specified, Dashboard will attempt to auto discover the API server and connect
# to it. Uncomment only if the default does not work. # to it. Uncomment only if the default does not work.
# - --apiserver-host=http://my-address:port # - --apiserver-host=http://my-address:port
volumeMounts: volumeMounts:
- name: kubernetes-dashboard-certs - name: 'kubernetes-dashboard-certs'
mountPath: /certs mountPath: '/certs'
# Create on-disk volume to store exec logs # Create on-disk volume to store exec logs
- mountPath: /tmp - mountPath: '/tmp'
name: tmp-volume name: 'tmp-volume'
livenessProbe: livenessProbe:
httpGet: httpGet:
scheme: HTTPS scheme: 'HTTPS'
path: / path: '/'
port: 8443 port: 8443
initialDelaySeconds: 30 initialDelaySeconds: 30
timeoutSeconds: 30 timeoutSeconds: 30
@ -198,149 +198,149 @@ spec:
runAsUser: 1001 runAsUser: 1001
runAsGroup: 2001 runAsGroup: 2001
volumes: volumes:
- name: kubernetes-dashboard-certs - name: 'kubernetes-dashboard-certs'
secret: secret:
secretName: kubernetes-dashboard-certs secretName: 'kubernetes-dashboard-certs'
- name: tmp-volume - name: 'tmp-volume'
emptyDir: {} emptyDir: {}
serviceAccountName: kubernetes-dashboard serviceAccountName: 'kubernetes-dashboard'
nodeSelector: nodeSelector:
"kubernetes.io/os": linux "kubernetes.io/os": 'linux'
# Comment the following tolerations if Dashboard must not be deployed on master # Comment the following tolerations if Dashboard must not be deployed on master
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: 'node-role.kubernetes.io/master'
effect: NoSchedule effect: 'NoSchedule'
... ...
--- ---
kind: Service kind: 'Service'
apiVersion: v1 apiVersion: 'v1'
metadata: metadata:
labels: labels:
k8s-app: dashboard-metrics-scraper k8s-app: 'dashboard-metrics-scraper'
name: dashboard-metrics-scraper name: 'dashboard-metrics-scraper'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
spec: spec:
ports: ports:
- port: 8000 - port: 8000
targetPort: 8000 targetPort: 8000
selector: selector:
k8s-app: dashboard-metrics-scraper k8s-app: 'dashboard-metrics-scraper'
... ...
--- ---
kind: Deployment kind: 'Deployment'
apiVersion: apps/v1 apiVersion: 'apps/v1'
metadata: metadata:
labels: labels:
k8s-app: dashboard-metrics-scraper k8s-app: 'dashboard-metrics-scraper'
name: dashboard-metrics-scraper name: 'dashboard-metrics-scraper'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
spec: spec:
replicas: 1 replicas: 1
revisionHistoryLimit: 10 revisionHistoryLimit: 10
selector: selector:
matchLabels: matchLabels:
k8s-app: dashboard-metrics-scraper k8s-app: 'dashboard-metrics-scraper'
template: template:
metadata: metadata:
labels: labels:
k8s-app: dashboard-metrics-scraper k8s-app: 'dashboard-metrics-scraper'
spec: spec:
securityContext: securityContext:
seccompProfile: seccompProfile:
type: RuntimeDefault type: 'RuntimeDefault'
containers: containers:
- name: dashboard-metrics-scraper - name: 'dashboard-metrics-scraper'
image: kubernetesui/metrics-scraper:v1.0.9 image: 'kubernetesui/metrics-scraper:v1.0.9'
ports: ports:
- containerPort: 8000 - containerPort: 8000
protocol: TCP protocol: 'TCP'
livenessProbe: livenessProbe:
httpGet: httpGet:
scheme: HTTP scheme: 'HTTP'
path: / path: '/'
port: 8000 port: 8000
initialDelaySeconds: 30 initialDelaySeconds: 30
timeoutSeconds: 30 timeoutSeconds: 30
volumeMounts: volumeMounts:
- mountPath: /tmp - mountPath: '/tmp'
name: tmp-volume name: 'tmp-volume'
securityContext: securityContext:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
runAsUser: 1001 runAsUser: 1001
runAsGroup: 2001 runAsGroup: 2001
serviceAccountName: kubernetes-dashboard serviceAccountName: 'kubernetes-dashboard'
nodeSelector: nodeSelector:
"kubernetes.io/os": linux "kubernetes.io/os": 'linux'
# Comment the following tolerations if Dashboard must not be deployed on master # Comment the following tolerations if Dashboard must not be deployed on master
tolerations: tolerations:
- key: node-role.kubernetes.io/master - key: 'node-role.kubernetes.io/master'
effect: NoSchedule effect: 'NoSchedule'
volumes: volumes:
- name: tmp-volume - name: 'tmp-volume'
emptyDir: {} emptyDir: {}
... ...
--- ---
apiVersion: v1 apiVersion: 'v1'
kind: ServiceAccount kind: 'ServiceAccount'
metadata: metadata:
name: admin-user name: 'admin-user'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
... ...
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: 'rbac.authorization.k8s.io/v1'
kind: ClusterRoleBinding kind: 'ClusterRoleBinding'
metadata: metadata:
name: admin-user name: 'admin-user'
roleRef: roleRef:
apiGroup: rbac.authorization.k8s.io apiGroup: 'rbac.authorization.k8s.io'
kind: ClusterRole kind: 'ClusterRole'
name: cluster-admin name: 'cluster-admin'
subjects: subjects:
- kind: ServiceAccount - kind: 'ServiceAccount'
name: admin-user name: 'admin-user'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
... ...
--- ---
apiVersion: traefik.containo.us/v1alpha1 apiVersion: 'traefik.containo.us/v1alpha1'
kind: IngressRouteTCP kind: 'IngressRouteTCP'
metadata: metadata:
name: kubernetes-dashboard-ingress name: 'kubernetes-dashboard-ingress'
namespace: kubernetes-dashboard namespace: 'kubernetes-dashboard'
spec: spec:
entryPoints: entryPoints:
- websecure - 'websecure'
routes: routes:
- match: HostSNI(`kubernetes.example.com`) - match: 'HostSNI(`kubernetes.example.com`)'
services: services:
- name: kubernetes-dashboard - name: 'kubernetes-dashboard'
port: 443 port: 443
tls: tls:
passthrough: true passthrough: true
... ...
# Traefik Dashboard # Traefik Dashboard
--- ---
apiVersion: traefik.containo.us/v1alpha1 apiVersion: 'traefik.containo.us/v1alpha1'
kind: IngressRoute kind: 'IngressRoute'
metadata: metadata:
name: traefik-dashboard-ingress name: 'traefik-dashboard-ingress'
namespace: authelia namespace: 'authelia'
spec: spec:
entryPoints: entryPoints:
- websecure - 'websecure'
routes: routes:
- match: Host(`traefik.example.com`) - match: 'Host(`traefik.example.com`)'
kind: Rule kind: 'Rule'
services: services:
- name: api@internal - name: 'api@internal'
kind: TraefikService kind: 'TraefikService'
... ...
--- ---
apiVersion: traefik.containo.us/v1alpha1 apiVersion: 'traefik.containo.us/v1alpha1'
kind: ServersTransport kind: 'ServersTransport'
metadata: metadata:
name: skipverify name: 'skipverify'
namespace: authelia namespace: 'authelia'
spec: spec:
insecureSkipVerify: true insecureSkipVerify: true
... ...
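Review bot: The single-quote conversion is incomplete in this file: each `- apiGroups: [""]` entry in the `kubernetes-dashboard` Role keeps double quotes, and the `nodeSelector` key stays `"kubernetes.io/os": 'linux'` in both Deployments, which now mixes both styles on one line; `- apiGroups: ['']` and `'kubernetes.io/os': 'linux'` would match the rest of the commit (same issue in the second hunk at the two `nodeSelector` blocks). Separately, the `admin-user` ClusterRoleBinding to `cluster-admin` and the `skipverify` ServersTransport with `insecureSkipVerify: true` carry no comment marking them as suite-only, unlike the inlined-secrets comment the authelia Deployment has. A one-line comment above each, e.g. `# Suite-only: grants cluster-admin to the dashboard login account, do not apply outside the test cluster.` and `# Suite-only: the backend uses a self-signed certificate, so Traefik skips verification here.`, would stop them being copied into a real deployment.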


@ -1,64 +1,64 @@
--- ---
apiVersion: apps/v1 apiVersion: 'apps/v1'
kind: Deployment kind: 'Deployment'
metadata: metadata:
name: ldap name: 'ldap'
namespace: authelia namespace: 'authelia'
labels: labels:
app: ldap app: 'ldap'
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: ldap app: 'ldap'
template: template:
metadata: metadata:
labels: labels:
app: ldap app: 'ldap'
spec: spec:
containers: containers:
- name: ldap - name: 'ldap'
image: osixia/openldap:1.5.0 image: 'osixia/openldap:1.5.0'
ports: ports:
- containerPort: 389 - containerPort: 389
- containerPort: 636 - containerPort: 636
args: ["--copy-service", "--loglevel", "debug"] args: ['--copy-service', '--loglevel', 'debug']
env: env:
- name: LDAP_ORGANISATION - name: 'LDAP_ORGANISATION'
value: MyCompany value: 'MyCompany'
- name: LDAP_DOMAIN - name: 'LDAP_DOMAIN'
value: example.com value: 'example.com'
- name: LDAP_ADMIN_PASSWORD - name: 'LDAP_ADMIN_PASSWORD'
value: password value: 'password'
- name: LDAP_CONFIG_PASSWORD - name: 'LDAP_CONFIG_PASSWORD'
value: password value: 'password'
- name: LDAP_ADDITIONAL_MODULES - name: 'LDAP_ADDITIONAL_MODULES'
value: memberof value: 'memberof'
- name: LDAP_ADDITIONAL_SCHEMAS - name: 'LDAP_ADDITIONAL_SCHEMAS'
value: openldap value: 'openldap'
- name: LDAP_FORCE_RECONFIGURE - name: 'LDAP_FORCE_RECONFIGURE'
value: "true" value: 'true'
- name: LDAP_TLS_VERIFY_CLIENT - name: 'LDAP_TLS_VERIFY_CLIENT'
value: try value: 'try'
volumeMounts: volumeMounts:
- name: ldap-config - name: 'ldap-config'
mountPath: /container/service/slapd/assets/config/bootstrap/ldif/custom mountPath: '/container/service/slapd/assets/config/bootstrap/ldif/custom'
volumes: volumes:
- name: ldap-config - name: 'ldap-config'
hostPath: hostPath:
path: /configmaps/ldap path: '/configmaps/ldap'
type: Directory type: 'Directory'
... ...
--- ---
apiVersion: v1 apiVersion: 'v1'
kind: Service kind: 'Service'
metadata: metadata:
name: ldap-service name: 'ldap-service'
namespace: authelia namespace: 'authelia'
spec: spec:
selector: selector:
app: ldap app: 'ldap'
ports: ports:
- protocol: TCP - protocol: 'TCP'
port: 636 port: 636
... ...
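Review bot: The `env:` block of the `ldap` Deployment inlines `LDAP_ADMIN_PASSWORD` and `LDAP_CONFIG_PASSWORD` as the literal `'password'` with no explanation, while the authelia Deployment in this commit carries `# We set secrets directly here for ease of deployment but all secrets should be stored in the Kube Vault in production.` above its `env:`. Repeating that comment above this `env:` keeps the two suite manifests consistent and makes the trade-off explicit to anyone reusing the file. The quoting itself is correct here, including `value: 'true'` for `LDAP_FORCE_RECONFIGURE`, which must stay a string for the container's env.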


@ -1,64 +1,64 @@
--- ---
apiVersion: apps/v1 apiVersion: 'apps/v1'
kind: Deployment kind: 'Deployment'
metadata: metadata:
name: mailcatcher name: 'mailcatcher'
namespace: authelia namespace: 'authelia'
labels: labels:
app: mailcatcher app: 'mailcatcher'
spec: spec:
replicas: 1 replicas: 1
selector: selector:
matchLabels: matchLabels:
app: mailcatcher app: 'mailcatcher'
template: template:
metadata: metadata:
labels: labels:
app: mailcatcher app: 'mailcatcher'
spec: spec:
containers: containers:
- name: mailcatcher - name: 'mailcatcher'
image: schickling/mailcatcher image: 'schickling/mailcatcher'
ports: ports:
- containerPort: 1025 - containerPort: 1025
- containerPort: 1080 - containerPort: 1080
... ...
--- ---
apiVersion: v1 apiVersion: 'v1'
kind: Service kind: 'Service'
metadata: metadata:
name: mailcatcher-service name: 'mailcatcher-service'
namespace: authelia namespace: 'authelia'
spec: spec:
selector: selector:
app: mailcatcher app: 'mailcatcher'
ports: ports:
- protocol: TCP - protocol: 'TCP'
port: 1080 port: 1080
name: ui name: 'ui'
- protocol: TCP - protocol: 'TCP'
port: 1025 port: 1025
name: smtp name: 'smtp'
... ...
--- ---
apiVersion: networking.k8s.io/v1 apiVersion: 'networking.k8s.io/v1'
kind: Ingress kind: 'Ingress'
metadata: metadata:
name: mailcatcher-ingress name: 'mailcatcher-ingress'
namespace: authelia namespace: 'authelia'
annotations: annotations:
kubernetes.io/ingress.class: traefik kubernetes.io/ingress.class: 'traefik'
traefik.ingress.kubernetes.io/router.entrypoints: websecure traefik.ingress.kubernetes.io/router.entrypoints: 'websecure'
spec: spec:
rules: rules:
- host: mail.example.com - host: 'mail.example.com'
http: http:
paths: paths:
- path: / - path: '/'
pathType: Prefix pathType: 'Prefix'
backend: backend:
service: service:
name: mailcatcher-service name: 'mailcatcher-service'
port: port:
number: 1080 number: 1080
... ...


@ -1,6 +1,6 @@
--- ---
apiVersion: v1 apiVersion: 'v1'
kind: Namespace kind: 'Namespace'
metadata: metadata:
name: authelia name: 'authelia'
... ...
