first commit

2025-12-01 14:58:40 +00:00
commit 2866bff217
28 changed files with 5515 additions and 0 deletions
--- a/authelia/configuration.yml.filesystem.template
+++ b/authelia/configuration.yml.filesystem.template
@@ -0,0 +1,105 @@
+---
+theme: light
+
+server:
+  address: 'tcp://0.0.0.0:9091'
+  endpoints:
+    authz:
+      forward-auth:
+        implementation: 'ForwardAuth'
+
+log:
+  level: info
+
+totp:
+  issuer: ${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}
+
+authentication_backend:
+  ldap:
+    address: 'ldap://lldap:3890'
+    implementation: lldap
+    timeout: 5s
+    start_tls: false
+    base_dn: ${LDAP_BASE_DN}
+    user: uid=admin,ou=people,${LDAP_BASE_DN}
+    # Password read from AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
+
+access_control:
+  default_policy: deny
+  rules:
+    - domain: ${WIKI_SUBDOMAIN}.${BASE_DOMAIN}
+      policy: ${AUTH_POLICY}
+    - domain: ${LLDAP_SUBDOMAIN}.${BASE_DOMAIN}
+      policy: ${AUTH_POLICY}
+      subject:
+        - ['group:lldap_admin']
+    - domain: ${REGISTRATION_SUBDOMAIN}.${BASE_DOMAIN}
+      resources:
+        - '^/admin(/.*)?$'
+      policy: ${AUTH_POLICY}
+      subject:
+        - ['group:lldap_admin']
+    - domain: ${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}
+      policy: bypass
+
+session:
+  # Secret read from AUTHELIA_SESSION_SECRET_FILE
+  expiration: ${SESSION_EXPIRATION}
+  inactivity: ${SESSION_INACTIVITY}
+  remember_me: ${SESSION_REMEMBER_ME}
+  cookies:
+    - domain: ${BASE_DOMAIN}
+      authelia_url: https://${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}
+      default_redirection_url: https://${GITEA_SUBDOMAIN}.${BASE_DOMAIN}
+
+regulation:
+  max_retries: ${MAX_RETRIES}
+  find_time: ${FIND_TIME}
+  ban_time: ${BAN_TIME}
+
+storage:
+  # Encryption key read from AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
+  local:
+    path: /data/db.sqlite3
+
+notifier:
+  filesystem:
+    filename: /data/notification.txt
+
+identity_validation:
+  reset_password:
+    # JWT secret read from AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
+
+identity_providers:
+  oidc:
+    # HMAC secret read from AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
+    # Issuer private key read from AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
+    enable_client_debug_messages: false
+    enforce_pkce: public_clients_only
+    lifespans:
+      access_token: ${ACCESS_TOKEN_LIFESPAN}
+      authorize_code: ${AUTHORIZE_CODE_LIFESPAN}
+      id_token: ${ID_TOKEN_LIFESPAN}
+      refresh_token: ${REFRESH_TOKEN_LIFESPAN}
+    cors:
+      endpoints:
+        - authorization
+        - token
+        - revocation
+        - introspection
+      allowed_origins_from_client_redirect_uris: true
+    clients:
+      - client_id: gitea
+        client_name: Gitea
+        client_secret: '${GITEA_OIDC_CLIENT_SECRET_HASH}'
+        public: false
+        authorization_policy: ${AUTH_POLICY}
+        redirect_uris:
+          - https://${GITEA_SUBDOMAIN}.${BASE_DOMAIN}/user/oauth2/authelia/callback
+        scopes:
+          - openid
+          - profile
+          - email
+          - groups
+        userinfo_signed_response_alg: none
+        token_endpoint_auth_method: client_secret_basic
--- a/authelia/configuration.yml.smtp.template
+++ b/authelia/configuration.yml.smtp.template
@@ -0,0 +1,114 @@
+---
+theme: light
+
+server:
+  address: 'tcp://0.0.0.0:9091'
+  endpoints:
+    authz:
+      forward-auth:
+        implementation: 'ForwardAuth'
+
+log:
+  level: info
+
+totp:
+  issuer: ${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}
+
+authentication_backend:
+  ldap:
+    address: 'ldap://lldap:3890'
+    implementation: lldap
+    timeout: 5s
+    start_tls: false
+    base_dn: ${LDAP_BASE_DN}
+    user: uid=admin,ou=people,${LDAP_BASE_DN}
+    # Password read from AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
+
+access_control:
+  default_policy: deny
+  rules:
+    - domain: ${WIKI_SUBDOMAIN}.${BASE_DOMAIN}
+      policy: ${AUTH_POLICY}
+    - domain: ${LLDAP_SUBDOMAIN}.${BASE_DOMAIN}
+      policy: ${AUTH_POLICY}
+      subject:
+        - ['group:lldap_admin']
+    - domain: ${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}
+      policy: bypass
+    - domain: ${REGISTRATION_SUBDOMAIN}.${BASE_DOMAIN}
+      resources:
+        - '^/admin(/.*)?$'
+      policy: ${AUTH_POLICY}
+      subject:
+        - ['group:lldap_admin']
+
+session:
+  # Secret read from AUTHELIA_SESSION_SECRET_FILE
+  expiration: ${SESSION_EXPIRATION}
+  inactivity: ${SESSION_INACTIVITY}
+  remember_me: ${SESSION_REMEMBER_ME}
+  cookies:
+    - domain: ${BASE_DOMAIN}
+      authelia_url: https://${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}
+      default_redirection_url: https://${GITEA_SUBDOMAIN}.${BASE_DOMAIN}
+
+regulation:
+  max_retries: ${MAX_RETRIES}
+  find_time: ${FIND_TIME}
+  ban_time: ${BAN_TIME}
+
+storage:
+  # Encryption key read from AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
+  local:
+    path: /data/db.sqlite3
+
+notifier:
+  smtp:
+    address: ${SMTP_HOST}:${SMTP_PORT}
+    timeout: 5s
+    username: ${SMTP_USER}
+    password: ${SMTP_PASSWORD}
+    sender: ${SMTP_FROM}
+    identifier: ${AUTH_SUBDOMAIN}.${BASE_DOMAIN}
+    subject: "[Authelia] {title}"
+    startup_check_address: ${REGISTRATION_ADMIN_EMAIL}
+    disable_require_tls: false
+    disable_html_emails: false
+
+identity_validation:
+  reset_password:
+    # JWT secret read from AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
+
+identity_providers:
+  oidc:
+    # HMAC secret read from AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
+    # Issuer private key read from AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
+    enable_client_debug_messages: false
+    enforce_pkce: public_clients_only
+    lifespans:
+      access_token: ${ACCESS_TOKEN_LIFESPAN}
+      authorize_code: ${AUTHORIZE_CODE_LIFESPAN}
+      id_token: ${ID_TOKEN_LIFESPAN}
+      refresh_token: ${REFRESH_TOKEN_LIFESPAN}
+    cors:
+      endpoints:
+        - authorization
+        - token
+        - revocation
+        - introspection
+      allowed_origins_from_client_redirect_uris: true
+    clients:
+      - client_id: gitea
+        client_name: Gitea
+        client_secret: '${GITEA_OIDC_CLIENT_SECRET_HASH}'
+        public: false
+        authorization_policy: ${AUTH_POLICY}
+        redirect_uris:
+          - https://${GITEA_SUBDOMAIN}.${BASE_DOMAIN}/user/oauth2/authelia/callback
+        scopes:
+          - openid
+          - profile
+          - email
+          - groups
+        userinfo_signed_response_alg: none
+        token_endpoint_auth_method: client_secret_basic
--- a/authelia/configuration.yml.template
+++ b/authelia/configuration.yml.template
@@ -0,0 +1,114 @@
+---
+theme: light
+
+server:
+  address: 'tcp://0.0.0.0:9091'
+  endpoints:
+    authz:
+      forward-auth:
+        implementation: 'ForwardAuth'
+
+log:
+  level: info
+
+totp:
+  issuer: ${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}
+
+authentication_backend:
+  ldap:
+    address: 'ldap://lldap:3890'
+    implementation: lldap
+    timeout: 5s
+    start_tls: false
+    base_dn: ${LDAP_BASE_DN}
+    user: uid=admin,ou=people,${LDAP_BASE_DN}
+    # Password read from AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
+
+access_control:
+  default_policy: deny
+  rules:
+    - domain: ${WIKI_SUBDOMAIN}.${BASE_DOMAIN}
+      policy: ${AUTH_POLICY}
+    - domain: ${LLDAP_SUBDOMAIN}.${BASE_DOMAIN}
+      policy: ${AUTH_POLICY}
+    - domain: ${REGISTRATION_SUBDOMAIN}.${BASE_DOMAIN}
+      policy: ${AUTH_POLICY}
+    - domain: ${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}
+      policy: bypass
+
+session:
+  # Secret read from AUTHELIA_SESSION_SECRET_FILE
+  expiration: ${SESSION_EXPIRATION}
+  inactivity: ${SESSION_INACTIVITY}
+  remember_me: ${SESSION_REMEMBER_ME}
+  cookies:
+    - domain: ${BASE_DOMAIN}
+      authelia_url: https://${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}
+      default_redirection_url: https://${GITEA_SUBDOMAIN}.${BASE_DOMAIN}
+
+regulation:
+  max_retries: ${MAX_RETRIES}
+  find_time: ${FIND_TIME}
+  ban_time: ${BAN_TIME}
+
+storage:
+  # Encryption key read from AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
+  local:
+    path: /data/db.sqlite3
+
+notifier:
+  # Filesystem notifier (for testing/development - writes to /data/notification.txt)
+  # Uncomment below for email notifications via SMTP
+  # smtp:
+  #   address: ${SMTP_HOST}:${SMTP_PORT}
+  #   timeout: 5s
+  #   username: ${SMTP_USER}
+  #   password: ${SMTP_PASSWORD}
+  #   sender: ${SMTP_FROM}
+  #   identifier: ${AUTH_SUBDOMAIN}.${BASE_DOMAIN}
+  #   subject: "[Authelia] {title}"
+  #   startup_check_address: ${REGISTRATION_ADMIN_EMAIL}
+  #   disable_require_tls: false
+  #   disable_html_emails: false
+
+  # Using filesystem for now - switch to SMTP when configured (see SMTP_SETUP.md)
+  filesystem:
+    filename: /data/notification.txt
+
+identity_validation:
+  reset_password:
+    # JWT secret read from AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
+
+identity_providers:
+  oidc:
+    # HMAC secret read from AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
+    # Issuer private key read from AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
+    enable_client_debug_messages: false
+    enforce_pkce: public_clients_only
+    lifespans:
+      access_token: ${ACCESS_TOKEN_LIFESPAN}
+      authorize_code: ${AUTHORIZE_CODE_LIFESPAN}
+      id_token: ${ID_TOKEN_LIFESPAN}
+      refresh_token: ${REFRESH_TOKEN_LIFESPAN}
+    cors:
+      endpoints:
+        - authorization
+        - token
+        - revocation
+        - introspection
+      allowed_origins_from_client_redirect_uris: true
+    clients:
+      - client_id: gitea
+        client_name: Gitea
+        client_secret: '${GITEA_OIDC_CLIENT_SECRET_HASH}'
+        public: false
+        authorization_policy: ${AUTH_POLICY}
+        redirect_uris:
+          - https://${GITEA_SUBDOMAIN}.${BASE_DOMAIN}/user/oauth2/authelia/callback
+        scopes:
+          - openid
+          - profile
+          - email
+          - groups
+        userinfo_signed_response_alg: none
+        token_endpoint_auth_method: client_secret_basic