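---
# Authelia configuration.
#
# Every `${VAR}` placeholder below must be substituted before Authelia parses
# the file (Authelia's `expand-env` config filter or an entrypoint `envsubst`
# both use this syntax — which one this deployment uses is not visible here).
# An unset variable expands to an empty value, which YAML reads as null and
# Authelia then rejects or misreads, so all of them must be defined.
#
# No secret is stored in this file: each one is supplied through the
# AUTHELIA_*_FILE environment variable named in a comment at the relevant key.
theme: light

server:
  # Binds all interfaces on 9091; presumably a container behind a reverse
  # proxy, so only the proxy should be able to reach this port — confirm.
  address: 'tcp://0.0.0.0:9091'
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'

log:
  level: info

totp:
  issuer: ${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}

authentication_backend:
  ldap:
    # `ldap://` with start_tls disabled means the bind and searches are not
    # encrypted. `lldap` looks like a container-network hostname, which is the
    # only setting where that is acceptable — verify nothing routes it further.
    address: 'ldap://lldap:3890'
    implementation: lldap
    timeout: 5s
    start_tls: false
    base_dn: ${LDAP_BASE_DN}
    # NOTE(review): this binds as the directory admin account; a dedicated
    # read-only bind user would limit what a leaked bind password can do.
    # Confirm such an account exists in lldap before changing this value.
    user: uid=admin,ou=people,${LDAP_BASE_DN}
    # Password read from AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE

access_control:
  # Fail closed: any host without an explicit rule below is denied.
  default_policy: deny
  rules:
    - domain: ${WIKI_SUBDOMAIN}.${BASE_DOMAIN}
      policy: ${AUTH_POLICY}
    - domain: ${LLDAP_SUBDOMAIN}.${BASE_DOMAIN}
      policy: ${AUTH_POLICY}
    - domain: ${REGISTRATION_SUBDOMAIN}.${BASE_DOMAIN}
      policy: ${AUTH_POLICY}
    # The portal itself must stay reachable unauthenticated or nobody can
    # log in; presumably the proxy forward-auths this host too.
    - domain: ${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}
      policy: bypass

session:
  # Secret read from AUTHELIA_SESSION_SECRET_FILE
  expiration: ${SESSION_EXPIRATION}
  inactivity: ${SESSION_INACTIVITY}
  remember_me: ${SESSION_REMEMBER_ME}
  cookies:
    # A single cookie scoped to the base domain covers every protected subdomain.
    - domain: ${BASE_DOMAIN}
      authelia_url: https://${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}
      default_redirection_url: https://${GITEA_SUBDOMAIN}.${BASE_DOMAIN}

regulation:
  # Brute-force throttling: after max_retries failed logins within find_time
  # the account is banned for ban_time.
  max_retries: ${MAX_RETRIES}
  find_time: ${FIND_TIME}
  ban_time: ${BAN_TIME}

storage:
  # Encryption key read from AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
  local:
    path: /data/db.sqlite3

notifier:
  # Filesystem notifier (for testing/development - writes to /data/notification.txt)
  # Uncomment below for email notifications via SMTP
  # smtp:
  #   address: ${SMTP_HOST}:${SMTP_PORT}
  #   timeout: 5s
  #   username: ${SMTP_USER}
  #   # NOTE(review): when this is enabled, prefer supplying the password via
  #   # AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE, as every other secret in this
  #   # file is, instead of expanding it inline.
  #   password: ${SMTP_PASSWORD}
  #   sender: ${SMTP_FROM}
  #   # NOTE(review): AUTH_SUBDOMAIN is not used anywhere else in this file
  #   # (the rest uses AUTHELIA_SUBDOMAIN) — confirm which variable is defined.
  #   identifier: ${AUTH_SUBDOMAIN}.${BASE_DOMAIN}
  #   subject: "[Authelia] {title}"
  #   startup_check_address: ${REGISTRATION_ADMIN_EMAIL}
  #   disable_require_tls: false
  #   disable_html_emails: false

  # Using filesystem for now - switch to SMTP when configured (see SMTP_SETUP.md)
  # Password-reset and identity-verification links land in this file, so
  # whoever can read /data can complete those flows — acceptable only while
  # this stays a development setup.
  filesystem:
    filename: /data/notification.txt

identity_validation:
  # Intentionally no child keys: the only required value is the secret below.
  reset_password:
    # JWT secret read from AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE

identity_providers:
  oidc:
    # HMAC secret read from AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
    # Issuer private key read from AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
    # Keep false outside of active debugging; the extra detail in client error
    # responses is not something relying parties should see in production.
    enable_client_debug_messages: false
    enforce_pkce: public_clients_only
    lifespans:
      access_token: ${ACCESS_TOKEN_LIFESPAN}
      authorize_code: ${AUTHORIZE_CODE_LIFESPAN}
      id_token: ${ID_TOKEN_LIFESPAN}
      refresh_token: ${REFRESH_TOKEN_LIFESPAN}
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      # The CORS allow-list is derived from each client's redirect_uris, so it
      # is exactly as tight as those URIs are.
      allowed_origins_from_client_redirect_uris: true
    clients:
      - client_id: gitea
        client_name: Gitea
        # The variable name indicates this holds the hashed secret (Authelia
        # expects the digest here, not the plaintext) — confirm at deploy time.
        client_secret: '${GITEA_OIDC_CLIENT_SECRET_HASH}'
        public: false
        authorization_policy: ${AUTH_POLICY}
        redirect_uris:
          - https://${GITEA_SUBDOMAIN}.${BASE_DOMAIN}/user/oauth2/authelia/callback
        scopes:
          - openid
          - profile
          - email
          - groups
        userinfo_signed_response_alg: none
        token_endpoint_auth_method: client_secret_basic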