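---
# Authelia configuration.
# `${SECRET_EXTERNAL_DOMAIN}` is substituted by the deployment tooling and
# `{{ secret ... }}` by Authelia's own file templating, so this file is only
# valid YAML after rendering. Fixes versus the previous revision: ambiguous
# plain scalars (LDAP filters with `{`/`&`, `group:...` subjects, the
# `^/metrics.*$` regex) are quoted, flow-list spacing and quote style are
# made consistent, and `grant_types` is written as the list Authelia documents.
authentication_backend:
  ldap:
    # Plain ldap:// with start_tls disabled: the bind credentials and every
    # password check travel unencrypted on the cluster network. Only acceptable
    # while lldap is reachable solely over the cluster overlay.
    address: 'ldap://lldap.default.svc.cluster.local:5389'
    implementation: custom
    timeout: 5s
    start_tls: false
    base_dn: 'dc=home,dc=arpa'
    additional_users_dn: 'ou=people'
    # Quoted: the filters contain `(`, `&` and `{}`, all of which are YAML specials.
    users_filter: '(&({username_attribute}={input})(objectClass=person))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(member={dn})'
    # Bind account is the directory admin; a dedicated read-only bind user
    # would limit what a leaked bind password can do.
    user: 'uid=admin,ou=people,dc=home,dc=arpa'
    attributes:
      username: uid
      display_name: displayName
      group_name: cn
      mail: mail
      member_of: memberOf
  password_reset:
    disable: true
  refresh_interval: 1m

session:
  name: authelia-home-ops
  same_site: lax
  inactivity: 5m
  expiration: 1h
  remember_me: 1M
  cookies:
    - name: authelia_session
      domain: '${SECRET_EXTERNAL_DOMAIN}'
      authelia_url: 'https://auth.${SECRET_EXTERNAL_DOMAIN}'
      default_redirection_url: 'https://${SECRET_EXTERNAL_DOMAIN}'
  redis:
    host: dragonfly.database.svc.cluster.local.
    port: 6379
    database_index: 2

notifier:
  # The startup SMTP probe is off, so a broken relay only surfaces on the
  # first notification send.
  disable_startup_check: true
  smtp:
    address: 'smtp-relay.default.svc.cluster.local.:2525'
    # Cleartext SMTP to the in-cluster relay; this assumes the relay handles
    # TLS towards the upstream provider -- confirm.
    disable_require_tls: true

duo_api:
  disable: true

access_control:
  # Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'.
  # It is the policy applied to any resource if there is no policy to be
  # applied to the user.
  default_policy: two_factor
  networks:
    - name: private
      networks: ['10.0.0.0/8', '172.16.0.0/12', '192.168.0.0/16']
    # Defined but not referenced by any rule in this file.
    - name: vpn
      networks: ['10.10.0.0/16']
  # Rules are evaluated in order; the first matching rule decides.
  rules:
    # bypass Authelia WAN + LAN
    - domain: ['auth.${SECRET_EXTERNAL_DOMAIN}']
      policy: bypass
    # One factor auth for LAN
    - domain: ['*.${SECRET_EXTERNAL_DOMAIN}']
      policy: one_factor
      subject: ['group:admins', 'group:users']
      networks: ['private']
    # Deny public resources
    # The LAN rule above matches first, so this deny only applies off-LAN
    # (or to LAN users outside the listed groups).
    - domain: ['navidrome.${SECRET_EXTERNAL_DOMAIN}']
      resources: ['^/metrics.*$']
      policy: deny

identity_providers:
  oidc:
    jwks:
      # NOTE(review): `mindent 10 "|"` emits its own block indicator for a
      # multi-line PEM; combined with the explicit `|` here the rendered value
      # may begin with a literal `|` line -- check the rendered output.
      - key: |
          {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
    cors:
      endpoints: [authorization, token, revocation, introspection]
      allowed_origins_from_client_redirect_uris: true
    clients:
      # Generate client_secret:
      # https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
      # The secret files are referenced as *_DIGEST: Authelia takes the hashed
      # form of the client secret here, never the plaintext.
      - client_name: grafana
        client_id: grafana
        client_secret: '{{ secret "/config/secret/GRAFANA_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: [openid, profile, groups, email]
        redirect_uris: ['https://grafana.${SECRET_EXTERNAL_DOMAIN}/login/generic_oauth']
        userinfo_signed_response_alg: 'none'
      # PKCE is only enforced for this client.
      - client_name: jellyfin
        client_id: jellyfin
        client_secret: '{{ secret "/config/secret/JELLYFIN_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        require_pkce: true
        pkce_challenge_method: S256
        pre_configured_consent_duration: 1y
        scopes: [openid, profile, groups]
        redirect_uris: ['https://jellyfin.${SECRET_EXTERNAL_DOMAIN}/sso/OID/redirect/authelia']
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: client_secret_post
      - client_id: komga
        client_name: Komga
        client_secret: '{{ secret "/config/secret/KOMGA_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: [openid, profile, email]
        redirect_uris: ['https://komga.${SECRET_EXTERNAL_DOMAIN}/login/oauth2/code/authelia']
        # Documented as a list of strings; previously written as a bare scalar.
        grant_types: ['authorization_code']
        userinfo_signed_response_alg: 'none'
      - client_id: outline
        client_name: Outline
        client_secret: '{{ secret "/config/secret/OUTLINE_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: [openid, profile, email, offline_access]
        redirect_uris: ['https://docs.${SECRET_EXTERNAL_DOMAIN}/auth/oidc.callback']
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: client_secret_post
      # Only client allowed with a single factor; everything else is two_factor.
      - client_id: paperless
        client_name: Paperless
        client_secret: '{{ secret "/config/secret/PAPERLESS_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: one_factor
        pre_configured_consent_duration: 1y
        scopes: [openid, profile, groups, email]
        redirect_uris: ['https://paperless.${SECRET_EXTERNAL_DOMAIN}/accounts/oidc/authelia/login/callback']
        userinfo_signed_response_alg: 'none'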