auricom-home-cluster/kubernetes/apps/default/authelia/app/config/configuration.yaml

---
authentication_backend:
  ldap:
    address: ldap://lldap.default.svc.cluster.local:5389
    implementation: custom
    timeout: 5s
    start_tls: false
    base_dn: dc=home,dc=arpa
    additional_users_dn: ou=people
    users_filter: (&({username_attribute}={input})(objectClass=person))
    additional_groups_dn: ou=groups
    groups_filter: (member={dn})
    user: uid=admin,ou=people,dc=home,dc=arpa
    attributes:
      username: uid
      display_name: displayName
      group_name: cn
      mail: mail
      member_of: memberOf
  password_reset:
    disable: true
  refresh_interval: 1m

session:
  name: authelia-home-ops
  same_site: lax
  inactivity: 5m
  expiration: 1h
  remember_me: 1M
  cookies:
    - name: authelia_session
      domain: ${SECRET_EXTERNAL_DOMAIN}
      authelia_url: https://auth.${SECRET_EXTERNAL_DOMAIN}
      default_redirection_url: https://${SECRET_EXTERNAL_DOMAIN}
  redis:
    host: dragonfly.database.svc.cluster.local.
    port: 6379
    database_index: 2

notifier:
  disable_startup_check: true
  smtp:
    address: smtp-relay.default.svc.cluster.local.:2525
    disable_require_tls: true

duo_api:
  disable: true

access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
  ## resource if there is no policy to be applied to the user.
  default_policy: two_factor
  networks:
    - name: private
      networks: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
    - name: vpn
      networks: [10.10.0.0/16]
  rules:
    # bypass Authelia WAN + LAN
    - domain:
        - auth.${SECRET_EXTERNAL_DOMAIN}
      policy: bypass
    # One factor auth for LAN
    - domain:
        - "*.${SECRET_EXTERNAL_DOMAIN}"
      policy: one_factor
      subject: [group:admins, group:users]
      networks:
        - private
    # Deny public resources
    - domain: ["navidrome.${SECRET_EXTERNAL_DOMAIN}"]
      resources: [^/metrics.*$]
      policy: deny

identity_providers:
  oidc:
    jwks:
      - key: |
          {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
    cors:
      endpoints: [authorization, token, revocation, introspection]
      allowed_origins_from_client_redirect_uris: true
    clients:
    # Genereate client_secret
    # https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
      - client_name: grafana
        client_id: grafana
        client_secret: '{{ secret "/config/secret/GRAFANA_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: [openid, profile, groups, email]
        redirect_uris: ["https://grafana.${SECRET_EXTERNAL_DOMAIN}/login/generic_oauth"]
        userinfo_signed_response_alg: none
      - client_name: jellyfin
        client_id: jellyfin
        client_secret: '{{ secret "/config/secret/JELLYFIN_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        require_pkce: true
        pkce_challenge_method: S256
        pre_configured_consent_duration: 1y
        scopes: [openid, profile, groups]
        redirect_uris: [ "https://jellyfin.${SECRET_EXTERNAL_DOMAIN}/sso/OID/redirect/authelia"]
        userinfo_signed_response_alg: none
        token_endpoint_auth_method: client_secret_post
      - client_id: komga
        client_name: Komga
        client_secret: '{{ secret "/config/secret/KOMGA_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: [openid, profile, email]
        redirect_uris: ['https://komga.${SECRET_EXTERNAL_DOMAIN}/login/oauth2/code/authelia']
        grant_types: authorization_code
        userinfo_signed_response_alg: none
      - client_id: outline
        client_name: Outline
        client_secret: '{{ secret "/config/secret/OUTLINE_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: [openid, profile, email, offline_access]
        redirect_uris: ["https://docs.${SECRET_EXTERNAL_DOMAIN}/auth/oidc.callback"]
        userinfo_signed_response_alg: none
        token_endpoint_auth_method: client_secret_post
      - client_id: paperless
        client_name: Paperless
        client_secret: '{{ secret "/config/secret/PAPERLESS_OAUTH_DIGEST" }}'
        public: false
        authorization_policy: one_factor
        pre_configured_consent_duration: 1y
        scopes: [openid, profile, groups, email]
        redirect_uris: ['https://paperless.${SECRET_EXTERNAL_DOMAIN}/accounts/oidc/authelia/login/callback']
        userinfo_signed_response_alg: none