mirror of
https://github.com/auricom/home-cluster.git
synced 2025-09-17 18:24:14 +02:00
161 lines
5.7 KiB
YAML
161 lines
5.7 KiB
YAML
---
|
|
authentication_backend:
|
|
ldap:
|
|
address: ldap://lldap.default.svc.cluster.local:5389
|
|
implementation: custom
|
|
timeout: 5s
|
|
start_tls: false
|
|
base_dn: dc=home,dc=arpa
|
|
additional_users_dn: ou=people
|
|
users_filter: (&({username_attribute}={input})(objectClass=person))
|
|
additional_groups_dn: ou=groups
|
|
groups_filter: (member={dn})
|
|
user: uid=admin,ou=people,dc=home,dc=arpa
|
|
attributes:
|
|
username: uid
|
|
display_name: displayName
|
|
group_name: cn
|
|
mail: mail
|
|
member_of: memberOf
|
|
password_reset:
|
|
disable: true
|
|
refresh_interval: 1m
|
|
|
|
session:
|
|
name: authelia-home-ops
|
|
same_site: lax
|
|
inactivity: 5m
|
|
expiration: 1h
|
|
remember_me: 1M
|
|
cookies:
|
|
- name: authelia_session
|
|
domain: ${SECRET_EXTERNAL_DOMAIN}
|
|
authelia_url: https://auth.${SECRET_EXTERNAL_DOMAIN}
|
|
default_redirection_url: https://${SECRET_EXTERNAL_DOMAIN}
|
|
redis:
|
|
host: dragonfly.database.svc.cluster.local.
|
|
port: 6379
|
|
database_index: 2
|
|
|
|
notifier:
|
|
disable_startup_check: true
|
|
smtp:
|
|
address: smtp-relay.default.svc.cluster.local.:2525
|
|
disable_require_tls: true
|
|
|
|
duo_api:
|
|
disable: true
|
|
|
|
access_control:
|
|
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
|
|
## resource if there is no policy to be applied to the user.
|
|
default_policy: two_factor
|
|
networks:
|
|
- name: private
|
|
networks: [10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16]
|
|
- name: vpn
|
|
networks: [10.10.0.0/16]
|
|
rules:
|
|
# bypass Authelia WAN + LAN
|
|
- domain:
|
|
- auth.${SECRET_EXTERNAL_DOMAIN}
|
|
policy: bypass
|
|
# One factor auth for LAN
|
|
- domain:
|
|
- "*.${SECRET_EXTERNAL_DOMAIN}"
|
|
policy: one_factor
|
|
subject: [group:admins, group:users]
|
|
networks:
|
|
- private
|
|
# Deny public resources
|
|
- domain: ["navidrome.${SECRET_EXTERNAL_DOMAIN}"]
|
|
resources: [^/metrics.*$]
|
|
policy: deny
|
|
|
|
identity_providers:
|
|
oidc:
|
|
# jwks:
|
|
# - key: {{ secret "/config/secret/OIDC_JWKS_KEY" | mindent 10 "|" | msquote }}
|
|
cors:
|
|
endpoints: [authorization, token, revocation, introspection]
|
|
allowed_origins_from_client_redirect_uris: true
|
|
clients:
|
|
# Genereate client_secret
|
|
# https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
|
|
- client_id: freshrss
|
|
client_name: freshrss
|
|
client_secret: "$${FRESHRSS_OAUTH_DIGEST}"
|
|
public: false
|
|
authorization_policy: two_factor
|
|
redirect_uris: ["https://freshrss.${SECRET_EXTERNAL_DOMAIN}:443/i/oidc/"]
|
|
scopes: [openid, profile, groups, email]
|
|
userinfo_signed_response_alg: none
|
|
token_endpoint_auth_method: client_secret_basic
|
|
- client_name: grafana
|
|
client_id: grafana
|
|
client_secret: "$${GRAFANA_OAUTH_DIGEST}"
|
|
public: false
|
|
authorization_policy: two_factor
|
|
pre_configured_consent_duration: 1y
|
|
scopes: [openid, profile, groups, email]
|
|
redirect_uris: ["https://grafana.${SECRET_EXTERNAL_DOMAIN}/login/generic_oauth"]
|
|
userinfo_signed_response_alg: none
|
|
- client_name: jellyfin
|
|
client_id: jellyfin
|
|
client_secret: "$${JELLYFIN_OAUTH_DIGEST}"
|
|
public: false
|
|
authorization_policy: two_factor
|
|
require_pkce: true
|
|
pkce_challenge_method: S256
|
|
pre_configured_consent_duration: 1y
|
|
scopes: [openid, profile, groups]
|
|
redirect_uris: [ "https://jellyfin.${SECRET_EXTERNAL_DOMAIN}/sso/OID/redirect/authelia"]
|
|
userinfo_signed_response_alg: none
|
|
token_endpoint_auth_method: client_secret_post
|
|
- client_id: komga
|
|
client_name: Komga
|
|
client_secret: "$${KOMGA_OAUTH_DIGEST}"
|
|
public: false
|
|
authorization_policy: two_factor
|
|
pre_configured_consent_duration: 1y
|
|
scopes: [openid, profile, email]
|
|
redirect_uris: ['https://komga.${SECRET_EXTERNAL_DOMAIN}/login/oauth2/code/authelia']
|
|
grant_types: authorization_code
|
|
userinfo_signed_response_alg: none
|
|
- client_id: outline
|
|
client_name: Outline
|
|
client_secret: "$${OUTLINE_OAUTH_DIGEST}"
|
|
public: false
|
|
authorization_policy: two_factor
|
|
pre_configured_consent_duration: 1y
|
|
scopes: [openid, profile, email, offline_access]
|
|
redirect_uris: ["https://docs.${SECRET_EXTERNAL_DOMAIN}/auth/oidc.callback"]
|
|
userinfo_signed_response_alg: none
|
|
token_endpoint_auth_method: client_secret_post
|
|
- client_id: paperless
|
|
client_name: Paperless
|
|
client_secret: "$${PAPERLESS_OAUTH_DIGEST}"
|
|
public: false
|
|
authorization_policy: one_factor
|
|
pre_configured_consent_duration: 1y
|
|
scopes: [openid, profile, groups, email]
|
|
redirect_uris: ['https://paperless.${SECRET_EXTERNAL_DOMAIN}/accounts/oidc/authelia/login/callback']
|
|
userinfo_signed_response_alg: none
|
|
- client_id: pgadmin
|
|
client_name: pgAdmin
|
|
client_secret: '$${PGADMIN_OAUTH_DIGEST}'
|
|
public: false
|
|
authorization_policy: two_factor
|
|
pre_configured_consent_duration: 1y
|
|
scopes: [openid, profile, email]
|
|
redirect_uris: ['https://pgadmin.${SECRET_EXTERNAL_DOMAIN}/oauth2/authorize']
|
|
userinfo_signed_response_alg: none
|
|
token_endpoint_auth_method: client_secret_basic
|
|
- client_id: windmill
|
|
client_name: Windmill
|
|
client_secret: '$${WINDMILL_OAUTH_CLIENT_SECRET}'
|
|
authorization_policy: two_factor
|
|
redirect_uris: ['https://windmill.${SECRET_EXTERNAL_DOMAIN}/user/login_callback/authelia']
|
|
scopes: [openid, profile, groups, email]
|
|
userinfo_signed_response_alg: none
|