5e91f0c68b
- Switch from unsupported ${VAR} substitution to {{ secret "..." }} template syntax
- Enable X_AUTHELIA_CONFIG_FILTERS=template in compose
- Client secrets now loaded from /config/secrets/oidc_* files on host
- Use PBKDF2-SHA512 hashes (not bcrypt, not plaintext)
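# Authelia configuration (indentation restored from a whitespace-mangled copy).
# Values written as '{{ ... }}' are resolved by Authelia's template config
# filter, which the compose file enables via X_AUTHELIA_CONFIG_FILTERS=template.
server:
  address: 0.0.0.0:9091

log:
  level: info

totp:
  issuer: kolpacksoftware.com

webauthn:
  disable: true

authentication_backend:
  file:
    path: /config/users_database.yaml
    password:
      # Algorithm used when Authelia hashes a password itself; existing entries
      # in the users database (PBKDF2-SHA512 per the commit message) are
      # verified by the algorithm encoded in their own hash — confirm against
      # the Authelia file-backend docs.
      algorithm: argon2id

# Deny by default: only the auth portal is bypassed, everything else needs at
# least one factor, and the catch-all wildcard is further limited to admins.
access_control:
  default_policy: deny
  rules:
    - domain: auth.kolpacksoftware.com
      policy: bypass
    - domain: ultralytics.kolpacksoftware.com
      policy: one_factor
    - domain: "*.kolpacksoftware.com"
      policy: one_factor
      subject: "group:admins"

session:
  cookies:
    - domain: kolpacksoftware.com
      authelia_url: https://auth.kolpacksoftware.com
      default_redirection_url: https://kolpacksoftware.com
      name: authelia_session
      expiration: 1h
      inactivity: 5m
  # No password or TLS is configured for Redis here, so session data travels
  # in the clear; this relies on the compose network being private.
  redis:
    host: authelia-redis
    port: 6379

storage:
  local:
    path: /config/db.sqlite3

notifier:
  filesystem:
    filename: /config/notifications.txt

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

identity_providers:
  oidc:
    # The previous `${AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET}` was never
    # expanded (the commit message itself notes ${VAR} substitution is
    # unsupported), so the HMAC secret would have been that literal string.
    # Read the variable through the template filter instead; an unset variable
    # yields an empty value, which Authelia's startup validation should reject
    # rather than run with a predictable secret. If the same value is already
    # passed to Authelia directly via that environment variable (or its _FILE
    # variant), remove this key rather than defining the secret twice —
    # confirm against the Authelia secrets documentation.
    hmac_secret: '{{ env "AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET" }}'
    jwks:
      - key_id: main
        algorithm: RS256
        use: sig
        # key: HOST-MANAGED — inline /srv/authelia/config/oidc.key contents here in the
        # host copy (/srv/authelia/config/configuration.yml). Never commit the key to git.
        # Generate with: openssl genrsa -out /srv/authelia/config/oidc.key 4096
        # NOTE(review): with the template filter enabled, the key could instead be
        # read from that file with the same `secret` function (a multi-line PEM
        # needs Authelia's indent/quote template helpers — see its templating
        # reference), so the host copy no longer diverges from this file. Verify
        # before relying on it.
    clients:
      - client_id: open-webui
        client_name: Open WebUI
        # The secret file must hold the hashed form (PBKDF2-SHA512 per the
        # commit message), not the plaintext value configured on the client.
        client_secret: '{{ secret "/config/secrets/oidc_open_webui" }}'
        public: false
        authorization_policy: one_factor
        token_endpoint_auth_method: client_secret_post
        redirect_uris:
          - https://open-webui.kolpacksoftware.com/oauth/oidc/callback
        scopes:
          - openid
          - profile
          - email
        userinfo_signed_response_alg: none

      - client_id: linkding
        client_name: Linkding
        # Hashed secret, as above.
        client_secret: '{{ secret "/config/secrets/oidc_linkding" }}'
        public: false
        authorization_policy: one_factor
        token_endpoint_auth_method: client_secret_post
        redirect_uris:
          - https://linkding.kolpacksoftware.com/oidc/callback/
        scopes:
          - openid
          - profile
          - email
          - groups
        userinfo_signed_response_alg: none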