2024-11-10 12:53:45 +01:00
|
|
|
---
|
|
|
|
# geklaut von: https://ruanbekker.hashnode.dev/sso-with-authelia-using-traefik-on-docker + https://www.reddit.com/r/selfhosted/comments/158quyz/authelia_ldap_groups/
|
|
|
|
|
|
|
|
server.address: "0.0.0.0:9091"
|
|
|
|
|
2024-11-10 17:29:04 +01:00
|
|
|
theme: auto
|
|
|
|
|
2024-11-10 12:53:45 +01:00
|
|
|
log:
|
|
|
|
level: debug
|
|
|
|
|
|
|
|
identity_validation:
|
|
|
|
reset_password:
|
2024-11-10 15:44:41 +01:00
|
|
|
jwt_secret: {{ lookup('viczem.keepass.keepass', 'authelia/authelia_jwt_secret', 'password') }}
|
2024-11-10 12:53:45 +01:00
|
|
|
totp:
|
|
|
|
issuer: totp.mgrote.net
|
|
|
|
|
|
|
|
access_control:
|
|
|
|
default_policy: deny
|
|
|
|
rules:
|
|
|
|
- domain: wiki.mgrote.net
|
|
|
|
policy: one_factor
|
|
|
|
subject:
|
|
|
|
- 'group:authelia_wiki'
|
2024-11-10 17:29:04 +01:00
|
|
|
- domain: rui.mgrote.net
|
|
|
|
policy: one_factor
|
|
|
|
subject:
|
|
|
|
- 'group:authelia_registry-ui'
|
2024-11-10 12:53:45 +01:00
|
|
|
|
|
|
|
session:
|
|
|
|
name: authelia_session
|
2024-11-10 15:44:41 +01:00
|
|
|
secret: {{ lookup('viczem.keepass.keepass', 'authelia/authelia_session_secret', 'password') }}
|
2024-11-10 12:53:45 +01:00
|
|
|
expiration: 3600
|
|
|
|
inactivity: 300
|
|
|
|
cookies:
|
|
|
|
- name: mgrote.net
|
|
|
|
domain: mgrote.net
|
|
|
|
authelia_url: https://auth.mgrote.net
|
|
|
|
|
|
|
|
redis:
|
|
|
|
host: authelia-redis
|
|
|
|
port: 6379
|
|
|
|
|
|
|
|
regulation:
|
|
|
|
max_retries: 3
|
|
|
|
find_time: 120
|
|
|
|
ban_time: 300
|
|
|
|
|
|
|
|
storage:
|
2024-11-10 15:44:41 +01:00
|
|
|
encryption_key: {{ lookup('viczem.keepass.keepass', 'authelia/authelia_storage_encryption_key', 'password') }}
|
2024-11-10 12:53:45 +01:00
|
|
|
mysql:
|
|
|
|
database: authelia
|
|
|
|
address: 'tcp://authelia-db:3306'
|
|
|
|
username: authelia
|
2024-11-10 15:44:41 +01:00
|
|
|
password: {{ lookup('viczem.keepass.keepass', 'authelia/authelia_mysql_password', 'password') }}
|
2024-11-10 12:53:45 +01:00
|
|
|
|
|
|
|
notifier:
|
|
|
|
smtp:
|
|
|
|
address: postfix:25
|
|
|
|
sender: no-reply-authelia@mgrote.net
|
|
|
|
disable_require_tls: true
|
|
|
|
|
|
|
|
# ldap
|
|
|
|
# https://github.com/lldap/lldap/blob/main/example_configs/authelia_config.yml
|
|
|
|
authentication_backend:
|
|
|
|
password_reset:
|
|
|
|
disable: true
|
|
|
|
refresh_interval: 1m
|
|
|
|
ldap:
|
|
|
|
implementation: custom
|
2024-11-15 20:53:26 +01:00
|
|
|
address: ldap://lldap:3890
|
2024-11-10 12:53:45 +01:00
|
|
|
timeout: 5s
|
|
|
|
start_tls: false
|
|
|
|
base_dn: dc=mgrote,dc=net
|
|
|
|
additional_users_dn: ou=people
|
|
|
|
users_filter: "(&({username_attribute}={input})(objectClass=person))"
|
|
|
|
additional_groups_dn: ou=groups
|
|
|
|
groups_filter: "(&(member={dn})(objectclass=groupOfUniqueNames))"
|
|
|
|
attributes:
|
|
|
|
display_name: displayName
|
|
|
|
username: uid
|
|
|
|
group_name: cn
|
|
|
|
mail: mail
|
|
|
|
user: uid=authelia_bind_user,ou=people,dc=mgrote,dc=net
|
2024-11-10 15:44:41 +01:00
|
|
|
password: '{{ lookup('viczem.keepass.keepass', 'authelia/lldap_authelia_bind_user', 'password') }}'
|
2024-11-10 12:53:45 +01:00
|
|
|
|
|
|
|
# Details/Doku: https://wiki.mgrote.net/pages/_Technik/hardware/rest/fpv/software/rest/ldap/
|