Initial commit (I feel unsafe)
This commit is contained in:
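--- a/authelia_server-configuration.yaml
+++ b/authelia_server-configuration.yaml
@@ -0,0 +1,164 @@
+authentication_backend:
+file:
+path: /config/users.yaml
+watch: true
+
+access_control:
+default_policy: deny
+networks:
+- name: 'internal'
+networks:
+- '10.0.0.0/8'
+- '172.16.0.0/12'
+- '192.168.0.0/18'
+rules:
+# go from most to least specific
+###### bypasses ######
+# CORS preflight
+- domain: '*.knravish.me'
+methods: 'OPTIONS'
+policy: 'bypass'
+### status endpoints ###
+# https://auth.knravish.me/api/health - status
+- domain: 'auth.knravish.me'
+resources: '^\/api\/health$'
+policy: 'bypass'
+# https://budget.knravish.me/info - info
+- domain: 'budget.knravish.me'
+resources: '^\/info$'
+policy: 'bypass'
+# https://blog.knravish.me/ghost/api/admin/site - info
+- domain: 'blog.knravish.me'
+resources: '^\/ghost\/api\/admin\/site$'
+policy: 'bypass'
+# # https://git.knravish.me/api/healthz - health
+# - domain: 'git.knravish.me'
+# resources: '^\/api\/healthz$'
+# policy: 'bypass'
+# https://notes.knravish.me/api/v1/workspace/profile - info
+- domain: 'notes.knravish.me'
+resources: '^\/api\/v1\/workspace\/profile$'
+policy: 'bypass'
+# https://pdf.knravish.me/api/v1/info/status - status
+- domain: 'pdf.knravish.me'
+resources: '^\/api\/v1\/info\/status$'
+policy: 'bypass'
+# https://planning.knravish.me/manifest.webmanifest - PWA
+# for the homepage widget
+# https://planning.knravish.me/api/v1/projects
+# https://planning.knravish.me/api/v1/tasks/all?filter=done%3Dfalse&sort_by=due_date
+- domain: 'planning.knravish.me'
+resources:
+- '^\/manifest.webmanifest$'
+- '^\/api\/v1\/projects$'
+- '^\/api\/v1\/tasks\/all\?filter=done%3Dfalse&sort_by=due_date$'
+policy: 'bypass'
+# https://recipes.knravish.me/api/app/about - status
+- domain: 'recipes.knravish.me'
+resources:
+- '^\/api\/households\/statistics$' # homepage widget
+- '^\/api\/app\/about$'
+policy: 'bypass'
+# https://syncthing.knravish.me/rest/noauth/health
+- domain: 'syncthing.knravish.me'
+resources: '^\/rest\/noauth\/health$'
+policy: 'bypass'
+# https://vpn.knravish.me/api/release - status
+- domain: 'vpn.knravish.me'
+resources:
+- '^\/api\/wireguard\/client$' # homepage widget
+- '^\/api\/release$'
+policy: 'bypass'
+# https://vtt.knravish.me/api/status
+- domain: 'vtt.knravish.me'
+resources: '^\/api\/status$'
+policy: 'bypass'
+###### 1FA ######
+# sensitive data - only self
+- domain:
+- 'budget.knravish.me'
+subject:
+- 'user:self'
+policy: 'one_factor'
+# sensitive admin - only self
+- domain:
+- 'vpn.knravish.me'
+- 'syncthing.knravish.me'
+subject:
+- 'user:self'
+policy: 'one_factor'
+# ghost blog admin
+- domain: 'blog.knravish.me'
+resources: '^\/ghost([\/?].*)?$'
+subject:
+- 'group:admin'
+policy: 'one_factor'
+# foundry VTT
+- domain: 'vtt.knravish.me'
+subject:
+- 'group:admin'
+- 'group:foundry'
+policy: 'one_factor'
+# mealie recipes
+- domain: 'recipes.knravish.me'
+subject:
+- 'group:admin'
+- 'group:mealie'
+policy: 'one_factor'
+###### 2FA ######
+# master bypass - super_admin (currently only self)
+- domain: '*.knravish.me'
+subject:
+- 'group:super_admin'
+policy: 'two_factor'
+
+password_policy:
+zxcvbn:
+enabled: true
+
+# SECRET
+# identity_validation:
+# reset_password:
+# jwt_secret: ''
+
+session:
+# SECRET
+# secret: ''
+redis:
+host: 'authelia-redis'
+inactivity: '1w'
+expiration: '2w'
+remember_me: '3M'
+cookies:
+- domain: 'knravish.me'
+authelia_url: 'https://auth.knravish.me'
+
+storage:
+# SECRET
+# encryption_key: ''
+local:
+path: '/config/db.sqlite3'
+
+notifier:
+smtp:
+address: 'smtp://smtp.purelymail.com:587'
+timeout: '15s'
+username: 'noreply@knravish.me'
+# SECRET
+# password: ''
+sender: 'Authelia <noreply@knravish.me>'
+identifier: 'knravish.me'
+subject: '[Authelia] {title}'
+
+theme: 'auto'
+
+server:
+endpoints:
+authz:
+auth-request:
+implementation: 'AuthRequest'
+authn_strategies:
+- name: 'HeaderAuthorization'
+schemes:
+- 'Basic'
+- name: 'CookieSession'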
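Review bot: The `subject: - 'user:self'` entries in the two 1FA rules (budget, and vpn/syncthing) match only an account whose username is literally `self`; as far as I know Authelia has no self-referential subject, so if the intended account is named differently those rules match nobody and the domains fall through to `default_policy: deny` — fail-closed, but worth confirming against `/config/users.yaml`. The `internal` network (`192.168.0.0/18`, presumably meant as the full RFC 1918 `/16`) is declared but no rule carries a `networks:` clause, so it has no effect yet; a comment such as `# declared for future use; no rule references this network` would save the next reader a search. Session lifetimes of `inactivity: '1w'` / `expiration: '2w'` / `remember_me: '3M'` are generous for `one_factor` access to the data the comments mark as sensitive; a shorter `inactivity` would narrow the window in which a stolen session cookie stays usable. The bypassed widget endpoints (`^\/api\/wireguard\/client$`, `^\/api\/households\/statistics$`, `^\/api\/v1\/workspace\/profile$`) become reachable without Authelia, so each upstream app must enforce its own authentication on them — worth a one-line comment per rule stating that this was checked. Minor style: `path: /config/users.yaml` is the only unquoted string in the file, and `'^\/manifest.webmanifest$'` leaves the dot unescaped.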