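---
# Authelia configuration. Secrets are deliberately absent from this file
# (the "# SECRET" stanzas mark keys supplied out-of-band, e.g. via
# environment/secret files); only non-secret settings live here.

authentication_backend:
  file:
    path: '/config/users.yaml'
    watch: true

access_control:
  # Anything not matched by a rule below is denied.
  default_policy: deny
  networks:
    # NOTE(review): this network alias is not referenced by any rule below.
    - name: 'internal'
      networks:
        - '10.0.0.0/8'
        - '172.16.0.0/12'
        # /18 covers only 192.168.0.0-192.168.63.255; the full RFC 1918
        # block is /16 — confirm the narrower range is intended.
        - '192.168.0.0/18'
  rules:
    # Rules are evaluated top-down, first match wins: go from most to
    # least specific.
    ###### bypasses ######
    # A bypass rule means Authelia performs no authentication for the
    # matched request; the upstream service's own auth (if any) is the
    # only gate on these paths, so keep the resource regexes anchored and
    # as narrow as possible.
    # CORS preflight
    - domain: '*.knravish.me'
      methods: 'OPTIONS'
      policy: 'bypass'
    ### status endpoints ###
    # https://auth.knravish.me/api/health - status
    - domain: 'auth.knravish.me'
      resources: '^\/api\/health$'
      policy: 'bypass'
    # https://budget.knravish.me/info - info
    - domain: 'budget.knravish.me'
      resources: '^\/info$'
      policy: 'bypass'
    # https://blog.knravish.me/ghost/api/admin/site - info
    - domain: 'blog.knravish.me'
      resources: '^\/ghost\/api\/admin\/site$'
      policy: 'bypass'
    # # https://git.knravish.me/api/healthz - health
    # - domain: 'git.knravish.me'
    #   resources: '^\/api\/healthz$'
    #   policy: 'bypass'
    # https://notes.knravish.me/api/v1/workspace/profile - info
    - domain: 'notes.knravish.me'
      resources: '^\/api\/v1\/workspace\/profile$'
      policy: 'bypass'
    # https://pdf.knravish.me/api/v1/info/status - status
    - domain: 'pdf.knravish.me'
      resources: '^\/api\/v1\/info\/status$'
      policy: 'bypass'
    # https://planning.knravish.me/manifest.webmanifest - PWA
    # for the homepage widget
    # https://planning.knravish.me/api/v1/projects
    # https://planning.knravish.me/api/v1/tasks/all?filter=done%3Dfalse&sort_by=due_date
    - domain: 'planning.knravish.me'
      resources:
        # '.' is escaped: an unescaped dot would match any character.
        - '^\/manifest\.webmanifest$'
        - '^\/api\/v1\/projects$'
        - '^\/api\/v1\/tasks\/all\?filter=done%3Dfalse&sort_by=due_date$'
      policy: 'bypass'
    # https://recipes.knravish.me/api/app/about - status
    - domain: 'recipes.knravish.me'
      resources:
        - '^\/api\/households\/statistics$'  # homepage widget
        - '^\/api\/app\/about$'
      policy: 'bypass'
    # https://syncthing.knravish.me/rest/noauth/health
    - domain: 'syncthing.knravish.me'
      resources: '^\/rest\/noauth\/health$'
      policy: 'bypass'
    # https://vpn.knravish.me/api/release - status
    - domain: 'vpn.knravish.me'
      resources:
        # Not a health endpoint: this path is unauthenticated at the
        # Authelia layer, so the VPN service's own auth must cover it.
        - '^\/api\/wireguard\/client$'  # homepage widget
        - '^\/api\/release$'
      policy: 'bypass'
    # https://vtt.knravish.me/api/status
    - domain: 'vtt.knravish.me'
      resources: '^\/api\/status$'
      policy: 'bypass'
    ###### 1FA ######
    # sensitive data - only self
    - domain:
        - 'budget.knravish.me'
      subject:
        - 'user:self'
      policy: 'one_factor'
    # sensitive admin - only self
    # NOTE(review): because first match wins, if 'self' is also in
    # group:super_admin this one_factor rule shadows the two_factor rule at
    # the bottom for these two domains; raise to 'two_factor' here if the
    # second factor is wanted on the admin surfaces.
    - domain:
        - 'vpn.knravish.me'
        - 'syncthing.knravish.me'
      subject:
        - 'user:self'
      policy: 'one_factor'
    # ghost blog admin
    - domain: 'blog.knravish.me'
      resources: '^\/ghost([\/?].*)?$'
      subject:
        - 'group:admin'
      policy: 'one_factor'
    # foundry VTT
    - domain: 'vtt.knravish.me'
      subject:
        - 'group:admin'
        - 'group:foundry'
      policy: 'one_factor'
    # mealie recipes
    - domain: 'recipes.knravish.me'
      subject:
        - 'group:admin'
        - 'group:mealie'
      policy: 'one_factor'
    ###### 2FA ######
    # master bypass - super_admin (currently only self)
    - domain: '*.knravish.me'
      subject:
        - 'group:super_admin'
      policy: 'two_factor'

password_policy:
  zxcvbn:
    enabled: true

# SECRET
# identity_validation:
#   reset_password:
#     jwt_secret: ''

session:
  # SECRET
  # secret: ''
  redis:
    host: 'authelia-redis'
  inactivity: '1w'
  expiration: '2w'
  # A ticked "remember me" keeps the session alive well past `expiration`.
  remember_me: '3M'
  cookies:
    - domain: 'knravish.me'
      authelia_url: 'https://auth.knravish.me'

storage:
  # SECRET
  # encryption_key: ''
  local:
    path: '/config/db.sqlite3'

notifier:
  smtp:
    # smtp:// on 587 relies on STARTTLS being negotiated; keep Authelia's
    # default of requiring TLS (do not set disable_require_tls).
    address: 'smtp://smtp.purelymail.com:587'
    timeout: '15s'
    username: 'noreply@knravish.me'
    # SECRET
    # password: ''
    # NOTE(review): value looks truncated (trailing space, no address);
    # Authelia expects an address or 'Name <address>' form — verify.
    sender: 'Authelia '
    identifier: 'knravish.me'
    subject: '[Authelia] {title}'

theme: 'auto'

server:
  endpoints:
    authz:
      auth-request:
        implementation: 'AuthRequest'
        # Order matters: a Basic Authorization header is tried before the
        # session cookie.
        authn_strategies:
          - name: 'HeaderAuthorization'
            schemes:
              - 'Basic'
          - name: 'CookieSession'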