ShogunIsHere/instance-setup-stuff
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
d69daa37bf2a249ed8d1fa1a0a768f6200e689fe
instance-setup-stuff/authelia_server-configuration.yaml

165 lines
4.3 KiB
YAML
Raw Blame History

authentication_backend:
file:
path: /config/users.yaml
watch: true
access_control:
default_policy: deny
networks:
- name: 'internal'
networks:
- '10.0.0.0/8'
- '172.16.0.0/12'
- '192.168.0.0/18'
rules:
# go from most to least specific
###### bypasses ######
# CORS preflight
- domain: '*.knravish.me'
methods: 'OPTIONS'
policy: 'bypass'
### status endpoints ###
# https://auth.knravish.me/api/health - status
- domain: 'auth.knravish.me'
resources: '^\/api\/health$'
policy: 'bypass'
# https://budget.knravish.me/info - info
- domain: 'budget.knravish.me'
resources: '^\/info$'
policy: 'bypass'
# https://blog.knravish.me/ghost/api/admin/site - info
- domain: 'blog.knravish.me'
resources: '^\/ghost\/api\/admin\/site$'
policy: 'bypass'
# # https://git.knravish.me/api/healthz - health
# - domain: 'git.knravish.me'
# resources: '^\/api\/healthz$'
# policy: 'bypass'
# https://notes.knravish.me/api/v1/workspace/profile - info
- domain: 'notes.knravish.me'
resources: '^\/api\/v1\/workspace\/profile$'
policy: 'bypass'
# https://pdf.knravish.me/api/v1/info/status - status
- domain: 'pdf.knravish.me'
resources: '^\/api\/v1\/info\/status$'
policy: 'bypass'
# https://planning.knravish.me/manifest.webmanifest - PWA
# for the homepage widget
# https://planning.knravish.me/api/v1/projects
# https://planning.knravish.me/api/v1/tasks/all?filter=done%3Dfalse&sort_by=due_date
- domain: 'planning.knravish.me'
resources:
- '^\/manifest.webmanifest$'
- '^\/api\/v1\/projects$'
- '^\/api\/v1\/tasks\/all\?filter=done%3Dfalse&sort_by=due_date$'
policy: 'bypass'
# https://recipes.knravish.me/api/app/about - status
- domain: 'recipes.knravish.me'
resources:
- '^\/api\/households\/statistics$' # homepage widget
- '^\/api\/app\/about$'
policy: 'bypass'
# https://syncthing.knravish.me/rest/noauth/health
- domain: 'syncthing.knravish.me'
resources: '^\/rest\/noauth\/health$'
policy: 'bypass'
# https://vpn.knravish.me/api/release - status
- domain: 'vpn.knravish.me'
resources:
- '^\/api\/wireguard\/client$' # homepage widget
- '^\/api\/release$'
policy: 'bypass'
# https://vtt.knravish.me/api/status
- domain: 'vtt.knravish.me'
resources: '^\/api\/status$'
policy: 'bypass'
###### 1FA ######
# sensitive data - only self
- domain:
- 'budget.knravish.me'
subject:
- 'user:self'
policy: 'one_factor'
# sensitive admin - only self
- domain:
- 'vpn.knravish.me'
- 'syncthing.knravish.me'
subject:
- 'user:self'
policy: 'one_factor'
# ghost blog admin
- domain: 'blog.knravish.me'
resources: '^\/ghost([\/?].*)?$'
subject:
- 'group:admin'
policy: 'one_factor'
# foundry VTT
- domain: 'vtt.knravish.me'
subject:
- 'group:admin'
- 'group:foundry'
policy: 'one_factor'
# mealie recipes
- domain: 'recipes.knravish.me'
subject:
- 'group:admin'
- 'group:mealie'
policy: 'one_factor'
###### 2FA ######
# master bypass - super_admin (currently only self)
- domain: '*.knravish.me'
subject:
- 'group:super_admin'
policy: 'two_factor'
password_policy:
zxcvbn:
enabled: true
# SECRET
# identity_validation:
# reset_password:
# jwt_secret: ''
session:
# SECRET
# secret: ''
redis:
host: 'authelia-redis'
inactivity: '1w'
expiration: '2w'
remember_me: '3M'
cookies:
- domain: 'knravish.me'
authelia_url: 'https://auth.knravish.me'
storage:
# SECRET
# encryption_key: ''
local:
path: '/config/db.sqlite3'
notifier:
smtp:
address: 'smtp://smtp.purelymail.com:587'
timeout: '15s'
username: 'noreply@knravish.me'
# SECRET
# password: ''
sender: 'Authelia <noreply@knravish.me>'
identifier: 'knravish.me'
subject: '[Authelia] {title}'
theme: 'auto'
server:
endpoints:
authz:
auth-request:
implementation: 'AuthRequest'
authn_strategies:
- name: 'HeaderAuthorization'
schemes:
- 'Basic'
- name: 'CookieSession'
Reference in New Issue View Git Blame Copy Permalink