###############################################################
# Authelia configuration #
###############################################################
# The port to listen on
port: 8080
# Log level
#
# Level of verbosity for logs
logs_level: debug
# LDAP configuration
#
# Example: for user john, the DN will be cn=john,ou=users,dc=example,dc=com
ldap:
# The url of the ldap server
url: ldap://ipa.actcur.com
# The base dn for every entries
base_dn: dc=actcur,dc=com
# An additional dn to define the scope to all users
additional_users_dn: cn=users,cn=accounts
# The users filter.
# {0} is the matcher replaced by username.
# 'cn={0}' by default.
users_filter: uid={0}
# An additional dn to define the scope of groups
additional_groups_dn: cn=groups,cn=accounts
# The groups filter.
# {0} is the matcher replaced by user dn.
# 'member={0}' by default.
groups_filter: (&(member=uid={0},cn=users,cn=accounts,dc=actcur,dc=com)(objectclass=groupofnames))
# The attribute holding the name of the group
group_name_attribute: cn
# The attribute holding the mail address of the user
mail_attribute: mail
# The username and password of the admin user.
user: uid=authelia_admin,cn=users,cn=accounts,dc=actcur,dc=com
password: "{%- include 'secure/passwords/authelia_admin_password.txt' -%}"
# Authentication methods
#
# Authentication methods can be defined per subdomain.
# There are currently two available methods: "single_factor" and "two_factor"
#
# Note: by default a domain uses "two_factor" method.
#
# Note: 'per_subdomain_methods' is a dictionary where keys must be subdomains and
# values must be one of the two possible methods.
#
# Note: 'per_subdomain_methods' is optional.
#
# Note: authentication_methods is optional. If it is not set all sub-domains
# are protected by two factors.
authentication_methods:
default_method: two_factor
# Access Control
#
# Access control is a set of rules you can use to restrict user access to certain
# resources.
# Any (apply to anyone), per-user or per-group rules can be defined.
#
# If 'access_control' is not defined, ACL rules are disabled and the `allow` default
# policy is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
# the rules defined.
#
# Note: One can use the wildcard * to match any subdomain.
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
#
# Note: You must put the pattern in simple quotes when using the wildcard for the YAML
# to be syntaxically correct.
#
# Definition: A `rule` is an object with the following keys: `domain`, `policy`
# and `resources`.
# - `domain` defines which domain or set of domains the rule applies to.
# - `policy` is the policy to apply to resources. It must be either `allow` or `deny`.
# - `resources` is a list of regular expressions that matches a set of resources to
# apply the policy to.
#
# Note: Rules follow an order of priority defined as follows:
# In each category (`any`, `groups`, `users`), the latest rules have the highest
# priority. In other words, it means that if a given resource matches two rules in the
# same category, the latest one overrides the first one.
# Each category has also its own priority. That is, `users` has the highest priority, then
# `groups` and `any` has the lowest priority. It means if two rules in different categories
# match a given resource, the one in the category with the highest priority overrides the
# other one.
#
access_control:
# Default policy can either be `allow` or `deny`.
# It is the policy applied to any resource if it has not been overriden
# in the `any`, `groups` or `users` category.
default_policy: deny
# The rules that apply to anyone.
# The value is a list of rules.
any:
- domain: 'x'
policy: deny
# Group-based rules. The key is a group name and the value
# is a list of rules.
groups:
domain_admins:
# All resources in all domains
- domain: '*.actcur.com'
policy: allow
video_admins:
# All resources in all domains
- domain: 'sonarr.actcur.com'
policy: allow
- domain: 'radarr.actcur.com'
policy: allow
- domain: 'rtorrent.actcur.com'
policy: allow
- domain: 'jackett.actcur.com'
policy: allow
users:
none:
- domain: 'none'
policy: deny
# Configuration of session cookies
#
# The session cookies identify the user once logged in.
session:
# The secret to encrypt the session cookie.
secret: "{%- include 'secure/passwords/authelia_secret_password.txt' -%}"
# The time before the cookie expires.
expiration: 3600000
# The domain to protect.
# Note: the authenticator must also be in that domain. If empty, the cookie
# is restricted to the subdomain of the issuer.
domain: actcur.com
# The redis connection details
redis:
host: 127.0.0.1
port: 6379
# Configuration of the authentication regulation mechanism.
#
# This mechanism prevents attackers from brute forcing the first factor.
# It bans the user if too many attempts are done in a short period of
# time.
regulation:
# The number of failed login attempts before user is banned.
# Set it to 0 for disabling regulation.
max_retries: 3
# The length of time between login attempts before user is banned.
find_time: 120
# The length of time before a banned user can login again.
ban_time: 300
# Configuration of the storage backend used to store data and secrets.
#
# You must use only an available configuration: local, mongo
storage:
# The directory where the DB files will be saved
#local: /var/lib/authelia/store
# Settings to connect to mongo server
mongo:
url: mongodb://127.0.0.1/
database: authelia
# Configuration of the notification system.
#
# Notifications are sent to users when they require a password reset, a u2f
# registration or a TOTP registration.
# Use only an available configuration: filesystem, gmail
notifier:
# Use your gmail account to send the notifications. You can use an app password.
#gmail:
# username: username@gmail.com
# password: password
# Use a SMTP server for sending notifications
#smtp:
# username: test
# password: test
# secure: false
# host: 'smtp.zoho.com'
# port: 1025
smtp:
username: notifications@actcur.com
password: "{%- include 'secure/passwords/authelia_notifications_password.txt' -%}"
secure: true
host: 'smtp.zoho.com'
port: 465
sender: 'Actcur Authelia <notifications@actcur.com>'