---
###############################################################
# Authelia configuration #
###############################################################
server:
host: 0.0.0.0
port: 9091
log:
level: debug
theme: dark
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET_FILE
identity_validation.reset_password.jwt_secret: VsZh6gYEtxoc2rCcpGgV.....2qFeJXcpk6GaGbbSmnKRKWc
default_redirection_url: https://mfa.jozeftan.com #address of authelia deployment
totp:
issuer: authelia.com
# duo_api:
# hostname: api-123456789.example.com
# integration_key: ABCDEF
# # This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY_FILE
# secret_key: 1234567890abcdefghifjkl
authentication_backend:
file:
path: /config/users.yml
password:
# algorithm: argon2
algorithm: sha512
# Recommended Parameters
# Uses 2 GiB memory, then immediately releases it.
# See https://www.authelia.com/reference/guides/passwords/#recommended-parameters-argon2
# See https://www.rfc-editor.org/rfc/rfc9106.html#section-4 for details on tuning the parameters for your hardware.
# After saving configuration file, password hash can be generated by running: docker run -v ./configuration.yml:/configuration.yml --rm authelia/authelia:latest authelia crypto hash generate --config /configuration.yml --password 'yourpassword'
# argon2:
# variant: argon2id
# iterations: 1
# memory: 2097152
# parallelism: 4
# key_length: 32
# salt_length: 16
# Recommended Parameters when constrained by low memory or low powered hardware. Uses 64 KiB memory, then immediately releases it.
# argon2:
# variant: argon2id
# iterations: 3
# memory: 65536
# parallelism: 4
# key_length: 32
# salt_length: 16
# I had a special use case where I wanted notes.jozeftan.com to be secure, but trilium had a notes share feature, where I could enable files to be shared and it would generate a link like: notes.jozeftan.com/share/SHARE_DETAILS
# Because I don't want shared links to require users to log in, I had to further use regex (with the help of chatgpt) to authorise these sign ins.
access_control:
default_policy: bypass
rules:
- domain:
- 'subdomain1.jozeftan.com'
policy: ‘bypass’
- domain: 'notes.jozeftan.com'
resources:
- '^/share/.*$'
policy: ‘bypass’
- domain:
- 'subdomain2.jozeftan.com'
policy: ‘one_factor’
- domain:
- 'subdomain3.jozeftan.com'
- 'subdomain4.jozeftan.com'
policy: ‘two_factor’
- domain: 'notes.jozeftan.com'
resources:
- '^/.*$'
policy: ‘two_factor’
session:
name: authelia_session
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
secret: DZXy4XtfzcawmaCNiQS3k2gO.............DLZdg9JdIN9Y3a79ZIj
expiration: 21600 # 6 hours
inactivity: 300 # 5 minutes
domain: jozeftan.com # Should match whatever your root protected domain is
# redis:
# host: redis
# port: 6379
# # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
# # password: authelia
regulation:
max_retries: 3
find_time: 120
ban_time: 300
storage:
encryption_key: a_very_important_secret # Now required, authelia sets a placeholder for now.
#encryption_key: VsZh6gYEtxoc2rCcpG..........JXcpk6GaGbbSmnKRKWd
local:
path: /config/db.sqlite3
notifier:
# I use brevo
smtp:
username: 'BREVO_API_EMAIL'
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
password: 'KEY_FROM_BREVO'
host: smtp-relay.brevo.com
port: 587
sender: [email protected]
# if no email service alternatively use text output, just comment out smtp section.
# filesystem:
# filename: /config/notification.txt
