alyssadev/configuration.yml

## configuration.yml
# authelia/config/configuration.yml
# run `openssl rand -hex 20` three times and update `jwt_secret`, `session.secret` and `storage.encryption_key`
server:
  host: 0.0.0.0
  port: 9091
log:
  level: info
jwt_secret: TODO
default_redirection_url: https://auth.example.com
totp:
  issuer: example.com
  period: 30
  skew: 1

#duo_api:     ## If you want push notifictions of login attempts you can pay for this feature
#  hostname: api-123456789.example.com
#  integration_key: ABCDEF
#  secret_key: yet-another-long-string-of-characters-and-numbers-and-symbols

authentication_backend:
  password_reset:
    disable: false
  file:
    path: /config/users_database.yml # Make sure this file exists
    password:
      algorithm: argon2
      argon2:
        variant: argon2id
        iterations: 3
        salt_length: 16
        parallelism: 4
        memory: 65536
        key_length: 32

access_control:
  default_policy: deny
  rules:
    # Rules applied to everyone
    - domain:
        - "auth.example.com"
        - "nextcloud.home.example.com"
        - "plex.home.example.com"
      policy: bypass
    - domain: # Proxies only requiring username and password
        - "*.example.com"
        - "*.*.example.com"
      policy: two_factor
#      networks:
#        - 192.168.1.0/24

session:
  name: authelia_session
  # This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
  secret: TODO
  expiration: 3600 # 1 hour
  inactivity: 7200 # 2 hours
  remember_me_duration: 1M
  domain: example.com # Needs to be your root domain

  redis:
    host: redis
    port: 6379
    # This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
#    password: authelia

regulation:
  max_retries: 5
  find_time: 2m
  ban_time: 10m

theme: dark   # options: dark, light

storage:
  encryption_key: TODO
  local:
    path: /config/db.sqlite3

notifier:
  disable_startup_check: false
  #filesystem:
  #  filename: /config/notification.txt
  smtp:
    username: APIKEY
    password: SECRET
    host: in-v3.mailjet.com
    port: 587
    sender: auth@example.com
    subject: "[Authelia] {title}"
    startup_check_address: admin@example.com

## docker-compose.yml
# authelia/docker-compose.yml
# update TZ=
version: '3.3'
services:
  authelia:
    image: authelia/authelia
    volumes:
      - ./config:/config
    ports:
      - 127.0.0.1:9091:9091
    restart: unless-stopped
    healthcheck:
      disable: true
    environment:
      - TZ=<SET>
    depends_on:
      - redis

  redis:
    image: redis:alpine
    volumes:
      - ./redis:/data
    expose:
      - 6379
    restart: unless-stopped
    environment:
      - TZ=<SET>

## nginx.md

      
    Raw
  

              nginx.md
            
          
    # /etc/nginx/sites-available/home.conf
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name home.example.com *.home.example.com;
    include /etc/nginx/snippets/authloc.conf;
    location / {
        include /etc/nginx/snippets/authinc.conf;
        proxy_pass http://10.8.0.2:80;
    }
}

# /etc/nginx/sites-available/auth.conf
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name auth.example.com;
    include /etc/nginx/snippets/ssl-examplecom.conf;
    location / {
        proxy_pass http://localhost:9091;
        include /etc/nginx/snippets/proxy.conf;
    }
}

# /etc/nginx/snippets/proxy.conf
# global proxy conf
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $host:$server_port;
proxy_set_header X-Forwarded-Port $server_port;
proxy_redirect off;
client_body_buffer_size 128k;
client_max_body_size 0;
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;
# websocket support
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;

# /etc/nginx/snippets/authproxy.conf
include /etc/nginx/snippets/proxy.conf;
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 4 32k;

# /etc/nginx/snippets/authloc.conf
location /auth {
    internal;
    proxy_pass_request_body off;
    proxy_pass http://localhost:9091/api/verify;
    proxy_set_header Content-Length "";
    include /etc/nginx/snippets/authproxy.conf;
}

# /etc/nginx/snippets/authinc.conf
auth_request /auth;
auth_request_set $target_url $scheme://$http_host$request_uri;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
error_page 401 =302 https://auth.example.com/?rd=$target_url;

# /etc/nginx/snippets/ssl.conf
    # OCSP stapling
    ssl_stapling on;
    ssl_stapling_verify on;

    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;

    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    resolver 1.1.1.1;

    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;  # about 40000 sessions
    ssl_session_tickets off;

    ssl_dhparam /etc/nginx/dhparam.pem;

# /etc/nginx/snippets/ssl-home.conf
    ssl_certificate /etc/letsencrypt/live/home.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/home.example.com/privkey.pem;
    ssl_trusted_certificate /etc/letsencrypt/live/home.example.com/fullchain.pem;
    include /etc/nginx/snippets/ssl.conf;

  
## users-database.yml
# authelia/config/users-database.yml
# docker run -v ./config:/config authelia/authelia:latest authelia -c /config/configuration.yml hash-password PASSWORD
users:
  admin:
    displayname: "Admin"
    password: "$argon2id$v=19$m=65536,t=3,p=4$uHJg6OCfd/OjwzwXu8SIbQ$BUeIp60Ay0mZOn1byhjYFwkdixsf4dWPqfx5C367B2o"
    email: admin@example.com
    groups:
      - admins
      - dev
	# authelia/config/configuration.yml
	# run `openssl rand -hex 20` three times and update `jwt_secret`, `session.secret` and `storage.encryption_key`
	server:
	host: 0.0.0.0
	port: 9091
	log:
	level: info
	jwt_secret: TODO
	default_redirection_url: https://auth.example.com
	totp:
	issuer: example.com
	period: 30
	skew: 1

	#duo_api: ## If you want push notifictions of login attempts you can pay for this feature
	# hostname: api-123456789.example.com
	# integration_key: ABCDEF
	# secret_key: yet-another-long-string-of-characters-and-numbers-and-symbols

	authentication_backend:
	password_reset:
	disable: false
	file:
	path: /config/users_database.yml # Make sure this file exists
	password:
	algorithm: argon2
	argon2:
	variant: argon2id
	iterations: 3
	salt_length: 16
	parallelism: 4
	memory: 65536
	key_length: 32

	access_control:
	default_policy: deny
	rules:
	# Rules applied to everyone
	- domain:
	- "auth.example.com"
	- "nextcloud.home.example.com"
	- "plex.home.example.com"
	policy: bypass
	- domain: # Proxies only requiring username and password
	- "*.example.com"
	- "..example.com"
	policy: two_factor
	# networks:
	# - 192.168.1.0/24

	session:
	name: authelia_session
	# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
	secret: TODO
	expiration: 3600 # 1 hour
	inactivity: 7200 # 2 hours
	remember_me_duration: 1M
	domain: example.com # Needs to be your root domain

	redis:
	host: redis
	port: 6379
	# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
	# password: authelia

	regulation:
	max_retries: 5
	find_time: 2m
	ban_time: 10m

	theme: dark # options: dark, light

	storage:
	encryption_key: TODO
	local:
	path: /config/db.sqlite3

	notifier:
	disable_startup_check: false
	#filesystem:
	# filename: /config/notification.txt
	smtp:
	username: APIKEY
	password: SECRET
	host: in-v3.mailjet.com
	port: 587
	sender: auth@example.com
	subject: "[Authelia] {title}"
	startup_check_address: admin@example.com
	# authelia/docker-compose.yml
	# update TZ=
	version: '3.3'
	services:
	authelia:
	image: authelia/authelia
	volumes:
	- ./config:/config
	ports:
	- 127.0.0.1:9091:9091
	restart: unless-stopped
	healthcheck:
	disable: true
	environment:
	- TZ=<SET>
	depends_on:
	- redis

	redis:
	image: redis:alpine
	volumes:
	- ./redis:/data
	expose:
	- 6379
	restart: unless-stopped
	environment:
	- TZ=<SET>
	# authelia/config/users-database.yml
	# docker run -v ./config:/config authelia/authelia:latest authelia -c /config/configuration.yml hash-password PASSWORD
	users:
	admin:
	displayname: "Admin"
	password: "$argon2id$v=19$m=65536,t=3,p=4$uHJg6OCfd/OjwzwXu8SIbQ$BUeIp60Ay0mZOn1byhjYFwkdixsf4dWPqfx5C367B2o"
	email: admin@example.com
	groups:
	- admins
	- dev