ZoneMinder and Authelia example - with a Gmail SMTP notifier (Authelia needs a Gmail App Password / "insecure app access" token to send mail through Gmail; Google has been phasing out plain-password "less secure app access", so an App Password with 2-Step Verification is the route to check first)
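###############################################################
#                   Authelia configuration                    #
###############################################################
# Example: ZoneMinder (and zmNinja) behind Authelia, Gmail as the notifier.
# Placeholders (EXAMPLE.com, DO_SECRET_HERE, MY_INSECURE_APP_KEY) must be replaced.
# Every secret below can instead be supplied through the *_FILE environment
# variable named next to it; prefer that over keeping secrets in this file,
# which tends to end up in version control (or, as here, in a public gist).

server:
  host: 0.0.0.0
  port: 9091

# The original set the log level twice (a top-level `log.level` and a `log:`
# section at the end); it is kept once, in the nested form. `debug` logs
# request details and should be lowered to `info` once the setup works.
log:
  level: debug

# This secret can also be set using the env variable AUTHELIA_JWT_SECRET_FILE
jwt_secret: DO_SECRET_HERE  # generate a long random value, e.g. https://www.grc.com/passwords.htm
default_redirection_url: https://auth.EXAMPLE.com

totp:
  issuer: authelia.com
  period: 30
  skew: 1

# duo_api:
#   hostname: api-123456789.example.com
#   integration_key: ABCDEF
#   # This secret can also be set using the env variable AUTHELIA_DUO_API_SECRET_KEY_FILE
#   secret_key: 1234567890abcdefghifjkl

authentication_backend:
  file:
    path: /config/users_database.yml
    # password:
    #   algorithm: argon2id
    #   iterations: 1
    #   key_length: 32
    #   salt_length: 16
    #   memory: 1024
    #   parallelism: 8

# RULES are evaluated top to bottom and the first match wins, so be aware of
# how you order them.
access_control:
  default_policy: deny
  networks:
    - name: internal
      networks:
        - 10.0.0.0/8
        - 172.16.0.0/12
        # NOTE(review): /18 only covers 192.168.0.0-192.168.63.255. The full
        # RFC 1918 range, matching the two entries above, is 192.168.0.0/16.
        # Left as written because widening it changes which clients the
        # `internal` rule below applies to; confirm which was intended.
        - 192.168.0.0/18
        # - fe80:0:dddd:123a::/64  # IPv6 example
  rules:
    # Rules applied to everyone
    - domain:
        - "auth.EXAMPLE.com"  # the Authelia portal itself
        - "hass.EXAMPLE.com"  # bypassed because Home Assistant has its own login/MFA
      policy: bypass
    # zmNinja rules so the app can work. Everything matched here is reachable
    # WITHOUT Authelia: /zm/index.php.* is the whole ZoneMinder web UI,
    # /zm/cgi.* the stream endpoints and /zm/api.* the API, and the patterns
    # are unanchored regexes. ZoneMinder's own authentication must therefore
    # stay enabled. Could be tightened with `networks:` if the mobile
    # provider's IP ranges are known.
    - domain:
        - "zm.EXAMPLE.com"
      policy: bypass
      resources:
        - "/zm/api.*"
        - "/zm/cgi.*"
        - "/zm/index.php.*"
        - "/api/verify.*"
        - "/authelia.*"
    # TOTP for the rest of the zm subdomain.
    # NOTE(review): the original comment said internal networks "bypass the
    # Authelia logins" here. In Authelia's access-control semantics a rule's
    # `networks:` restricts the rule to requests coming FROM those networks;
    # it does not exempt them. As written, LAN clients get two_factor and
    # everyone else falls through to default_policy deny (confirm against the
    # docs for the Authelia version in use). For a LAN bypass, use
    # `policy: bypass` with `networks: [internal]` and add a separate
    # `policy: two_factor` rule without `networks:` after it.
    - domain:
        - "zm.EXAMPLE.com"
      policy: two_factor
      networks:
        - internal

session:
  name: authelia_session
  # This secret can also be set using the env variable AUTHELIA_SESSION_SECRET_FILE.
  # The original gist carried a literal secret value in this comment; a secret
  # that has been pasted publicly is compromised and must be regenerated.
  # secret: DO_SESSION_SECRET_HERE  # generate at https://www.grc.com/passwords.htm
  expiration: 3600  # 1 hour
  inactivity: 300  # 5 minutes
  domain: EXAMPLE.com  # Should match whatever your root protected domain is
  redis:
    host: redis
    port: 6379
    # This secret can also be set using the env variable AUTHELIA_SESSION_REDIS_PASSWORD_FILE.
    # Redis holds the session store; leave it unauthenticated only if the
    # Redis container is reachable from nothing but Authelia.
    # password: authelia

regulation:
  max_retries: 3
  find_time: 1200
  ban_time: 36000

storage:
  local:
    path: /config/db.sqlite3

notifier:
  # filesystem:
  #   filename: /config/notification.txt
  # Using Google/Gmail as the mail provider takes extra setup: you need an
  # App Password or "insecure app access" token for the account, and Google
  # Workspace domains involve additional admin steps. NOTE(review): Google has
  # been phasing out "less secure app access"; check which option your
  # account type still offers.
  smtp:
    username: admin@EXAMPLE.com
    # This secret can also be set using the env variable AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
    password: MY_INSECURE_APP_KEY
    host: smtp.gmail.com
    port: 587
    sender: totp@EXAMPLE.com
    identifier: EXAMPLE.com
    subject: "[Authelia] {title}"
    startup_check_address: test@authelia.com  # a real message is sent here on every start
    # Port 587 on smtp.gmail.com is a STARTTLS submission port, so the TLS
    # requirement can stay on. The original had `true`, which lets Authelia
    # fall back to cleartext SMTP and send the mailbox password and the
    # one-time codes unencrypted if STARTTLS is ever not negotiated.
    disable_require_tls: false
    disable_html_emails: false
    # tls:
    #   server_name: smtp.gmail.com
    #   skip_verify: false
    #   minimum_version: TLS1.2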