@baudneo
Created September 5, 2021 20:10
ZoneMinder and Authelia example - with Gmail SMTP notifier (you must set up insecure app access and a token for sending emails from Authelia using Gmail)
###############################################################
#                    Authelia configuration                   #
###############################################################
server:
  host: 0.0.0.0
  port: 9091

log:
  level: debug  # drop to info once the access_control rules below behave as expected

# This secret can also be set using the env variable AUTHELIA_JWT_SECRET_FILE
jwt_secret: DO_SECRET_HERE  # get a secret from https://www.grc.com/passwords.htm or generate one locally, e.g. `openssl rand -hex 64`

default_redirection_url: https://auth.EXAMPLE.com

totp:
  issuer: authelia.com
  period: 30
  skew: 1

#duo_api:
#  hostname: api-123456789.example.com
#  integration_key: ABCDEF
#  # This secret can also be set using the env variable AUTHELIA_DUO_API_SECRET_KEY_FILE
#  secret_key: 1234567890abcdefghifjkl

authentication_backend:
  file:
    path: /config/users_database.yml
    # password:
    #   algorithm: argon2id
    #   iterations: 1
    #   key_length: 32
    #   salt_length: 16
    #   memory: 1024
    #   parallelism: 8

# RULES are evaluated top to bottom and the FIRST match wins, so be aware of how you order them.
access_control:
  default_policy: deny
  networks:
    - name: internal
      networks:
        - 10.0.0.0/8
        - 172.16.0.0/12
        - 192.168.0.0/18  # /18 only covers 192.168.0.0-192.168.63.255; the full RFC 1918 block is 192.168.0.0/16
        # - fe80:0:dddd:123a::/64  # IPv6 example
  rules:
    # Rules applied to everyone
    - domain:
        - "auth.EXAMPLE.com"  # our auth portal for Authelia
        - "hass.EXAMPLE.com"  # has its own TOTP/MFA
      policy: bypass
    # zmNinja rules so it can work (could be refined with networks or IPs if you know your
    # mobile provider's subnets exclusively). Everything matched here is reachable WITHOUT
    # Authelia, so ZoneMinder's own authentication (OPT_USE_AUTH) must stay enabled. Note
    # that /zm/index.php.* also matches the web console itself, not only what zmNinja needs.
    - domain:
        - "zm.EXAMPLE.com"
      policy: bypass
      resources:  # endpoints using regex
        - "/zm/api.*"
        - "/zm/cgi.*"
        - "/zm/index.php.*"
        - "/api/verify.*"
        - "/authelia.*"
    # Internal networks skip the Authelia login for the rest of the zm subdomain.
    # Comment this rule out at first so you can test TOTP from your LAN.
    # (A `networks` list restricts the rule to those source addresses; attaching it to the
    # two_factor rule instead, as the gist originally did, leaves every external request
    # to fall through to default_policy: deny rather than being prompted for TOTP.)
    - domain:
        - "zm.EXAMPLE.com"
      policy: bypass
      networks:
        - internal
    # TOTP for the rest of the zm subdomain
    - domain:
        - "zm.EXAMPLE.com"
      policy: two_factor

session:
  name: authelia_session
  # This secret can also be set using the env variable AUTHELIA_SESSION_SECRET_FILE
  # secret: hu*gUOi!My>p5w\*:KquGW`!c#TG!0/%zNp(s~>"eU#LROa3y)~R3y\Pf>%-y;I  # get a secret from https://www.grc.com/passwords.htm
  expiration: 3600  # 1 hour
  inactivity: 300  # 5 minutes
  domain: EXAMPLE.com  # should match whatever your root protected domain is
  redis:
    host: redis
    port: 6379
    # This secret can also be set using the env variable AUTHELIA_SESSION_REDIS_PASSWORD_FILE
    # password: authelia

regulation:
  max_retries: 3
  find_time: 1200
  ban_time: 36000

storage:
  local:
    path: /config/db.sqlite3

notifier:
  # filesystem:
  #   filename: /config/notification.txt
  # Using Google/Gmail as the mail provider for your EXAMPLE.com domain takes a few steps:
  # you have to enable "insecure app access", and on a Google Workspace domain there are
  # extra admin steps. Google has since retired "less secure app access"; the current route
  # is an App Password on an account with 2-Step Verification turned on.
  smtp:
    username: admin@EXAMPLE.com
    # This secret can also be set using the env variable AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
    password: MY_INSECURE_APP_KEY
    host: smtp.gmail.com
    port: 587
    sender: totp@EXAMPLE.com
    identifier: EXAMPLE.com
    subject: "[Authelia] {title}"
    startup_check_address: test@authelia.com
    # smtp.gmail.com:587 offers STARTTLS, so keep TLS required. The gist originally set this
    # to true, which lets Authelia fall back to an unencrypted connection (and send the
    # account password in the clear) if STARTTLS is ever unavailable.
    disable_require_tls: false
    disable_html_emails: false
    # tls:
    #   server_name: smtp.example.com
    #   skip_verify: false
    #   minimum_version: TLS1.2
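To see what "first match wins" means for this particular rule set, here is an added Python model of the evaluation. It is not the gist's own code and not Authelia's implementation; it simplifies Authelia's semantics to what matters for ordering: domains are compared exactly, `resources` regexes are searched unanchored against the request path, and a `networks` list restricts a rule to the listed source addresses. `RULES_AS_POSTED` reproduces the gist's original ordering (the two_factor rule carrying `networks: internal`); `RULES_CORRECTED`, the sample requests and the 203.0.113.x / 192.168.x addresses are constructed for the example.

```python
import ipaddress
import re

# Network aliases, copied from the gist's access_control.networks section.
NETWORK_ALIASES = {
    "internal": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/18"],
}

# zmNinja endpoints that the gist lets through without Authelia.
ZMNINJA_RESOURCES = [r"/zm/api.*", r"/zm/cgi.*", r"/zm/index.php.*",
                     r"/api/verify.*", r"/authelia.*"]

# Rules in the order the gist originally posted them: the two_factor rule
# carries `networks: internal`, which restricts it to LAN sources only.
RULES_AS_POSTED = [
    {"domain": ["auth.EXAMPLE.com", "hass.EXAMPLE.com"], "policy": "bypass"},
    {"domain": ["zm.EXAMPLE.com"], "policy": "bypass", "resources": ZMNINJA_RESOURCES},
    {"domain": ["zm.EXAMPLE.com"], "policy": "two_factor", "networks": ["internal"]},
]

# Hypothetical corrected ordering (constructed here): a LAN-only bypass rule
# first, then an unrestricted two_factor rule so external browsers get TOTP.
RULES_CORRECTED = [
    {"domain": ["auth.EXAMPLE.com", "hass.EXAMPLE.com"], "policy": "bypass"},
    {"domain": ["zm.EXAMPLE.com"], "policy": "bypass", "resources": ZMNINJA_RESOURCES},
    {"domain": ["zm.EXAMPLE.com"], "policy": "bypass", "networks": ["internal"]},
    {"domain": ["zm.EXAMPLE.com"], "policy": "two_factor"},
]


def _networks_for(names):
    """Expand alias names (or literal CIDRs) into ip_network objects."""
    nets = []
    for name in names:
        for cidr in NETWORK_ALIASES.get(name, [name]):
            nets.append(ipaddress.ip_network(cidr))
    return nets


def evaluate(rules, domain, path, client_ip, default_policy="deny"):
    """Simplified first-match evaluation. A rule matches when the request
    domain is listed AND (if `resources` is set) some regex matches the path
    AND (if `networks` is set) the client IP lies in one of them. The first
    matching rule's policy wins; otherwise the default policy applies."""
    ip = ipaddress.ip_address(client_ip)
    for rule in rules:
        if domain not in rule["domain"]:
            continue
        resources = rule.get("resources")
        if resources and not any(re.search(rx, path) for rx in resources):
            continue
        networks = rule.get("networks")
        if networks and not any(ip in net for net in _networks_for(networks)):
            continue
        return rule["policy"]
    return default_policy


# Constructed requests: (label, domain, path, client IP).
SAMPLE_REQUESTS = [
    ("zmNinja API from mobile", "zm.EXAMPLE.com", "/zm/api/monitors.json", "203.0.113.5"),
    ("web console from the internet", "zm.EXAMPLE.com", "/zm/", "203.0.113.5"),
    ("web console from 192.168.1.x", "zm.EXAMPLE.com", "/zm/", "192.168.1.20"),
    ("web console from 192.168.100.x", "zm.EXAMPLE.com", "/zm/", "192.168.100.20"),
    ("index.php console view, internet", "zm.EXAMPLE.com", "/zm/index.php?view=console", "203.0.113.5"),
]


def compare(requests=SAMPLE_REQUESTS):
    """Return {label: (policy as posted, policy with corrected ordering)}."""
    return {
        label: (evaluate(RULES_AS_POSTED, d, p, ip), evaluate(RULES_CORRECTED, d, p, ip))
        for label, d, p, ip in requests
    }


if __name__ == "__main__":
    for label, (posted, fixed) in compare().items():
        print(f"{label:36s} as posted: {posted:10s} corrected: {fixed}")
```

Three things fall out of running it: an external browser hitting `/zm/` gets `deny` under the posted ordering (the two_factor rule never matches it) but `two_factor` under the corrected one; a host on 192.168.100.x is not "internal" because the alias uses /18 rather than /16; and `/zm/index.php?view=console` is bypassed from anywhere, so the ZoneMinder console itself relies on ZoneMinder's own login, not on Authelia.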