Alyssa Smith revised this gist . Go to revision
1 file changed, 10 insertions, 10 deletions
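--- a/configuration.yml
+++ b/configuration.yml
@@ -77,13 +77,13 @@ storage:
 
 notifier:
 disable_startup_check: false
-filesystem:
-filename: /config/notification.txt
-#smtp:
-# username: username
-# password: password
-# host: smtp
-# port: 587
-# sender: auth@example.com
-# subject: "[Authelia] {title}"
-# startup_check_address: admin@example.com
+#filesystem:
+# filename: /config/notification.txt
+smtp:
+username: APIKEY
+password: SECRET
+host: in-v3.mailjet.com
+port: 587
+sender: auth@example.com
+subject: "[Authelia] {title}"
+startup_check_address: admin@example.com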
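Review bot: `username: APIKEY` and `password: SECRET` place the Mailjet API key pair directly in configuration.yml, so once the placeholders are filled in the SMTP credential lives in the same file as the rest of the configuration and in every copy or gist of it. This file already documents the file-based secret pattern for the session secret (`AUTHELIA_SESSION_SECRET_FILE`); the notifier password supports the same mechanism, so add `# This secret can also be set using the env variable AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` above `password:` and keep the real value out of the file. Also note that with `disable_startup_check: false` kept, Authelia will try to deliver a test mail to `startup_check_address` at startup, so a wrong key pair will presumably surface at boot rather than on the first password-reset mail — worth a comment next to that line.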
Alyssa Smith revised this gist . Go to revision
No changes
Alyssa Smith revised this gist . Go to revision
2 files changed, 2 insertions, 2 deletions
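--- a/configuration.yml
+++ b/configuration.yml
@@ -55,7 +55,7 @@ session:
 expiration: 3600 # 1 hour
 inactivity: 7200 # 2 hours
 remember_me_duration: 1M
-domain: aly.pet # Needs to be your root domain
+domain: example.com # Needs to be your root domain
 
 redis:
 host: redis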
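--- a/nginx.md
+++ b/nginx.md
@@ -70,7 +70,7 @@ auth_request_set $user $upstream_http_remote_user;
 auth_request_set $groups $upstream_http_remote_groups;
 proxy_set_header Remote-User $user;
 proxy_set_header Remote-Groups $groups;
-error_page 401 =302 https://auth.aly.pet/?rd=$target_url;
+error_page 401 =302 https://auth.example.com/?rd=$target_url;
 
 # /etc/nginx/snippets/ssl.conf
 # OCSP stapling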
Alyssa Smith revised this gist . Go to revision
4 files changed, 225 insertions
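--- a/configuration.yml
+++ b/configuration.yml
@@ -0,0 +1,89 @@
+# authelia/config/configuration.yml
+# run `openssl rand -hex 20` three times and update `jwt_secret`, `session.secret` and `storage.encryption_key`
+server:
+host: 0.0.0.0
+port: 9091
+log:
+level: info
+jwt_secret: TODO
+default_redirection_url: https://auth.example.com
+totp:
+issuer: example.com
+period: 30
+skew: 1
+
+#duo_api: ## If you want push notifictions of login attempts you can pay for this feature
+# hostname: api-123456789.example.com
+# integration_key: ABCDEF
+# secret_key: yet-another-long-string-of-characters-and-numbers-and-symbols
+
+authentication_backend:
+password_reset:
+disable: false
+file:
+path: /config/users_database.yml # Make sure this file exists
+password:
+algorithm: argon2
+argon2:
+variant: argon2id
+iterations: 3
+salt_length: 16
+parallelism: 4
+memory: 65536
+key_length: 32
+
+access_control:
+default_policy: deny
+rules:
+# Rules applied to everyone
+- domain:
+- "auth.example.com"
+- "nextcloud.home.example.com"
+- "plex.home.example.com"
+policy: bypass
+- domain: # Proxies only requiring username and password
+- "*.example.com"
+- "*.*.example.com"
+policy: two_factor
+# networks:
+# - 192.168.1.0/24
+
+session:
+name: authelia_session
+# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET_FILE
+secret: TODO
+expiration: 3600 # 1 hour
+inactivity: 7200 # 2 hours
+remember_me_duration: 1M
+domain: aly.pet # Needs to be your root domain
+
+redis:
+host: redis
+port: 6379
+# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD_FILE
+# password: authelia
+
+regulation:
+max_retries: 5
+find_time: 2m
+ban_time: 10m
+
+theme: dark # options: dark, light
+
+storage:
+encryption_key: TODO
+local:
+path: /config/db.sqlite3
+
+notifier:
+disable_startup_check: false
+filesystem:
+filename: /config/notification.txt
+#smtp:
+# username: username
+# password: password
+# host: smtp
+# port: 587
+# sender: auth@example.com
+# subject: "[Authelia] {title}"
+# startup_check_address: admin@example.com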
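Review bot: In the `session` block, `inactivity: 7200 # 2 hours` is longer than `expiration: 3600 # 1 hour`, so the idle timeout can never fire — the absolute expiry destroys the session first and the inactivity setting is dead configuration; set `inactivity` to a value at or below `expiration` (or raise `expiration`) so the two limits mean what their comments say. In `access_control`, the comment `# Proxies only requiring username and password` sits on the rule whose `policy: two_factor`, which contradicts it; either reword it to `# Everything else requires two-factor` or change the policy to `one_factor` if that was the intent. The `duo_api` comment also has a typo, `notifictions` for `notifications`.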
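--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -0,0 +1,27 @@
+# authelia/docker-compose.yml
+# update TZ=
+version: '3.3'
+services:
+authelia:
+image: authelia/authelia
+volumes:
+- ./config:/config
+ports:
+- 127.0.0.1:9091:9091
+restart: unless-stopped
+healthcheck:
+disable: true
+environment:
+- TZ=<SET>
+depends_on:
+- redis
+
+redis:
+image: redis:alpine
+volumes:
+- ./redis:/data
+expose:
+- 6379
+restart: unless-stopped
+environment:
+- TZ=<SET>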
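Review bot: `image: authelia/authelia` and `image: redis:alpine` are floating tags, so every pull silently moves the identity provider and its session store to whatever upstream publishes next; pin both to an explicit version tag (ideally with a digest), e.g. `image: authelia/authelia:<version>` and `image: redis:<version>-alpine`, and bump them deliberately. `healthcheck: disable: true` also switches off the image's built-in health check with no explanation; if it is only there to quiet logs, a one-line comment saying so would stop the next reader from assuming the service is being monitored, since `depends_on: - redis` alone gives no readiness guarantee.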
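--- a/nginx.md
+++ b/nginx.md
@@ -0,0 +1,99 @@
+```nginx
+# /etc/nginx/sites-available/home.conf
+server {
+listen 443 ssl http2;
+listen [::]:443 ssl http2;
+server_name home.example.com *.home.example.com;
+include /etc/nginx/snippets/authloc.conf;
+location / {
+include /etc/nginx/snippets/authinc.conf;
+proxy_pass http://10.8.0.2:80;
+}
+}
+
+# /etc/nginx/sites-available/auth.conf
+server {
+listen [::]:443 ssl http2;
+listen 443 ssl http2;
+server_name auth.example.com;
+include /etc/nginx/snippets/ssl-examplecom.conf;
+location / {
+proxy_pass http://localhost:9091;
+include /etc/nginx/snippets/proxy.conf;
+}
+}
+
+# /etc/nginx/snippets/proxy.conf
+# global proxy conf
+proxy_set_header Host $host;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $host:$server_port;
+proxy_set_header X-Forwarded-Port $server_port;
+proxy_redirect off;
+client_body_buffer_size 128k;
+client_max_body_size 0;
+send_timeout 5m;
+proxy_read_timeout 240;
+proxy_send_timeout 240;
+proxy_connect_timeout 240;
+# websocket support
+proxy_http_version 1.1;
+proxy_set_header Upgrade $http_upgrade;
+proxy_set_header Connection $connection_upgrade;
+
+# /etc/nginx/snippets/authproxy.conf
+include /etc/nginx/snippets/proxy.conf;
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-Uri $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_redirect http:// $scheme://;
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 4 32k;
+
+# /etc/nginx/snippets/authloc.conf
+location /auth {
+internal;
+proxy_pass_request_body off;
+proxy_pass http://localhost:9091/api/verify;
+proxy_set_header Content-Length "";
+include /etc/nginx/snippets/authproxy.conf;
+}
+
+# /etc/nginx/snippets/authinc.conf
+auth_request /auth;
+auth_request_set $target_url $scheme://$http_host$request_uri;
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+error_page 401 =302 https://auth.aly.pet/?rd=$target_url;
+
+# /etc/nginx/snippets/ssl.conf
+# OCSP stapling
+ssl_stapling on;
+ssl_stapling_verify on;
+
+add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload" always;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+ssl_prefer_server_ciphers off;
+
+resolver 1.1.1.1;
+
+ssl_session_timeout 1d;
+ssl_session_cache shared:MozSSL:10m; # about 40000 sessions
+ssl_session_tickets off;
+
+ssl_dhparam /etc/nginx/dhparam.pem;
+
+# /etc/nginx/snippets/ssl-home.conf
+ssl_certificate /etc/letsencrypt/live/home.example.com/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/home.example.com/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/home.example.com/fullchain.pem;
+include /etc/nginx/snippets/ssl.conf;
+```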
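Review bot: The home.conf server block declares `listen 443 ssl http2` but, unlike auth.conf (which includes ssl-examplecom.conf), includes no certificate snippet, and the `ssl-home.conf` snippet defined at the end of this file is never included anywhere — so that vhost has no `ssl_certificate` unless one is inherited from an http-level context outside this page. Adding `include /etc/nginx/snippets/ssl-home.conf;` next to the authloc.conf include in home.conf wires up the certificate, HSTS and TLS settings the snippet was written for. Separately, `location /` in home.conf includes authinc.conf but not proxy.conf, so unless set at the http level the upstream at 10.8.0.2 receives nginx's default `Host: 10.8.0.2` and none of the X-Forwarded-* headers; with `*.home.example.com` virtual hosts in front of it the backend cannot tell which service was requested, and `include /etc/nginx/snippets/proxy.conf;` alongside authinc.conf fixes that.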
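--- a/users-database.yml
+++ b/users-database.yml
@@ -0,0 +1,10 @@
+# authelia/config/users-database.yml
+# docker run -v ./config:/config authelia/authelia:latest authelia -c /config/configuration.yml hash-password PASSWORD
+users:
+admin:
+displayname: "Admin"
+password: "$argon2id$v=19$m=65536,t=3,p=4$uHJg6OCfd/OjwzwXu8SIbQ$BUeIp60Ay0mZOn1byhjYFwkdixsf4dWPqfx5C367B2o"
+email: admin@example.com
+groups:
+- admins
+- dev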
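Review bot: This file is created as `users-database.yml` (hyphen), but configuration.yml in the same revision points at `/config/users_database.yml` (underscore, `path: /config/users_database.yml # Make sure this file exists`), so Authelia will not find the user database until one side is renamed; align the filename and its header comment with the configured path. The documented hash command uses `docker run -v ./config:/config`, but plain `docker run -v` (unlike compose) rejects a relative host path in the versions I know — `-v "$(pwd)/config:/config"` avoids the "use absolute path" error. Finally, the committed `$argon2id$…` hash should only ever be the throwaway hash of the literal example `PASSWORD`: a password hash published in a gist can be attacked offline, so any real credential that was hashed here has to be treated as burned; a comment such as `# example hash of "PASSWORD" — replace before use` makes that explicit.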