# yamllint disable rule:comments-indentation
---
###############################################################################
#                           Authelia Configuration                            #
###############################################################################

## Note: the container by default expects to find this file at /config/configuration.yml.

## Certificates directory specifies where Authelia will load trusted certificates (public portion) from in addition to
## the system certificates store.
## They should be in base64 format, and have one of the following extensions: *.cer, *.crt, *.pem.
# certificates_directory: /config/certificates/

## The theme to display: light, dark, grey, auto.
theme: dark

## The secret used to generate JWT tokens when validating user identity by email confirmation. JWT Secret can also be
## set using a secret: https://www.authelia.com/docs/configuration/secrets.html
# jwt_secret: a_very_important_secret

## Default redirection URL
##
## If a user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end
## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use
## in such a case.
##
## Note: this parameter is optional. If not provided, the user won't be redirected upon successful authentication.
default_redirection_url: https://yourdomain.nl

##
## Server Configuration
##
server:

  ## The address to listen on.
  host: 0.0.0.0

  ## The port to listen on.
  port: 9091

  ## Set the single level path Authelia listens on.
  ## Must be alphanumeric chars and should not contain any slashes.
  path: "authelia"

  ## Set the path on disk to Authelia assets.
  ## Useful to allow overriding of specific static assets.
  # asset_path: /config/assets/

  ## Buffers usually should be configured to be the same value.
  ## Explanation at https://www.authelia.com/docs/configuration/server.html
  ## Read buffer size adjusts the server's max incoming request size in bytes.
  ## Write buffer size does the same for outgoing responses.
  read_buffer_size: 4096
  write_buffer_size: 4096

##
## Log Configuration
##
log:
  ## Level of verbosity for logs: info, debug, trace.
  level: debug

##
## TOTP Configuration
##
## Parameters used for TOTP generation.
totp:
  ## The issuer name displayed in the Authenticator application of your choice.
  issuer: name

  ## The TOTP algorithm to use.
  ## It is CRITICAL you read the documentation before changing this option:
  ## https://www.authelia.com/docs/configuration/one-time-password.html#algorithm
  algorithm: sha256

  ## The number of digits a user has to input. Must either be 6 or 8.
  ## Changing this option only affects newly generated TOTP configurations.
  ## It is CRITICAL you read the documentation before changing this option:
  ## https://www.authelia.com/docs/configuration/one-time-password.html#digits
  digits: 6

  ## The period in seconds a one-time password is valid for.
  ## Changing this option only affects newly generated TOTP configurations.
  period: 30

  ## The skew controls the number of one-time passwords either side of the current one that are valid.
  ## Warning: before changing skew read the docs link below.
  skew: 1
  ## See: https://www.authelia.com/docs/configuration/one-time-password.html#input-validation to read the documentation.

##
## NTP Configuration
##
## This is used to validate that the server's time is accurate enough to validate TOTP.
ntp:
  ## NTP server address.
  address: "time.cloudflare.com:123"

  ## NTP version.
  version: 4

  ## Maximum allowed time offset between the host and the NTP server.
  max_desync: 3s

  ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you
  ## set this to true, and can operate in a truly offline mode.
  disable_startup_check: false

  ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with
  ## the NTP server by more than the configured max_desync. If you set this to true, an error will be logged but startup
  ## will continue regardless of results.
  disable_failure: false

##
## Authentication Backend Provider Configuration
##
## Used for verifying user passwords and retrieving information such as email address and groups users belong to.
##
## The available providers are: `file`, `ldap`. You must use only one of these providers.
authentication_backend:
  ## Disable both the HTML element and the API for reset password functionality.
  disable_reset_password: false

  ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
  ## To disable this feature set it to 'disable'; this will slightly reduce security because, for Authelia, users will
  ## always belong to the groups they belonged to at the time of login even if they have since been removed from them
  ## in LDAP. To force an update on every request you can set this to '0' or 'always'; this will increase processor
  ## demand. See the documentation below for more information.
  ## Duration Notation docs: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
  ## Refresh Interval docs: https://www.authelia.com/docs/configuration/authentication/ldap.html#refresh-interval
  refresh_interval: 5m

  ##
  ## File (Authentication Provider)
  ##
  ## With this backend, the users database is stored in a file which is updated when users reset their passwords.
  ## Therefore, this backend is meant to be used in a dev environment and not in production, since it prevents Authelia
  ## from being scaled to more than one instance. The options under 'password' have sane defaults, and as they have
  ## security implications it is highly recommended you leave the default values. Before considering changing these
  ## settings please read the docs page below:
  ## https://www.authelia.com/docs/configuration/authentication/file.html#password-hash-algorithm-tuning
  ##
  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
  ##
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      salt_length: 16
      parallelism: 8
      memory: 1024

##
## Access Control Configuration
##
## Access control is a list of rules defining the authorizations applied for one resource to users or groups of users.
##
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
## to anyone. Otherwise restrictions follow the rules defined.
##
## Note: One can use the wildcard * to match any subdomain.
## It must stand at the beginning of the pattern. (example: *.mydomain.com)
##
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
##
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
##
## - 'domain' defines which domain or set of domains the rule applies to.
##
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matches any user if not
##   provided. If provided, the parameter represents either a user or a group. It should be of the form
##   'user:<username>' or 'group:<groupname>'.
##
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
##
## - 'resources' is a list of regular expressions that match a set of resources to apply the policy to. This parameter
##   is optional and matches any resource if not provided.
##
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
  ## resource if there is no policy to be applied to the user.
  default_policy: deny
  rules:
    - domain: subdomain.yourdomain.nl
      ## No networks are listed, so this bypass is not limited to any source address range.
      networks:
      policy: bypass
    - domain:
        - "*.yourdomain.nl"
      policy: two_factor

##
## Session Provider Configuration
##
## The session cookies identify the user once logged in.
## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
session:
  ## The name of the session cookie.
  name: authelia_session

  ## The domain to protect.
  ## Note: the authenticator must also be in that domain.
  ## If empty, the cookie is restricted to the subdomain of the issuer.
  domain: homesloth.nl

  ## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
  ## Please read https://www.authelia.com/docs/configuration/session/#same_site
  same_site: lax

  ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
  ## Secret can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
  # secret: insecure_session_secret

  ## The values for expiration, inactivity, and remember_me_duration are in seconds or the duration notation format.
  ## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
  ## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
  ## because a stolen cookie will last longer, giving attackers more time to spy or attack.

  ## The time before the cookie expires and the session is destroyed if remember me IS NOT selected.
  expiration: 1h

  ## The inactivity time before the session is reset. If expiration is set to 1h, and this is set to 5m, then if the
  ## user does not select the remember me option their session will get destroyed after 1h, or after 5m since the last
  ## time Authelia detected user activity.
  inactivity: 5m

  ## The time before the cookie expires and the session is destroyed if remember me IS selected.
  ## Value of 0 disables remember me.
  remember_me_duration: 1M

##
## Regulation Configuration
##
## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made
## in a short period of time.
regulation:
  ## The number of failed login attempts before the user is banned. Set it to 0 to disable regulation.
  max_retries: 3

  ## The time range during which the user can attempt login before being banned. The user is banned if the
  ## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation.
  ## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
  find_time: 2m

  ## The length of time before a banned user can login again. Ban Time accepts duration notation.
  ## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
  ban_time: 5m

##
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
  ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
  ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it.
  encryption_key: myverysecretencryptionkey

  ##
  ## MySQL / MariaDB (Storage Provider)
  ##
  mysql:
    host: autheliadb
    port: 3306
    database: authelia
    username: dbuser
    ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
    # password: mypassword
    timeout: 5s

##
## Notification Provider
##
## Notifications are sent to users when they require a password reset, a U2F registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use only one of these providers.
notifier:
  ## You can disable the notifier startup check by setting this to true.
  disable_startup_check: false

  ##
  ## SMTP (Notification Provider)
  ##
  ## Use an SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
  ## [Security] By default Authelia will:
  ##   - force all SMTP connections over TLS including unauthenticated connections
  ##     - use the disable_require_tls boolean value to disable this requirement
  ##       (only works for unauthenticated connections)
  ##   - validate the SMTP server x509 certificate during the TLS handshake against the host's trusted certificates
  ##     (configure in tls section)
  smtp:
    ## The SMTP host to connect to.
    host: smtp.gmail.com

    ## The port to connect to the SMTP host on.
    port: 587

    ## The connection timeout.
    timeout: 5s

    ## The username used for SMTP authentication.
    username: youremail@gmail.com

    ## The password used for SMTP authentication.
    ## Can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
    # password: password

    ## The sender is used for the MAIL FROM command and the FROM header.
    ## If this is not defined and the username is an email, we use the username as this value. This can either be just
    ## an email address or the RFC5322 'Name <email address>' format.
    sender: "Authelia <youremail@gmail.com>"

    ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
    identifier: localhost

    ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
    subject: "[Authelia] {title}"

    ## This address is used during the startup check to verify the email configuration is correct.
    ## It's not important what it is, except when your email server only allows local delivery.
    startup_check_address: test@authelia.com

    ## By default we require some form of TLS. This disables that check, though it is not advised.
    disable_require_tls: false

    ## Disables sending HTML formatted emails.
    disable_html_emails: false

    tls:
      ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
      server_name: smtp.gmail.com

      ## Skip verifying the server certificate (to allow a self-signed certificate).
      ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
      ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
      skip_verify: false

      ## Minimum TLS version for either StartTLS or SMTPS.
      minimum_version: TLS1.2
  337.  
  338.  
  339.  