diff --git a/docs/drafts/timeweb-migration-log.md b/docs/drafts/timeweb-migration-log.md index fb5baae..1ac3f99 100644 --- a/docs/drafts/timeweb-migration-log.md +++ b/docs/drafts/timeweb-migration-log.md 
@@ -8,6 +8,245 @@ --- +## Шаг 13 — приложения подняты на target, cutover завершён (2026-05-23, выполнено) + +После rsync'а (Шаг 12) — финальный прогон ансибла без `--skip-tags`, +поэтапно по приложениям. К ~16:30 DNS уже указывал на target (Шаг +переключения 15:45 + TTL 20 мин, пропагация подтверждена в 16:20), +так что Caddy при старте сразу пошёл за LE-сертификатами без задержек. + +Прогоны делал поштучно через `inv pl -- ` (после Шага +переключения `HOSTS_FILE = "timeweb.yml"` в `tasks.py`), не всем +сразу — чтобы видеть каждый плейбук чисто. + +### Что подтверждено работающим в браузере + +- `vakhrushev.me` — homepage отдаёт страницу. +- `auth.vakhrushev.me` — Authelia, логин работает. +- `matrix.vakhrushev.me` — Tuwunel поднялся, Element подключается. +- `git.vakhrushev.me` — Gitea, репозитории и issue tracker на месте. +- `outline.vakhrushev.me` — документы видны. +- `gramps.vakhrushev.me` — генеалогическое дерево открывается. +- `wakapi.vakhrushev.me` — статистика времени видна. +- `status.vakhrushev.me` — Netdata собирает и рисует метрики. + +Точечно зашёл в outline / gramps / wakapi / gitea — данные на месте, +ничего не потерялось при rsync'е. + +### Отложенные на «потом по ходу дела» проверки + +- `miniflux`, `memos`, `remembos`, `wanderer`, `calibre`, `rssbridge`, + `dozzle`, `goaccess` — открыть и убедиться, что отдают свои данные. +- **SMTP-test** — reset-password из gitea/authelia. Проверит, что + Postbox после разблокировки в панели Timeweb принимает наши письма. +- **Backup-cron в 1:00** — самый поздний smoke-тест системы. Покажет, + что `backup-all.py` отработал на target, restic пишет в S3 с новым + `host_name`, apprise шлёт уведомление. +- `docker pull cr.yandex/...` руками — повторная проверка + OAuth-аутентификации. + +### Отклонения от плана сегодня + +1. **VPS пересоздан в СПб** (Шаг 8) — первая выдача попала на + гипервизор с битой сетью. +2. **Docker Hub rate limit** на pull'е netdata — anonymous лимит + подсети Timeweb уже выбран соседями. 
Лечится ручным + `sudo docker login` на target (через free-аккаунт + PAT). + **Backlog:** добавить `community.docker.docker_login` для + `docker.io` в `playbook-docker.yml`, по аналогии с cr.yandex (Шаг + 3). Креды в vault как `dockerhub_username` / `dockerhub_token`. +3. **Postbox SMTP не доступен извне YC** — оказалось, что в плане + (`timeweb.md:81`) предпосылка «Postbox доступен извне YC по тем же + credentials» неверна. Yandex Cloud Postbox дропает SMTP от не-YC + источников; 443 при этом отвечает. Дополнительно Timeweb по + умолчанию **сам** блокирует egress SMTP (25/465/587) — toggle в + панели Timeweb снимает блок, после чего Postbox отвечает баннером. + Authelia в exit-loop'е поднялась после рестарта. Запись в auto- + memory `project_timeweb_smtp_block.md` — пригодится при следующих + миграциях. +4. **Bug ordering в `playbook-goaccess.yml`** (см. Шаг 9, фикс + зашит) — латентный bug, проявившийся только на чистой машине. + +### Что осталось до полной заморозки + +По плану (`timeweb.md:464-473`): + +- **≥ 24 часа** держим источник в выключенном состоянии (docker уже + остановлен, daemon отключён через `disable`), как горячее запасное. +- Если за сутки ничего не всплыло — выключить VM в YC. +- Подождать ещё неделю-две — на всякий случай. +- Удалить VM и связанные compute-ресурсы. **S3-бакет с + restic-бэкапами и Container Registry — оставляем**, они продолжают + использоваться. +- Удалить `production.yml`, переименовать `timeweb.yml` → + `production.yml`, откатить `HOSTS_FILE = "production.yml"` в + `tasks.py`. Закоммитить. + +--- + +## Шаг 12 — rsync данных с источника на target (2026-05-23, выполнено) + +Перенос `/mnt/applications/` на YC → `/srv/applications/` на Timeweb +после заморозки источника (Шаг 11). Это финальный канал переноса +данных — основной для всех приложений, единственный для `caddyproxy`, +`remembos`, `transcriber` (у которых нет backup-механизма, см. Шаг 7b). 
+ +### Пилотный прогон на remembos + +Прежде чем гнать всё дерево, проверил рецепт на самом маленьком +приложении (~35 КБ всего): + +```bash +sudo -E rsync -aAX --info=progress2 --delete --rsync-path="sudo rsync" \ + -e "ssh -o StrictHostKeyChecking=accept-new" \ + major@158.160.46.255:/mnt/applications/remembos/ \ + /srv/applications/remembos/ +``` + +Проверка после прогона: + +``` +$ sudo ls -la /srv/applications/remembos/ +drwxr-x--- 4 remembos remembos 4096 Apr 30 13:22 . +drwxr-x--- 2 remembos remembos 4096 Feb 12 17:22 config +drwxr-x--- 2 remembos remembos 4096 May 23 12:41 data +-rw-r----- 1 remembos remembos 494 Apr 30 13:22 docker-compose.yml +``` + +Owner отрисован именами (`remembos:remembos`, не numeric `1103:1103`) +— значит на обеих сторонах ансибл создал юзера с одним и тем же uid, +mapping сошёлся. Mode (750) и mtime сохранены. + +### Засада с agent-forwarding'ом под sudo + +Первая попытка упала с `Permission denied (publickey)`. Причина: +rsync запускается через `sudo` на target, а sudo по дефолту чистит +`SSH_AUTH_SOCK` из env (`Defaults env_reset` в /etc/sudoers) — ssh +внутри sudo не видит проброшенный agent, пытается парольную +аутентификацию, проваливается. + +Лечится разрешением sudo проносить именно эту переменную: + +```bash +echo 'Defaults env_keep += "SSH_AUTH_SOCK"' | sudo tee -a /etc/sudoers.d/major +sudo visudo -cf /etc/sudoers.d/major +``` + +Безопасно: сокет агента принадлежит `major`, root к нему имеет доступ +по определению; мы просто говорим sudo не вычищать переменную с путём +к нему. После этого `sudo -E rsync …` отрабатывает. 
+ +### Полный прогон по всем приложениям + +```bash +sudo -E rsync -aAX --info=progress2 --delete --exclude='lost+found' \ + --rsync-path="sudo rsync" \ + -e "ssh -o StrictHostKeyChecking=accept-new" \ + major@158.160.46.255:/mnt/applications/ \ + /srv/applications/ +``` + +### Что делает каждый флаг + +- **`sudo -E`** — локальный rsync на target запускается под root + (нужно, чтобы писать файлы с любым owner'ом / mode); `-E` сохраняет + env, в первую очередь `SSH_AUTH_SOCK` для agent forwarding. +- **`-a`** (`--archive`) — собирательный флаг `-rlptgoD`: recursive + + symlinks как symlinks + permissions + times + group + owner + + special files. Базовое «копировать всё как есть». +- **`-A`** — сохранить POSIX ACL. +- **`-X`** — сохранить extended attributes (xattrs), включая + security-атрибуты типа capabilities или SELinux-меток. +- **`--info=progress2`** — совокупный прогресс по всему transfer'у, + а не per-file (для больших деревьев читабельнее). +- **`--delete`** — стереть на target всё, чего нет на источнике. + Безопасно в нашем случае: после rsync'а прогоняем ансибл, он + перерендерит конфиги и пересоздаст любые отсутствующие структурные + каталоги. Стирается, по сути, только содержимое, отрендеренное + плейбуком на Шаге 9 без `run-app`. +- **`--exclude='lost+found'`** — на YC `/mnt/applications/` это mount + point внешнего диска, в его корне может лежать системный + `lost+found`. Нам он не нужен и на target такого монтирования + больше нет (`mount_external_storage: false`). +- **`--rsync-path="sudo rsync"`** — критично: на удалённой стороне + (источнике) rsync запускается через sudo. Иначе он стартует под + `major`, у которого нет прав читать чужие `/mnt/applications//` + (mode 750, owner — приложение). У `major` на источнике NOPASSWD + sudo, так что sudo прокатывает молча. +- **`-e "ssh -o StrictHostKeyChecking=accept-new"`** — кастомная + команда транспорта. 
По умолчанию rsync запускает чистый `ssh`; мы + добавляем флаг для автопринятия host key источника (на target + `known_hosts` ещё пустой). +- **`major@158.160.46.255:/mnt/applications/`** — источник. Trailing + slash важен: «копировать содержимое каталога», а не сам каталог. + Без слэша получили бы `/srv/applications/applications/...`. +- **`/srv/applications/`** — назначение. Trailing slash для + симметрии — содержимое кладётся в существующий каталог, + созданный ансиблом на Шаге 9. + +### Результат + +``` +22,613,081,829 99% 7.11MB/s 0:50:34 (xfr#21837, to-chk=0/31024) +``` + +- Объём — ~22.6 ГБ, файлов — 31 024. +- Длительность — 50 минут 34 секунды, средняя скорость ~7 МБ/с + (предсказуемо для YC↔Timeweb). +- `du -s` после прогона: источник 22 088 224 КБ, target 22 164 172 КБ + — разница ~76 МБ (0.34%). Это не рассинхрон данных, а разница в + аллокации блоков ФС и метаданных между источником и target (разные + inode-таблицы, journal, group descriptors). Содержимое файлов + совпадает — rsync'у на это указали checksum'ы, errors не было. + +Окно даунтайма с момента стопа docker'а (Шаг 11) до конца rsync'а — +около часа. С учётом параллельно запущенного DNS-переключения +(Шаг между 11 и 12, 15:45) к моменту запуска приложений на target +пропагация уже прошла (16:20). + +--- + +## Шаг 11 — источник заморожен (docker + cron остановлены) (2026-05-23, выполнено) + +Сразу после финального бэкапа (Шаг 10) — отключил docker и cron на +источнике, чтобы зафиксировать состояние данных перед rsync'ом и +исключить случайные записи в `/mnt/applications/` во время переноса. + +```bash +sudo systemctl stop docker.service docker.socket +sudo systemctl disable docker.service docker.socket +sudo systemctl stop cron +``` + +`disable` — страховка от автостарта docker'а при возможной +перезагрузке источника (если вернёмся для отката или проверки). +`cron stop` — чтобы ночной `backup-all.py` не запустился впустую без +работающего daemon'а. 
+ +С этого момента источник «мёртв» для пользователей — окно даунтайма +открыто. Следующий шаг — переключить DNS и параллельно гнать rsync. + +--- + +## Шаг 10 — финальный бэкап на источнике (2026-05-23, выполнено) + +Прогнал `backup-all.py` на источнике, пока docker ещё жив (он нужен +для `pg_dump` и других in-container backup-команд внутри +`backup.sh`-скриптов отдельных приложений). + +```bash +sudo /usr/local/sbin/backup-all.py 2>&1 | tee /tmp/final-backup.log +``` + +Свежий restic-снапшот в `yandex_cloud_s3` зафиксирован — страховочный +канал на случай, если rsync пойдёт криво (для приложений с +`backup.sh` можно будет восстановить из S3; для `caddyproxy`, +`remembos`, `transcriber` страховки нет, для них только rsync). + +После прогона можно гасить docker без риска потерять backup-окно. + +--- + ## Шаг 9 — раскатана база и приложения без запуска (2026-05-23, выполнено) На свежей Timeweb-машине прогнаны два плейбука без даунтайма источника diff --git a/files/authelia/configuration.template.yml b/files/authelia/configuration.template.yml index f9ed018..be9da45 100644 --- a/files/authelia/configuration.template.yml +++ b/files/authelia/configuration.template.yml 
@@ -51,46 +51,46 @@ server: ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour. # tls: - ## The path to the DER base64/PEM format private key. - # key: '' + ## The path to the DER base64/PEM format private key. + # key: '' - ## The path to the DER base64/PEM format public certificate. - # certificate: '' + ## The path to the DER base64/PEM format public certificate. + # certificate: '' - ## The list of certificates for client authentication. - # client_certificates: [] + ## The list of certificates for client authentication. + # client_certificates: [] ## Server headers configuration/customization. # headers: - ## The CSP Template. Read the docs. - # csp_template: '' + ## The CSP Template. Read the docs. + # csp_template: '' ## Server Buffers configuration. # buffers: - ## Buffers usually should be configured to be the same value. - ## Explanation at https://www.authelia.com/c/server#buffer-sizes - ## Read buffer size adjusts the server's max incoming request size in bytes. - ## Write buffer size does the same for outgoing responses. + ## Buffers usually should be configured to be the same value. + ## Explanation at https://www.authelia.com/c/server#buffer-sizes + ## Read buffer size adjusts the server's max incoming request size in bytes. + ## Write buffer size does the same for outgoing responses. - ## Read buffer. - # read: 4096 + ## Read buffer. + # read: 4096 - ## Write buffer. - # write: 4096 + ## Write buffer. + # write: 4096 ## Server Timeouts configuration. # timeouts: - ## Read timeout in the duration common syntax. - # read: '6 seconds' + ## Read timeout in the duration common syntax. + # read: '6 seconds' - ## Write timeout in the duration common syntax. - # write: '6 seconds' + ## Write timeout in the duration common syntax. + # write: '6 seconds' - ## Idle timeout in the duration common syntax. - # idle: '30 seconds' + ## Idle timeout in the duration common syntax. 
+ # idle: '30 seconds' ## Server Endpoints configuration. ## This section is considered advanced and it SHOULD NOT be configured unless you've read the relevant documentation. @@ -104,27 +104,27 @@ server: ## Configure the authz endpoints. authz: forward-auth: - implementation: 'ForwardAuth' + implementation: "ForwardAuth" # authn_strategies: [] # ext-authz: - # implementation: 'ExtAuthz' - # authn_strategies: [] + # implementation: 'ExtAuthz' + # authn_strategies: [] # auth-request: - # implementation: 'AuthRequest' - # authn_strategies: [] + # implementation: 'AuthRequest' + # authn_strategies: [] # legacy: - # implementation: 'Legacy' - # authn_strategies: [] + # implementation: 'Legacy' + # authn_strategies: [] ## ## Log Configuration ## log: ## Level of verbosity for logs: info, debug, trace. - level: 'debug' + level: "debug" ## Format the logs are written as: json, text. - format: 'json' + format: "json" ## File path where the logs will be written. If not set logs are written to stdout. # file_path: '/config/authelia.log' @@ -136,7 +136,6 @@ log: ## Telemetry Configuration ## telemetry: - ## ## Metrics Configuration ## 
@@ -151,156 +150,156 @@ telemetry: ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', 'unix', or 'fd'. ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '9959'. ## If the path is not specified it defaults to `/metrics`. - address: 'tcp://:9959/metrics' + address: "tcp://:9959/metrics" ## Metrics Server Buffers configuration. # buffers: - ## Read buffer. - # read: 4096 + ## Read buffer. + # read: 4096 - ## Write buffer. - # write: 4096 + ## Write buffer. + # write: 4096 ## Metrics Server Timeouts configuration. # timeouts: - ## Read timeout in the duration common syntax. - # read: '6 seconds' + ## Read timeout in the duration common syntax. + # read: '6 seconds' - ## Write timeout in the duration common syntax. - # write: '6 seconds' + ## Write timeout in the duration common syntax. + # write: '6 seconds' - ## Idle timeout in the duration common syntax. - # idle: '30 seconds' + ## Idle timeout in the duration common syntax. + # idle: '30 seconds' ## ## TOTP Configuration ## ## Parameters used for TOTP generation. # totp: - ## Disable TOTP. - # disable: false +## Disable TOTP. +# disable: false - ## The issuer name displayed in the Authenticator application of your choice. - # issuer: 'authelia.com' +## The issuer name displayed in the Authenticator application of your choice. +# issuer: 'authelia.com' - ## The TOTP algorithm to use. - ## It is CRITICAL you read the documentation before changing this option: - ## https://www.authelia.com/c/totp#algorithm - # algorithm: 'SHA1' +## The TOTP algorithm to use. +## It is CRITICAL you read the documentation before changing this option: +## https://www.authelia.com/c/totp#algorithm +# algorithm: 'SHA1' - ## The number of digits a user has to input. Must either be 6 or 8. - ## Changing this option only affects newly generated TOTP configurations. 
- ## It is CRITICAL you read the documentation before changing this option: - ## https://www.authelia.com/c/totp#digits - # digits: 6 +## The number of digits a user has to input. Must either be 6 or 8. +## Changing this option only affects newly generated TOTP configurations. +## It is CRITICAL you read the documentation before changing this option: +## https://www.authelia.com/c/totp#digits +# digits: 6 - ## The period in seconds a Time-based One-Time Password is valid for. - ## Changing this option only affects newly generated TOTP configurations. - # period: 30 +## The period in seconds a Time-based One-Time Password is valid for. +## Changing this option only affects newly generated TOTP configurations. +# period: 30 - ## The skew controls number of Time-based One-Time Passwords either side of the current one that are valid. - ## Warning: before changing skew read the docs link below. - # skew: 1 - ## See: https://www.authelia.com/c/totp#input-validation to read - ## the documentation. +## The skew controls number of Time-based One-Time Passwords either side of the current one that are valid. +## Warning: before changing skew read the docs link below. +# skew: 1 +## See: https://www.authelia.com/c/totp#input-validation to read +## the documentation. - ## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20. - # secret_size: 32 +## The size of the generated shared secrets. Default is 32 and is sufficient in most use cases, minimum is 20. +# secret_size: 32 - ## The allowed algorithms for a user to pick from. - # allowed_algorithms: - # - 'SHA1' +## The allowed algorithms for a user to pick from. +# allowed_algorithms: +# - 'SHA1' - ## The allowed digits for a user to pick from. - # allowed_digits: - # - 6 +## The allowed digits for a user to pick from. +# allowed_digits: +# - 6 - ## The allowed periods for a user to pick from. - # allowed_periods: - # - 30 +## The allowed periods for a user to pick from. 
+# allowed_periods: +# - 30 - ## Disable the reuse security policy which prevents replays of one-time password code values. - # disable_reuse_security_policy: false +## Disable the reuse security policy which prevents replays of one-time password code values. +# disable_reuse_security_policy: false ## ## WebAuthn Configuration ## ## Parameters used for WebAuthn. # webauthn: - ## Disable WebAuthn. - # disable: false +## Disable WebAuthn. +# disable: false - ## Enables logins via a Passkey. - # enable_passkey_login: false +## Enables logins via a Passkey. +# enable_passkey_login: false - ## The display name the browser should show the user for when using WebAuthn to login/register. - # display_name: 'Authelia' +## The display name the browser should show the user for when using WebAuthn to login/register. +# display_name: 'Authelia' - ## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device. - ## Options are none, indirect, direct. - # attestation_conveyance_preference: 'indirect' +## Conveyance preference controls if we collect the attestation statement including the AAGUID from the device. +## Options are none, indirect, direct. +# attestation_conveyance_preference: 'indirect' - ## The interaction timeout for WebAuthn dialogues in the duration common syntax. - # timeout: '60 seconds' +## The interaction timeout for WebAuthn dialogues in the duration common syntax. +# timeout: '60 seconds' - ## Authenticator Filtering. - # filtering: - ## Prohibits registering Authenticators that claim they can export their credentials in some way. - # prohibit_backup_eligibility: false +## Authenticator Filtering. +# filtering: +## Prohibits registering Authenticators that claim they can export their credentials in some way. +# prohibit_backup_eligibility: false - ## Permitted AAGUID's. If configured specifically only allows the listed AAGUID's. - # permitted_aaguids: [] +## Permitted AAGUID's. 
If configured specifically only allows the listed AAGUID's. +# permitted_aaguids: [] - ## Prohibited AAGUID's. If configured prohibits the use of specific AAGUID's. - # prohibited_aaguids: [] +## Prohibited AAGUID's. If configured prohibits the use of specific AAGUID's. +# prohibited_aaguids: [] - ## Selection Criteria controls the preferences for registration. - # selection_criteria: - ## The attachment preference. Either 'cross-platform' for dedicated authenticators, or 'platform' for embedded - ## authenticators. - # attachment: 'cross-platform' +## Selection Criteria controls the preferences for registration. +# selection_criteria: +## The attachment preference. Either 'cross-platform' for dedicated authenticators, or 'platform' for embedded +## authenticators. +# attachment: 'cross-platform' - ## The discoverability preference. Options are 'discouraged', 'preferred', and 'required'. - # discoverability: 'discouraged' +## The discoverability preference. Options are 'discouraged', 'preferred', and 'required'. +# discoverability: 'discouraged' - ## User verification controls if the user must make a gesture or action to confirm they are present. - ## Options are required, preferred, discouraged. - # user_verification: 'preferred' +## User verification controls if the user must make a gesture or action to confirm they are present. +## Options are required, preferred, discouraged. +# user_verification: 'preferred' - ## Metadata Service validation via MDS3. - # metadata: +## Metadata Service validation via MDS3. +# metadata: - ## Enable the metadata fetch behaviour. - # enabled: false +## Enable the metadata fetch behaviour. +# enabled: false - ## Enable Validation of the Trust Anchor. This generally should be enabled if you're using the metadata. It - ## ensures the attestation certificate presented by the authenticator is valid against the MDS3 certificate that - ## issued the attestation certificate. 
- # validate_trust_anchor: true +## Enable Validation of the Trust Anchor. This generally should be enabled if you're using the metadata. It +## ensures the attestation certificate presented by the authenticator is valid against the MDS3 certificate that +## issued the attestation certificate. +# validate_trust_anchor: true - ## Enable Validation of the Entry. This ensures that the MDS3 actually contains the metadata entry. If not enabled - ## attestation certificates which are not formally registered will be skipped. This may potentially exclude some - ## virtual authenticators. - # validate_entry: true +## Enable Validation of the Entry. This ensures that the MDS3 actually contains the metadata entry. If not enabled +## attestation certificates which are not formally registered will be skipped. This may potentially exclude some +## virtual authenticators. +# validate_entry: true - ## Enabling this allows attestation certificates with a zero AAGUID to pass validation. This is important if you do - ## use non-conformant authenticators like Apple ID. - # validate_entry_permit_zero_aaguid: false +## Enabling this allows attestation certificates with a zero AAGUID to pass validation. This is important if you do +## use non-conformant authenticators like Apple ID. +# validate_entry_permit_zero_aaguid: false - ## Enable Validation of the Authenticator Status. - # validate_status: true +## Enable Validation of the Authenticator Status. +# validate_status: true - ## List of statuses which are considered permitted when validating an authenticator's metadata. Generally it is - ## recommended that this is not configured as any other status the authenticator's metadata has will result in an - ## error. This option is ineffectual if validate_status is false. - # validate_status_permitted: ~ +## List of statuses which are considered permitted when validating an authenticator's metadata. 
Generally it is +## recommended that this is not configured as any other status the authenticator's metadata has will result in an +## error. This option is ineffectual if validate_status is false. +# validate_status_permitted: ~ - ## List of statuses that should be prohibited when validating an authenticator's metadata. Generally it is - ## recommended that this is not configured as there are safe defaults. This option is ineffectual if validate_status - ## is false, or validate_status_permitted has values. - # validate_status_prohibited: ~ +## List of statuses that should be prohibited when validating an authenticator's metadata. Generally it is +## recommended that this is not configured as there are safe defaults. This option is ineffectual if validate_status +## is false, or validate_status_permitted has values. +# validate_status_prohibited: ~ ## ## Duo Push API Configuration @@ -308,19 +307,18 @@ telemetry: ## Parameters used to contact the Duo API. Those are generated when you protect an application of type ## "Partner Auth API" in the management panel. # duo_api: - # disable: false - # hostname: 'api-123456789.example.com' - # integration_key: 'ABCDEF' - ## Secret can also be set using a secret: https://www.authelia.com/c/secrets - # secret_key: 'secret' - # enable_self_enrollment: false +# disable: false +# hostname: 'api-123456789.example.com' +# integration_key: 'ABCDEF' +## Secret can also be set using a secret: https://www.authelia.com/c/secrets +# secret_key: 'secret' +# enable_self_enrollment: false ## ## Identity Validation Configuration ## ## This configuration tunes the identity validation flows. identity_validation: - ## Reset Password flow. Adjusts how the reset password flow operates. reset_password: ## Maximum allowed time before the JWT is generated and when the user uses it in the duration common syntax. 
@@ -330,53 +328,53 @@ identity_validation: # jwt_algorithm: 'HS256' ## The secret key used to sign and verify the JWT. - jwt_secret: '{{ identity_validation__jwt_secret }}' + jwt_secret: "{{ identity_validation__jwt_secret }}" ## Elevated Session flows. Adjusts the flow which require elevated sessions for example managing credentials, adding, ## removing, etc. # elevated_session: - ## Maximum allowed lifetime after the One-Time Code is generated that it is considered valid. - # code_lifespan: '5 minutes' + ## Maximum allowed lifetime after the One-Time Code is generated that it is considered valid. + # code_lifespan: '5 minutes' - ## Maximum allowed lifetime after the user uses the One-Time Code and the user must perform the validation again in - ## the duration common syntax. - # elevation_lifespan: '10 minutes' + ## Maximum allowed lifetime after the user uses the One-Time Code and the user must perform the validation again in + ## the duration common syntax. + # elevation_lifespan: '10 minutes' - ## Number of characters the one-time password contains. - # characters: 8 + ## Number of characters the one-time password contains. + # characters: 8 - ## In addition to the One-Time Code requires the user performs a second factor authentication. - # require_second_factor: false + ## In addition to the One-Time Code requires the user performs a second factor authentication. + # require_second_factor: false - ## Skips the elevation requirement and entry of the One-Time Code if the user has performed second factor - ## authentication. - # skip_second_factor: false + ## Skips the elevation requirement and entry of the One-Time Code if the user has performed second factor + ## authentication. + # skip_second_factor: false ## ## NTP Configuration ## ## This is used to validate the servers time is accurate enough to validate TOTP. # ntp: - ## The address of the NTP server to connect to in the address common syntax. - ## Format: [://][:]. 
- ## Square brackets indicate optional portions of the format. Scheme must be 'udp', 'udp4', or 'udp6'. - ## The default scheme is 'udp'. The default port is '123'. - # address: 'udp://time.cloudflare.com:123' +## The address of the NTP server to connect to in the address common syntax. +## Format: [://][:]. +## Square brackets indicate optional portions of the format. Scheme must be 'udp', 'udp4', or 'udp6'. +## The default scheme is 'udp'. The default port is '123'. +# address: 'udp://time.cloudflare.com:123' - ## NTP version. - # version: 4 +## NTP version. +# version: 4 - ## Maximum allowed time offset between the host and the NTP server in the duration common syntax. - # max_desync: '3 seconds' +## Maximum allowed time offset between the host and the NTP server in the duration common syntax. +# max_desync: '3 seconds' - ## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you - ## set this to true, and can operate in a truly offline mode. - # disable_startup_check: false +## Disables the NTP check on startup entirely. This means Authelia will not contact a remote service at all if you +## set this to true, and can operate in a truly offline mode. +# disable_startup_check: false - ## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with - ## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup - ## will continue regardless of results. - # disable_failure: false +## The default of false will prevent startup only if we can contact the NTP server and the time is out of sync with +## the NTP server more than the configured max_desync. If you set this to true, an error will be logged but startup +## will continue regardless of results. +# disable_failure: false ## ## Definitions 
@@ -384,22 +382,22 @@ identity_validation: ## The definitions are used in other areas as reference points to reduce duplication. ## # definitions: - ## The user attribute definitions. - # user_attributes: - ## The name of the definition. - # definition_name: - ## The common expression language expression for this definition. - # expression: '' +## The user attribute definitions. +# user_attributes: +## The name of the definition. +# definition_name: +## The common expression language expression for this definition. +# expression: '' - ## The network definitions. - # network: - ## The name of the definition followed by the list of CIDR network addresses in this definition. - # internal: - # - '10.10.0.0/16' - # - '172.16.0.0/12' - # - '192.168.2.0/24' - # VPN: - # - '10.9.0.0/16' +## The network definitions. +# network: +## The name of the definition followed by the list of CIDR network addresses in this definition. +# internal: +# - '10.10.0.0/16' +# - '172.16.0.0/12' +# - '192.168.2.0/24' +# VPN: +# - '10.9.0.0/16' ## ## Authentication Backend Provider Configuration @@ -408,7 +406,6 @@ identity_validation: ## ## The available providers are: `file`, `ldap`. You must use only one of these providers. authentication_backend: - ## Password Change Options. password_change: ## Disable both the HTML element and the API for password change functionality. 
@@ -438,160 +435,160 @@ authentication_backend: ## because it allows Authelia to offload the stateful operations ## onto the LDAP service. # ldap: - ## The address of the directory server to connect to in the address common syntax. - ## Format: [://][:]. - ## Square brackets indicate optional portions of the format. Scheme must be 'ldap', 'ldaps', or 'ldapi`. - ## The default scheme is 'ldapi' if the address is an absolute path otherwise it's 'ldaps'. - ## The default port is '636', unless the scheme is 'ldap' in which case it's '389'. - # address: 'ldaps://127.0.0.1:636' + ## The address of the directory server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'ldap', 'ldaps', or 'ldapi`. + ## The default scheme is 'ldapi' if the address is an absolute path otherwise it's 'ldaps'. + ## The default port is '636', unless the scheme is 'ldap' in which case it's '389'. + # address: 'ldaps://127.0.0.1:636' - ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. - ## Acceptable options are as follows: - ## - 'activedirectory' - for Microsoft Active Directory. - ## - 'freeipa' - for FreeIPA. - ## - 'lldap' - for lldap. - ## - 'custom' - for custom specifications of attributes and filters. - ## This currently defaults to 'custom' to maintain existing behaviour. - ## - ## Depending on the option here certain other values in this section have a default value, notably all of the - ## attribute mappings have a default value that this config overrides, you can read more about these default values - ## at https://www.authelia.com/c/ldap#defaults - # implementation: 'custom' + ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password. + ## Acceptable options are as follows: + ## - 'activedirectory' - for Microsoft Active Directory. + ## - 'freeipa' - for FreeIPA. + ## - 'lldap' - for lldap. 
+ ## - 'custom' - for custom specifications of attributes and filters. + ## This currently defaults to 'custom' to maintain existing behaviour. + ## + ## Depending on the option here certain other values in this section have a default value, notably all of the + ## attribute mappings have a default value that this config overrides, you can read more about these default values + ## at https://www.authelia.com/c/ldap#defaults + # implementation: 'custom' - ## The dial timeout for LDAP in the duration common syntax. - # timeout: '20 seconds' + ## The dial timeout for LDAP in the duration common syntax. + # timeout: '20 seconds' - ## Use StartTLS with the LDAP connection. - # start_tls: false + ## Use StartTLS with the LDAP connection. + # start_tls: false - ## TLS configuration. - # tls: - ## The server subject name to check the servers certificate against during the validation process. - ## This option is not required if the certificate has a SAN which matches the address options hostname. - # server_name: 'ldap.example.com' + ## TLS configuration. + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'ldap.example.com' - ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the - ## certificate or the certificate of the authority signing the certificate to the certificates directory which is - ## defined by the `certificates_directory` option at the top of the configuration. - ## It's important to note the public key should be added to the directory, not the private key. - ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not - ## important to the administrator. - # skip_verify: false + ## Skip verifying the server certificate entirely. 
In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false - ## Minimum TLS version for the connection. - # minimum_version: 'TLS1.2' + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' - ## Maximum TLS version for the connection. - # maximum_version: 'TLS1.3' + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' - ## The certificate chain used with the private_key if the server requests TLS Client Authentication - ## i.e. Mutual TLS. - # certificate_chain: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- - ## The private key used with the certificate_chain if the server requests TLS Client Authentication - ## i.e. Mutual TLS. - # private_key: | - # -----BEGIN RSA PRIVATE KEY----- - # ... - # -----END RSA PRIVATE KEY----- + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- - ## Connection Pooling configuration. - # pooling: - ## Enable Pooling. - # enable: false + ## Connection Pooling configuration. 
+ # pooling: + ## Enable Pooling. + # enable: false - ## Pool count. - # count: 5 + ## Pool count. + # count: 5 - ## Retries to obtain a connection during the timeout. - # retries: 2 + ## Retries to obtain a connection during the timeout. + # retries: 2 - ## Timeout before the attempt to obtain a connection fails. - # timeout: '10 seconds' + ## Timeout before the attempt to obtain a connection fails. + # timeout: '10 seconds' - ## The distinguished name of the container searched for objects in the directory information tree. - ## See also: additional_users_dn, additional_groups_dn. - # base_dn: 'dc=example,dc=com' + ## The distinguished name of the container searched for objects in the directory information tree. + ## See also: additional_users_dn, additional_groups_dn. + # base_dn: 'dc=example,dc=com' - ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users. - ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users. - # additional_users_dn: 'ou=users' + ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users. + ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users. + # additional_users_dn: 'ou=users' - ## The users filter used in search queries to find the user profile based on input filled in login form. 
- ## Various placeholders are available in the user filter which you can read about in the documentation which can - ## be found at: https://www.authelia.com/c/ldap#users-filter-replacements - ## - ## Recommended settings are as follows: - ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) - ## - OpenLDAP: - ## - (&({username_attribute}={input})(objectClass=person)) - ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) - ## - ## To allow sign in both with username and email, one can use a filter like - ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) - # users_filter: '(&({username_attribute}={input})(objectClass=person))' + ## The users filter used in search queries to find the user profile based on input filled in login form. + ## Various placeholders are available in the user filter which you can read about in the documentation which can + ## be found at: https://www.authelia.com/c/ldap#users-filter-replacements + ## + ## Recommended settings are as follows: + ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user)) + ## - OpenLDAP: + ## - (&({username_attribute}={input})(objectClass=person)) + ## - (&({username_attribute}={input})(objectClass=inetOrgPerson)) + ## + ## To allow sign in both with username and email, one can use a filter like + ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person)) + # users_filter: '(&({username_attribute}={input})(objectClass=person))' - ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups. - ## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups. - # additional_groups_dn: 'ou=groups' + ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups. + ## i.e. 
with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups. + # additional_groups_dn: 'ou=groups' - ## The groups filter used in search queries to find the groups based on relevant authenticated user. - ## Various placeholders are available in the groups filter which you can read about in the documentation which can - ## be found at: https://www.authelia.com/c/ldap#groups-filter-replacements - ## - ## If your groups use the `groupOfUniqueNames` structure use this instead: - ## (&(uniqueMember={dn})(objectClass=groupOfUniqueNames)) - # groups_filter: '(&(member={dn})(objectClass=groupOfNames))' + ## The groups filter used in search queries to find the groups based on relevant authenticated user. + ## Various placeholders are available in the groups filter which you can read about in the documentation which can + ## be found at: https://www.authelia.com/c/ldap#groups-filter-replacements + ## + ## If your groups use the `groupOfUniqueNames` structure use this instead: + ## (&(uniqueMember={dn})(objectClass=groupOfUniqueNames)) + # groups_filter: '(&(member={dn})(objectClass=groupOfNames))' - ## The group search mode to use. Options are 'filter' or 'memberof'. It's essential to read the docs if you wish to - ## use 'memberof'. Also 'filter' is the best choice for most use cases. - # group_search_mode: 'filter' + ## The group search mode to use. Options are 'filter' or 'memberof'. It's essential to read the docs if you wish to + ## use 'memberof'. Also 'filter' is the best choice for most use cases. + # group_search_mode: 'filter' - ## Follow referrals returned by the server. - ## This is especially useful for environments where read-only servers exist. Only implemented for write operations. - # permit_referrals: false + ## Follow referrals returned by the server. + ## This is especially useful for environments where read-only servers exist. Only implemented for write operations. 
+ # permit_referrals: false - ## The username and password of the admin user. - # user: 'cn=admin,dc=example,dc=com' - ## Password can also be set using a secret: https://www.authelia.com/c/secrets - # password: 'password' + ## The username and password of the admin user. + # user: 'cn=admin,dc=example,dc=com' + ## Password can also be set using a secret: https://www.authelia.com/c/secrets + # password: 'password' - ## The attributes for users and objects from the directory server. - # attributes: + ## The attributes for users and objects from the directory server. + # attributes: - ## The distinguished name attribute if your directory server supports it. Users should read the docs before - ## configuring. Only used for the 'memberof' group search mode. - # distinguished_name: '' + ## The distinguished name attribute if your directory server supports it. Users should read the docs before + ## configuring. Only used for the 'memberof' group search mode. + # distinguished_name: '' - ## The attribute holding the username of the user. This attribute is used to populate the username in the session - ## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP - ## usually uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and - ## the configuration stored in database; therefore only single value attributes are allowed and the value must - ## never be changed once attributed to a user otherwise it would break the configuration for that user. - ## Technically non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead - ## advise to use a filter to perform alternative lookups and the attributes mentioned above - ## (sAMAccountName and uid) to follow https://datatracker.ietf.org/doc/html/rfc2307. - # username: 'uid' + ## The attribute holding the username of the user. 
This attribute is used to populate the username in the session + ## information. For your information, Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP + ## usually uses 'uid'. Beware that this attribute holds the unique identifiers for the users binding the user and + ## the configuration stored in database; therefore only single value attributes are allowed and the value must + ## never be changed once attributed to a user otherwise it would break the configuration for that user. + ## Technically non-unique attributes like 'mail' can also be used but we don't recommend using them, we instead + ## advise to use a filter to perform alternative lookups and the attributes mentioned above + ## (sAMAccountName and uid) to follow https://datatracker.ietf.org/doc/html/rfc2307. + # username: 'uid' - ## The attribute holding the display name of the user. This will be used to greet an authenticated user. - # display_name: 'displayName' + ## The attribute holding the display name of the user. This will be used to greet an authenticated user. + # display_name: 'displayName' - ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only - ## the first one returned by the directory server is used. - # mail: 'mail' + ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only + ## the first one returned by the directory server is used. + # mail: 'mail' - ## The attribute which provides distinguished names of groups an object is a member of. - ## Only used for the 'memberof' group search mode. - # member_of: 'memberOf' + ## The attribute which provides distinguished names of groups an object is a member of. + ## Only used for the 'memberof' group search mode. + # member_of: 'memberOf' - ## The attribute holding the name of the group. - # group_name: 'cn' + ## The attribute holding the name of the group. 
+ # group_name: 'cn' ## ## File (Authentication Provider) 
@@ -606,71 +603,71 @@ authentication_backend: ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness ## file: - path: '/config/users.yml' + path: "/config/users.yml" # watch: false # search: - # email: false - # case_insensitive: false + # email: false + # case_insensitive: false # password: - # algorithm: 'argon2' - # argon2: - # variant: 'argon2id' - # iterations: 3 - # memory: 65536 - # parallelism: 4 - # key_length: 32 - # salt_length: 16 - # scrypt: - # iterations: 16 - # block_size: 8 - # parallelism: 1 - # key_length: 32 - # salt_length: 16 - # pbkdf2: - # variant: 'sha512' - # iterations: 310000 - # salt_length: 16 - # sha2crypt: - # variant: 'sha512' - # iterations: 50000 - # salt_length: 16 - # bcrypt: - # variant: 'standard' - # cost: 12 + # algorithm: 'argon2' + # argon2: + # variant: 'argon2id' + # iterations: 3 + # memory: 65536 + # parallelism: 4 + # key_length: 32 + # salt_length: 16 + # scrypt: + # iterations: 16 + # block_size: 8 + # parallelism: 1 + # key_length: 32 + # salt_length: 16 + # pbkdf2: + # variant: 'sha512' + # iterations: 310000 + # salt_length: 16 + # sha2crypt: + # variant: 'sha512' + # iterations: 50000 + # salt_length: 16 + # bcrypt: + # variant: 'standard' + # cost: 12 ## ## Password Policy Configuration. ## # password_policy: - ## The standard policy allows you to tune individual settings manually. - # standard: - # enabled: false +## The standard policy allows you to tune individual settings manually. +# standard: +# enabled: false - ## Require a minimum length for passwords. - # min_length: 8 +## Require a minimum length for passwords. +# min_length: 8 - ## Require a maximum length for passwords. - # max_length: 0 +## Require a maximum length for passwords. +# max_length: 0 - ## Require uppercase characters. - # require_uppercase: true +## Require uppercase characters. +# require_uppercase: true - ## Require lowercase characters. - # require_lowercase: true +## Require lowercase characters. 
+# require_lowercase: true - ## Require numeric characters. - # require_number: true +## Require numeric characters. +# require_number: true - ## Require special characters. - # require_special: true +## Require special characters. +# require_special: true - ## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings. - # zxcvbn: - # enabled: false +## zxcvbn is a well known and used password strength algorithm. It does not have tunable settings. +# zxcvbn: +# enabled: false - ## Configures the minimum score allowed. - # min_score: 3 +## Configures the minimum score allowed. +# min_score: 3 ## ## Privacy Policy Configuration @@ -678,16 +675,16 @@ authentication_backend: ## Parameters used for displaying the privacy policy link and drawer. # privacy_policy: - ## Enables the display of the privacy policy using the policy_url. - # enabled: false +## Enables the display of the privacy policy using the policy_url. +# enabled: false - ## Enables the display of the privacy policy drawer which requires users accept the privacy policy - ## on a per-browser basis. - # require_user_acceptance: false +## Enables the display of the privacy policy drawer which requires users accept the privacy policy +## on a per-browser basis. +# require_user_acceptance: false - ## The URL of the privacy policy document. Must be an absolute URL and must have the 'https://' scheme. - ## If the privacy policy enabled option is true, this MUST be provided. - # policy_url: '' +## The URL of the privacy policy document. Must be an absolute URL and must have the 'https://' scheme. +## If the privacy policy enabled option is true, this MUST be provided. +# policy_url: '' ## ## Access Control Configuration 
@@ -719,33 +716,33 @@ authentication_backend: access_control: ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any ## resource if there is no policy to be applied to the user. - default_policy: 'deny' + default_policy: "deny" rules: ## Rules applied to everyone - - domain: 'status.vakhrushev.me' - subject: 'group:admins' - policy: 'two_factor' + - domain: "status.vakhrushev.me" + subject: "group:admins" + policy: "two_factor" - - domain: 'dozzle.vakhrushev.me' - subject: 'group:admins' - policy: 'two_factor' + - domain: "dozzle.vakhrushev.me" + subject: "group:admins" + policy: "two_factor" - - domain: 'goaccess.vakhrushev.me' - subject: 'group:admins' - policy: 'two_factor' + - domain: "goaccess.vakhrushev.me" + subject: "group:admins" + policy: "two_factor" - - domain: 'wanderbase.vakhrushev.me' - subject: 'group:admins' - policy: 'two_factor' + - domain: "wanderbase.vakhrushev.me" + subject: "group:admins" + policy: "two_factor" - - domain: 'remembos.vakhrushev.me' - subject: 'group:admins' - policy: 'two_factor' + - domain: "remembos.vakhrushev.me" + subject: "group:admins" + policy: "two_factor" - - domain: 'rssbridge.vakhrushev.me' - subject: 'group:admins' - policy: 'one_factor' + - domain: "rssbridge.vakhrushev.me" + subject: "group:admins" + policy: "one_factor" ## Domain Regex examples. Generally we recommend just using a standard domain. # - domain_regex: '^(?P\w+)\.example\.com$' @@ -753,8 +750,8 @@ access_control: # - domain_regex: '^(?P\w+)\.example\.com$' # policy: 'one_factor' # - domain_regex: - # - '^appgroup-.*\.example\.com$' - # - '^appgroup2-.*\.example\.com$' + # - '^appgroup-.*\.example\.com$' + # - '^appgroup2-.*\.example\.com$' # policy: 'one_factor' # - domain_regex: '^.*\.example\.com$' # policy: 'two_factor' 
@@ -763,14 +760,14 @@ access_control: # policy: 'one_factor' ## Network based rule, if not provided any network matches. # networks: - # - 'internal' - # - 'VPN' - # - '192.168.1.0/24' - # - '10.0.0.1' + # - 'internal' + # - 'VPN' + # - '192.168.1.0/24' + # - '10.0.0.1' # - domain: - # - 'secure.example.com' - # - 'private.example.com' + # - 'secure.example.com' + # - 'private.example.com' # policy: 'two_factor' # - domain: 'singlefactor.example.com' @@ -783,28 +780,28 @@ access_control: # - domain: '*.example.com' # subject: - # - 'group:admins' - # - 'group:moderators' + # - 'group:admins' + # - 'group:moderators' # policy: 'two_factor' ## Rules applied to 'dev' group # - domain: 'dev.example.com' # resources: - # - '^/groups/dev/.*$' + # - '^/groups/dev/.*$' # subject: 'group:dev' # policy: 'two_factor' ## Rules applied to user 'john' # - domain: 'dev.example.com' # resources: - # - '^/users/john/.*$' + # - '^/users/john/.*$' # subject: 'user:john' # policy: 'two_factor' ## Rules applied to user 'harry' # - domain: 'dev.example.com' # resources: - # - '^/users/harry/.*$' + # - '^/users/harry/.*$' # subject: 'user:harry' # policy: 'two_factor' @@ -826,18 +823,17 @@ access_control: session: ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel. ## Secret can also be set using a secret: https://www.authelia.com/c/secrets - secret: '{{ session__secret }}' + secret: "{{ session__secret }}" ## Cookies configures the list of allowed cookie domains for sessions to be created on. ## Undefined values will default to the values below. cookies: - - - ## The name of the session cookie. - name: 'authelia_session' + - ## The name of the session cookie. + name: "authelia_session" ## The domain to protect. ## Note: the Authelia portal must also be in that domain. - domain: 'vakhrushev.me' + domain: "vakhrushev.me" ## Required. The fully qualified URI of the portal to redirect users to on proxies that support redirections. ## Rules: 
@@ -845,7 +841,7 @@ session: ## - The above 'domain' option MUST either: ## - Match the host portion of this URI. ## - Match the suffix of the host portion when prefixed with '.'. - authelia_url: 'https://auth.vakhrushev.me' + authelia_url: "https://auth.vakhrushev.me" ## Optional. The fully qualified URI used as the redirection location if the portal is accessed directly. Not ## configuring this option disables the automatic redirection behaviour. @@ -904,7 +900,7 @@ session: ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness ## redis: - host: 'authelia_redis' + host: "authelia_redis" port: 6379 ## Use a unix socket instead # host: '/var/run/redis/redis.sock' 
@@ -932,67 +928,67 @@ session: ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s). # tls: - ## The server subject name to check the servers certificate against during the validation process. - ## This option is not required if the certificate has a SAN which matches the host option. - # server_name: 'myredis.example.com' + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the host option. + # server_name: 'myredis.example.com' - ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the - ## certificate or the certificate of the authority signing the certificate to the certificates directory which is - ## defined by the `certificates_directory` option at the top of the configuration. - ## It's important to note the public key should be added to the directory, not the private key. - ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not - ## important to the administrator. - # skip_verify: false + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false - ## Minimum TLS version for the connection. - # minimum_version: 'TLS1.2' + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' - ## Maximum TLS version for the connection. 
- # maximum_version: 'TLS1.3' + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' - ## The certificate chain used with the private_key if the server requests TLS Client Authentication - ## i.e. Mutual TLS. - # certificate_chain: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- - ## The private key used with the certificate_chain if the server requests TLS Client Authentication - ## i.e. Mutual TLS. - # private_key: | - # -----BEGIN RSA PRIVATE KEY----- - # ... - # -----END RSA PRIVATE KEY----- + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- ## The Redis HA configuration options. ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name). # high_availability: - ## Sentinel Name / Master Name. - # sentinel_name: 'mysentinel' + ## Sentinel Name / Master Name. + # sentinel_name: 'mysentinel' - ## Specific username for Redis Sentinel. The node username and password is configured above. - # sentinel_username: 'sentinel_specific_user' + ## Specific username for Redis Sentinel. The node username and password is configured above. + # sentinel_username: 'sentinel_specific_user' - ## Specific password for Redis Sentinel. The node username and password is configured above. - # sentinel_password: 'sentinel_specific_pass' + ## Specific password for Redis Sentinel. The node username and password is configured above. 
+ # sentinel_password: 'sentinel_specific_pass' - ## The additional nodes to pre-seed the redis provider with (for sentinel). - ## If the host in the above section is defined, it will be combined with this list to connect to sentinel. - ## For high availability to be used you must have either defined; the host above or at least one node below. - # nodes: - # - host: 'sentinel-node1' - # port: 6379 - # - host: 'sentinel-node2' - # port: 6379 + ## The additional nodes to pre-seed the redis provider with (for sentinel). + ## If the host in the above section is defined, it will be combined with this list to connect to sentinel. + ## For high availability to be used you must have either defined; the host above or at least one node below. + # nodes: + # - host: 'sentinel-node1' + # port: 6379 + # - host: 'sentinel-node2' + # port: 6379 - ## Choose the host with the lowest latency. - # route_by_latency: false + ## Choose the host with the lowest latency. + # route_by_latency: false - ## Choose the host randomly. - # route_randomly: false + ## Choose the host randomly. + # route_randomly: false ## ## Regulation Configuration 
@@ -1000,19 +996,19 @@ session: ## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made ## in a short period of time. # regulation: - ## Regulation Mode. - # modes: - # - 'user' +## Regulation Mode. +# modes: +# - 'user' - ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation. - # max_retries: 3 +## The number of failed login attempts before user is banned. Set it to 0 to disable regulation. +# max_retries: 3 - ## The time range during which the user can attempt login before being banned in the duration common syntax. The user - ## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window. - # find_time: '2 minutes' +## The time range during which the user can attempt login before being banned in the duration common syntax. The user +## is banned if the authentication failed 'max_retries' times in a 'find_time' seconds window. +# find_time: '2 minutes' - ## The length of time before a banned user can login again in the duration common syntax. - # ban_time: '5 minutes' +## The length of time before a banned user can login again in the duration common syntax. +# ban_time: '5 minutes' ## ## Storage Provider Configuration @@ -1022,7 +1018,7 @@ storage: ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it, you MUST use ## the CLI to change this in the database if you want to change it from a previously configured value. - encryption_key: '{{ storage__encryption_key }}' + encryption_key: "{{ storage__encryption_key }}" ## ## Local (Storage Provider) 
@@ -1034,154 +1030,154 @@ storage: ## local: ## Path to the SQLite3 Database. - path: '/data/authelia_storage.sqlite3' + path: "/data/authelia_storage.sqlite3" ## ## MySQL / MariaDB (Storage Provider) ## # mysql: - ## The address of the MySQL server to connect to in the address common syntax. - ## Format: [://][:]. - ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix`. - ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '3306'. - # address: 'tcp://127.0.0.1:3306' + ## The address of the MySQL server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix`. + ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '3306'. + # address: 'tcp://127.0.0.1:3306' - ## The database name to use. - # database: 'authelia' + ## The database name to use. + # database: 'authelia' - ## The username used for SQL authentication. - # username: 'authelia' + ## The username used for SQL authentication. + # username: 'authelia' - ## The password used for SQL authentication. - ## Can also be set using a secret: https://www.authelia.com/c/secrets - # password: 'mypassword' + ## The password used for SQL authentication. + ## Can also be set using a secret: https://www.authelia.com/c/secrets + # password: 'mypassword' - ## The connection timeout in the duration common syntax. - # timeout: '5 seconds' + ## The connection timeout in the duration common syntax. + # timeout: '5 seconds' - ## MySQL TLS settings. Configuring this requires TLS. - # tls: - ## The server subject name to check the servers certificate against during the validation process. - ## This option is not required if the certificate has a SAN which matches the address options hostname. 
- # server_name: 'mysql.example.com' + ## MySQL TLS settings. Configuring this requires TLS. + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'mysql.example.com' - ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the - ## certificate or the certificate of the authority signing the certificate to the certificates directory which is - ## defined by the `certificates_directory` option at the top of the configuration. - ## It's important to note the public key should be added to the directory, not the private key. - ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not - ## important to the administrator. - # skip_verify: false + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false - ## Minimum TLS version for the connection. - # minimum_version: 'TLS1.2' + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' - ## Maximum TLS version for the connection. - # maximum_version: 'TLS1.3' + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' - ## The certificate chain used with the private_key if the server requests TLS Client Authentication - ## i.e. Mutual TLS. 
- # certificate_chain: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- - ## The private key used with the certificate_chain if the server requests TLS Client Authentication - ## i.e. Mutual TLS. - # private_key: | - # -----BEGIN RSA PRIVATE KEY----- - # ... - # -----END RSA PRIVATE KEY----- + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- ## ## PostgreSQL (Storage Provider) ## # postgres: - ## The address of the PostgreSQL server to connect to in the address common syntax. - ## Format: [://][:]. - ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix`. - ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '5432'. - # address: 'tcp://127.0.0.1:5432' + ## The address of the PostgreSQL server to connect to in the address common syntax. + ## Format: [://][:]. + ## Square brackets indicate optional portions of the format. Scheme must be 'tcp', 'tcp4', 'tcp6', or 'unix`. + ## The default scheme is 'unix' if the address is an absolute path otherwise it's 'tcp'. The default port is '5432'. + # address: 'tcp://127.0.0.1:5432' - ## List of additional server instance configurations to fallback to when the primary instance is not available. - # servers: - # - - ## The Address of this individual instance. 
- # address: 'tcp://127.0.0.1:5432' + ## List of additional server instance configurations to fallback to when the primary instance is not available. + # servers: + # - + ## The Address of this individual instance. + # address: 'tcp://127.0.0.1:5432' - ## The TLS configuration for this individual instance. - # tls: - # server_name: 'postgres.example.com' - # skip_verify: false - # minimum_version: 'TLS1.2' - # maximum_version: 'TLS1.3' - # certificate_chain: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # private_key: | - # -----BEGIN RSA PRIVATE KEY----- - # ... - # -----END RSA PRIVATE KEY----- + ## The TLS configuration for this individual instance. + # tls: + # server_name: 'postgres.example.com' + # skip_verify: false + # minimum_version: 'TLS1.2' + # maximum_version: 'TLS1.3' + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- - ## The database name to use. - # database: 'authelia' + ## The database name to use. + # database: 'authelia' - ## The schema name to use. - # schema: 'public' + ## The schema name to use. + # schema: 'public' - ## The username used for SQL authentication. - # username: 'authelia' + ## The username used for SQL authentication. + # username: 'authelia' - ## The password used for SQL authentication. - ## Can also be set using a secret: https://www.authelia.com/c/secrets - # password: 'mypassword' + ## The password used for SQL authentication. + ## Can also be set using a secret: https://www.authelia.com/c/secrets + # password: 'mypassword' - ## The connection timeout in the duration common syntax. - # timeout: '5 seconds' + ## The connection timeout in the duration common syntax. + # timeout: '5 seconds' - ## PostgreSQL TLS settings. 
Configuring this requires TLS. - # tls: - ## The server subject name to check the servers certificate against during the validation process. - ## This option is not required if the certificate has a SAN which matches the address options hostname. - # server_name: 'postgres.example.com' + ## PostgreSQL TLS settings. Configuring this requires TLS. + # tls: + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'postgres.example.com' - ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the - ## certificate or the certificate of the authority signing the certificate to the certificates directory which is - ## defined by the `certificates_directory` option at the top of the configuration. - ## It's important to note the public key should be added to the directory, not the private key. - ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not - ## important to the administrator. - # skip_verify: false + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false - ## Minimum TLS version for the connection. - # minimum_version: 'TLS1.2' + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' - ## Maximum TLS version for the connection. 
- # maximum_version: 'TLS1.3' + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' - ## The certificate chain used with the private_key if the server requests TLS Client Authentication - ## i.e. Mutual TLS. - # certificate_chain: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- - ## The private key used with the certificate_chain if the server requests TLS Client Authentication - ## i.e. Mutual TLS. - # private_key: | - # -----BEGIN RSA PRIVATE KEY----- - # ... - # -----END RSA PRIVATE KEY----- + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- ## ## Notification Provider @@ -1198,7 +1194,7 @@ notifier: ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness ## # filesystem: - # filename: '/config/notification.txt' + # filename: '/config/notification.txt' ## ## SMTP (Notification Provider) 
@@ -1212,22 +1208,22 @@ notifier: ## (configure in tls section) smtp: ## The address of the SMTP server to connect to in the address common syntax. - address: 'smtp://{{ postbox_host }}:{{ postbox_port }}' + address: "smtp://{{ postbox_host }}:{{ postbox_port }}" ## The connection timeout in the duration common syntax. # timeout: '5 seconds' ## The username used for SMTP authentication. - username: '{{ postbox_user }}' + username: "{{ postbox_user }}" ## The password used for SMTP authentication. ## Can also be set using a secret: https://www.authelia.com/c/secrets - password: '{{ postbox_pass }}' + password: "{{ postbox_pass }}" ## The sender is used to is used for the MAIL FROM command and the FROM header. ## If this is not defined and the username is an email, we use the username as this value. This can either be just ## an email address or the RFC5322 'Name ' format. - sender: 'Authelia ' + sender: "Authelia " ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost. # identifier: 'localhost' @@ -1237,7 +1233,7 @@ notifier: ## This address is used during the startup check to verify the email configuration is correct. ## It's not important what it is except if your email server only allows local delivery. - startup_check_address: '{{ smtp__startup_check_address }}' + # startup_check_address: '{{ smtp__startup_check_address }}' ## By default we require some form of TLS. This disables this check though is not advised. # disable_require_tls: false 
@@ -1246,46 +1242,45 @@ notifier: # disable_html_emails: false # tls: - ## The server subject name to check the servers certificate against during the validation process. - ## This option is not required if the certificate has a SAN which matches the address options hostname. - # server_name: 'smtp.example.com' + ## The server subject name to check the servers certificate against during the validation process. + ## This option is not required if the certificate has a SAN which matches the address options hostname. + # server_name: 'smtp.example.com' - ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the - ## certificate or the certificate of the authority signing the certificate to the certificates directory which is - ## defined by the `certificates_directory` option at the top of the configuration. - ## It's important to note the public key should be added to the directory, not the private key. - ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not - ## important to the administrator. - # skip_verify: false + ## Skip verifying the server certificate entirely. In preference to setting this we strongly recommend you add the + ## certificate or the certificate of the authority signing the certificate to the certificates directory which is + ## defined by the `certificates_directory` option at the top of the configuration. + ## It's important to note the public key should be added to the directory, not the private key. + ## This option is strongly discouraged but may be useful in some self-signed situations where validation is not + ## important to the administrator. + # skip_verify: false - ## Minimum TLS version for the connection. - # minimum_version: 'TLS1.2' + ## Minimum TLS version for the connection. + # minimum_version: 'TLS1.2' - ## Maximum TLS version for the connection. 
- # maximum_version: 'TLS1.3' + ## Maximum TLS version for the connection. + # maximum_version: 'TLS1.3' - ## The certificate chain used with the private_key if the server requests TLS Client Authentication - ## i.e. Mutual TLS. - # certificate_chain: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- + ## The certificate chain used with the private_key if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- - ## The private key used with the certificate_chain if the server requests TLS Client Authentication - ## i.e. Mutual TLS. - # private_key: | - # -----BEGIN RSA PRIVATE KEY----- - # ... - # -----END RSA PRIVATE KEY----- + ## The private key used with the certificate_chain if the server requests TLS Client Authentication + ## i.e. Mutual TLS. + # private_key: | + # -----BEGIN RSA PRIVATE KEY----- + # ... + # -----END RSA PRIVATE KEY----- ## ## Identity Providers ## identity_providers: - ## ## OpenID Connect (Identity Provider) ## 
@@ -1294,13 +1289,12 @@ identity_providers: oidc: ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens). ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets - hmac_secret: '{{ oidc__hmac_secret }}' + hmac_secret: "{{ oidc__hmac_secret }}" ## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's ## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key. jwks: - - - ## Key ID embedded into the JWT header for key matching. + - ## Key ID embedded into the JWT header for key matching. ## Must be an alphanumeric string with 7 or less characters. ## This value is automatically generated if not provided. It's recommended to not configure this. # key_id: 'example' @@ -1318,12 +1312,12 @@ identity_providers: ## Optional matching certificate chain in PEM DER form that matches the key. All certificates within the chain ## must be valid and current, and from top to bottom each certificate must be signed by the subsequent one. # certificate_chain: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- ## Enables additional debug messages. # enable_client_debug_messages: false 
@@ -1352,91 +1346,87 @@ identity_providers: authorization_policies: outline_policy: rules: - - policy: 'one_factor' - subject: 'group:outline' + - policy: "one_factor" + subject: "group:outline" ## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this ## syntax the lifespans can be customized per-client. # lifespans: - ## Configures the default/fallback lifespan for given token types. This behaviour applies to all clients and all - ## grant types but you can override this behaviour using the custom lifespans. - # access_token: '1 hour' - # authorize_code: '1 minute' - # id_token: '1 hour' - # refresh_token: '90 minutes' + ## Configures the default/fallback lifespan for given token types. This behaviour applies to all clients and all + ## grant types but you can override this behaviour using the custom lifespans. + # access_token: '1 hour' + # authorize_code: '1 minute' + # id_token: '1 hour' + # refresh_token: '90 minutes' ## Cross-Origin Resource Sharing (CORS) settings. # cors: - ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on. - # endpoints: - # - 'authorization' - # - 'pushed-authorization-request' - # - 'token' - # - 'revocation' - # - 'introspection' - # - 'userinfo' + ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on. + # endpoints: + # - 'authorization' + # - 'pushed-authorization-request' + # - 'token' + # - 'revocation' + # - 'introspection' + # - 'userinfo' - ## List of allowed origins. - ## Any origin with https is permitted unless this option is configured or the - ## allowed_origins_from_client_redirect_uris option is enabled. - # allowed_origins: - # - 'https://example.com' + ## List of allowed origins. + ## Any origin with https is permitted unless this option is configured or the + ## allowed_origins_from_client_redirect_uris option is enabled. 
+ # allowed_origins: + # - 'https://example.com' - ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins, - ## provided they have the scheme http or https and do not have the hostname of localhost. - # allowed_origins_from_client_redirect_uris: false + ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins, + ## provided they have the scheme http or https and do not have the hostname of localhost. + # allowed_origins_from_client_redirect_uris: false ## Clients is a list of registered clients and their configuration. ## It's recommended you read the documentation before configuration of a registered client. ## See: https://www.authelia.com/c/oidc/registered-clients clients: - - - client_name: 'Miniflux' - client_id: '{{ oidc__miniflux__client_id }}' - client_secret: '{{ oidc__miniflux__client_secret }}' + - client_name: "Miniflux" + client_id: "{{ oidc__miniflux__client_id }}" + client_secret: "{{ oidc__miniflux__client_secret }}" redirect_uris: - - 'https://miniflux.vakhrushev.me/oauth2/oidc/callback' + - "https://miniflux.vakhrushev.me/oauth2/oidc/callback" scopes: - - 'openid' - - 'profile' - - 'email' + - "openid" + - "profile" + - "email" response_types: - - 'code' + - "code" grant_types: - - 'authorization_code' - access_token_signed_response_alg: 'none' - userinfo_signed_response_alg: 'none' - token_endpoint_auth_method: 'client_secret_basic' + - "authorization_code" + access_token_signed_response_alg: "none" + userinfo_signed_response_alg: "none" + token_endpoint_auth_method: "client_secret_basic" - - - client_name: 'Wakapi' - client_id: '{{ oidc__wakapi__client_id }}' - client_secret: '{{ oidc__wakapi__client_secret }}' + - client_name: "Wakapi" + client_id: "{{ oidc__wakapi__client_id }}" + client_secret: "{{ oidc__wakapi__client_secret }}" redirect_uris: - - 'https://wakapi.vakhrushev.me/oidc/authelia/callback' + - 
"https://wakapi.vakhrushev.me/oidc/authelia/callback" scopes: - - 'openid' - - 'profile' - - 'email' -# response_types: -# - 'code' -# grant_types: -# - 'authorization_code' -# access_token_signed_response_alg: 'none' -# userinfo_signed_response_alg: 'none' -# token_endpoint_auth_method: 'client_secret_basic' - - - - ## The description to show to users when they end up on the consent screen. Defaults to the ID above. - client_name: 'Outline' + - "openid" + - "profile" + - "email" + # response_types: + # - 'code' + # grant_types: + # - 'authorization_code' + # access_token_signed_response_alg: 'none' + # userinfo_signed_response_alg: 'none' + # token_endpoint_auth_method: 'client_secret_basic' + - ## The description to show to users when they end up on the consent screen. Defaults to the ID above. + client_name: "Outline" ## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a ## configuration. - client_id: '{{ oidc__outline__client_id }}' + client_id: "{{ oidc__outline__client_id }}" ## The client secret is a shared secret between Authelia and the consumer of this client. # yamllint disable-line rule:line-length - client_secret: '{{ oidc__outline__client_secret }}' + client_secret: "{{ oidc__outline__client_secret }}" ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not ## necessary. It is critical to read the documentation for more information. 
@@ -1447,40 +1437,40 @@ identity_providers: ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client. redirect_uris: - - 'https://outline.vakhrushev.me/auth/oidc.callback' + - "https://outline.vakhrushev.me/auth/oidc.callback" ## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as ## URIs to fetch Request Objects. # request_uris: - # - 'https://oidc.example.com:8080/oidc/request-object.jwk' + # - 'https://oidc.example.com:8080/oidc/request-object.jwk' ## Audience this client is allowed to request. # audience: [] ## Scopes this client is allowed to request. scopes: - - 'openid' - - 'profile' - - 'email' + - "openid" + - "profile" + - "email" ## Grant Types configures which grants this client can obtain. ## It's not recommended to define this unless you know what you're doing. # grant_types: - # - 'authorization_code' + # - 'authorization_code' ## Response Types configures which responses this client can be sent. ## It's not recommended to define this unless you know what you're doing. # response_types: - # - 'code' + # - 'code' ## Response Modes configures which response modes this client supports. # response_modes: - # - 'form_post' - # - 'query' + # - 'form_post' + # - 'query' ## The policy to require for this client; one_factor or two_factor. Can also be the key names for the ## authorization policies section. - authorization_policy: 'outline_policy' + authorization_policy: "outline_policy" ## The custom lifespan name to use for this client. This must be configured independent of the client before ## utilization. Custom lifespans are reusable similar to authorization policies. 
@@ -1581,7 +1571,7 @@ identity_providers: ## The signing algorithm used for signing the User Info Request responses. ## Please read the documentation before adjusting this option. ## See: https://www.authelia.com/c/oidc/registered-clients#userinfo_signed_response_alg - userinfo_signed_response_alg: 'none' + userinfo_signed_response_alg: "none" ## The signing key id used for signing the User Info Request responses. ## Please read the documentation before adjusting this option. @@ -1645,7 +1635,7 @@ identity_providers: ## The permitted client authentication method for the Token Endpoint for this client. ## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it ## defaults to 'none' per the specifications. - token_endpoint_auth_method: 'client_secret_post' + token_endpoint_auth_method: "client_secret_post" ## The permitted client authentication signing algorithm for the Token Endpoint for this client when using ## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method. 
@@ -1688,27 +1678,27 @@ identity_providers: ## List of JWKs known and registered with this client. It's recommended to use the 'jwks_uri' option if ## available due to key rotation. Please note the 'jwks' and the 'jwks_uri' option above are mutually exclusive. # jwks: - # - - ## Key ID used to match the JWT's to an individual identifier. This option is required if configured. - # key_id: 'example' + # - + ## Key ID used to match the JWT's to an individual identifier. This option is required if configured. + # key_id: 'example' - ## The key algorithm expected with this key. - # algorithm: 'RS256' + ## The key algorithm expected with this key. + # algorithm: 'RS256' - ## The key use expected with this key. Currently only 'sig' is supported. - # use: 'sig' + ## The key use expected with this key. Currently only 'sig' is supported. + # use: 'sig' - ## Required Public Key in PEM DER form. - # key: | - # -----BEGIN RSA PUBLIC KEY----- - # ... - # -----END RSA PUBLIC KEY----- + ## Required Public Key in PEM DER form. + # key: | + # -----BEGIN RSA PUBLIC KEY----- + # ... + # -----END RSA PUBLIC KEY----- - ## The matching certificate chain in PEM DER form that matches the key if available. - # certificate_chain: | - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- - # -----BEGIN CERTIFICATE----- - # ... - # -----END CERTIFICATE----- + ## The matching certificate chain in PEM DER form that matches the key if available. + # certificate_chain: | + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- + # -----BEGIN CERTIFICATE----- + # ... + # -----END CERTIFICATE----- diff --git a/tasks.py b/tasks.py index f2c729b..25ea119 100644 --- a/tasks.py +++ b/tasks.py @@ -9,7 +9,7 @@ from invoke.context import Context from invoke.exceptions import Exit from invoke.tasks import task -HOSTS_FILE = "production.yml" +HOSTS_FILE = "timeweb.yml" VARS_FILE = "vars/vars.yml" AUTHELIA_DOCKER = "docker run --rm -v $PWD:/data authelia/authelia:4.39.4 authelia"
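Review bot: commenting out `startup_check_address` in the `@@ -1237,7 +1233,7 @@ notifier:` hunk does not skip the SMTP startup probe; Authelia still connects to the mailer at boot, only with its built-in default recipient instead of `{{ smtp__startup_check_address }}`, and that variable is now dead in the vars file. If the aim was to keep Authelia booting while the mailer is unavailable, this line is the wrong lever: either restore it, or use the notifier's `disable_startup_check` option and state next to it that a misconfigured mailer will then only surface on the first password-reset mail.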
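Review bot: in the `@@ -1352,91 +1346,87 @@ identity_providers:` hunk the Wakapi client's `response_types`, `grant_types`, `access_token_signed_response_alg`, `userinfo_signed_response_alg` and `token_endpoint_auth_method` remain commented out (now merely re-indented), while the Miniflux client directly above sets all five explicitly, so Wakapi silently runs on Authelia's defaults. Add a one-line comment above the commented block saying the defaults are intended (and that `client_secret_basic` matches what Wakapi sends), so the asymmetry between the two clients is not read as an unfinished edit.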
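Review bot: `HOSTS_FILE = "timeweb.yml"` in the `tasks.py` hunk hard-codes the cutover in source, so pointing the playbooks back at `production.yml` for a rollback means another edit and commit. Consider `HOSTS_FILE = os.environ.get("HOSTS_FILE", "timeweb.yml")` (or an invoke task option) so the inventory can be chosen per run, with the new target as the default.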