Replace HTTP Basic Auth with Authelia ForwardAuth for consistent authentication across infrastructure: - Asciinema Admin (admin.asciinema.dev.pivoine.art): Removed Basic Auth, added Authelia protection - FaceFusion (facefusion.ai.pivoine.art): Removed Basic Auth, added Authelia protection Updated Authelia access control to include both services with one_factor policy. All services now use Authelia for authentication, eliminating the need to manage separate Basic Auth credentials. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
---
###############################################################
#                   Authelia Configuration                    #
###############################################################
# No secrets live in this file: every key material value is injected
# through an AUTHELIA_* environment variable (noted above each section).
# The access_control rules below only declare policy; a host listed there
# is actually protected only if the reverse proxy in front of it sends the
# request through Authelia's forward-auth endpoint — verify that wiring
# for each host when adding one here.

theme: auto

server:
  # Listener for the portal and the forward-auth endpoint.
  address: "tcp://:9091"

log:
  level: info
  format: text

# identity_validation jwt_secret set via environment variable:
# AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET

totp:
  issuer: pivoine.art
  period: 30
  # Number of TOTP periods of clock skew tolerated on validation; keep this
  # small, each extra period widens the window in which a code is accepted.
  skew: 1

webauthn:
  disable: false
  display_name: Pivoine Auth
  attestation_conveyance_preference: indirect
  user_verification: preferred
  timeout: 60s

ntp:
  address: "time.cloudflare.com:123"
  version: 4
  max_desync: 3s
  # TOTP validation depends on an accurate clock, so the startup time check
  # is kept enabled. NOTE(review): per Authelia's docs, disable_failure: false
  # means startup aborts when the NTP check fails — confirm for the deployed
  # version before relying on it.
  disable_startup_check: false
  disable_failure: false

authentication_backend:
  # Self-service password reset is enabled; reset links are delivered by the
  # notifier below, so the SMTP path is part of the account-recovery trust
  # boundary.
  password_reset:
    disable: false
  refresh_interval: 5m
  file:
    path: /etc/authelia/users_database.yml
    # Reload the users database when the file changes (no restart needed).
    watch: true
    password:
      algorithm: argon2
      # argon2id is the recommended variant (side-channel and GPU resistant).
      # NOTE(review): Authelia documents `memory` in KiB, so 65536 is 64 MiB
      # with 3 iterations and 4 lanes — confirm against the running version
      # before tuning.
      argon2:
        variant: argon2id
        iterations: 3
        memory: 65536
        parallelism: 4
        key_length: 32
        salt_length: 16

access_control:
  # Anything not matched by a rule below is refused.
  default_policy: deny
  # Rules are evaluated top to bottom, first match wins; keep the bypass
  # entries exact and narrow so they cannot shadow a protected host.
  rules:
    # Authelia portal itself
    - domain: auth.pivoine.art
      policy: bypass

    # Services that should be publicly accessible
    # NOTE(review): these entries are exact hostnames, not wildcards, so
    # subdomains of pivoine.art stay under default_policy: deny unless listed.
    - domain:
        - "pivoine.art"
        - "www.pivoine.art"
      policy: bypass

    # Protected services - require authentication
    # All of these share a single one_factor policy. Because totp and webauthn
    # are both enabled above, two_factor is available; the monitoring, backup
    # and proxy hosts in this list are candidates for it — a policy decision
    # for the operator, not changed here.
    - domain:
        - "netdata.pivoine.art"
        - "mailpit.pivoine.art"
        - "scrapy.pivoine.art"
        - "restic.pivoine.art"
        - "proxy.pivoine.art"
        - "admin.asciinema.dev.pivoine.art"
        - "facefusion.ai.pivoine.art"
      policy: one_factor


# session secret set via environment variable: AUTHELIA_SESSION_SECRET
session:
  name: 'authelia_session'
  same_site: 'lax'
  expiration: '1h'
  inactivity: '5m'
  remember_me: '1M'
  cookies:
    # One cookie scoped to the apex domain, so a single login is shared by
    # every protected subdomain above (including the dev and ai ones).
    - domain: 'pivoine.art'
      authelia_url: 'https://auth.pivoine.art'
      same_site: 'lax'
      expiration: '1h'
      inactivity: '5m'
      remember_me: '1M'

regulation:
  # Brute-force regulation: NOTE(review): per Authelia's docs this reads as
  # "3 failed attempts within 2 minutes bans the user for 5 minutes" —
  # confirm the exact semantics for the deployed version.
  max_retries: 3
  find_time: 2m
  ban_time: 5m

# storage encryption_key and postgres password set via environment variables:
# AUTHELIA_STORAGE_ENCRYPTION_KEY, AUTHELIA_STORAGE_POSTGRES_PASSWORD
storage:
  postgres:
    host: postgres
    port: 5432
    database: authelia
    username: valknar
    schema: public

notifier:
  disable_startup_check: false
  smtp:
    # `net_mailpit` looks like an internal container/network name (assumed,
    # not verifiable here), which is why plain-text SMTP is tolerated.
    host: net_mailpit
    port: 1025
    sender: auth@pivoine.art
    identifier: auth.pivoine.art
    # Authelia would otherwise refuse an unencrypted SMTP session. Acceptable
    # only while the mail sink is reachable solely over the internal network:
    # password-reset and identity-verification links travel this hop in the
    # clear, and mailpit.pivoine.art itself sits behind one_factor above, so
    # any authenticated user can read mail captured there. Re-enable TLS
    # enforcement if a real mail relay ever replaces mailpit.
    disable_require_tls: true
    disable_html_emails: false