salt/states/roles/maintain/authelia/config.yml

###############################################################
#                   Authelia configuration                    #
###############################################################

# The port to listen on
port: 8080

# Log level
#
# Level of verbosity for logs
logs_level: debug

# LDAP configuration
#
# Example: for user john, the DN will be cn=john,ou=users,dc=example,dc=com
ldap:
  # The url of the ldap server
  url: ldap://ipa.actcur.com

  # The base dn for every entries
  base_dn: dc=actcur,dc=com

  # An additional dn to define the scope to all users
  additional_users_dn: cn=users,cn=accounts

  # The users filter.
  # {0} is the matcher replaced by username.
  # 'cn={0}' by default.
  users_filter: uid={0}

  # An additional dn to define the scope of groups
  additional_groups_dn: cn=groups,cn=accounts

  # The groups filter.
  # {0} is the matcher replaced by user dn.
  # 'member={0}' by default.
  groups_filter: (&(member=uid={0},cn=users,cn=accounts,dc=actcur,dc=com)(objectclass=groupofnames))

  # The attribute holding the name of the group
  group_name_attribute: cn

  # The attribute holding the mail address of the user
  mail_attribute: mail

  # The username and password of the admin user.
  user: uid=authelia_admin,cn=users,cn=accounts,dc=actcur,dc=com
  password: "{%- include 'secure/passwords/authelia_admin_password.txt' -%}"


# Access Control
#
# Access control is a set of rules you can use to restrict user access to certain
# resources.
# Any (apply to anyone), per-user or per-group rules can be defined.
#
# If 'access_control' is not defined, ACL rules are disabled and the `allow` default
# policy is applied, i.e., access is allowed to anyone. Otherwise restrictions follow
# the rules defined.
#
# Note: One can use the wildcard * to match any subdomain.
# It must stand at the beginning of the pattern. (example: *.mydomain.com)
#
# Note: You must put the pattern in simple quotes when using the wildcard for the YAML
# to be syntaxically correct.
#
# Definition: A `rule` is an object with the following keys: `domain`, `policy`
# and `resources`.
# - `domain` defines which domain or set of domains the rule applies to.
# - `policy` is the policy to apply to resources. It must be either `allow` or `deny`.
# - `resources` is a list of regular expressions that matches a set of resources to
# apply the policy to.
#
# Note: Rules follow an order of priority defined as follows:
# In each category (`any`, `groups`, `users`), the latest rules have the highest
# priority. In other words, it means that if a given resource matches two rules in the
# same category, the latest one overrides the first one.
# Each category has also its own priority. That is, `users` has the highest priority, then
# `groups` and `any` has the lowest priority. It means if two rules in different categories
# match a given resource, the one in the category with the highest priority overrides the
# other one.
#
access_control:
  # Default policy can either be `allow` or `deny`.
  # It is the policy applied to any resource if it has not been overriden
  # in the `any`, `groups` or `users` category.
  default_policy: deny

  # The rules that apply to anyone.
  # The value is a list of rules.
  any:
    - domain: 'x'
      policy: deny

  # Group-based rules. The key is a group name and the value
  # is a list of rules.
  groups:
    domain_admins:
      # All resources in all domains
      - domain: '*.actcur.com'
        policy: allow
    video_admins:
      # All resources in all domains
      - domain: 'sonarr.actcur.com'
        policy: allow
      - domain: 'radarr.actcur.com'
        policy: allow
      - domain: 'deluge.actcur.com'
        policy: allow

# Configuration of session cookies
#
# The session cookies identify the user once logged in.
session:
  # The secret to encrypt the session cookie.
  secret: "{%- include 'secure/passwords/authelia_secret_password.txt' -%}"

  # The time before the cookie expires.
  expiration: 3600000

  # The domain to protect.
  # Note: the authenticator must also be in that domain. If empty, the cookie
  # is restricted to the subdomain of the issuer.
  domain: actcur.com

  # The redis connection details
  redis:
    host: 127.0.0.1
    port: 6379

# Configuration of the authentication regulation mechanism.
#
# This mechanism prevents attackers from brute forcing the first factor.
# It bans the user if too many attempts are done in a short period of
# time.
regulation:
  # The number of failed login attempts before user is banned.
  # Set it to 0 for disabling regulation.
  max_retries: 3

  # The length of time between login attempts before user is banned.
  find_time: 120

  # The length of time before a banned user can login again.
  ban_time: 300

# Configuration of the storage backend used to store data and secrets.
#
# You must use only an available configuration: local, mongo
storage:
  # The directory where the DB files will be saved
  #local: /var/lib/authelia/store

  # Settings to connect to mongo server
  mongo:
    url: mongodb://127.0.0.1/authelia

# Configuration of the notification system.
#
# Notifications are sent to users when they require a password reset, a u2f
# registration or a TOTP registration.
# Use only an available configuration: filesystem, gmail
notifier:
  # Use your gmail account to send the notifications. You can use an app password.
  #gmail:
  #  username: username@gmail.com
  #  password: password

  # Use a SMTP server for sending notifications
  #smtp:
  #  username: test
  #  password: test
  #  secure: false
  #  host: 'smtp.zoho.com'
  #  port: 1025
  smtp:
    username: notifications@actcur.com
    password: "{%- include 'secure/passwords/authelia_notifications_password.txt' -%}"
    secure: true
    host: 'smtp.zoho.com'
    port: 465
    sender: 'Actcur Authelia <notifications@actcur.com>'