diff --git a/config.minimal.yml b/config.minimal.yml
index 2daa4764..385b05b4 100644
--- a/config.minimal.yml
+++ b/config.minimal.yml
@@ -4,13 +4,105 @@
 authentication_backend:
 file:
- # The path to the database file. The file is at the root of the repo.
 path: /etc/authelia/users_database.yml
 session:
- # The secret to encrypt the session cookies with.
 secret: unsecure_session_secret
-
- # The domain to protect.
- # Note: Authelia must also be served by that domain.
 domain: example.com
+
+# Configuration of the storage backend used to store data and secrets. i.e. totp data
+storage:
+ local:
+ path: /etc/authelia/storage
+
+# TOTP Issuer Name
+#
+# This will be the issuer name displayed in Google Authenticator
+# See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
+totp:
+ issuer: example.com
+
+# Authentication methods
+#
+# Authentication methods can be defined per subdomain.
+# There are currently two available methods: "single_factor" and "two_factor"
+authentication_methods:
+ default_method: two_factor
+ per_subdomain_methods:
+ single_factor.example.com: single_factor
+
+# Access Control
+#
+# Access control is a set of rules you can use to restrict user access to certain
+# resources.
+access_control:
+ # Default policy can either be `allow` or `deny`.
+ default_policy: deny
+ groups:
+ admins:
+ # All resources in all domains
+ - domain: '*.example.com'
+ policy: allow
+ # Except mx2.mail.example.com (it restricts the first rule)
+ #- domain: 'mx2.mail.example.com'
+ # policy: deny
+
+ # User-based rules.
+ users:
+ john:
+ - domain: dev.example.com
+ policy: allow
+ resources:
+ - '^/users/john/.*$'
+ harry:
+ - domain: dev.example.com
+ policy: allow
+ resources:
+ - '^/users/harry/.*$'
+ bob:
+ - domain: '*.mail.example.com'
+ policy: allow
+ - domain: 'dev.example.com'
+ policy: allow
+ resources:
+ - '^/users/bob/.*$'
+
+# Configuration of the authentication regulation mechanism.
+regulation:
+ # Set it to 0 to disable max_retries.
+ max_retries: 3
+
+ # The user is banned if the authenticaction failed `max_retries` times in a `find_time` seconds window.
+ find_time: 120
+
+ # The length of time before a banned user can login again.
+ ban_time: 300
+
+# Default redirection URL
+#
+# Note: this parameter is optional. If not provided, user won't
+# be redirected upon successful authentication.
+#default_redirection_url: https://authelia.example.domain
+
+notifier:
+ # For testing purpose, notifications can be sent in a file
+ filesystem:
+ filename: /tmp/authelia/notification.txt
+
+ # Use your email account to send the notifications. You can use an app password.
+ # List of valid services can be found here: https://nodemailer.com/smtp/well-known/
+ ## email:
+ ## username: user@example.com
+ ## password: yourpassword
+ ## sender: admin@example.com
+ ## service: gmail
+
+ # Use a SMTP server for sending notifications
+ #smtp:
+ # username: test
+ # password: password
+ # secure: false
+ # host: 'smtp'
+ # port: 1025
+ # sender: admin@example.com
+
diff --git a/docker-compose.swarm.minimal.yml b/docker-compose.swarm.minimal.yml
new file mode 100644
index 00000000..adabd1f3
--- /dev/null
+++ b/docker-compose.swarm.minimal.yml
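Review bot: The only active notifier in the new `notifier:` block is the `filesystem` one writing to `/tmp/authelia/notification.txt`, and its comment only says it is "for testing purpose"; since this is the config the new swarm compose file mounts, and that file backs no volume under /tmp, the notifications (presumably the user-facing verification messages) land in the container's ephemeral filesystem and vanish on restart. The comment should say so and point at the alternatives, e.g. `# For testing purpose only: notifications are written to this file inside the container; configure the email or smtp notifier below for any real deployment`. The two commented-out alternatives use different prefixes (`## email:` vs `#smtp:`); one prefix for both would make it clearer they are parallel options. The `find_time` comment misspells "authentication" as `authenticaction`.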
@@ -0,0 +1,48 @@
+version: '3.4'
+services:
+ authelia:
+ image: clems4ever/authelia:latest
+ # Used for Docker configs
+ configs:
+ - source: authelia
+ target: /etc/authelia/config.yml
+ uid: '0'
+ gid: '0'
+ mode: 0444
+ environment:
+ - NODE_TLS_REJECT_UNAUTHORIZED=0
+ # Where the authelia volume is to be mounted. To only use a single volume, the minimal config needs to be changed to read the users_database.yml also from this subdirectory.
+ # Otherwise a second volume will need to be configured here to mount the users_database.yml.
+ volumes:
+ - authelia:/etc/authelia/storage
+ networks:
+ - overlay
+ deploy:
+ #Configure Authelia to automatically restart on failure.
+ restart_policy:
+ condition: on-failure
+ delay: 5s
+ max_attempts: 3
+ window: 120s
+ # Mode: global would start authelia on all available nodes, replicated limits it to how many replicas are configured.
+ mode: replicated
+ # How many replicas are wanted. Can be any number >0 up to however many nodes are available.
+ replicas: 1
+ placement:
+ constraints:
+ - node.role == worker
+
+#The volume for authelia needs to be configured. There are many drivers available. Such as local storage, ceph-rdb, nfs, cifs etc.
+volumes:
+ authelia:
+ driver: default
+ name: volume-authelia
+
+networks:
+ overlay:
+ external: true
+
+# This is needed if Docker configs are being used to provide Authelia with its configuration.
+configs:
+ authelia:
+ external: true
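Review bot: `NODE_TLS_REJECT_UNAUTHORIZED=0` under `environment` turns off TLS certificate verification for every outbound TLS connection the Node process makes (the smtp/email notifier in config.minimal.yml, for instance), and nothing in this file restricts it to a test setup, so a "minimal" template should not ship it active; comment it out and state when it is needed: `# - NODE_TLS_REJECT_UNAUTHORIZED=0  # only for test setups with self-signed backend certificates; disables TLS verification for all outbound connections`. `image: clems4ever/authelia:latest` is an unpinned tag, so each redeploy may pull a different build; pinning a version tag (or a digest) keeps the stack reproducible and reviewable. Minor style points: the comments `#Configure Authelia ...` and `#The volume ...` lack the space after `#` that the file's other comments use, and `driver: default` on the volume is worth a comment naming what it resolves to, since the comment above it only lists driver families.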