Micha
2d1b541847
- BitLocker baerchen: bewusst deaktiviert - Veeam Storage Encryption: bewusst unverschluesselt - Stromverbrauch: bewusst ohne Messung (geschlossen) - Nextcloud 2FA: geparkt bis OIDC die App-Login-Ebene erreicht - Authelia: Catch-all *.kaleschke.info one_factor -> two_factor (Repo-Baseline; Host-Merge + restart + authelia-diff.sh als aktiver Schritt offen) - Authelia OIDC und Gast-/IoT-Netz als aktive Bloecke aufgenommen - MASTER_TODO: Operator-Entscheidung-Sektion ohne offene Punkte Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
96 lines
2.5 KiB
YAML
96 lines
2.5 KiB
YAML
---
|
|
# Authelia configuration - repo baseline for non-secret access-control/session/storage settings
|
|
# Manual host sync/merge required after changes:
|
|
# /mnt/user/appdata/authelia/config/configuration.yml
|
|
# Docs: https://www.authelia.com/configuration/
|
|
# Keep user database, OIDC client configuration, and secret values outside Git.
|
|
|
|
theme: dark
|
|
|
|
server:
|
|
address: tcp://0.0.0.0:9091
|
|
|
|
log:
|
|
level: info
|
|
|
|
authentication_backend:
|
|
file:
|
|
path: /config/users_database.yml
|
|
password:
|
|
algorithm: argon2id
|
|
iterations: 3
|
|
key_length: 32
|
|
salt_length: 16
|
|
memory: 65536
|
|
parallelism: 4
|
|
|
|
access_control:
|
|
default_policy: deny
|
|
rules:
|
|
# Authelia selbst ist immer erreichbar (bypass)
|
|
- domain: auth.kaleschke.info
|
|
policy: bypass
|
|
|
|
# Oeffentliche Apps - kein Login noetig
|
|
- domain:
|
|
- immich.kaleschke.info
|
|
- paperless.kaleschke.info
|
|
- mealie.kaleschke.info
|
|
- vault.kaleschke.info
|
|
- ntfy.kaleschke.info
|
|
- git.kaleschke.info
|
|
policy: bypass
|
|
|
|
# Admin-Dienste - 2FA erforderlich (Operator-UIs mit Host-/Backup-Zugriff)
|
|
- domain:
|
|
- files.kaleschke.info
|
|
- scrutiny.kaleschke.info
|
|
- borg.kaleschke.info
|
|
- code.kaleschke.info
|
|
policy: two_factor
|
|
|
|
# Alles andere mit Authelia-Middleware - 2FA (Haertung 2026-06-06).
|
|
# Vorher one_factor; alle restlichen Admin-UIs (monitoring, glances, glance,
|
|
# speedtest, pdf, mail, paperless-gpt, hermes, sp ...) sind damit two_factor.
|
|
# Voraussetzung: Operator-Account hat Authelia-TOTP enrolled (Tier-1-UIs nutzen es bereits).
|
|
# Komodo hat bewusst keine ForwardAuth-Middleware und wird hier nicht ausgewertet.
|
|
- domain: "*.kaleschke.info"
|
|
policy: two_factor
|
|
|
|
session:
|
|
name: authelia_session
|
|
same_site: lax
|
|
expiration: 12h
|
|
inactivity: 45m
|
|
remember_me: 1M
|
|
cookies:
|
|
- domain: kaleschke.info
|
|
authelia_url: https://auth.kaleschke.info
|
|
default_redirection_url: https://glance.kaleschke.info
|
|
|
|
regulation:
|
|
max_retries: 3
|
|
find_time: 2m
|
|
ban_time: 5m
|
|
|
|
storage:
|
|
postgres:
|
|
address: tcp://postgresql17:5432
|
|
database: authelia
|
|
username: authelia
|
|
|
|
notifier:
|
|
disable_startup_check: false
|
|
smtp:
|
|
address: submission://mail.gmx.net:587
|
|
username: michideheld@gmx.de
|
|
sender: "Authelia <michideheld@gmx.de>"
|
|
identifier: auth.kaleschke.info
|
|
subject: "[Authelia] {title}"
|
|
startup_check_address: michideheld@gmx.de
|
|
|
|
totp:
|
|
issuer: kaleschke.info
|
|
period: 30
|
|
skew: 1
|