docker-apps/auth/config/configuration.yml

theme: 'dark'

default_2fa_method: 'totp'

totp:
  issuer: 'auth.aggtaa.com'

identity_validation:
  reset_password:
    jwt_secret: 'ShnKq2VDRwA1fMxwhmPmkj3DJdt40CqO6WWyDKmdohFQH7WAypikiq109yKf9nUv'

authentication_backend:
  file:
    path: '/config/users_database.yml'
    watch: true
    search:
      email: false
      case_insensitive: false
    password:
      algorithm: 'argon2'
      argon2:
        variant: 'argon2id'
        iterations: 3
        memory: 65536
        parallelism: 4
        key_length: 32
        salt_length: 16

access_control:
  default_policy: 'deny'

  rules:
    - domain: "*.aggtaa.com"
      policy: two_factor
      networks:
        - 192.168.0.0/16
        - 10.0.0.0/8
        - 172.16.0.0/12

    - domain: "*.aggtaa.com"
      policy: two_factor

session:
  name: 'aas'
  secret: 'It1PZBvUNXvfbRnaOSBkupXxCMt8FRrc'
  cookies:
    - name: 'aas'
      domain: 'aggtaa.com'
      authelia_url: 'https://auth.aggtaa.com'

regulation:
  max_retries: 3
  find_time: '2 minutes'
  ban_time: '5 minutes'

storage:
  encryption_key: '8Ei4XmiFM1GF7EWxiHyyReEWSuUgc4zH'
  local:
    path: '/db/db.sqlite3'

notifier:
  smtp:
    address: 'smtp://mail-eu.smtp2go.com:587'
    username: 'robot@aggtaa.com'
    password: 'ULCKdUexeCQVgDl3'
    sender: 'auth.aggtaa.com <robot@aggtaa.com>'

    subject: 'auth.aggtaa.com: {title}'

    tls:
      server_name: 'mail-eu.smtp2go.com'

identity_providers:
  oidc:
    hmac_secret: 'mbHg5s2JnQDuGdtBxrofu7uiu4MR7098'
    jwks:
      - key_id: "main"
        algorithm: 'RS256'
        use: "sig"
        key: |
          -----BEGIN PRIVATE KEY-----
          MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCiXH1drELlUhBh
          RL0YayG5k+6jLnGD1646iHbB36rGTFRdhbz8h9v1g+QkPlHY9chzTtc67QD89myv
          46+pYW32QmIlx86xrP7AMFxyHhL8XSVV3AHSWiNL1RwN59Aa1IMo2xhw36ZH0WH/
          bAmodMQ9lIrP4T3EU4tUoRvO7RvcHW/ngrfd5xonmBLY13m+sAXtolG8yRzVW2Qh
          ew1Y55r6Armrihvyo+/0L5raBrPt+w476t35rz/uUUIvdrQMUwIitpd3vP9j0rW/
          sTkKrx9Djgs9ECIvIyhJcMiiCZnpqWnUvJzYAbbehU6T4ASW8qOD5d2LBA7cO9R+
          QNrrj2wbAgMBAAECggEAFWyu/lVk3m3dy3gOm9JHOP3UV6QhRoyHaSHoydyB5Hje
          CRlEvu4OkG8/A6lVk5ObR9v3escbgkXiQbOB0pAQupY37VRYagmx9BptmIFvb+26
          p4HIm8FZNwCAGzWjuGaiiBmhOAPLJV7z14iiHaCK5LVdO+E1DVsY36oCyWNwcbMa
          4+d6RGgbFeUHXGnuayd5hTvUlsXAbPo4/gJT1KDvqPPjZl8U6ur1mRIt+BTzrntv
          C2oN1hq+cJQRrQhySt0/QNAE+k4+r70ZKC/4rDjYkdhyBqNPq7mjAYJ7miWF/YFZ
          4AYzo+z7Mws1sMJkNG/SFaNXWgh8KWdFHfgZNWSogQKBgQDSf2w8j9WC1h30FtKy
          kGYWFKcNYM2AGoE5PnT1bxvBOtgrttwOVsXESIjyXgRygKvZgExIx3nh8bUkXHWL
          31wY5y1I6ZrvFIKNsfaQm8sf9PttH4biXJ3h9eBYeBx7y/3+QAOqqiDF+vcGOWJF
          xA7ZKBjz2NEgdr7c7jFsIIOiwwKBgQDFdUeOm+lY24nU0/qC06Zk7tjf3xxRGq9d
          Fddix1ENUS2BGcltOVr1UedWeoBeN5P004FqzRHyX4Z/1Yvzvax809TqyT36lQ/z
          zBjizZKggAmfU5wCCpuSubT+Wq1o3FPQ5fLbnllFMf1UE64lZouAT1NHFHuwDrYV
          e8bBCwzLyQKBgQCZSMkc4PDuMdXmJaiQ964fbjKn/1Imcyae9OheweZIM/2u954P
          owipAtkXBXffmeuKm27xoLEU49qw+9NtY93BFLdZXSPB7gGUBYAzlf+46cEdmdOz
          ixY9sbsJMY4saEQxnZQN942eHj88fRUfEMJvSE/DYqQHK/GZGKtMvfCd2QKBgF9Y
          EvZUaGdkkng25yaWxijEf+oRlF3BMd4Tts3WileQ1BUbe3yHDlmYc8j5G9Tip0m3
          ey0z2i+bWpmNZqeJ9ajMrGm2RHwjz/EbowSY2O0xBfRt7c26i4Zcr32GEWepw7sB
          3bOYEWjtC3K2kgczLbcGFqMiy9qmL9vNyZnbGRGpAoGBAKbIM3P1XrfJ2Uogbq1g
          ssjngQ/HvAbFwZlAP0mH6H1A8skJiqZ/unjlo98wAj7v912nd3rrm9VKZGkXakSR
          MqhDyoDv+RIbyhznbRiGd7S6ddqTx2zm03svlCqQZUH92GmFgQlUJ7AngqlxqxEv
          LHwFtrfVT+ViB1m8zP+RieKb
          -----END PRIVATE KEY-----          

    enable_client_debug_messages: true
    cors:
      ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
      endpoints:
        - 'authorization'
        - 'pushed-authorization-request'
        - 'token'
        - 'revocation'
        - 'introspection'
        - 'userinfo'

    clients:
      - client_id: opencloud
        client_name: files.aggtaa.com
        public: true
        consent_mode: pre-configured # store user consent for some time
        pre_configured_consent_duration: 100y
        scopes:
          - openid
          - email
          - profile
          - groups
        redirect_uris:
          - https://files.aggtaa.com/
          - https://files.aggtaa.com/oidc-callback.html
          - https://files.aggtaa.com/oidc-silent-redirect.html

      - client_id: 'filebrowser-quantum'
        client_name: 'files.aggtaa.com'
        client_secret: '$pbkdf2-sha512$310000$Dtx8Y69nPActRIoqOWEXQQ$4F0bgcL7rf90toYT9tljgBRumTdgkoop4RMg3crSQNfiY/Y2cPKXqgUhU8G/1uf/hZv1Sz4Yl0Aec.xwG/VSnA'
        public: false
        consent_mode: implicit
        require_pkce: false
        pkce_challenge_method: ''
        redirect_uris:
          - 'https://files.aggtaa.com/api/auth/oidc/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'groups'
          - 'email'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        access_token_signed_response_alg: 'none'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'