# Authelia configuration: access-control policy, LDAP backend, OIDC clients,
# notifier, session, storage and telemetry settings.
# Values are unchanged; only the block layout and the comments are new.
access_control:
  # Any request that matches no rule below is admitted with a single factor.
  # NOTE(review): a `deny` default fails closed when a new domain is put
  # behind the proxy without a matching rule; confirm one_factor is intended.
  default_policy: one_factor
  # Named source ranges referenced by the `networks:` lists in the rules.
  networks:
    - name: internal
      networks:
        - 172.30.0.0/26
        - 172.31.1.0/24
    - name: cluster
      networks:
        - 10.149.0.0/16
  # Authelia evaluates rules in order and applies the first match, so each
  # catch-all `deny` for a domain has to stay below that domain's allow rules.
  rules:
    - domain: paperless.pyrocufflink.blue
      policy: two_factor
      subject:
        - 'group:Paperless-ngx Users'
    # Everyone outside the group above is refused.
    - domain: paperless.pyrocufflink.blue
      policy: deny
    # bypass: Authelia performs no authentication for these paths, from any
    # network. Presumably the Firefly III API enforces its own token
    # authentication; verify.
    - domain: firefly.pyrocufflink.blue
      resources:
        - '^/api/'
      policy: bypass
    - domain: firefly.pyrocufflink.blue
      policy: two_factor
      subject:
        - 'group:Firefly III Users'
    - domain: firefly-importer.pyrocufflink.blue
      policy: two_factor
      subject:
        - 'group:Firefly III Users'
    # The service account is admitted with one factor, so its password is the
    # only barrier for this domain. Presumably it cannot complete interactive
    # 2FA; verify the credential is strong and rotated.
    - domain: firefly-importer.pyrocufflink.blue
      policy: one_factor
      subject:
        - 'user:svc.xactfetch'
    - domain: firefly.pyrocufflink.blue
      policy: deny
    - domain: firefly-importer.pyrocufflink.blue
      policy: deny
    # Unauthenticated, but only from the `internal` ranges.
    - domain: scan.pyrocufflink.blue
      networks:
        - internal
      policy: bypass
    # NOTE(review): no `networks:` restriction, so /insert/ is reachable
    # without Authelia authentication from any source address. Confirm the
    # metrics backend or the ingress limits who may write.
    - domain: metrics.pyrocufflink.blue
      resources:
        - '^/insert/.*'
      policy: bypass
    # Read-only methods on Alertmanager, from internal ranges only.
    - domain: metrics.pyrocufflink.blue
      networks:
        - internal
      resources:
        - '^/alertmanager([/?].*)?$'
      methods:
        - GET
        - HEAD
        - OPTIONS
      policy: bypass
    # Unauthenticated from any network; presumably a public form endpoint.
    # Input validation and rate limiting are then the application's job.
    - domain: hlcforms.pyrocufflink.blue
      resources:
        - '^/submit/.*'
      policy: bypass
    # Write methods (POST/PATCH) on the API are unauthenticated from the
    # internal and cluster ranges; any host in those ranges can submit data.
    - domain: ara.ansible.pyrocufflink.blue
      networks:
        - internal
        - cluster
      resources:
        - '^/api/.*'
      methods:
        - POST
        - PATCH
      policy: bypass
authentication_backend:
  ldap:
    base_dn: DC=pyrocufflink,DC=blue
    implementation: activedirectory
    tls:
      minimum_version: TLS1.2
    # ldaps:// wraps the whole LDAP session in TLS.
    url: ldaps://pyrocufflink.blue
    # Bind account. No password appears in this file; presumably it is
    # injected as a secret at runtime. Confirm.
    user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
# Presumably holds the CA certificates trusted for the outbound TLS
# connections (LDAP, PostgreSQL); verify the directory is not writable by
# unprivileged processes.
certificates_directory: /run/authelia/certs
identity_providers:
  oidc:
    clients:
      - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
        description: Jenkins
        # Stored as an argon2id digest, not the plaintext client secret.
        secret: >-
          $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
        redirect_uris:
          - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        authorization_policy: one_factor
        pre_configured_consent_duration: 8h
        token_endpoint_auth_method: client_secret_post
      # public: true means the client has no secret, so the loopback redirect
      # URIs are the only thing tying the authorization response to the
      # user's own machine.
      # NOTE(review): confirm PKCE is enforced for the public clients.
      - id: kubernetes
        description: Kubernetes
        public: true
        redirect_uris:
          - http://localhost:8000
          - http://localhost:18000
        authorization_policy: one_factor
        pre_configured_consent_duration: 8h
      # No authorization_policy is set here, so Authelia's default applies
      # (two_factor per upstream docs; confirm for the deployed version).
      - id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
        description: MinIO
        # Stored as a pbkdf2-sha512 digest (310000 iterations).
        secret: >-
          $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
        redirect_uris:
          - https://burp.pyrocufflink.blue:9090/oauth_callback
          - https://minio.backups.pyrocufflink.blue/oauth_callback
      # Public client with a loopback redirect; the name suggests it is used
      # to obtain certificates, so the factor strength applied to it matters.
      # No authorization_policy is set; Authelia's default applies. Confirm.
      - id: step-ca
        description: step-ca
        public: true
        redirect_uris:
          - http://127.0.0.1
        pre_configured_consent_duration: 8h
      - id: argocd
        description: Argo CD
        pre_configured_consent_duration: 8h
        redirect_uris:
          - https://argocd.pyrocufflink.blue/auth/callback
        # Stored as a pbkdf2-sha512 digest (310000 iterations).
        secret: >-
          $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
      - id: argocd-cli
        description: argocd CLI
        public: true
        pre_configured_consent_duration: 8h
        audience:
          - argocd-cli
        redirect_uris:
          - http://localhost:8085/auth/callback
        # offline_access allows refresh tokens; for a public client these are
        # held on the workstation with no client secret protecting them.
        scopes:
          - openid
          - profile
          - email
          - groups
          - offline_access
      # Shorter consent lifetime (4h) than the other clients, and no
      # offline_access scope.
      - id: sshca
        description: SSHCA
        public: true
        pre_configured_consent_duration: 4h
        redirect_uris:
          - http://127.0.0.1
        scopes:
          - openid
          - profile
          - email
          - groups
log:
  level: info
notifier:
  smtp:
    # NOTE(review): with this set, mail is sent even when the relay offers no
    # STARTTLS, so notification messages (presumably including identity
    # verification links) can cross the network in cleartext. Acceptable only
    # if the path to the relay is trusted; confirm.
    disable_require_tls: true
    host: mail.pyrocufflink.blue
    port: 25
    sender: auth@pyrocufflink.net
session:
  # The session cookie is scoped to this parent domain, so it covers every
  # host beneath it.
  domain: pyrocufflink.blue
  expiration: 1d
  inactivity: 4h
  # No password or TLS settings are given for Redis here; presumably it is
  # reachable only on a cluster-internal network. Verify, since it holds
  # session state.
  redis:
    host: redis
    port: 6379
server:
  buffers:
    read: 16384
storage:
  postgres:
    host: postgresql.pyrocufflink.blue
    database: authelia
    username: authelia
    # Literal placeholder. Presumably the real credential (or client
    # certificate authentication) is supplied out of band; confirm that
    # `unused` is never accepted by the database.
    password: unused
    tls:
      # Server certificate verification stays enabled.
      skip_verify: false
telemetry:
  metrics:
    # NOTE(review): confirm the metrics listener is not exposed beyond the
    # monitoring network.
    enabled: true
theme: auto