# Render concrete values into configuration.yml on PD. # Do not rely on runtime env interpolation for this file. theme: auto default_2fa_method: totp server: address: tcp://0.0.0.0:9091 log: level: info totp: issuer: paccoco.com authentication_backend: file: path: /config/users_database.yml watch: false password: algorithm: argon2 access_control: default_policy: deny rules: - domain: auth.paccoco.com policy: bypass - domain: gitea.paccoco.com policy: one_factor subject: - group:admins - domain: grafana.paccoco.com policy: one_factor subject: - group:admins - domain: dns.paccoco.com policy: one_factor subject: - group:admins - domain: traefik.paccoco.com policy: one_factor subject: - group:admins session: secret: 'CHANGE_ME_SESSION_SECRET' name: authelia_session same_site: lax expiration: 8h inactivity: 1h remember_me: 30d redis: host: shared-redis port: 6379 password: 'CHANGE_ME_REDIS_PASSWORD' cookies: - domain: paccoco.com authelia_url: https://auth.paccoco.com default_redirection_url: https://grafana.paccoco.com storage: encryption_key: 'CHANGE_ME_STORAGE_ENCRYPTION_KEY' postgres: address: tcp://shared-postgres:5432 database: 'authelia' schema: public username: 'authelia' password: 'CHANGE_ME_POSTGRES_PASSWORD' identity_validation: reset_password: jwt_secret: 'CHANGE_ME_RESET_PASSWORD_JWT_SECRET' notifier: filesystem: filename: /config/data/notification.txt identity_providers: oidc: hmac_secret: 'CHANGE_ME_OIDC_HMAC_SECRET' jwks: - key_id: 'grafana' algorithm: 'RS256' use: 'sig' key: | -----BEGIN PRIVATE KEY----- CHANGE_ME_OIDC_PRIVATE_KEY -----END PRIVATE KEY----- claims_policies: grafana: id_token: - email - email_verified - groups - preferred_username - name clients: - client_id: 'grafana' client_name: 'Grafana' client_secret: 'CHANGE_ME_GRAFANA_CLIENT_SECRET' public: false authorization_policy: 'one_factor' require_pkce: true pkce_challenge_method: 'S256' redirect_uris: - 'https://grafana.paccoco.com/login/generic_oauth' scopes: - openid - profile - email - groups response_types: - code grant_types: - authorization_code access_token_signed_response_alg: 'none' userinfo_signed_response_alg: 'none' token_endpoint_auth_method: 'client_secret_basic' claims_policy: 'grafana'