Directory listing for `services/roles/authelia` (last change 2022-08-11 16:49:35 +02:00):

| Path | Last commit | Date |
|---|---|---|
| defaults | chore(authelia): authentication_backend.disable_password_reset was deprecated | 2022-08-11 16:48:21 +02:00 |
| handlers | feat(authelia): add ansible role for authelia | 2022-04-16 14:33:49 +02:00 |
| tasks | feat(authelia): add ansible role for authelia | 2022-04-16 14:33:49 +02:00 |
| vars | fix(authelia): prometheus metrics config was wrongly scoped to toplevel telemetry key | 2022-08-11 16:49:35 +02:00 |
| README.md | feat(authelia): add ansible role for authelia | 2022-04-16 14:33:49 +02:00 |

# finallycoffee.services.authelia ansible role

Deploys Authelia, an open-source, full-featured authentication server with (beta) OIDC support.

## Configuration

Most configuration options are exposed as overridable variables named `authelia_config_{flat_config_key}`, where the flat key is the config path with dots replaced by underscores; for example, `totp.digits: 8` becomes `authelia_config_totp_digits: 8`.

If an option is not exposed in `defaults/main.yml`, it can be set in `authelia_extra_config`, which is merged recursively into the default config. Entire blocks currently cannot easily be overridden, so for those it is best to rely on `authelia_extra_config`.
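To make the two override paths concrete, here is an added model (not the role's own code) of how flat `authelia_config_*` variables and `authelia_extra_config` land in the final config. It assumes an explicit flat-key-to-path table (the role keeps its real mapping in `vars/main.yml`) and a merge with the semantics of Ansible's `combine(recursive=True)`: nested dicts merge key by key, while scalars and lists are replaced wholesale, which is why a whole block such as a rule list cannot be partially overridden.

```python
"""Model of the role's override mechanics (added example, not role code).
Assumption: merge behaves like Ansible's combine(recursive=True)."""
import copy

# Constructed subset of what defaults/main.yml might expose.
DEFAULT_CONFIG = {
    "totp": {"disable": False, "issuer": "authelia.example", "digits": 6, "period": 30},
    "webauthn": {"disable": True, "timeout": "60s"},
    "access_control": {
        "default_policy": "deny",
        "rules": [{"domain": "*.example.com", "policy": "two_factor"}],
    },
}

# Constructed mapping: flat variable name -> path in the nested config.
# The real role resolves these in vars/main.yml; this table is a stand-in.
FLAT_KEYS = {
    "authelia_config_totp_disable": ("totp", "disable"),
    "authelia_config_totp_digits": ("totp", "digits"),
    "authelia_config_webauthn_disable": ("webauthn", "disable"),
    "authelia_config_webauthn_timeout": ("webauthn", "timeout"),
}


def merge_recursive(base, override):
    """Dict-aware merge: nested dicts merge, anything else (scalars, lists)
    is replaced wholesale, matching Ansible's combine(recursive=True)."""
    result = copy.deepcopy(base)
    for key, value in override.items():
        if isinstance(value, dict) and isinstance(result.get(key), dict):
            result[key] = merge_recursive(result[key], value)
        else:
            result[key] = copy.deepcopy(value)
    return result


def render_config(ansible_vars):
    """Apply authelia_config_* overrides first, then merge authelia_extra_config."""
    config = copy.deepcopy(DEFAULT_CONFIG)
    for var, path in FLAT_KEYS.items():
        if var in ansible_vars:
            node = config
            for part in path[:-1]:
                node = node.setdefault(part, {})
            node[path[-1]] = ansible_vars[var]
    return merge_recursive(config, ansible_vars.get("authelia_extra_config", {}))
```

Note in the rule list case that the default rule disappears entirely: supplying one rule in `authelia_extra_config` replaces the whole list rather than appending to it.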

Below are some configuration hints for enabling second-factor providers such as TOTP and WebAuthN.

### TOTP

See the Authelia docs on TOTP before adjusting the fine-grained options, as many TOTP clients do not properly support all of the values the spec allows.

```yaml
authelia_config_totp_disable: false
authelia_config_totp_issuer: "your.authelia.domain"
# Best to stick to Authelia's guide here
authelia_config_totp_algorithm: [...]
authelia_config_totp_digits: [...]
authelia_config_totp_period: [...]
```

### WebAuthN

```yaml
authelia_config_webauthn_disable: false
authelia_config_webauthn_timeout: 30s
# Force user to touch the security key's confirmation button
authelia_config_webauthn_user_verification: required
```

For more information about the possible WebAuthN configuration, see the Authelia docs on WebAuthN.

### Database & Redis

While Authelia can use an SQLite database with an in-memory session store by setting `authelia_sqlite_storage_file_path`, a proper database and a Redis instance are recommended:

```yaml
authelia_database_type: postgres
authelia_database_host: /var/run/postgres/
authelia_database_user: authelia
authelia_database_pass: authelia

# Redis
authelia_redis_host: /var/run/redis/
authelia_redis_pass: very_long_static_secret
```

### Notifications

For a test setup, notifications can be written to a file on disk; this behaviour is enabled by setting `authelia_config_notifier_filesystem_filename`. For real-world use, an SMTP server is strongly recommended; its configuration is as follows:

```yaml
authelia_smtp_host: mail.domain.com
authelia_smtp_port: 587 # for StartTLS
authelia_smtp_user: authelia@domain.com
authelia_smtp_pass: authelia_user_pass
```