# Chart-managed Ingress is disabled here; exposure of the portal host
# (auth.kluster.moll.re, see configMap.session.cookies) is presumably handled
# by another resource outside these values — confirm.
ingress:
  enabled: false


# Single-replica Deployment. configMap.storage.local points at a SQLite file,
# which is not shared safely between replicas, so keep this at 1 unless the
# storage backend changes — TODO confirm against the chart's storage options.
pod:
  kind: 'Deployment'
  replicas: 1



##
## Authelia Config Map Generator
##
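configMap:
  key: 'configuration.yml'
  # Include sub-maps which OVERRIDE the values generated by the helm chart.
  # The path below resolves under secret.mountPath ('/secrets') and the
  # 'authelia-smtp' entry of secret.additionalSecrets.
  extraConfigs:
    - '/secrets/authelia-smtp/smtp.yml'

  # many of the values remain default from the helm chart
  authentication_backend:
    ldap:
      enabled: true
      implementation: 'custom'
      # NOTE(review): plain 'ldap://' to the in-cluster service. The bind
      # password is sent unencrypted on this hop unless the transport is
      # protected elsewhere (e.g. a mesh). Authelia also supports 'start_tls'
      # or an 'ldaps://' address when the directory offers TLS — confirm which
      # applies here.
      address: 'ldap://lldap:3890'
      base_dn: 'DC=moll,DC=re'
      additional_users_dn: 'OU=people'
      # '{username_attribute}' and '{input}' are placeholders filled in by
      # Authelia at lookup time; keep the double quotes so the braces stay literal.
      users_filter: "(&({username_attribute}={input})(objectClass=person))"
      additional_groups_dn: 'OU=groups'
      groups_filter: "(member={dn})"

      ## The user Authelia binds as for directory lookups (the original note
      ## called this the admin user; a read-only service account is sufficient
      ## for searches — confirm what 'uid=authelia' may do in lldap).
      user: 'uid=authelia,ou=people,dc=moll,dc=re'
      password:
        # Helm-chart defaults, kept for reference:
        #
        # ## Disables this secret and leaves configuring it entirely up to you.
        # disabled: false
        #
        # ## The secret name. The ~ name is special as it is the secret we generate
        # ## either automatically or via the secret_value option below.
        # secret_name: ~
        #
        # ## The value of a generated secret when using the ~ secret_name.
        # value: ''
        #
        # ## The path to the secret. If it has a '/' prefix it's assumed to be an
        # ## absolute path within the pod. Otherwise it uses the format
        # ## '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the
        # ## 'secret.mountPath' value, '{secret_name}' is the secret_name above,
        # ## and '{path}' is this value.
        path: 'authentication.ldap.password.txt'
        # Must match an entry of secret.additionalSecrets.
        secret_name: 'authelia-ldap'

      # Directory attributes Authelia maps onto its user model.
      attributes:
        display_name: 'displayName'
        username: 'uid'
        group_name: 'cn'
        mail: 'mail'
    file:
      enabled: false

  session:
    inactivity: '2d'
    expiration: '7d'
    remember_me: '1M'
    cookies:
      - name: 'authelia_session'
        # NOTE(review): the cookie domain is the portal host itself, so the
        # session cookie is not shared with sibling *.kluster.moll.re hosts.
        # That is fine while every application below is an OIDC client; it
        # would matter for forward-auth protected apps — confirm intent.
        domain: 'auth.kluster.moll.re'
    encryption_key:
      secret_name: 'authelia-internal'

  storage:
    # Encrypts sensitive columns in the SQLite database below.
    encryption_key:
      secret_name: 'authelia-internal'

    local:
      enabled: true
      file: '/config/db.sqlite3'

  # notifier:
  # notifier is configured via the smtp secret and merged by authelia upon startup

  identity_validation:
    reset_password:
      secret:
        secret_name: 'authelia-internal'
        path: 'identity_validation.reset_password.jwt.hmac.key'

  identity_providers:
    oidc:
      enabled: true
      hmac_secret:
        secret_name: 'authelia-internal'
        path: 'identity_providers.oidc.hmac.key'

      # lifespans:
      #   access_token: '1 hour'
      #   authorize_code: '1 minute'
      #   id_token: '1 hour'
      #   refresh_token: '1 hour and 30 minutes'

      # Absolute path: '/secrets' is secret.mountPath, 'authelia-internal' one
      # of secret.additionalSecrets.
      jwks:
        - algorithm: 'RS256'
          key:
            path: '/secrets/authelia-internal/oidc.jwks.key'

      cors:
        allowed_origins_from_client_redirect_uris: true

      # All clients below are confidential (public: false) with secrets mounted
      # from the 'authelia-oidc' secret, require only one factor, and use
      # consent_mode 'implicit' (no consent prompt — acceptable for first-party
      # apps only). PKCE is enforced only where 'require_pkce' is set; consider
      # adding it to the remaining clients whose software supports it.
      clients:
        - client_id: 'grafana'
          client_name: 'Grafana'
          client_secret:
            path: '/secrets/authelia-oidc/client.grafana'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: true
          pkce_challenge_method: 'S256'
          redirect_uris:
            - 'https://grafana.kluster.moll.re/login/generic_oauth'
          scopes:
            - 'openid'
            - 'profile'
            - 'groups'
            - 'email'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'
        - client_id: 'recipes'
          client_name: 'Recipes'
          client_secret:
            path: '/secrets/authelia-oidc/client.recipes'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: true
          pkce_challenge_method: 'S256'
          redirect_uris:
            - 'https://recipes.kluster.moll.re/login'
          scopes:
            - 'openid'
            - 'email'
            - 'profile'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'gitea'
          client_name: 'Gitea'
          client_secret:
            path: '/secrets/authelia-oidc/client.gitea'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://git.kluster.moll.re/user/oauth2/authelia/callback'
          scopes:
            - 'openid'
            - 'email'
            - 'profile'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'argocd'
          client_name: 'Argo CD'
          client_secret:
            path: '/secrets/authelia-oidc/client.argocd'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://argocd.kluster.moll.re/auth/callback'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'
        - client_id: 'paperless'
          client_name: 'Paperless'
          client_secret:
            path: '/secrets/authelia-oidc/client.paperless'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://paperless.kluster.moll.re/accounts/oidc/authelia/login/callback/'
          scopes:
            - 'openid'
            - 'profile'
            - 'email'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'linkding'
          client_name: 'LinkDing'
          client_secret:
            path: '/secrets/authelia-oidc/client.linkding'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://linkding.kluster.moll.re/oidc/callback/'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'
        - client_id: 'todos'
          client_name: 'Todos'
          client_secret:
            path: '/secrets/authelia-oidc/client.todos'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://todos.kluster.moll.re/auth/openid/authelia'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'kitchenowl'
          client_name: 'KitchenOwl'
          client_secret:
            path: '/secrets/authelia-oidc/client.kitchenowl'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://kitchen.kluster.moll.re/signin/redirect'
            # Custom-scheme redirect for the mobile app. NOTE(review): a native
            # app cannot keep a client secret confidential; if the app itself
            # completes the code exchange, a separate public client with PKCE
            # is the usual arrangement — confirm how the app obtains tokens.
            - 'kitchenowl:///signin/redirect'
          scopes:
            - 'openid'
            - 'email'
            - 'profile'
          token_endpoint_auth_method: 'client_secret_post'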

# Persistent volume for Authelia's data; presumably this is what backs
# '/config' (configMap.storage.local.file) — confirm the chart's mount path.
persistence:
  enabled: true
  storageClass: 'nfs-client'


# Secrets mounted below mountPath as '{mountPath}/{secret_name}/...'; every name
# here is referenced by a secret_name or absolute path in configMap above.
# The empty mapping appears to mean "mount the existing Secret of that name
# without generating it" — confirm against the chart's documentation.
secret:
  mountPath: '/secrets'
  additionalSecrets:
    # the oidc client secrets referenced in the oidc config
    authelia-oidc: {}
    # session/storage encryption keys, reset-password HMAC, OIDC HMAC and JWKS key
    authelia-internal: {}
    # LDAP bind password (authentication_backend.ldap.password)
    authelia-ldap: {}
    # notifier settings merged via configMap.extraConfigs
    authelia-smtp: {}