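---
# Helm values for the Authelia chart: ingress/pod settings, the generated
# configuration.yaml (configMap), persistence and the secrets mounted into the pod.
ingress:
  enabled: false

pod:
  kind: 'Deployment'
  replicas: 1

##
## Authelia Config Map Generator
##
configMap:
  key: 'configuration.yaml'

  # Include sub-maps which OVERRIDE the values generated by the helm chart.
  # The path follows the '{mountPath}/{secret_name}/{path}' layout described
  # under authentication_backend.ldap.password below.
  extraConfigs:
    - /secrets/authelia-smtp/smtp.yml

  # many of the values remain default from the helm chart
  authentication_backend:
    ldap:
      enabled: true
      implementation: 'custom'
      # NOTE(review): plain ldap:// (no TLS) to the in-cluster lldap service;
      # the bind password travels in clear on this hop — confirm this is
      # cluster-internal traffic only.
      address: 'ldap://lldap:3890'
      base_dn: 'DC=moll,DC=re'
      additional_users_dn: 'OU=people'
      users_filter: "(&({username_attribute}={input})(objectClass=person))"
      additional_groups_dn: 'OU=groups'
      groups_filter: "(member={dn})"
      ## The username of the admin user.
      user: 'uid=authelia,ou=people,dc=moll,dc=re'
      password:
        # ## Disables this secret and leaves configuring it entirely up to you.
        # disabled: false
        # ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the
        # ## secret_value option below.
        # secret_name: ~
        # ## The value of a generated secret when using the ~ secret_name.
        # value: ''
        # ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise
        # ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath'
        # ## value, '{secret_name}' is the secret_name above, and '{path}' is this value.
        path: 'authentication.ldap.password.txt'
        secret_name: authelia-ldap
      attributes:
        display_name: displayName
        username: uid
        group_name: cn
        mail: mail
    file:
      enabled: false

  session:
    inactivity: '2d'
    expiration: '7d'
    remember_me: '1M'
    cookies:
      - name: authelia_session
        # NOTE(review): the cookie is scoped to the portal host itself. That is
        # sufficient for the OIDC clients below; if forward-auth for sibling
        # subdomains is ever intended, the parent domain is usually needed — confirm.
        domain: auth.kluster.moll.re
    encryption_key:
      secret_name: authelia-internal

  storage:
    encryption_key:
      secret_name: authelia-internal
    local:
      enabled: true
      file: /config/db.sqlite3

  identity_validation:
    reset_password:
      secret:
        secret_name: authelia-internal
        path: 'identity_validation.reset_password.jwt.hmac.key'

  identity_providers:
    oidc:
      enabled: true
      hmac_secret:
        secret_name: authelia-internal
        path: 'identity_providers.oidc.hmac.key'
      # lifespans:
      #   access_token: '1 hour'
      #   authorize_code: '1 minute'
      #   id_token: '1 hour'
      #   refresh_token: '1 hour and 30 minutes'
      jwks:
        - algorithm: 'RS256'
          key:
            path: '/secrets/authelia-internal/oidc.jwks.key'
      cors:
        # CORS is permitted only for origins derived from the registered
        # redirect_uris of the clients below.
        allowed_origins_from_client_redirect_uris: true
      clients:
        # Every client is confidential (public: false) with its secret read from
        # the authelia-oidc Secret mounted at /secrets/authelia-oidc.
        # consent_mode 'implicit' grants consent without prompting the user.
        - client_id: 'grafana'
          client_name: 'Grafana'
          client_secret:
            path: '/secrets/authelia-oidc/client.grafana'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: true
          pkce_challenge_method: 'S256'
          redirect_uris:
            - 'https://grafana.kluster.moll.re/login/generic_oauth'
          scopes:
            - 'openid'
            - 'profile'
            - 'groups'
            - 'email'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'

        - client_id: 'recipes'
          client_name: 'Recipes'
          client_secret:
            path: '/secrets/authelia-oidc/client.recipes'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: true
          pkce_challenge_method: 'S256'
          redirect_uris:
            - 'https://recipes.kluster.moll.re/login'
          scopes:
            - 'openid'
            - 'email'
            - 'profile'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'

        - client_id: 'gitea'
          client_name: 'Gitea'
          client_secret:
            path: '/secrets/authelia-oidc/client.gitea'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://git.kluster.moll.re/user/oauth2/authelia/callback'
          scopes:
            - 'openid'
            - 'email'
            - 'profile'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'

        - client_id: 'argocd'
          client_name: 'Argo CD'
          client_secret:
            path: '/secrets/authelia-oidc/client.argocd'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://argocd.kluster.moll.re/auth/callback'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'

        - client_id: 'paperless'
          client_name: 'Paperless'
          client_secret:
            path: '/secrets/authelia-oidc/client.paperless'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://paperless.kluster.moll.re/accounts/oidc/authelia/login/callback/'
          scopes:
            - 'openid'
            - 'profile'
            - 'email'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'

        - client_id: 'linkding'
          client_name: 'LinkDing'
          client_secret:
            path: '/secrets/authelia-oidc/client.linkding'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://linkding.kluster.moll.re/oidc/callback/'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'

        - client_id: 'todos'
          client_name: 'Todos'
          client_secret:
            path: '/secrets/authelia-oidc/client.todos'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://todos.kluster.moll.re/auth/openid/authelia'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'

        - client_id: 'kitchenowl'
          client_name: 'KitchenOwl'
          client_secret:
            path: '/secrets/authelia-oidc/client.kitchenowl'
          # NOTE(review): confidential client that also registers a custom-scheme
          # redirect for the mobile app, and unlike grafana/recipes sets no
          # require_pkce. A native app cannot protect a client secret; confirm the
          # secret is only used by the web deployment, and consider require_pkce
          # for the mobile flow.
          public: false
          token_endpoint_auth_method: 'client_secret_post'
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://kitchen.kluster.moll.re/signin/redirect'
            - 'kitchenowl:///signin/redirect'  # mobile app as well
          scopes:
            - 'openid'
            - 'email'
            - 'profile'

# notifier: not set here; presumably supplied by the authelia-smtp extraConfig
# listed under configMap.extraConfigs above — verify.

persistence:
  enabled: true
  storageClass: 'nfs-client'

secret:
  mountPath: '/secrets'
  additionalSecrets:
    # the oidc client secrets referenced in the oidc config
    authelia-oidc: {}
    authelia-internal: {}
    authelia-ldap: {}
    authelia-smtp: {}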