# Chart-managed Ingress: not created from this values file.
ingress:
  enabled: false
# Workload shape: a single-replica Deployment (no HA; state lives in the
# local SQLite store configured under configMap.storage.local).
pod:
  kind: 'Deployment'
  replicas: 1
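##
## Authelia Config Map Generator
##
configMap:
  key: 'configuration.yaml'
  # include sub-maps which OVERRIDE the values generated by the helm chart
  extraConfigs:
    - /secrets/authelia-smtp/smtp.yml


  # many of the values remain default from the helm chart
  authentication_backend:
    ldap:
      enabled: true
      implementation: 'custom'
      # NOTE(review): plain ldap:// — the bind password below and every
      # user/group lookup cross the cluster network unencrypted. If lldap
      # offers TLS, prefer ldaps:// (or StartTLS); otherwise confirm this
      # hop is confined by a network policy.
      address: 'ldap://lldap:3890'
      base_dn: 'DC=moll,DC=re'
      additional_users_dn: 'OU=people'
      users_filter: "(&({username_attribute}={input})(objectClass=person))"
      additional_groups_dn: 'OU=groups'
      groups_filter: "(member={dn})"

      ## The bind DN Authelia authenticates to LDAP with (a dedicated service
      ## account; its password is read from the authelia-ldap secret below).
      user: 'uid=authelia,ou=people,dc=moll,dc=re'
      password:
        # ## Disables this secret and leaves configuring it entirely up to you.
        # disabled: false

        # ## The secret name. The ~ name is special as it is the secret we generate either automatically or via the
        # ## secret_value option below.
        # secret_name: ~

        # ## The value of a generated secret when using the ~ secret_name.
        # value: ''

        # ## The path to the secret. If it has a '/' prefix it's assumed to be an absolute path within the pod. Otherwise
        # ## it uses the format '{mountPath}/{secret_name}/{path}' where '{mountPath}' refers to the 'secret.mountPath'
        # ## value, '{secret_name}' is the secret_name above, and '{path}' is this value.
        path: 'authentication.ldap.password.txt'
        secret_name: authelia-ldap

      attributes:
        display_name: displayName
        username: uid
        group_name: cn
        mail: mail
    file:
      enabled: false


  session:
    inactivity: '2d'
    expiration: '7d'
    remember_me: '1M'
    cookies:
      - name: authelia_session
        domain: auth.kluster.moll.re
    encryption_key:
      secret_name: authelia-internal


  storage:
    encryption_key:
      secret_name: authelia-internal

    local:
      enabled: true
      path: /config/db.sqlite3


  identity_validation:
    reset_password:
      secret:
        secret_name: authelia-internal
        path: 'identity_validation.reset_password.jwt.hmac.key'


  identity_providers:
    oidc:
      enabled: true
      hmac_secret:
        secret_name: authelia-internal
        path: 'identity_providers.oidc.hmac.key'

      # lifespans:
      #   access_token: '1 hour'
      #   authorize_code: '1 minute'
      #   id_token: '1 hour'
      #   refresh_token: '1 hour and 30 minutes'

      jwks:
        - algorithm: 'RS256'
          key:
            path: '/secrets/authelia-internal/oidc.jwks.key'

      cors:
        allowed_origins_from_client_redirect_uris: true

      # Every client below is confidential (public: false) with its secret
      # mounted from the authelia-oidc secret, and uses authorization_policy
      # 'one_factor'. PKCE is enforced only for grafana and recipes;
      # actualbudget and vaultwarden disable it explicitly; the others take
      # the chart/Authelia default. consent_mode 'implicit' (no consent
      # prompt) is set on all clients except kitchenowl, actualbudget and
      # vaultwarden — acceptable for a single-operator setup, revisit if
      # more users are onboarded.
      clients:
        - client_id: 'grafana'
          client_name: 'Grafana'
          client_secret:
            path: '/secrets/authelia-oidc/client.grafana'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: true
          pkce_challenge_method: 'S256'
          redirect_uris:
            - 'https://grafana.kluster.moll.re/login/generic_oauth'
          scopes:
            - 'openid'
            - 'profile'
            - 'groups'
            - 'email'
          response_types:
            - 'code'
          grant_types:
            - 'authorization_code'
          access_token_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'recipes'
          client_name: 'Recipes'
          client_secret:
            path: '/secrets/authelia-oidc/client.recipes'
          public: false
          authorization_policy: 'one_factor'
          require_pkce: true
          pkce_challenge_method: 'S256'
          redirect_uris:
            - 'https://recipes.kluster.moll.re/login'
          scopes:
            - 'openid'
            - 'email'
            - 'profile'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'gitea'
          client_name: 'Gitea'
          client_secret:
            path: '/secrets/authelia-oidc/client.gitea'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://git.kluster.moll.re/user/oauth2/authelia/callback'
          scopes:
            - 'openid'
            - 'email'
            - 'profile'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'argocd'
          client_name: 'Argo CD'
          client_secret:
            path: '/secrets/authelia-oidc/client.argocd'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://argocd.kluster.moll.re/auth/callback'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'
        - client_id: 'paperless'
          client_name: 'Paperless'
          client_secret:
            path: '/secrets/authelia-oidc/client.paperless'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://paperless.kluster.moll.re/accounts/oidc/authelia/login/callback/'
          scopes:
            - 'openid'
            - 'profile'
            - 'email'
            - 'groups'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'linkding'
          client_name: 'LinkDing'
          client_secret:
            path: '/secrets/authelia-oidc/client.linkding'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://linkding.kluster.moll.re/oidc/callback/'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_post'
          consent_mode: 'implicit'
        - client_id: 'todos'
          client_name: 'Todos'
          client_secret:
            path: '/secrets/authelia-oidc/client.todos'
          public: false
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://todos.kluster.moll.re/auth/openid/authelia'
          scopes:
            - 'openid'
            - 'groups'
            - 'email'
            - 'profile'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
          consent_mode: 'implicit'
        - client_id: 'kitchenowl'
          client_name: 'KitchenOwl'
          client_secret:
            path: '/secrets/authelia-oidc/client.kitchenowl'
          public: false
          token_endpoint_auth_method: 'client_secret_post'
          authorization_policy: 'one_factor'
          redirect_uris:
            - 'https://kitchen.kluster.moll.re/signin/redirect'
            # custom-scheme redirect for the mobile app (quoted so the ':'
            # is never mistaken for a mapping)
            - 'kitchenowl:/signin/redirect'
          scopes:
            - 'openid'
            - 'email'
            - 'profile'
        - client_id: 'actualbudget'
          client_name: 'Actual Budget'
          client_secret:
            path: '/secrets/authelia-oidc/client.actualbudget'
          public: false
          authorization_policy: 'one_factor'
          # PKCE switched off for this client; the empty challenge method is
          # deliberate, not a missing value.
          require_pkce: false
          pkce_challenge_method: ''
          redirect_uris:
            - 'https://actualbudget.kluster.moll.re/openid/callback'
          scopes:
            - 'openid'
            - 'profile'
            - 'groups'
            - 'email'
          response_types:
            - 'code'
          grant_types:
            - 'authorization_code'
          access_token_signed_response_alg: 'none'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'
        - client_id: 'vaultwarden'
          client_name: 'VaultWarden'
          client_secret:
            path: '/secrets/authelia-oidc/client.vaultwarden'
          public: false
          authorization_policy: 'one_factor'
          # PKCE switched off for this client as well (see actualbudget).
          require_pkce: false
          pkce_challenge_method: ''
          redirect_uris:
            - 'https://passwords.kluster.moll.re/identity/connect/oidc-signin'
          scopes:
            - 'openid'
            - 'profile'
            - 'groups'
            - 'email'
          response_types:
            - 'code'
          grant_types:
            - 'authorization_code'
          access_token_signed_response_alg: 'none'
          userinfo_signed_response_alg: 'none'
          token_endpoint_auth_method: 'client_secret_basic'

  # notifier
  # is set through a secret (the SMTP sub-map pulled in via extraConfigs above)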
# Persistent volume for Authelia's writable state — presumably backs the
# /config path used by configMap.storage.local; confirm against the chart.
persistence:
  enabled: true
  storageClass: 'nfs-client'
# Secret mounts. Each entry under additionalSecrets is exposed at
# {mountPath}/{secret_name}; the Secret objects themselves are presumably
# created outside this chart (the values here are empty).
secret:
  mountPath: '/secrets'
  additionalSecrets:
    # the oidc client secrets referenced in the oidc config
    authelia-oidc: {}
    # session and storage encryption keys, reset-password HMAC key,
    # OIDC HMAC secret and the OIDC JWKS private key
    authelia-internal: {}
    # LDAP bind password for authentication_backend.ldap
    authelia-ldap: {}
    # SMTP notifier sub-map, loaded via configMap.extraConfigs
    authelia-smtp: {}