# Include{groups} portals: open: # Include{portalLink} questions: # Include{global} # Include{controller} # Include{replicas} # Include{replica1} # Include{controllerExpertExtraArgs} # Include{containerConfig} - variable: domain group: "App Configuration" label: "Domain" description: "The highest domain level possible, for example: domain.com when using app.domain.com" schema: type: string default: "" required: true - variable: default_redirection_url group: "App Configuration" label: "Default Redirection Url" description: "If user tries to authenticate without any referer, this is used" schema: type: string default: "" - variable: theme group: "App Configuration" label: "Theme" schema: type: string default: "auto" enum: - value: "auto" description: "auto" - value: "light" description: "light" - value: "grey" description: "grey" - value: "dark" description: "dark" - variable: log group: "App Configuration" label: "Log Configuration " schema: additional_attrs: true type: dict attrs: - variable: level label: "Log Level" schema: type: string default: "info" enum: - value: "info" description: "info" - value: "debug" description: "debug" - value: "trace" description: "trace" - variable: format label: "Log Format" schema: type: string default: "text" enum: - value: "json" description: "json" - value: "text" description: "text" - variable: totp group: "App Configuration" label: "TOTP Configuration" schema: additional_attrs: true type: dict attrs: - variable: issuer label: "Issuer" description: "The issuer name displayed in the Authenticator application of your choice" schema: type: string default: "" - variable: period label: "Period" description: "The period in seconds a one-time password is current for" schema: type: int default: 30 - variable: skew label: "skew" description: "Controls number of one-time passwords either side of the current one that are valid." 
schema: type: int default: 1 - variable: duo_api group: "App Configuration" label: "DUO API Configuration" description: "Parameters used to contact the Duo API." schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: hostname label: "Hostname" schema: type: string required: true default: "" - variable: integration_key label: "integration_key" schema: type: string default: "" required: true - variable: plain_api_key label: "plain_api_key" schema: type: string default: "" required: true - variable: session group: "App Configuration" label: "Session Provider" description: "The session cookies identify the user once logged in." schema: additional_attrs: true type: dict attrs: - variable: name label: "Cookie Name" description: "The name of the session cookie." schema: type: string required: true default: "authelia_session" - variable: same_site label: "SameSite Value" description: "Sets the Cookie SameSite value" schema: type: string default: "lax" enum: - value: "lax" description: "lax" - value: "strict" description: "strict" - variable: expiration label: "Expiration Time" description: "The time in seconds before the cookie expires and session is reset." schema: type: string default: "1h" required: true - variable: inactivity label: "Inactivity Time" description: "The inactivity time in seconds before the session is reset." schema: type: string default: "5m" required: true - variable: inactivity label: "Remember-Me duration" description: "The remember me duration" schema: type: string default: "5M" required: true - variable: regulation group: "App Configuration" label: "Regulation Configuration" description: "This mechanism prevents attackers from brute forcing the first factor." schema: additional_attrs: true type: dict attrs: - variable: max_retries label: "Maximum Retries" description: "The number of failed login attempts before the user is banned. 
Set it to 0 to disable regulation." schema: type: int default: 3 - variable: find_time label: "Find Time" description: "The time range during which the user can attempt login before being banned." schema: type: string default: "2m" required: true - variable: ban_time label: "Ban Duration" description: "The length of time before a banned user can login again" schema: type: string default: "5m" required: true - variable: authentication_backend group: "App Configuration" label: "Authentication Backend Provider" description: "Used for verifying user passwords and retrieving information such as email address and groups users belong to." schema: additional_attrs: true type: dict attrs: - variable: disable_reset_password label: "Disable Reset Password" description: "Disable both the HTML element and the API for reset password functionality" schema: type: boolean default: false - variable: refresh_interval label: "Refresh Interval" description: "The amount of time to wait before we refresh data from the authentication backend" schema: type: string default: "5m" required: true - variable: ldap label: "LDAP backend configuration" description: "Used for verifying user passwords and retrieving information such as email address and groups users belong to" schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: implementation label: "Implementation" description: "The LDAP implementation, this affects elements like the attribute utilised for resetting a password" schema: type: string default: "custom" enum: - value: "activedirectory" description: "activedirectory" - value: "custom" description: "custom" - variable: url label: "URL" description: "The url to the ldap server. Format: <scheme>://<address>[:<port>]" schema: type: string default: "ldap://openldap.default.svc.cluster.local" required: true
- variable: timeout label: "Connection Timeout" schema: type: string default: "5s" required: true - variable: start_tls label: "Start TLS" description: "Use StartTLS with the LDAP connection" schema: type: boolean default: false - variable: tls label: "TLS Settings" schema: additional_attrs: true type: dict attrs: - variable: server_name label: "Server Name" description: "Server Name for certificate validation (in case it's not set correctly in the URL)." schema: type: string default: "" - variable: skip_verify label: "Skip Certificate Verification" description: "Skip verifying the server certificate (to allow a self-signed certificate). This also disables detection of a spoofed LDAP server, so leave it off unless the connection is otherwise trusted." schema: type: boolean default: false - variable: minimum_version label: "Minimum TLS version" description: "Minimum TLS version for either Secure LDAP or LDAP StartTLS." schema: type: string default: "TLS1.2" enum: - value: "TLS1.0" description: "TLS1.0" - value: "TLS1.1" description: "TLS1.1" - value: "TLS1.2" description: "TLS1.2" - value: "TLS1.3" description: "TLS1.3" - variable: base_dn label: "Base DN" description: "The base dn for every LDAP query." schema: type: string default: "DC=example,DC=com" required: true - variable: username_attribute label: "Username Attribute" description: "The attribute holding the username of the user" schema: type: string default: "" required: true - variable: additional_users_dn label: "Additional Users DN" description: "An additional dn to define the scope of all users." schema: type: string default: "OU=Users" required: true - variable: users_filter label: "Users Filter" description: "The users filter used in search queries to find the user." schema: type: string default: "" required: true - variable: additional_groups_dn label: "Additional Groups DN" description: "An additional dn to define the scope of groups." 
schema: type: string default: "OU=Groups" required: true - variable: groups_filter label: "Groups Filter" description: "The groups filter used in search queries to find the groups of the user." schema: type: string default: "" required: true - variable: group_name_attribute label: "Group Name Attribute" description: "The attribute holding the name of the group" schema: type: string default: "" required: true - variable: mail_attribute label: "Mail Attribute" description: "The attribute holding the primary mail address of the user" schema: type: string default: "" required: true - variable: display_name_attribute label: "Display Name Attribute" description: "The attribute holding the display name of the user. This will be used to greet an authenticated user." schema: type: string default: "" - variable: user label: "Admin User" description: "The username of the admin user used to connect to LDAP." schema: type: string default: "CN=Authelia,DC=example,DC=com" required: true - variable: plain_password label: "Password" schema: type: string default: "" required: true - variable: file label: "File backend configuration" description: "With this backend, the users database is stored in a file which is updated when users reset their passwords." 
schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: path label: "Path" schema: type: string default: "/config/users_database.yml" required: true - variable: password label: "Password Settings" schema: additional_attrs: true type: dict attrs: - variable: algorithm label: "Algorithm" schema: type: string default: "argon2id" enum: - value: "argon2id" description: "argon2id" - value: "sha512" description: "sha512" - variable: iterations label: "Iterations" schema: type: int default: 1 required: true - variable: key_length label: "Key Length" schema: type: int default: 32 required: true - variable: salt_length label: "Salt Length" schema: type: int default: 16 required: true - variable: memory label: "Memory" schema: type: int default: 1024 required: true - variable: parallelism label: "Parallelism" schema: type: int default: 8 required: true - variable: notifier group: "App Configuration" label: "Notifier Configuration" description: "Notifications are sent to users when they require a password reset, a U2F registration or a TOTP registration." schema: additional_attrs: true type: dict attrs: - variable: disable_startup_check label: "Disable Startup Check" schema: type: boolean default: false - variable: filesystem label: "Filesystem Provider" schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: filename label: "File Path" schema: type: string default: "/config/notification.txt" required: true - variable: smtp label: "SMTP Provider" description: "Use an SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate." 
schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: true show_subquestions_if: true subquestions: - variable: host label: "Host" schema: type: string default: "smtp.mail.svc.cluster.local" required: true - variable: port label: "Port" schema: type: int default: 25 required: true - variable: timeout label: "Timeout" schema: type: string default: "5s" required: true - variable: username label: "Username" schema: type: string default: "" - variable: plain_password label: "Password" schema: type: string default: "" - variable: sender label: "Sender" schema: type: string default: "" required: true - variable: identifier label: "Identifier" description: "HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost." schema: type: string default: "localhost" required: true - variable: subject label: "Subject" description: "Subject configuration of the emails sent, {title} is replaced by the text from the notifier" schema: type: string default: "[Authelia] {title}" required: true - variable: startup_check_address label: "Startup Check Address" description: "This address is used during the startup check to verify the email configuration is correct." schema: type: string default: "test@authelia.com" required: true - variable: disable_require_tls label: "Disable Require TLS" schema: type: boolean default: false - variable: disable_html_emails label: "Disable HTML emails" schema: type: boolean default: false - variable: tls label: "TLS Settings" schema: additional_attrs: true type: dict attrs: - variable: server_name label: "Server Name" description: "Server Name for certificate validation (in case it's not set correctly in the URL)." 
schema: type: string default: "" - variable: skip_verify label: "Skip Certificate Verification" description: "Skip verifying the server certificate (to allow a self-signed certificate). This also disables detection of a spoofed SMTP server, so leave it off unless the connection is otherwise trusted." schema: type: boolean default: false - variable: minimum_version label: "Minimum TLS version" description: "Minimum TLS version for the SMTP connection." schema: type: string default: "TLS1.2" enum: - value: "TLS1.0" description: "TLS1.0" - value: "TLS1.1" description: "TLS1.1" - value: "TLS1.2" description: "TLS1.2" - value: "TLS1.3" description: "TLS1.3" - variable: access_control group: "App Configuration" label: "Access Control Configuration" description: "Access control is a list of rules defining the authorizations applied for one resource to users or groups of users." schema: additional_attrs: true type: dict attrs: - variable: default_policy label: "Default Policy" description: "Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'." schema: type: string default: "two_factor" enum: - value: "bypass" description: "bypass" - value: "one_factor" description: "one_factor" - value: "two_factor" description: "two_factor" - value: "deny" description: "deny" - variable: networks label: "Networks" schema: type: list default: [] items: - variable: networkItem label: "Network Item" schema: additional_attrs: true type: dict attrs: - variable: name label: "Name" schema: type: string default: "" required: true - variable: networks label: "Networks" schema: type: list default: [] items: - variable: network label: "network" schema: type: string default: "" required: true - variable: rules label: "Rules" schema: type: list default: [] items: - variable: rulesItem label: "Rule" schema: additional_attrs: true type: dict attrs: - variable: domain label: "Domains" description: "Defines which domain or set of domains the rule applies to." 
schema: type: list default: [] items: - variable: domainEntry label: "Domain" schema: type: string default: "" required: true - variable: policy label: "Policy" description: "The policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'." schema: type: string default: "two_factor" enum: - value: "bypass" description: "bypass" - value: "one_factor" description: "one_factor" - value: "two_factor" description: "two_factor" - value: "deny" description: "deny" - variable: subject label: "Subject" description: "Defines the subject to apply authorizations to. This parameter is optional and matches any user if not provided." schema: type: list default: [] items: - variable: subjectitem label: "Subject" schema: type: string default: "" required: true - variable: networks label: "Networks" schema: type: list default: [] items: - variable: network label: "Network" schema: type: string default: "" required: true - variable: resources label: "Resources" description: "A list of regular expressions matching the set of resources the policy applies to." schema: type: list default: [] items: - variable: resource label: "Resource" schema: type: string default: "" required: true # Include{serviceRoot} - variable: main label: "Main Service" description: "The Primary service on which the healthcheck runs, often the webUI" schema: additional_attrs: true type: dict attrs: # Include{serviceSelectorLoadBalancer} # Include{serviceSelectorExtras} - variable: main label: "Main Service Port Configuration" schema: additional_attrs: true type: dict attrs: - variable: port label: "Port" description: "This port exposes the container port on the service" schema: type: int default: 9091 required: true # Include{serviceExpertRoot} default: false # Include{serviceExpert} # Include{serviceList} # Include{persistenceRoot} - variable: config label: "App Config Storage" description: "Stores the Application Configuration." 
schema: additional_attrs: true type: dict attrs: # Include{persistenceBasic} # Include{persistenceList} # Include{ingressRoot} - variable: main label: "Main Ingress" schema: additional_attrs: true type: dict attrs: # Include{ingressDefault} # Include{ingressTLS} # Include{ingressTraefik} # Include{ingressList} # Include{security} # Include{securityContextAdvancedRoot} - variable: privileged label: "Privileged mode" schema: type: boolean default: false - variable: readOnlyRootFilesystem label: "ReadOnly Root Filesystem" schema: type: boolean default: true - variable: allowPrivilegeEscalation label: "Allow Privilege Escalation" schema: type: boolean default: false - variable: runAsNonRoot label: "runAsNonRoot" schema: type: boolean default: true # Include{podSecurityContextRoot} - variable: runAsUser label: "runAsUser" description: "The UserID of the user running the application" schema: type: int default: 568 - variable: runAsGroup label: "runAsGroup" description: "The GroupID of the user running the application" schema: type: int default: 568 - variable: fsGroup label: "fsGroup" description: "The group that should own ALL storage." 
schema: type: int default: 568 # Include{podSecurityContextAdvanced} # Include{resources} # Include{advanced} # Include{addons} # Include{codeserver} # Include{vpn} # Include{documentation} - variable: identity_providers group: "Advanced" label: "Authelia Identity Providers (BETA)" schema: additional_attrs: true type: dict attrs: - variable: oidc label: "OpenID Connect(BETA)" schema: additional_attrs: true type: dict attrs: - variable: enabled label: "enabled" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: access_token_lifespan label: "Access Token Lifespan" schema: type: string default: "1h" required: true - variable: authorize_code_lifespan label: "Authorize Code Lifespan" schema: type: string default: "1m" required: true - variable: id_token_lifespan label: "ID Token Lifespan" schema: type: string default: "1h" required: true - variable: refresh_token_lifespan label: "Refresh Token Lifespan" schema: type: string default: "90m" required: true - variable: enable_client_debug_messages label: "Enable Client Debug Messages" schema: type: boolean default: false - variable: clients label: "Clients" schema: type: list default: [] items: - variable: clientEntry label: "Client" schema: additional_attrs: true type: dict attrs: - variable: id label: "ID/Name" description: "The ID is the OpenID Connect ClientID which is used to link an application to a configuration." schema: type: string default: "myapp" required: true - variable: description label: "Description" description: "The description to show to users when they end up on the consent screen. Defaults to the ID above." schema: type: string default: "My Application" required: true - variable: secret label: "Secret" description: "The client secret is a shared secret between Authelia and the consumer of this client." schema: type: string default: "" required: true - variable: public label: "public" description: "Sets the client to public. 
This should typically not be set, please see the documentation for usage." schema: type: boolean default: false - variable: authorization_policy label: "Authorization Policy" description: "The policy to require for this client; one_factor or two_factor." schema: type: string default: "two_factor" enum: - value: "one_factor" description: "one_factor" - value: "two_factor" description: "two_factor" - variable: consent_mode label: "Consent Mode" description: "Configures the consent mode. This can be set to auto (default), explicit (consent required every time) or implicit (automatically assumes consent for every authorization, never asking the user if they wish to give consent)." schema: type: string default: "auto" enum: - value: "auto" description: "auto" - value: "explicit" description: "explicit" - value: "implicit" description: "implicit" - variable: userinfo_signing_algorithm label: "Userinfo Signing Algorithm" description: "The algorithm used to sign userinfo endpoint responses for this client, either none or RS256." schema: type: string default: "none" enum: - value: "none" description: "none" - value: "RS256" description: "RS256" - variable: audience label: "Audience" description: "Audience this client is allowed to request." schema: type: list default: [] items: - variable: audienceEntry label: "Audience" schema: type: string default: "" required: true - variable: scopes label: "Scopes" description: "Scopes this client is allowed to request." schema: type: list default: [] items: - variable: ScopeEntry label: "Scope" schema: type: string default: "openid" required: true - variable: redirect_uris label: "redirect_uris" description: "Redirect URIs specifies a list of valid case-sensitive callbacks for this client." 
schema: type: list default: [] items: - variable: uriEntry label: "Url" schema: type: string default: "https://oidc.example.com/oauth2/callback" required: true - variable: grant_types description: "Grant Types configures which grants this client can obtain." label: "grant_types" schema: type: list default: [] items: - variable: grantEntry label: "Grant" schema: type: string default: "refresh_token" required: true - variable: response_types description: "Response Types configures which responses this client can be sent." label: "response_types" schema: type: list default: [] items: - variable: responseEntry label: "type" schema: type: string default: "code" required: true - variable: response_modes description: "Response Modes configures which response modes this client supports." label: "response_modes" schema: type: list default: [] items: - variable: modeEntry label: "Mode" schema: type: string default: "form_post" required: true