# Include{groups} portals: open: # Include{portalLink} questions: # Include{global} # Include{workload} # Include{workloadDeployment} # Include{replicas2} # Include{podSpec} # Include{containerMain} # Include{containerBasic} # Include{containerAdvanced} # Include{containerConfig} # Include{podOptions} - variable: domain group: "App Configuration" label: "Domain" description: "The highest domain level possible, for example: domain.com when using app.domain.com" schema: type: string default: "" required: true - variable: default_redirection_url group: "App Configuration" label: "Default Redirection URL" description: "If user tries to authenticate without any referrer, this is used" schema: type: string default: "" valid_chars: '^https?:\/\/(.*)' - variable: theme group: "App Configuration" label: "Theme" schema: type: string default: "auto" enum: - value: "auto" description: "auto" - value: "light" description: "light" - value: "grey" description: "grey" - value: "dark" description: "dark" - variable: log group: "App Configuration" label: "Log Configuration" schema: additional_attrs: true type: dict attrs: - variable: level label: "Log Level" schema: type: string default: "info" enum: - value: "info" description: "info" - value: "debug" description: "debug" - value: "trace" description: "trace" - variable: format label: "Log Format" schema: type: string default: "text" enum: - value: "json" description: "json" - value: "text" description: "text" - variable: totp group: "App Configuration" label: "TOTP Configuration" schema: additional_attrs: true type: dict attrs: - variable: issuer label: "Issuer" description: "The issuer name displayed in the Authenticator application of your choice" schema: type: string default: "" - variable: period label: "Period" description: "The period in seconds a one-time password is current for" schema: type: int default: 30 - variable: skew label: "skew" description: "Controls number of one-time passwords either side of the current one 
that are valid." schema: type: int default: 1 - variable: password_policy group: "App Configuration" label: "Password Policy Configuration" description: "Authelia allows administrators to configure an enforced password policy." schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: standard label: Standard schema: additional_attrs: true type: dict attrs: - variable: enabled label: Enabled schema: type: boolean default: false - variable: min_length label: "Minimum Password Length" description: "Minimum Password Length" schema: type: int required: true show_if: [["enabled", "=", true]] default: 8 - variable: max_length label: "Max Password Length" description: "Max Password Length" schema: type: int required: true show_if: [["enabled", "=", true]] default: 0 - variable: require_uppercase label: "Require Uppercase" schema: type: boolean default: false show_if: [["enabled", "=", true]] required: true - variable: require_lowercase label: "Require Lowercase" schema: type: boolean default: false show_if: [["enabled", "=", true]] required: true - variable: require_number label: "Require Numbers" description: "Require Numbers in the password" schema: type: boolean default: false show_if: [["enabled", "=", true]] required: true - variable: require_special label: "Require Special Characters" schema: type: boolean default: false show_if: [["enabled", "=", true]] - variable: zxcvbn label: zxcvbn schema: additional_attrs: true type: dict attrs: - variable: enabled label: Enabled schema: type: boolean default: false required: true - variable: min_score label: "Min Score" schema: type: int required: true show_if: [["enabled", "=", true]] default: 3 - variable: duo_api group: "App Configuration" label: "DUO API Configuration" description: "Parameters used to contact the Duo API." 
schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: hostname label: "Hostname" schema: type: string required: true default: "" - variable: integration_key label: "integration_key" schema: type: string default: "" required: true - variable: plain_api_key label: "plain_api_key" schema: type: string default: "" required: true - variable: session group: "App Configuration" label: "Session Provider" description: "The session cookies identify the user once logged in." schema: additional_attrs: true type: dict attrs: - variable: name label: "Cookie Name" description: | The name of the session cookie. By default this is set to authelia_session. It’s mostly useful to change this if you are doing development or running multiple instances of Authelia. schema: type: string required: true default: "authelia_session" - variable: same_site label: "SameSite Value" description: | You can read about the SameSite cookie in detail on the MDN. In short setting SameSite to Lax is generally the most desirable option for Authelia. None is not recommended unless you absolutely know what you’re doing and trust all the protected apps. Strict is not going to work in many use cases and we have not tested it in this state but it’s available as an option anyway. schema: type: string default: "lax" enum: - value: "lax" description: "lax" - value: "strict" description: "strict" - variable: expiration label: "Expiration Time" description: | The period of time before the cookie expires and the session is destroyed. This is overridden by remember_me_duration when the remember me box is checked. schema: type: string default: "1h" required: true - variable: inactivity label: "Inactivity Time" description: | The period of time the user can be inactive for until the session is destroyed when the remember me box is not checked or is otherwise disabled. 
Useful if you want long session timers but don’t want unused devices to be vulnerable. schema: type: string default: "5m" required: true - variable: remember_me_duration label: "Remember-Me duration" description: | The period of time before the cookie expires and the session is destroyed when the remember me box is checked, a user selecting this option negates the inactivity timeout. Setting this to -1 disables this feature entirely. schema: type: string default: "5M" required: true - variable: regulation group: "App Configuration" label: "Regulation Configuration" description: "This mechanism prevents attackers from brute forcing the first factor." schema: additional_attrs: true type: dict attrs: - variable: max_retries label: "Maximum Retries" description: "The number of failed login attempts before user is banned. Set it to 0 to disable regulation." schema: type: int default: 3 - variable: find_time label: "Find Time" description: | The period of time analyzed for failed attempts. For example if you set max_retries to 3 and find_time to 2m this means the user must have 3 failed logins in 2 minutes. schema: type: string default: "2m" required: true - variable: ban_time label: "Ban Duration" description: | The period of time the user is banned for after meeting the max_retries and find_time configuration. After this duration the account will be able to login again. schema: type: string default: "5m" required: true - variable: authentication_backend group: "App Configuration" label: "Authentication Backend Provider" description: | Used for verifying user passwords and retrieve information such as email address and groups users belong to. 
schema: additional_attrs: true type: dict attrs: - variable: disable_reset_password label: "Disable Reset Password" description: "Disable both the HTML element and the API for reset password functionality" schema: type: boolean default: false - variable: refresh_interval label: "Refresh Interval" description: "The amount of time to wait before we refresh data from the authentication backend" schema: type: string default: "5m" required: true - variable: ldap label: "LDAP backend configuration" description: "Used for verifying user passwords and retrieve information such as email address and groups users belong to" schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: implementation label: "Implementation" description: "The LDAP implementation, this affects elements like the attribute utilized for resetting a password" schema: type: string default: "custom" enum: - value: "activedirectory" description: "Active Directory" - value: "custom" description: "Custom" - variable: url label: "URL" description: "The url to the ldap server. Format: <scheme>://<address>[:<port>]"
schema: type: string default: "ldap://openldap.default.svc.cluster.local" required: true - variable: timeout label: "Connection Timeout" schema: type: string default: "5s" required: true - variable: start_tls label: "Start TLS" description: "Use StartTLS with the LDAP connection" schema: type: boolean default: false - variable: tls label: "TLS Settings" schema: additional_attrs: true type: dict attrs: - variable: server_name label: "Server Name" description: "Server Name for certificate validation (in case it's not set correctly in the URL)." schema: type: string default: "" - variable: skip_verify label: "Skip Certificate Verification" description: "Skip verifying the server certificate (to allow a self-signed certificate)" schema: type: boolean default: false - variable: minimum_version label: "Minimum TLS version" description: "Minimum TLS version for either Secure LDAP or LDAP StartTLS." schema: type: string default: "TLS1.2" enum: - value: "TLS1.0" description: "TLS1.0" - value: "TLS1.1" description: "TLS1.1" - value: "TLS1.2" description: "TLS1.2" - value: "TLS1.3" description: "TLS1.3" - variable: base_dn label: "Base DN" description: "The base dn for every LDAP query." schema: type: string default: "DC=example,DC=com" required: true - variable: username_attribute label: "Username Attribute" description: "The attribute holding the username of the user" schema: type: string default: "uid" required: true - variable: additional_users_dn label: "Additional Users DN" description: "An additional dn to define the scope to all users." schema: type: string default: "OU=people" required: true - variable: users_filter label: "Users Filter" description: "The users filter used in search queries to find the user." schema: type: string default: "" required: true - variable: additional_groups_dn label: "Additional Groups DN" description: "An additional dn to define the scope of groups." 
schema: type: string default: "OU=Groups" required: true - variable: groups_filter label: "Groups Filter" description: "The groups filter used in search queries to find the groups of the user." schema: type: string default: "" required: true - variable: group_name_attribute label: "Group Name Attribute" description: "The attribute holding the name of the group" schema: type: string default: "cn" required: true - variable: mail_attribute label: "Mail Attribute" description: "The attribute holding the primary mail address of the user" schema: type: string default: "mail" required: true - variable: display_name_attribute label: "Display Name Attribute" description: "The attribute holding the display name of the user. This will be used to greet an authenticated user." schema: type: string default: "displayName" - variable: user label: "Admin User" description: "The username of the admin user used to connect to LDAP." schema: type: string default: "CN=admin,ou=people,DC=example,DC=com" required: true - variable: plain_password label: "Password" schema: type: string default: "" required: true - variable: file label: "File backend configuration" description: "With this backend, the users database is stored in a file which is updated when users reset their passwords." 
schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: path label: "Path" schema: type: string default: "/config/users_database.yml" required: true - variable: password label: "Password Settings" schema: additional_attrs: true type: dict attrs: - variable: algorithm label: "Algorithm" schema: type: string default: "argon2id" enum: - value: "argon2id" description: "argon2id" - value: "sha512" description: "sha512" - variable: iterations label: "Iterations" schema: type: int default: 1 required: true - variable: key_length label: "Key Length" schema: type: int default: 32 required: true - variable: salt_length label: "Salt Length" schema: type: int default: 16 required: true - variable: memory label: "Memory" schema: type: int default: 1024 required: true - variable: parallelism label: "Parallelism" schema: type: int default: 8 required: true - variable: notifier group: "App Configuration" label: "Notifier Configuration" description: "Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration." schema: additional_attrs: true type: dict attrs: - variable: disable_startup_check label: "Disable Startup Check" schema: type: boolean default: false - variable: filesystem label: "Filesystem Provider" schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: filename label: "File Path" schema: type: string default: "/config/notification.txt" required: true - variable: smtp label: "SMTP Provider" description: "Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate." 
schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enable" schema: type: boolean default: true show_subquestions_if: true subquestions: - variable: host label: "Host" schema: type: string default: "smtp.mail.svc.cluster.local" required: true - variable: port label: "Port" schema: type: int default: 25 required: true - variable: timeout label: "Timeout" schema: type: string default: "5s" required: true - variable: username label: "Username" schema: type: string default: "" - variable: plain_password label: "Password" schema: type: string default: "" - variable: sender label: "Sender" schema: type: string default: "" required: true - variable: identifier label: "Identifier" description: "HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost." schema: type: string default: "localhost" required: true - variable: subject label: "Subject" description: "Subject configuration of the emails sent, {title} is replaced by the text from the notifier" schema: type: string default: "[Authelia] {title}" required: true - variable: startup_check_address label: "Startup Check Address" description: "This address is used during the startup check to verify the email configuration is correct." schema: type: string default: "test@authelia.com" required: true - variable: disable_require_tls label: "Disable Require TLS" schema: type: boolean default: false - variable: disable_html_emails label: "Disable HTML emails" schema: type: boolean default: false - variable: tls label: "TLS Settings" schema: additional_attrs: true type: dict attrs: - variable: server_name label: "Server Name" description: "Server Name for certificate validation (in case it's not set correctly in the URL)." 
schema: type: string default: "" - variable: skip_verify label: "Skip Certificate Verification" description: "Skip verifying the server certificate (to allow a self-signed certificate)" schema: type: boolean default: false - variable: minimum_version label: "Minimum TLS version" description: "Minimum TLS version for the SMTP connection." schema: type: string default: "TLS1.2" enum: - value: "TLS1.0" description: "TLS1.0" - value: "TLS1.1" description: "TLS1.1" - value: "TLS1.2" description: "TLS1.2" - value: "TLS1.3" description: "TLS1.3" - variable: access_control group: "App Configuration" label: "Access Control Configuration" description: "Access control is a list of rules defining the authorizations applied for one resource to users or group of users." schema: additional_attrs: true type: dict attrs: - variable: default_policy label: "Default Policy" description: | The default policy defines the policy applied if no rules section apply to the information known about the request. It is recommended that this is configured to deny for security reasons. Sites which you do not wish to secure at all with Authelia should not be configured in your reverse proxy to perform authentication with Authelia at all for performance reasons. 
schema: type: string default: "deny" enum: - value: "bypass" description: "bypass" - value: "one_factor" description: "one_factor" - value: "two_factor" description: "two_factor" - value: "deny" description: "deny" - variable: networks label: "Networks" schema: type: list default: [] items: - variable: networkItem label: "Network Item" schema: additional_attrs: true type: dict attrs: - variable: name label: "Name" schema: type: string default: "" required: true - variable: networks label: "Networks" schema: type: list default: [] items: - variable: network label: "network" schema: type: string default: "" required: true - variable: rules label: "Rules" schema: type: list default: [] items: - variable: rulesItem label: "Rule" schema: additional_attrs: true type: dict attrs: - variable: domain label: "Domains" description: "Defines which domain or set of domains the rule applies to." schema: type: list default: [] items: - variable: domainEntry label: "Domain" schema: type: string default: "" required: true - variable: policy label: "Policy" description: | The specific policy to apply to the selected rule. This is not criteria for a match, this is the action to take when a match is made. schema: type: string default: "two_factor" enum: - value: "bypass" description: "bypass" - value: "one_factor" description: "one_factor" - value: "two_factor" description: "two_factor" - value: "deny" description: "deny" - variable: subject label: "Subject" description: | This criteria matches identifying characteristics about the subject. Currently this is either user or groups the user belongs to. This allows you to effectively control exactly what each user is authorized to access or to specifically require two-factor authentication to specific users. Subjects are prefixed with either user: or group: to identify which part of the identity to check. 
schema: type: list default: [] items: - variable: subjectitem label: "Subject" schema: type: string default: "" required: true - variable: networks label: "Networks" schema: type: list default: [] items: - variable: network label: "Network" schema: type: string default: "" required: true - variable: resources label: "Resources" description: "is a list of regular expressions that matches a set of resources to apply the policy to" schema: type: list default: [] items: - variable: resource label: "Resource" schema: type: string default: "" required: true # Include{serviceRoot} - variable: main label: "Main Service" description: "The Primary service on which the healthcheck runs, often the webUI" schema: additional_attrs: true type: dict attrs: # Include{serviceSelectorLoadBalancer} # Include{serviceSelectorExtras} - variable: main label: "Main Service Port Configuration" schema: additional_attrs: true type: dict attrs: - variable: port label: "Port" description: "This port exposes the container port on the service" schema: type: int default: 9091 required: true # Include{serviceExpertRoot} # Include{serviceExpert} # Include{serviceList} # Include{persistenceRoot} - variable: config label: "App Config Storage" description: "Stores the Application Configuration." 
schema: additional_attrs: true type: dict attrs: # Include{persistenceBasic} # Include{persistenceList} # Include{ingressRoot} - variable: main label: "Main Ingress" schema: additional_attrs: true type: dict attrs: # Include{ingressDefault} # Include{ingressTLS} # Include{ingressTraefik} # Include{ingressAdvanced} # Include{ingressList} # Include{securityContextRoot} - variable: runAsUser label: "runAsUser" description: "The UserID of the user running the application" schema: type: int default: 568 - variable: runAsGroup label: "runAsGroup" description: "The groupID of the user running the application" schema: type: int default: 568 # Include{securityContextContainer} # Include{securityContextAdvanced} # Include{securityContextPod} - variable: fsGroup label: "fsGroup" description: "The group that should own ALL storage." schema: type: int default: 568 # Include{resources} # Include{advanced} - variable: identity_providers group: "Advanced" label: "Authelia Identity Providers (BETA)" schema: additional_attrs: true type: dict attrs: - variable: oidc label: "OpenID Connect(BETA)" schema: additional_attrs: true type: dict attrs: - variable: enabled label: "Enabled" schema: type: boolean default: false show_subquestions_if: true subquestions: - variable: access_token_lifespan label: "Access Token Lifespan" schema: type: string default: "1h" required: true - variable: authorize_code_lifespan label: "Authorize Code Lifespan" schema: type: string default: "1m" required: true - variable: id_token_lifespan label: "ID Token Lifespan" schema: type: string default: "1h" required: true - variable: refresh_token_lifespan label: "Refresh Token Lifespan" schema: type: string default: "90m" required: true - variable: enable_client_debug_messages label: "Enable Client Debug Messages" schema: type: boolean default: false - variable: clients label: "Clients" schema: type: list default: [] items: - variable: clientEntry label: "Client" schema: additional_attrs: true type: dict attrs: - 
variable: id label: "ID/Name" description: "The ID is the OpenID Connect ClientID which is used to link an application to a configuration." schema: type: string default: "myapp" required: true - variable: description label: "Description" description: "The description to show to users when they end up on the consent screen. Defaults to the ID above." schema: type: string default: "My Application" required: true - variable: secret label: "Secret" description: "The client secret is a shared secret between Authelia and the consumer of this client." schema: type: string default: "" required: true - variable: public label: "public" description: "Sets the client to public. This should typically not be set, please see the documentation for usage." schema: type: boolean default: false - variable: authorization_policy label: "Authorization Policy" description: "The policy to require for this client; one_factor or two_factor." schema: type: string default: "two_factor" enum: - value: "one_factor" description: "one_factor" - value: "two_factor" description: "two_factor" - variable: consent_mode label: "Consent Mode" description: | Configures the consent mode. This can be set to auto (default), explicit (consent required every time) or implicit (automatically assumes consent for every authorization, never asking the user if they wish to give consent.) schema: type: string default: "auto" enum: - value: "auto" description: "auto" - value: "explicit" description: "explicit" - value: "implicit" description: "implicit" - variable: userinfo_signing_algorithm label: "Userinfo Signing Algorithm" description: "The algorithm used to sign userinfo endpoint responses for this client, either none or RS256." schema: type: string default: "none" enum: - value: "none" description: "none" - value: "RS256" description: "RS256" - variable: audience label: "Audience" description: "Audience this client is allowed to request." 
schema: type: list default: [] items: - variable: audienceEntry label: "" schema: type: string default: "" required: true - variable: scopes label: "Scopes" description: "Scopes this client is allowed to request." schema: type: list default: [] items: - variable: ScopeEntry label: "Scope" schema: type: string default: "openid" required: true - variable: redirect_uris label: "redirect_uris" description: "Redirect URI's specifies a list of valid case-sensitive callbacks for this client." schema: type: list default: [] items: - variable: uriEntry label: "Url" schema: type: string default: "https://oidc.example.com/oauth2/callback" required: true - variable: grant_types description: "Grant Types configures which grants this client can obtain." label: "grant_types" schema: type: list default: [] items: - variable: grantEntry label: "Grant" schema: type: string default: "refresh_token" required: true - variable: response_types description: "Response Types configures which responses this client can be sent." label: "response_types" schema: type: list default: [] items: - variable: responseEntry label: "type" schema: type: string default: "code" required: true - variable: response_modes description: "Response Modes configures which response modes this client supports." label: "response_modes" schema: type: list default: [] items: - variable: modeEntry label: "Mode" schema: type: string default: "form_post" required: true # Include{postgresql} # Include{postgresqlBasics} # Include{addons} # Include{codeserver} # Include{vpn} # Include{netshoot} # Include{documentation}