TrueChartsClone/charts/premium/authelia/questions.yaml

# Include{groups}
portals:
open:
# Include{portalLink}
questions:
# Include{global}
# Include{workload}
# Include{workloadDeployment}
# Include{replicas2}
# Include{podSpec}
# Include{containerMain}
# Include{containerBasic}
# Include{containerAdvanced}
# Include{containerConfig}
# Include{podOptions}
- variable: domain
group: "App Configuration"
label: "Domain"
description: "The highest-level (apex) domain shared by all protected applications, for example: domain.com when protecting app.domain.com"
schema:
type: string
default: ""
required: true
- variable: default_redirection_url
group: "App Configuration"
label: "Default Redirection URL"
description: "The URL the user is redirected to after authenticating when no target URL (referrer) was provided; typically an https URL under the domain configured above"
schema:
type: string
default: ""
valid_chars: '^https?:\/\/(.*)'
- variable: theme
group: "App Configuration"
label: "Theme"
schema:
type: string
default: "auto"
enum:
- value: "auto"
description: "auto"
- value: "light"
description: "light"
- value: "grey"
description: "grey"
- value: "dark"
description: "dark"
- variable: log
group: "App Configuration"
label: "Log Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: level
label: "Log Level"
schema:
type: string
default: "info"
enum:
- value: "info"
description: "info"
- value: "debug"
description: "debug"
- value: "trace"
description: "trace"
- variable: format
label: "Log Format"
schema:
type: string
default: "text"
enum:
- value: "json"
description: "json"
- value: "text"
description: "text"
- variable: server
group: "App Configuration"
label: "Server Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: write_buffer_size
label: "Write Buffer Size"
description: "Configures the maximum response size. The default of 4096 is generally sufficient for most use cases."
schema:
type: int
default: 4096
- variable: read_buffer_size
label: "Read Buffer Size"
description: "Configures the maximum request size. The default of 4096 is generally sufficient for most use cases."
schema:
type: int
default: 4096
- variable: totp
group: "App Configuration"
label: "TOTP Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: issuer
label: "Issuer"
description: "The issuer name displayed in the Authenticator application of your choice"
schema:
type: string
default: ""
- variable: period
label: "Period"
description: "The period in seconds a one-time password is current for"
schema:
type: int
default: 30
- variable: skew
label: "Skew"
description: "Controls the number of one-time passwords either side of the current one that are accepted. Larger values widen the window in which a code can be replayed; keep it small (the default of 1 accepts three consecutive codes)."
schema:
type: int
default: 1
- variable: password_policy
group: "App Configuration"
label: "Password Policy Configuration"
description: "Authelia allows administrators to configure an enforced password policy. Enable either the Standard or the zxcvbn policy, not both; refer to the upstream docs for more info."
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: standard
label: Standard
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: Enabled
schema:
type: boolean
default: false
- variable: min_length
label: "Minimum Password Length"
description: "Minimum Password Length"
schema:
type: int
required: true
show_if: [["enabled", "=", true]]
default: 8
- variable: max_length
label: "Max Password Length"
description: "Max Password Length"
schema:
type: int
required: true
show_if: [["enabled", "=", true]]
default: 0
- variable: require_uppercase
label: "Require Uppercase"
schema:
type: boolean
default: false
show_if: [["enabled", "=", true]]
required: true
- variable: require_lowercase
label: "Require Lowercase"
schema:
type: boolean
default: false
show_if: [["enabled", "=", true]]
required: true
- variable: require_number
label: "Require Numbers"
description: "Require Numbers in the password"
schema:
type: boolean
default: false
show_if: [["enabled", "=", true]]
required: true
- variable: require_special
label: "Require Special Characters"
schema:
type: boolean
default: false
show_if: [["enabled", "=", true]]
- variable: zxcvbn
label: zxcvbn
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: Enabled
schema:
type: boolean
default: false
required: true
- variable: min_score
label: "Min Score"
schema:
type: int
required: true
show_if: [["enabled", "=", true]]
default: 3
- variable: duo_api
group: "App Configuration"
label: "DUO API Configuration"
description: "Parameters used to contact the Duo API."
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: hostname
label: "Hostname"
schema:
type: string
required: true
default: ""
- variable: integration_key
label: "Integration Key"
schema:
type: string
default: ""
required: true
- variable: plain_api_key
label: "Secret Key"
schema:
type: string
default: ""
required: true
- variable: session
group: "App Configuration"
label: "Session Provider"
description: "The session cookies identify the user once logged in."
schema:
additional_attrs: true
type: dict
attrs:
- variable: name
label: "Cookie Name"
description: |
The name of the session cookie. By default this is set to authelia_session.
It is mostly useful to change this if you are doing development or running multiple instances of Authelia.
schema:
type: string
required: true
default: "authelia_session"
- variable: same_site
label: "SameSite Value"
description: |
You can read about the SameSite cookie in detail on the MDN. In short setting SameSite to Lax is generally
the most desirable option for Authelia. None is not offered here and is not recommended unless you absolutely know what you're doing
and trust all the protected apps. Strict is not going to work in many use cases and we have not tested it in
this state but its available as an option anyway.
schema:
type: string
default: "lax"
enum:
- value: "lax"
description: "lax"
- value: "strict"
description: "strict"
- variable: expiration
label: "Expiration Time"
description: |
The period of time before the cookie expires and the session is destroyed. This is overridden by
remember_me_duration when the remember me box is checked.
schema:
type: string
default: "1h"
required: true
- variable: inactivity
label: "Inactivity Time"
description: |
The period of time the user can be inactive for until the session is destroyed when the remember me box is
not checked or is otherwise disabled. Useful if you want long session timers but don't want an unattended device to keep a usable session.
schema:
type: string
default: "5m"
required: true
- variable: remember_me_duration
label: "Remember-Me duration"
description: |
The period of time before the cookie expires and the session is destroyed when the remember me box is checked, a user
selecting this option negates the inactivity timeout. Setting this to -1 disables this feature entirely. Note that the unit is case-sensitive: the default 5M is five months, not five minutes.
schema:
type: string
default: "5M"
required: true
- variable: regulation
group: "App Configuration"
label: "Regulation Configuration"
description: "Temporarily bans an account after repeated failed first-factor (password) attempts in order to slow down brute-force attacks."
schema:
additional_attrs: true
type: dict
attrs:
- variable: max_retries
label: "Maximum Retries"
description: "The number of failed login attempts within find_time before the user is banned. Setting it to 0 disables regulation entirely, which is not recommended."
schema:
type: int
default: 3
- variable: find_time
label: "Find Time"
description: |
The period of time analyzed for failed attempts. For example if you set max_retries to 3 and find_time to
2m this means the user must have 3 failed logins in 2 minutes.
schema:
type: string
default: "2m"
required: true
- variable: ban_time
label: "Ban Duration"
description: |
The period of time the user is banned for after meeting the max_retries and find_time configuration.
After this duration the account will be able to login again.
schema:
type: string
default: "5m"
required: true
- variable: authentication_backend
group: "App Configuration"
label: "Authentication Backend Provider"
description: |
Used for verifying user passwords and retrieve information such as email
address and groups users belong to.
schema:
additional_attrs: true
type: dict
attrs:
- variable: disable_reset_password
label: "Disable Reset Password"
description: "Disable both the HTML element and the API for reset password functionality"
schema:
type: boolean
default: false
- variable: refresh_interval
label: "Refresh Interval"
description: "The amount of time to wait before we refresh data from the authentication backend"
schema:
type: string
default: "5m"
required: true
- variable: ldap
label: "LDAP backend configuration"
description: "Used for verifying user passwords and retrieve information such as email address and groups users belong to"
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: implementation
label: "Implementation"
description: "The LDAP implementation, this affects elements like the attribute utilized for resetting a password"
schema:
type: string
default: "custom"
enum:
- value: "activedirectory"
description: "Active Directory"
- value: "custom"
description: "Custom"
- variable: url
label: "URL"
description: "The URL of the LDAP server. Format: <scheme>://<address>[:<port>], e.g. ldap:// (optionally combined with Start TLS below) or ldaps://"
schema:
type: string
default: "ldap://openldap.default.svc.cluster.local"
required: true
- variable: timeout
label: "Connection Timeout"
schema:
type: string
default: "5s"
required: true
- variable: start_tls
label: "Start TLS"
description: "Use StartTLS with the LDAP connection"
schema:
type: boolean
default: false
- variable: tls
label: "TLS Settings"
schema:
additional_attrs: true
type: dict
attrs:
- variable: server_name
label: "Server Name"
description: "Server Name for certificate validation (in case it's not set correctly in the URL)."
schema:
type: string
default: ""
- variable: skip_verify
label: "Skip Certificate Verification"
description: "Skip verifying the server certificate (to allow a self-signed certificate). This disables protection against man-in-the-middle attacks on the LDAP connection, which carries user credentials; prefer adding the CA to the trust store instead."
schema:
type: boolean
default: false
- variable: minimum_version
label: "Minimum TLS version"
description: "Minimum TLS version for either Secure LDAP (ldaps://) or LDAP StartTLS. TLS1.0 and TLS1.1 are deprecated and should only be selected for legacy servers that cannot be upgraded."
schema:
type: string
default: "TLS1.2"
enum:
- value: "TLS1.0"
description: "TLS1.0"
- value: "TLS1.1"
description: "TLS1.1"
- value: "TLS1.2"
description: "TLS1.2"
- value: "TLS1.3"
description: "TLS1.3"
- variable: base_dn
label: "Base DN"
description: "The base dn for every LDAP query."
schema:
type: string
default: "DC=example,DC=com"
required: true
- variable: username_attribute
label: "Username Attribute"
description: "The attribute holding the username of the user"
schema:
type: string
default: "uid"
required: true
- variable: additional_users_dn
label: "Additional Users DN"
description: "An additional dn to define the scope to all users."
schema:
type: string
default: "OU=people"
required: true
- variable: users_filter
label: "Users Filter"
description: "The users filter used in search queries to find the entry of the user who is logging in."
schema:
type: string
default: ""
required: true
- variable: additional_groups_dn
label: "Additional Groups DN"
description: "An additional dn to define the scope of groups."
schema:
type: string
default: "OU=Groups"
required: true
- variable: groups_filter
label: "Groups Filter"
description: "The groups filter used in search queries to find the groups of the user."
schema:
type: string
default: ""
required: true
- variable: group_name_attribute
label: "Group name Attribute"
description: "The attribute holding the name of the group"
schema:
type: string
default: "cn"
required: true
- variable: mail_attribute
label: "Mail Attribute"
description: "The attribute holding the primary mail address of the user"
schema:
type: string
default: "mail"
required: true
- variable: display_name_attribute
label: "Display Name Attribute"
description: "The attribute holding the display name of the user. This will be used to greet an authenticated user."
schema:
type: string
default: "displayName"
- variable: user
label: "Admin User"
description: "The DN of the account used to bind to LDAP for user lookups. Prefer a dedicated, least-privilege read-only account rather than a directory administrator."
schema:
type: string
default: "CN=admin,ou=people,DC=example,DC=com"
required: true
- variable: plain_password
label: "Password"
schema:
type: string
default: ""
required: true
- variable: file
label: "File backend configuration"
description: "With this backend, the users database is stored in a file which is updated when users reset their passwords."
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: path
label: "Path"
schema:
type: string
default: "/config/users_database.yml"
required: true
- variable: password
label: "Password Settings"
schema:
additional_attrs: true
type: dict
attrs:
- variable: algorithm
label: "Algorithm"
schema:
type: string
default: "argon2id"
enum:
- value: "argon2id"
description: "argon2id"
- value: "sha512"
description: "sha512"
- variable: iterations
label: "Iterations"
schema:
type: int
default: 1
required: true
- variable: key_length
label: "Key Length"
schema:
type: int
default: 32
required: true
- variable: salt_length
label: "Salt Length"
schema:
type: int
default: 16
required: true
- variable: memory
label: "Memory"
schema:
type: int
default: 1024
required: true
- variable: parallelism
label: "Parallelism"
schema:
type: int
default: 8
required: true
- variable: notifier
group: "App Configuration"
label: "Notifier Configuration"
description: "Notifications are sent to users when they require a password reset, a u2f registration or a TOTP registration."
schema:
additional_attrs: true
type: dict
attrs:
- variable: disable_startup_check
label: "Disable Startup Check"
schema:
type: boolean
default: false
- variable: filesystem
label: "Filesystem Provider"
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: filename
label: "File Path"
schema:
type: string
default: "/config/notification.txt"
required: true
- variable: smtp
label: "SMTP Provider"
description: "Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate."
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enable"
schema:
type: boolean
default: true
show_subquestions_if: true
subquestions:
- variable: host
label: "Host"
schema:
type: string
default: "smtp.mail.svc.cluster.local"
required: true
- variable: port
label: "Port"
schema:
type: int
default: 25
required: true
- variable: timeout
label: "Timeout"
schema:
type: string
default: "5s"
required: true
- variable: username
label: "Username"
schema:
type: string
default: ""
- variable: plain_password
label: "Password"
schema:
type: string
default: ""
- variable: sender
label: "Sender"
schema:
type: string
default: ""
required: true
- variable: identifier
label: "Identifier"
description: "HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost."
schema:
type: string
default: "localhost"
required: true
- variable: subject
label: "Subject"
description: "Subject configuration of the emails sent, {title} is replaced by the text from the notifier"
schema:
type: string
default: "[Authelia] {title}"
required: true
- variable: startup_check_address
label: "Startup Check Address"
description: "This address is used during the startup check to verify the email configuration is correct."
schema:
type: string
default: "test@authelia.com"
required: true
- variable: disable_require_tls
label: "Disable Require TLS"
schema:
type: boolean
default: false
- variable: disable_html_emails
label: "Disable HTML emails"
schema:
type: boolean
default: false
- variable: tls
label: "TLS Settings"
schema:
additional_attrs: true
type: dict
attrs:
- variable: server_name
label: "Server Name"
description: "Server Name for certificate validation (in case it does not match the host above)."
schema:
type: string
default: ""
- variable: skip_verify
label: "Skip Certificate Verification"
description: "Skip verifying the server certificate (to allow a self-signed certificate). This disables protection against man-in-the-middle attacks on the SMTP connection, which carries password-reset and device-registration notifications; prefer adding the CA to the trust store instead."
schema:
type: boolean
default: false
- variable: minimum_version
label: "Minimum TLS version"
description: "Minimum TLS version for the SMTP connection (implicit TLS or STARTTLS). TLS1.0 and TLS1.1 are deprecated and should only be selected for legacy servers that cannot be upgraded."
schema:
type: string
default: "TLS1.2"
enum:
- value: "TLS1.0"
description: "TLS1.0"
- value: "TLS1.1"
description: "TLS1.1"
- value: "TLS1.2"
description: "TLS1.2"
- value: "TLS1.3"
description: "TLS1.3"
- variable: access_control
group: "App Configuration"
label: "Access Control Configuration"
description: "Access control is a list of rules defining the authorizations applied for one resource to users or group of users."
schema:
additional_attrs: true
type: dict
attrs:
- variable: default_policy
label: "Default Policy"
description: |
The default policy defines the policy applied if no rules section apply to the information known about the request.
It is recommended that this is configured to deny for security reasons. Sites which you do not wish to secure at all
with Authelia should not be configured in your reverse proxy to perform authentication with Authelia at all for performance reasons.
schema:
type: string
default: "deny"
enum:
- value: "bypass"
description: "bypass"
- value: "one_factor"
description: "one_factor"
- value: "two_factor"
description: "two_factor"
- value: "deny"
description: "deny"
- variable: networks_access_control
label: "Networks"
schema:
type: list
default: []
items:
- variable: networkItem
label: "Network Item"
schema:
additional_attrs: true
type: dict
attrs:
- variable: name
label: "Name"
schema:
type: string
default: ""
required: true
- variable: networks
label: "Networks"
schema:
type: list
default: []
items:
- variable: network
label: "network"
schema:
type: string
default: ""
required: true
- variable: rules
label: "Rules"
schema:
type: list
default: []
items:
- variable: rulesItem
label: "Rule"
schema:
additional_attrs: true
type: dict
attrs:
- variable: domain
label: "Domains"
description: "Defines which domain or set of domains the rule applies to."
schema:
type: list
default: []
items:
- variable: domainEntry
label: "Domain"
schema:
type: string
default: ""
required: true
- variable: domain_regex
label: "Domains RegEx"
description: "Defines which domain or set of domains the rule applies to using regular expressions."
schema:
type: list
default: []
items:
- variable: domainRegexEntry
label: "Domain RegEx"
schema:
type: string
default: ""
required: true
- variable: policy
label: "Policy"
description: |
The specific policy to apply to the selected rule. This is not criteria for a match, this is the
action to take when a match is made.
schema:
type: string
default: "two_factor"
enum:
- value: "bypass"
description: "bypass"
- value: "one_factor"
description: "one_factor"
- value: "two_factor"
description: "two_factor"
- value: "deny"
description: "deny"
- variable: subject
label: "Subject"
description: |
This criteria matches identifying characteristics about the subject. Currently this is either
user or groups the user belongs to. This allows you to effectively control exactly what each user is
authorized to access or to specifically require two-factor authentication to specific users. Subjects
are prefixed with either user: or group: to identify which part of the identity to check.
schema:
type: list
default: []
items:
- variable: subjectitem
label: "Subject"
schema:
type: string
default: ""
required: true
- variable: networks
label: "Networks"
schema:
type: list
default: []
items:
- variable: network
label: "Network"
schema:
type: string
default: ""
required: true
- variable: resources
label: "Resources"
description: "A list of regular expressions that match the set of resources (request paths) the policy applies to."
schema:
type: list
default: []
items:
- variable: resource
label: "Resource"
schema:
type: string
default: ""
required: true
# Include{serviceRoot}
- variable: main
label: "Main Service"
description: "The Primary service on which the healthcheck runs, often the webUI"
schema:
additional_attrs: true
type: dict
attrs:
# Include{serviceSelectorLoadBalancer}
# Include{serviceSelectorExtras}
- variable: main
label: "Main Service Port Configuration"
schema:
additional_attrs: true
type: dict
attrs:
- variable: port
label: "Port"
description: "This port exposes the container port on the service"
schema:
type: int
default: 9091
required: true
# Include{serviceExpertRoot}
# Include{serviceExpert}
# Include{serviceList}
# Include{persistenceRoot}
- variable: config
label: "App Config Storage"
description: "Stores the Application Configuration."
schema:
additional_attrs: true
type: dict
attrs:
# Include{persistenceBasic}
# Include{persistenceList}
# Include{ingressRoot}
- variable: main
label: "Main Ingress"
schema:
additional_attrs: true
type: dict
attrs:
# Include{ingressDefault}
# Include{ingressAdvanced}
# Include{ingressList}
# Include{securityContextRoot}
- variable: runAsUser
label: "runAsUser"
description: "The UserID of the user running the application"
schema:
type: int
default: 568
- variable: runAsGroup
label: "runAsGroup"
description: "The groupID of the user running the application"
schema:
type: int
default: 568
# Include{securityContextContainer}
# Include{securityContextAdvanced}
# Include{securityContextPod}
- variable: fsGroup
label: "fsGroup"
description: "The group that should own ALL storage."
schema:
type: int
default: 568
# Include{resources}
# Include{postgresql}
# Include{advanced}
- variable: identity_providers
group: "Advanced"
label: "Authelia Identity Providers (BETA)"
schema:
additional_attrs: true
type: dict
attrs:
- variable: oidc
label: "OpenID Connect(BETA)"
schema:
additional_attrs: true
type: dict
attrs:
- variable: enabled
label: "Enabled"
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: access_token_lifespan
label: "Access Token Lifespan"
schema:
type: string
default: "1h"
required: true
- variable: authorize_code_lifespan
label: "Authorize Code Lifespan"
schema:
type: string
default: "1m"
required: true
- variable: id_token_lifespan
label: "ID Token Lifespan"
schema:
type: string
default: "1h"
required: true
- variable: refresh_token_lifespan
label: "Refresh Token Lifespan"
schema:
type: string
default: "90m"
required: true
- variable: enable_client_debug_messages
label: "Enable Client Debug Messages"
schema:
type: boolean
default: false
- variable: clients
label: "Clients"
schema:
type: list
default: []
items:
- variable: clientEntry
label: "Client"
schema:
additional_attrs: true
type: dict
attrs:
- variable: id
label: "ID/Name"
description: "The ID is the OpenID Connect ClientID which is used to link an application to a configuration."
schema:
type: string
default: "myapp"
required: true
- variable: description
label: "Description"
description: "The description to show to users when they end up on the consent screen. Defaults to the ID above."
schema:
type: string
default: "My Application"
required: true
- variable: secret
label: "Secret"
description: "The client secret is a shared secret between Authelia and the consumer of this client. It is entered here as a plain string, so generate a long random value and do not commit it to version control."
schema:
type: string
default: ""
required: true
- variable: public
label: "public"
description: "Sets the client to public. This should typically not be set, please see the documentation for usage."
schema:
type: boolean
default: false
- variable: authorization_policy
label: "Authorization Policy"
description: "The policy to require for this client; one_factor or two_factor."
schema:
type: string
default: "two_factor"
enum:
- value: "one_factor"
description: "one_factor"
- value: "two_factor"
description: "two_factor"
- variable: consent_mode
label: "Consent Mode"
description: |
Configures the consent mode. This can be set to auto (default), explicit (consent required every time) or
implicit (automatically assumes consent for every authorization, never asking the user if they wish to give consent.)
schema:
type: string
default: "auto"
enum:
- value: "auto"
description: "auto"
- value: "explicit"
description: "explicit"
- value: "implicit"
description: "implicit"
- variable: userinfo_signing_algorithm
label: "Userinfo Signing Algorithm"
description: "The algorithm used to sign userinfo endpoint responses for this client, either none or RS256."
schema:
type: string
default: "none"
enum:
- value: "none"
description: "none"
- value: "RS256"
description: "RS256"
- variable: audience
label: "Audience"
description: "Audience this client is allowed to request."
schema:
type: list
default: []
items:
- variable: audienceEntry
label: "Audience"
schema:
type: string
default: ""
required: true
- variable: scopes
label: "Scopes"
description: "Scopes this client is allowed to request."
schema:
type: list
default: []
items:
- variable: ScopeEntry
label: "Scope"
schema:
type: string
default: "openid"
required: true
- variable: redirect_uris
label: "redirect_uris"
description: "Redirect URIs specify the exact, case-sensitive callback URLs allowed for this client; use https URLs."
schema:
type: list
default: []
items:
- variable: uriEntry
label: "Url"
schema:
type: string
default: "https://oidc.example.com/oauth2/callback"
required: true
- variable: grant_types
description: "Grant Types configures which grants this client can obtain."
label: "grant_types"
schema:
type: list
default: []
items:
- variable: grantEntry
label: "Grant"
schema:
type: string
default: "refresh_token"
required: true
- variable: response_types
description: "Response Types configures which responses this client can be sent."
label: "response_types"
schema:
type: list
default: []
items:
- variable: responseEntry
label: "type"
schema:
type: string
default: "code"
required: true
- variable: response_modes
description: "Response Modes configures which response modes this client supports."
label: "response_modes"
schema:
type: list
default: []
items:
- variable: modeEntry
label: "Mode"
schema:
type: string
default: "form_post"
required: true
- variable: require_pkce
label: "Require PKCE"
description: "This configuration option enforces the use of PKCE for this registered client. Enabling it is strongly recommended for public clients (see the public option above)."
schema:
type: boolean
default: false
show_subquestions_if: true
subquestions:
- variable: pkce_challange_method
label: "PKCE Challenge Method"
description: "This setting enforces the use of the specified PKCE challenge method for this individual client. S256 should be used; plain transmits the verifier unhashed in the authorization request and is only acceptable for clients that cannot compute SHA-256."
schema:
type: string
default: S256
enum:
- value: "plain"
description: "plain"
- value: "S256"
description: "S256"
# Include{addons}
# Include{codeserver}
# Include{vpn}
# Include{netshoot}
# Include{documentation}