[MISC] Document usage of env variables for setting secrets. (#606)

Closes #579.
This commit is contained in:
Clément Michaud 2020-02-01 14:17:39 +01:00 committed by GitHub
parent ea9b408b70
commit 7f19078efb
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 36 additions and 9 deletions

View File

@ -11,6 +11,7 @@ logs_level: debug
# The secret used to generate JWT tokens when validating user identity by
# email confirmation.
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET
jwt_secret: a_very_important_secret
# Default redirection URL
@ -44,6 +45,7 @@ totp:
duo_api:
hostname: api-123456789.example.com
integration_key: ABCDEF
# This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY
secret_key: 1234567890abcdefghifjkl
# The authentication backend to use for verifying user passwords
@ -64,33 +66,27 @@ authentication_backend:
skip_verify: false
# The base dn for every entries
base_dn: dc=example,dc=com
# An additional dn to define the scope to all users
additional_users_dn: ou=users
# The users filter used to find the user DN
# {0} is a matcher replaced by username.
# 'cn={0}' by default.
users_filter: (cn={0})
# An additional dn to define the scope of groups
additional_groups_dn: ou=groups
# The groups filter used for retrieving groups of a given user.
# {0} is a matcher replaced by username.
# {dn} is a matcher replaced by user DN.
# {uid} is a matcher replaced by user uid.
# 'member={dn}' by default.
groups_filter: (&(member={dn})(objectclass=groupOfNames))
# The attribute holding the name of the group
group_name_attribute: cn
# The attribute holding the mail address of the user
mail_attribute: mail
# The username and password of the admin user.
user: cn=admin,dc=example,dc=com
# This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
password: password
# File backend configuration.
@ -207,6 +203,7 @@ session:
name: authelia_session
# The secret to encrypt the session cookie.
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET
secret: unsecure_session_secret
# The time in seconds before the cookie expires and session is reset.
@ -224,6 +221,7 @@ session:
redis:
host: 127.0.0.1
port: 6379
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD
password: authelia
# Configuration of the authentication regulation mechanism.
@ -257,6 +255,7 @@ storage:
port: 3306
database: authelia
username: authelia
# This secret can also be set using the env variables AUTHELIA_STORAGE_MYSQL_PASSWORD
password: mypassword
# Settings to connect to MySQL server
@ -265,6 +264,7 @@ storage:
# port: 3306
# database: authelia
# username: authelia
# # This secret can also be set using the env variables AUTHELIA_STORAGE_POSTGRES_PASSWORD
# password: mypassword
# Configuration of the notification system.
@ -290,6 +290,7 @@ notifier:
# - use the disable_verify_cert boolean value to disable the validation (prefer the trusted_cert option as it's more secure)
smtp:
username: test
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD
password: password
host: 127.0.0.1
port: 1025
@ -297,10 +298,12 @@ notifier:
## disable_require_tls: false
## disable_verify_cert: false
## trusted_cert: ""
# Sending an email using a Gmail account is as simple as the next section.
# You need to create an app password by following: https://support.google.com/accounts/answer/185833?hl=en
## smtp:
## username: myaccount@gmail.com
## # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD
## password: yourapppassword
## sender: admin@example.com
## host: smtp.gmail.com

View File

@ -10,3 +10,24 @@ the file path as the first argument of **Authelia**.
$ authelia --config config.custom.yml
## Secrets
Configuration of Authelia requires some secrets or passwords. Please
note that the recommended way to set secrets in Authelia is to use
environment variables.
A secret in Authelia configuration could be set by providing the
environment variable prefixed by AUTHELIA_ and with name equals to
the capitalized path of the configuration key and with dots replaced
by underscores.
For instance the LDAP password is identified by the path
**authentication_backend.ldap.password**, so this password could
alternatively be set using the environment variable called
**AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD**.
If for some reason you prefer keeping the secrets in the configuration
file, be sure to apply the right permissions to the file in order to
prevent secret leaks if an another application gets compromised on your
server. The UNIX permissions should probably be something like 600.

View File

@ -20,7 +20,7 @@ persist user configurations and one or more nginx reverse proxies configured to
be used with Authelia. With such a setup **Authelia** can easily be scaled to
multiple instances to evenly handle the traffic.
**NOTE:** If you don't have all those components, don't worry, there is a way to
**NOTE**: If you don't have all those components, don't worry, there is a way to
deploy **Authelia** with only nginx. This is described in [Deployment for Devs].
Here are the available steps to deploy **Authelia** given
@ -28,6 +28,10 @@ the configuration file is **/path/to/your/configuration.yml**. Note that you can
create your own configuration file from [config.template.yml] located at
the root of the repo.
**NOTE**: Prefer using environment variables to set secrets in production otherwise
pay attention to the permissions of the configuration file. See
[configuration.md](./configuration.md#secrets) for more information.
### Deploy with the distributable version
# Build it if not done already
@ -38,7 +42,6 @@ the root of the repo.
$ docker run -v /path/to/your/configuration.yml:/etc/authelia/configuration.yml -e TZ=Europe/Paris authelia/authelia
## On top of Kubernetes
<img src="../docs/images/logos/kubernetes.logo.png" width="50" style="padding-right: 10px" align="left">