mirror of
https://github.com/0rangebananaspy/authelia.git
synced 2024-09-14 22:47:21 +07:00
[MISC] Document usage of env variables for setting secrets. (#606)
Closes #579.
This commit is contained in:
parent
ea9b408b70
commit
7f19078efb
|
@ -11,6 +11,7 @@ logs_level: debug
|
||||||
|
|
||||||
# The secret used to generate JWT tokens when validating user identity by
|
# The secret used to generate JWT tokens when validating user identity by
|
||||||
# email confirmation.
|
# email confirmation.
|
||||||
|
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET
|
||||||
jwt_secret: a_very_important_secret
|
jwt_secret: a_very_important_secret
|
||||||
|
|
||||||
# Default redirection URL
|
# Default redirection URL
|
||||||
|
@ -44,6 +45,7 @@ totp:
|
||||||
duo_api:
|
duo_api:
|
||||||
hostname: api-123456789.example.com
|
hostname: api-123456789.example.com
|
||||||
integration_key: ABCDEF
|
integration_key: ABCDEF
|
||||||
|
# This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY
|
||||||
secret_key: 1234567890abcdefghifjkl
|
secret_key: 1234567890abcdefghifjkl
|
||||||
|
|
||||||
# The authentication backend to use for verifying user passwords
|
# The authentication backend to use for verifying user passwords
|
||||||
|
@ -64,33 +66,27 @@ authentication_backend:
|
||||||
skip_verify: false
|
skip_verify: false
|
||||||
# The base dn for every entries
|
# The base dn for every entries
|
||||||
base_dn: dc=example,dc=com
|
base_dn: dc=example,dc=com
|
||||||
|
|
||||||
# An additional dn to define the scope to all users
|
# An additional dn to define the scope to all users
|
||||||
additional_users_dn: ou=users
|
additional_users_dn: ou=users
|
||||||
|
|
||||||
# The users filter used to find the user DN
|
# The users filter used to find the user DN
|
||||||
# {0} is a matcher replaced by username.
|
# {0} is a matcher replaced by username.
|
||||||
# 'cn={0}' by default.
|
# 'cn={0}' by default.
|
||||||
users_filter: (cn={0})
|
users_filter: (cn={0})
|
||||||
|
|
||||||
# An additional dn to define the scope of groups
|
# An additional dn to define the scope of groups
|
||||||
additional_groups_dn: ou=groups
|
additional_groups_dn: ou=groups
|
||||||
|
|
||||||
# The groups filter used for retrieving groups of a given user.
|
# The groups filter used for retrieving groups of a given user.
|
||||||
# {0} is a matcher replaced by username.
|
# {0} is a matcher replaced by username.
|
||||||
# {dn} is a matcher replaced by user DN.
|
# {dn} is a matcher replaced by user DN.
|
||||||
# {uid} is a matcher replaced by user uid.
|
# {uid} is a matcher replaced by user uid.
|
||||||
# 'member={dn}' by default.
|
# 'member={dn}' by default.
|
||||||
groups_filter: (&(member={dn})(objectclass=groupOfNames))
|
groups_filter: (&(member={dn})(objectclass=groupOfNames))
|
||||||
|
|
||||||
# The attribute holding the name of the group
|
# The attribute holding the name of the group
|
||||||
group_name_attribute: cn
|
group_name_attribute: cn
|
||||||
|
|
||||||
# The attribute holding the mail address of the user
|
# The attribute holding the mail address of the user
|
||||||
mail_attribute: mail
|
mail_attribute: mail
|
||||||
|
|
||||||
# The username and password of the admin user.
|
# The username and password of the admin user.
|
||||||
user: cn=admin,dc=example,dc=com
|
user: cn=admin,dc=example,dc=com
|
||||||
|
# This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
|
||||||
password: password
|
password: password
|
||||||
|
|
||||||
# File backend configuration.
|
# File backend configuration.
|
||||||
|
@ -207,6 +203,7 @@ session:
|
||||||
name: authelia_session
|
name: authelia_session
|
||||||
|
|
||||||
# The secret to encrypt the session cookie.
|
# The secret to encrypt the session cookie.
|
||||||
|
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET
|
||||||
secret: unsecure_session_secret
|
secret: unsecure_session_secret
|
||||||
|
|
||||||
# The time in seconds before the cookie expires and session is reset.
|
# The time in seconds before the cookie expires and session is reset.
|
||||||
|
@ -224,6 +221,7 @@ session:
|
||||||
redis:
|
redis:
|
||||||
host: 127.0.0.1
|
host: 127.0.0.1
|
||||||
port: 6379
|
port: 6379
|
||||||
|
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD
|
||||||
password: authelia
|
password: authelia
|
||||||
|
|
||||||
# Configuration of the authentication regulation mechanism.
|
# Configuration of the authentication regulation mechanism.
|
||||||
|
@ -257,6 +255,7 @@ storage:
|
||||||
port: 3306
|
port: 3306
|
||||||
database: authelia
|
database: authelia
|
||||||
username: authelia
|
username: authelia
|
||||||
|
# This secret can also be set using the env variables AUTHELIA_STORAGE_MYSQL_PASSWORD
|
||||||
password: mypassword
|
password: mypassword
|
||||||
|
|
||||||
# Settings to connect to MySQL server
|
# Settings to connect to MySQL server
|
||||||
|
@ -265,6 +264,7 @@ storage:
|
||||||
# port: 3306
|
# port: 3306
|
||||||
# database: authelia
|
# database: authelia
|
||||||
# username: authelia
|
# username: authelia
|
||||||
|
# # This secret can also be set using the env variables AUTHELIA_STORAGE_POSTGRES_PASSWORD
|
||||||
# password: mypassword
|
# password: mypassword
|
||||||
|
|
||||||
# Configuration of the notification system.
|
# Configuration of the notification system.
|
||||||
|
@ -290,6 +290,7 @@ notifier:
|
||||||
# - use the disable_verify_cert boolean value to disable the validation (prefer the trusted_cert option as it's more secure)
|
# - use the disable_verify_cert boolean value to disable the validation (prefer the trusted_cert option as it's more secure)
|
||||||
smtp:
|
smtp:
|
||||||
username: test
|
username: test
|
||||||
|
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD
|
||||||
password: password
|
password: password
|
||||||
host: 127.0.0.1
|
host: 127.0.0.1
|
||||||
port: 1025
|
port: 1025
|
||||||
|
@ -297,10 +298,12 @@ notifier:
|
||||||
## disable_require_tls: false
|
## disable_require_tls: false
|
||||||
## disable_verify_cert: false
|
## disable_verify_cert: false
|
||||||
## trusted_cert: ""
|
## trusted_cert: ""
|
||||||
|
|
||||||
# Sending an email using a Gmail account is as simple as the next section.
|
# Sending an email using a Gmail account is as simple as the next section.
|
||||||
# You need to create an app password by following: https://support.google.com/accounts/answer/185833?hl=en
|
# You need to create an app password by following: https://support.google.com/accounts/answer/185833?hl=en
|
||||||
## smtp:
|
## smtp:
|
||||||
## username: myaccount@gmail.com
|
## username: myaccount@gmail.com
|
||||||
|
## # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD
|
||||||
## password: yourapppassword
|
## password: yourapppassword
|
||||||
## sender: admin@example.com
|
## sender: admin@example.com
|
||||||
## host: smtp.gmail.com
|
## host: smtp.gmail.com
|
||||||
|
|
|
@ -10,3 +10,24 @@ the file path as the first argument of **Authelia**.
|
||||||
|
|
||||||
$ authelia --config config.custom.yml
|
$ authelia --config config.custom.yml
|
||||||
|
|
||||||
|
|
||||||
|
## Secrets
|
||||||
|
|
||||||
|
Configuration of Authelia requires some secrets or passwords. Please
|
||||||
|
note that the recommended way to set secrets in Authelia is to use
|
||||||
|
environment variables.
|
||||||
|
|
||||||
|
A secret in Authelia configuration could be set by providing the
|
||||||
|
environment variable prefixed by AUTHELIA_ and with name equals to
|
||||||
|
the capitalized path of the configuration key and with dots replaced
|
||||||
|
by underscores.
|
||||||
|
|
||||||
|
For instance the LDAP password is identified by the path
|
||||||
|
**authentication_backend.ldap.password**, so this password could
|
||||||
|
alternatively be set using the environment variable called
|
||||||
|
**AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD**.
|
||||||
|
|
||||||
|
If for some reason you prefer keeping the secrets in the configuration
|
||||||
|
file, be sure to apply the right permissions to the file in order to
|
||||||
|
prevent secret leaks if an another application gets compromised on your
|
||||||
|
server. The UNIX permissions should probably be something like 600.
|
|
@ -20,7 +20,7 @@ persist user configurations and one or more nginx reverse proxies configured to
|
||||||
be used with Authelia. With such a setup **Authelia** can easily be scaled to
|
be used with Authelia. With such a setup **Authelia** can easily be scaled to
|
||||||
multiple instances to evenly handle the traffic.
|
multiple instances to evenly handle the traffic.
|
||||||
|
|
||||||
**NOTE:** If you don't have all those components, don't worry, there is a way to
|
**NOTE**: If you don't have all those components, don't worry, there is a way to
|
||||||
deploy **Authelia** with only nginx. This is described in [Deployment for Devs].
|
deploy **Authelia** with only nginx. This is described in [Deployment for Devs].
|
||||||
|
|
||||||
Here are the available steps to deploy **Authelia** given
|
Here are the available steps to deploy **Authelia** given
|
||||||
|
@ -28,6 +28,10 @@ the configuration file is **/path/to/your/configuration.yml**. Note that you can
|
||||||
create your own configuration file from [config.template.yml] located at
|
create your own configuration file from [config.template.yml] located at
|
||||||
the root of the repo.
|
the root of the repo.
|
||||||
|
|
||||||
|
**NOTE**: Prefer using environment variables to set secrets in production otherwise
|
||||||
|
pay attention to the permissions of the configuration file. See
|
||||||
|
[configuration.md](./configuration.md#secrets) for more information.
|
||||||
|
|
||||||
### Deploy with the distributable version
|
### Deploy with the distributable version
|
||||||
|
|
||||||
# Build it if not done already
|
# Build it if not done already
|
||||||
|
@ -38,7 +42,6 @@ the root of the repo.
|
||||||
|
|
||||||
$ docker run -v /path/to/your/configuration.yml:/etc/authelia/configuration.yml -e TZ=Europe/Paris authelia/authelia
|
$ docker run -v /path/to/your/configuration.yml:/etc/authelia/configuration.yml -e TZ=Europe/Paris authelia/authelia
|
||||||
|
|
||||||
|
|
||||||
## On top of Kubernetes
|
## On top of Kubernetes
|
||||||
|
|
||||||
<img src="../docs/images/logos/kubernetes.logo.png" width="50" style="padding-right: 10px" align="left">
|
<img src="../docs/images/logos/kubernetes.logo.png" width="50" style="padding-right: 10px" align="left">
|
||||||
|
|
Loading…
Reference in New Issue
Block a user