[MISC] Document usage of env variables for setting secrets. (#606)

Closes #579.
Clément Michaud 2020-02-01 14:17:39 +01:00 committed by GitHub
parent ea9b408b70
commit 7f19078efb
3 changed files with 36 additions and 9 deletions


@ -11,6 +11,7 @@ logs_level: debug
# The secret used to generate JWT tokens when validating user identity by # The secret used to generate JWT tokens when validating user identity by
# email confirmation. # email confirmation.
# This secret can also be set using the env variables AUTHELIA_JWT_SECRET
jwt_secret: a_very_important_secret jwt_secret: a_very_important_secret
# Default redirection URL # Default redirection URL
@ -44,6 +45,7 @@ totp:
duo_api: duo_api:
hostname: api-123456789.example.com hostname: api-123456789.example.com
integration_key: ABCDEF integration_key: ABCDEF
# This secret can also be set using the env variables AUTHELIA_DUO_API_SECRET_KEY
secret_key: 1234567890abcdefghifjkl secret_key: 1234567890abcdefghifjkl
# The authentication backend to use for verifying user passwords # The authentication backend to use for verifying user passwords
@ -64,33 +66,27 @@ authentication_backend:
skip_verify: false skip_verify: false
# The base dn for every entries # The base dn for every entries
base_dn: dc=example,dc=com base_dn: dc=example,dc=com
# An additional dn to define the scope to all users # An additional dn to define the scope to all users
additional_users_dn: ou=users additional_users_dn: ou=users
# The users filter used to find the user DN # The users filter used to find the user DN
# {0} is a matcher replaced by username. # {0} is a matcher replaced by username.
# 'cn={0}' by default. # 'cn={0}' by default.
users_filter: (cn={0}) users_filter: (cn={0})
# An additional dn to define the scope of groups # An additional dn to define the scope of groups
additional_groups_dn: ou=groups additional_groups_dn: ou=groups
# The groups filter used for retrieving groups of a given user. # The groups filter used for retrieving groups of a given user.
# {0} is a matcher replaced by username. # {0} is a matcher replaced by username.
# {dn} is a matcher replaced by user DN. # {dn} is a matcher replaced by user DN.
# {uid} is a matcher replaced by user uid. # {uid} is a matcher replaced by user uid.
# 'member={dn}' by default. # 'member={dn}' by default.
groups_filter: (&(member={dn})(objectclass=groupOfNames)) groups_filter: (&(member={dn})(objectclass=groupOfNames))
# The attribute holding the name of the group # The attribute holding the name of the group
group_name_attribute: cn group_name_attribute: cn
# The attribute holding the mail address of the user # The attribute holding the mail address of the user
mail_attribute: mail mail_attribute: mail
# The username and password of the admin user. # The username and password of the admin user.
user: cn=admin,dc=example,dc=com user: cn=admin,dc=example,dc=com
# This secret can also be set using the env variables AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD
password: password password: password
# File backend configuration. # File backend configuration.
@ -207,6 +203,7 @@ session:
name: authelia_session name: authelia_session
# The secret to encrypt the session cookie. # The secret to encrypt the session cookie.
# This secret can also be set using the env variables AUTHELIA_SESSION_SECRET
secret: unsecure_session_secret secret: unsecure_session_secret
# The time in seconds before the cookie expires and session is reset. # The time in seconds before the cookie expires and session is reset.
@ -224,6 +221,7 @@ session:
redis: redis:
host: 127.0.0.1 host: 127.0.0.1
port: 6379 port: 6379
# This secret can also be set using the env variables AUTHELIA_SESSION_REDIS_PASSWORD
password: authelia password: authelia
# Configuration of the authentication regulation mechanism. # Configuration of the authentication regulation mechanism.
@ -257,6 +255,7 @@ storage:
port: 3306 port: 3306
database: authelia database: authelia
username: authelia username: authelia
# This secret can also be set using the env variables AUTHELIA_STORAGE_MYSQL_PASSWORD
password: mypassword password: mypassword
# Settings to connect to MySQL server # Settings to connect to MySQL server
@ -265,6 +264,7 @@ storage:
# port: 3306 # port: 3306
# database: authelia # database: authelia
# username: authelia # username: authelia
# # This secret can also be set using the env variables AUTHELIA_STORAGE_POSTGRES_PASSWORD
# password: mypassword # password: mypassword
# Configuration of the notification system. # Configuration of the notification system.
@ -290,6 +290,7 @@ notifier:
# - use the disable_verify_cert boolean value to disable the validation (prefer the trusted_cert option as it's more secure) # - use the disable_verify_cert boolean value to disable the validation (prefer the trusted_cert option as it's more secure)
smtp: smtp:
username: test username: test
# This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD
password: password password: password
host: 127.0.0.1 host: 127.0.0.1
port: 1025 port: 1025
@ -297,10 +298,12 @@ notifier:
## disable_require_tls: false ## disable_require_tls: false
## disable_verify_cert: false ## disable_verify_cert: false
## trusted_cert: "" ## trusted_cert: ""
# Sending an email using a Gmail account is as simple as the next section. # Sending an email using a Gmail account is as simple as the next section.
# You need to create an app password by following: https://support.google.com/accounts/answer/185833?hl=en # You need to create an app password by following: https://support.google.com/accounts/answer/185833?hl=en
## smtp: ## smtp:
## username: myaccount@gmail.com ## username: myaccount@gmail.com
## # This secret can also be set using the env variables AUTHELIA_NOTIFIER_SMTP_PASSWORD
## password: yourapppassword ## password: yourapppassword
## sender: admin@example.com ## sender: admin@example.com
## host: smtp.gmail.com ## host: smtp.gmail.com
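Review bot: The new comments (first at the `jwt_secret` line, then repeated for `duo_api.secret_key`, the LDAP `password`, the session `secret`, and the redis, mysql, postgres and smtp passwords) say the secret "can also be set" from the environment but never say which source wins when both the file value and the variable are present, and every one of those keys still carries a literal placeholder in the template, so a reader cannot tell whether an exported `AUTHELIA_JWT_SECRET` silently loses to `a_very_important_secret`. I would state the precedence in each comment, e.g. `# This secret can also be set using the env variable AUTHELIA_JWT_SECRET, which overrides the value below` — assuming the variable does override, which nothing in this commit shows; the new "Secrets" section in configuration.md has the same gap. Separately, "env variables" should be the singular "env variable", since each comment names exactly one.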


@ -10,3 +10,24 @@ the file path as the first argument of **Authelia**.
$ authelia --config config.custom.yml $ authelia --config config.custom.yml
## Secrets
Configuration of Authelia requires some secrets or passwords. Please
note that the recommended way to set secrets in Authelia is to use
environment variables.
A secret in Authelia configuration could be set by providing the
environment variable prefixed by AUTHELIA_ and with name equals to
the capitalized path of the configuration key and with dots replaced
by underscores.
For instance the LDAP password is identified by the path
**authentication_backend.ldap.password**, so this password could
alternatively be set using the environment variable called
**AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD**.
If for some reason you prefer keeping the secrets in the configuration
file, be sure to apply the right permissions to the file in order to
prevent secret leaks if an another application gets compromised on your
server. The UNIX permissions should probably be something like 600.


@ -20,7 +20,7 @@ persist user configurations and one or more nginx reverse proxies configured to
be used with Authelia. With such a setup **Authelia** can easily be scaled to be used with Authelia. With such a setup **Authelia** can easily be scaled to
multiple instances to evenly handle the traffic. multiple instances to evenly handle the traffic.
**NOTE:** If you don't have all those components, don't worry, there is a way to **NOTE**: If you don't have all those components, don't worry, there is a way to
deploy **Authelia** with only nginx. This is described in [Deployment for Devs]. deploy **Authelia** with only nginx. This is described in [Deployment for Devs].
Here are the available steps to deploy **Authelia** given Here are the available steps to deploy **Authelia** given
@ -28,6 +28,10 @@ the configuration file is **/path/to/your/configuration.yml**. Note that you can
create your own configuration file from [config.template.yml] located at create your own configuration file from [config.template.yml] located at
the root of the repo. the root of the repo.
**NOTE**: Prefer using environment variables to set secrets in production otherwise
pay attention to the permissions of the configuration file. See
[configuration.md](./configuration.md#secrets) for more information.
### Deploy with the distributable version ### Deploy with the distributable version
# Build it if not done already # Build it if not done already
@ -38,7 +42,6 @@ the root of the repo.
$ docker run -v /path/to/your/configuration.yml:/etc/authelia/configuration.yml -e TZ=Europe/Paris authelia/authelia $ docker run -v /path/to/your/configuration.yml:/etc/authelia/configuration.yml -e TZ=Europe/Paris authelia/authelia
## On top of Kubernetes ## On top of Kubernetes
<img src="../docs/images/logos/kubernetes.logo.png" width="50" style="padding-right: 10px" align="left"> <img src="../docs/images/logos/kubernetes.logo.png" width="50" style="padding-right: 10px" align="left">