Helm chart + Ansible role для Authelia 4.38: - Forward-auth для ingress-nginx через аннотации auth-url/auth-signin - OIDC provider: Gitea, Grafana, ArgoCD, MinIO, Vault, Nextcloud - SQLite default или PostgreSQL; опциональный Redis для сессий - RSA ключ OIDC генерируется автоматически если не задан в vault - ConfigMap authelia-forward-auth с готовыми аннотациями для любого сервиса - README: install, users, protect service, OIDC per-service, debug, test
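---
# Defaults for the Authelia 4.38 role. Everything below can be overridden per
# inventory/group. The secrets listed at the bottom are intentionally NOT
# defaulted here, so a missing vault.yml entry fails the play instead of
# deploying Authelia with an empty key.

# ── Namespace / release ───────────────────────────────────────────────────────
authelia_namespace: authelia
authelia_release_name: authelia

# ── Domain ────────────────────────────────────────────────────────────────────
# authelia_domain presumably becomes the session cookie domain, so every host
# protected by forward-auth or OIDC has to be a subdomain of it — confirm against
# the chart template. authelia_host is the portal itself (the auth-url/auth-signin
# target used by the ingress-nginx annotations).
authelia_domain: "home.local"
authelia_host: "auth.home.local"

# ── Theme ─────────────────────────────────────────────────────────────────────
authelia_theme: dark  # light | dark | grey | auto

# ── 2FA enforcement ───────────────────────────────────────────────────────────
# Which access-control policies this flips (one_factor → two_factor) is decided
# in the chart template — TODO confirm which of the domain lists below it affects.
authelia_two_factor_enabled: false

# ── Session ───────────────────────────────────────────────────────────────────
# Duration strings are kept quoted so no tooling ever retypes them.
# remember_me is the lifetime of the long-lived cookie; keep it short for
# deployments reached from shared or untrusted machines.
authelia_session_expiration: "1h"
authelia_session_inactivity: "5m"
authelia_session_remember_me: "1M"

# ── Storage ───────────────────────────────────────────────────────────────────
authelia_storage_type: sqlite  # sqlite | postgresql
authelia_storage_size: 1Gi
# Empty presumably selects the cluster's default StorageClass — confirm in the chart.
authelia_storage_class: ""

# PostgreSQL (only if authelia_storage_type=postgresql)
# The password is not a default: set authelia_db_password in vault.yml.
authelia_db_host: "postgresql.postgresql.svc.cluster.local"
authelia_db_port: 5432
authelia_db_name: authelia
authelia_db_user: authelia

# ── Redis session storage (optional) ─────────────────────────────────────────
# With Redis disabled the chart presumably falls back to Authelia's in-memory
# session provider: sessions are lost on pod restart and cannot be shared
# between replicas — confirm before scaling the deployment.
authelia_redis_enabled: false

# ── SMTP notifier (optional) ──────────────────────────────────────────────────
# With SMTP disabled, password-reset and 2FA-enrolment mails presumably land in
# Authelia's file notifier rather than a mailbox — confirm in the chart template.
# The password is not a default: set authelia_smtp_password in vault.yml.
authelia_smtp_enabled: false
authelia_smtp_host: ""
authelia_smtp_port: 587
authelia_smtp_username: ""
authelia_smtp_sender: "authelia@home.local"
# Keep false: true skips certificate verification of the SMTP server, exposing
# the mail credentials and the one-time links it carries to interception.
authelia_smtp_tls_skip_verify: false

# ── Ingress ───────────────────────────────────────────────────────────────────
authelia_ingress_enabled: true
authelia_ingress_class: nginx
# NOTE(review): Authelia sets the Secure attribute on its session cookie (confirm
# for the deployed chart), so the portal must be reachable over HTTPS for logins
# to work at all — and every OIDC redirect URI below is https://. Enable TLS here
# (via a secret or a cert-manager issuer) in any real inventory; the false
# default only suits a throw-away local smoke test.
authelia_ingress_tls_enabled: false
authelia_ingress_tls_secret: ""
authelia_ingress_cert_manager_enabled: false
authelia_ingress_cert_manager_issuer: ""

# ── OIDC provider ─────────────────────────────────────────────────────────────
authelia_oidc_enabled: true

# Per-client toggles — secrets come from vault.yml (authelia_oidc_secret_<client>).
# Authelia compares redirect URIs exactly, so each value must equal the callback
# the application registers; host names here assume authelia_domain above.
authelia_oidc_gitea_enabled: true
authelia_oidc_gitea_redirect: "https://gitea.home.local/user/oauth2/Authelia/callback"

authelia_oidc_grafana_enabled: true
authelia_oidc_grafana_redirect: "https://grafana.home.local/login/generic_oauth"

authelia_oidc_argocd_enabled: false
authelia_oidc_argocd_redirect: "https://argocd.home.local/auth/callback"

authelia_oidc_minio_enabled: false
authelia_oidc_minio_redirect: "https://minio.home.local/oauth_callback"

authelia_oidc_vault_enabled: false
# Vault needs two callbacks: the first is the UI login flow, the second
# presumably the non-UI flow — confirm against the Vault OIDC auth method config.
authelia_oidc_vault_redirect_1: "https://vault.home.local/ui/vault/auth/oidc/oidc/callback"
authelia_oidc_vault_redirect_2: "https://vault.home.local/oidc/callback"

authelia_oidc_nextcloud_enabled: false
authelia_oidc_nextcloud_redirect: "https://nextcloud.home.local/apps/user_oidc/code"

# ── Access control ────────────────────────────────────────────────────────────
# Hosts listed in bypass are reachable with no login at all — keep this empty
# unless the service enforces its own authentication.
authelia_bypass_domains: []
#  - plex.home.local

# NOTE(review): minio.home.local is listed here while authelia_oidc_minio_enabled
# is false above — confirm whether this list is meant to track the enabled OIDC
# clients or is an independent access-control policy.
authelia_oidc_domains:
  - gitea.home.local
  - grafana.home.local
  - minio.home.local

# Presumably restricted to members of the admins group — check the policy the
# template renders for these hosts.
authelia_admin_domains:
  - argocd.home.local
  - vault.home.local
  - harbor.home.local
  - kubernetes-dashboard.home.local

# Presumably any authenticated user (one_factor, or two_factor when enforced
# above) — check the template.
authelia_protected_domains:
  - sonarr.home.local
  - radarr.home.local
  - lidarr.home.local
  - bazarr.home.local
  - prowlarr.home.local
  - pgadmin.home.local
  - phpmyadmin.home.local

# ── Users ─────────────────────────────────────────────────────────────────────
# Passwords are Argon2id hashes — set in vault.yml: authelia_user_*_password_hash
# Generate: docker run authelia/authelia:latest authelia hash-password 'yourpassword'
# (prefer the image tag of the deployed release over :latest for reproducibility).
# Group membership is what the admin/protected domain policies above key on.
authelia_users:
  admin:
    displayname: "Administrator"
    email: "admin@home.local"
    groups:
      - admins
      - users

# ── Secrets — ALL must be set in vault.yml ────────────────────────────────────
# Deliberately not defaulted: an undefined variable fails the play, whereas an
# empty default would silently deploy Authelia with an empty key. Keep them as
# quoted strings in vault.yml so base64/hex output is never retyped by YAML.
# authelia_jwt_secret: ""                  # openssl rand -base64 64
# authelia_session_secret: ""              # openssl rand -base64 64
# authelia_storage_encryption_key: ""      # openssl rand -base64 32
# authelia_oidc_hmac_secret: ""            # openssl rand -base64 48
# authelia_oidc_private_key: ""            # auto-generated during deploy if empty
# authelia_oidc_secret_gitea: ""           # openssl rand -hex 32
# authelia_oidc_secret_grafana: ""         # openssl rand -hex 32
# authelia_oidc_secret_argocd: ""
# authelia_oidc_secret_minio: ""
# authelia_oidc_secret_vault: ""
# authelia_oidc_secret_nextcloud: ""
# authelia_user_admin_password_hash: ""    # argon2id hash
# authelia_db_password: ""                 # only if storage_type=postgresql
# authelia_smtp_password: ""               # only if smtp_enabled=true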