K3S/addons/authelia/role/templates/values.yaml.j2
Sergey Antropoff 225f77598a feat: добавить аддон authelia — SSO forward-auth и OIDC provider
Helm chart + Ansible role для Authelia 4.38:
- Forward-auth для ingress-nginx через аннотации auth-url/auth-signin
- OIDC provider: Gitea, Grafana, ArgoCD, MinIO, Vault, Nextcloud
- SQLite default или PostgreSQL; опциональный Redis для сессий
- RSA ключ OIDC генерируется автоматически если не задан в vault
- ConfigMap authelia-forward-auth с готовыми аннотациями для любого сервиса
- README: install, users, protect service, OIDC per-service, debug, test
2026-04-26 18:18:46 +03:00


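# Generated by Ansible — do not edit manually.
# Configure via: group_vars/all/addons.yml → authelia_* variables
# Secrets from: group_vars/all/vault.yml → authelia_* secrets
#
# Scalars are rendered with `to_json`, not `quote`. Ansible's `quote` is shell
# quoting (shlex): it leaves "safe" values bare, so a domain or secret such as
# NO, 1.10 or 0644 is retyped by the YAML parser, and a value containing a
# single quote becomes '...'"'"'...', which is not YAML. A JSON string is always
# a valid YAML double-quoted scalar with correct escaping, for any input.

domain: {{ authelia_domain | to_json }}
authHost: {{ authelia_host | to_json }}
theme: {{ authelia_theme | to_json }}

secrets:
  jwtSecret: {{ authelia_jwt_secret | to_json }}
  sessionSecret: {{ authelia_session_secret | to_json }}
  storageEncryptionKey: {{ authelia_storage_encryption_key | to_json }}
  oidcHmacSecret: {{ authelia_oidc_hmac_secret | to_json }}
  # PEM private key: to_json escapes the newlines, which YAML restores.
  oidcPrivateKey: {{ _authelia_oidc_private_key_final | to_json }}
  # Empty when the corresponding feature (PostgreSQL / SMTP) is disabled.
  dbPassword: {{ authelia_db_password | default('') | to_json }}
  smtpPassword: {{ authelia_smtp_password | default('') | to_json }}

# Users — passwords are Argon2id hashes from vault.yml
users:
{% for username, user in authelia_users.items() %}
  {{ username | to_json }}:
    disabled: false
    displayname: {{ user.displayname | to_json }}
    # A missing vault hash renders as "" — a user entry with no usable password.
    # NOTE(review): verify Authelia rejects an empty hash at startup rather than
    # silently; otherwise consider `mandatory` here.
    password: {{ vars['authelia_user_' + username + '_password_hash'] | default('') | to_json }}
    email: {{ user.email | to_json }}
    groups:
{{ user.groups | to_yaml | indent(6, True) }}
{% endfor %}

totp:
  issuer: {{ authelia_domain | to_json }}
  period: 30
  skew: 1

twoFactor:
  enabled: {{ authelia_two_factor_enabled | string | lower }}

session:
  name: authelia_session
  domain: {{ authelia_domain | to_json }}
  sameSite: lax
  # Durations are strings ("1h", "5m"), so they must not reach the parser bare.
  expiration: {{ authelia_session_expiration | to_json }}
  inactivity: {{ authelia_session_inactivity | to_json }}
  rememberMeDuration: {{ authelia_session_remember_me | to_json }}

storage:
  type: {{ authelia_storage_type | to_json }}
  size: {{ authelia_storage_size | to_json }}
  storageClassName: {{ authelia_storage_class | to_json }}
  sqlite:
    path: /data/db.sqlite3
  postgresql:
    host: {{ authelia_db_host | to_json }}
    port: {{ authelia_db_port }}
    database: {{ authelia_db_name | to_json }}
    username: {{ authelia_db_user | to_json }}
    schema: public

redis:
  enabled: {{ authelia_redis_enabled | string | lower }}

notifier:
  smtp:
    enabled: {{ authelia_smtp_enabled | string | lower }}
    host: {{ authelia_smtp_host | to_json }}
    port: {{ authelia_smtp_port }}
    username: {{ authelia_smtp_username | to_json }}
    sender: {{ authelia_smtp_sender | to_json }}
    tls:
      # true disables certificate verification of the SMTP server; keep it
      # false outside lab setups.
      skipVerify: {{ authelia_smtp_tls_skip_verify | string | lower }}

accessControl:
  # Deny by default; the domain lists below open specific policies.
  defaultPolicy: deny
  bypassDomains:
{{ authelia_bypass_domains | to_yaml | indent(4, True) }}
  oidcDomains:
{{ authelia_oidc_domains | to_yaml | indent(4, True) }}
  adminDomains:
{{ authelia_admin_domains | to_yaml | indent(4, True) }}
  protectedDomains:
{{ authelia_protected_domains | to_yaml | indent(4, True) }}

oidc:
  enabled: {{ authelia_oidc_enabled | string | lower }}
  accessTokenLifespan: 1h
  authorizeCodeLifespan: 1m
  idTokenLifespan: 1h
  refreshTokenLifespan: 90m
  clients:
    gitea:
      enabled: {{ authelia_oidc_gitea_enabled | string | lower }}
      id: gitea
      secret: {{ authelia_oidc_secret_gitea | default('') | to_json }}
      description: "Gitea"
      redirectUris:
        - {{ authelia_oidc_gitea_redirect | to_json }}
      scopes: [openid, profile, email, groups]
      grantTypes: [refresh_token, authorization_code]
    grafana:
      enabled: {{ authelia_oidc_grafana_enabled | string | lower }}
      id: grafana
      secret: {{ authelia_oidc_secret_grafana | default('') | to_json }}
      description: "Grafana"
      redirectUris:
        - {{ authelia_oidc_grafana_redirect | to_json }}
      scopes: [openid, profile, email, groups]
      grantTypes: [refresh_token, authorization_code]
    argocd:
      enabled: {{ authelia_oidc_argocd_enabled | string | lower }}
      id: argocd
      secret: {{ authelia_oidc_secret_argocd | default('') | to_json }}
      description: "ArgoCD"
      redirectUris:
        - {{ authelia_oidc_argocd_redirect | to_json }}
      scopes: [openid, profile, email, groups]
      grantTypes: [refresh_token, authorization_code]
    minio:
      enabled: {{ authelia_oidc_minio_enabled | string | lower }}
      id: minio
      secret: {{ authelia_oidc_secret_minio | default('') | to_json }}
      description: "MinIO"
      redirectUris:
        - {{ authelia_oidc_minio_redirect | to_json }}
      # No groups scope and no refresh tokens for this client.
      scopes: [openid, profile, email]
      grantTypes: [authorization_code]
    vault:
      enabled: {{ authelia_oidc_vault_enabled | string | lower }}
      id: vault
      secret: {{ authelia_oidc_secret_vault | default('') | to_json }}
      description: "Vault"
      redirectUris:
        - {{ authelia_oidc_vault_redirect_1 | to_json }}
        - {{ authelia_oidc_vault_redirect_2 | to_json }}
      scopes: [openid, profile, email, groups]
      grantTypes: [refresh_token, authorization_code]
    nextcloud:
      enabled: {{ authelia_oidc_nextcloud_enabled | string | lower }}
      id: nextcloud
      secret: {{ authelia_oidc_secret_nextcloud | default('') | to_json }}
      description: "Nextcloud"
      redirectUris:
        - {{ authelia_oidc_nextcloud_redirect | to_json }}
      scopes: [openid, profile, email, groups]
      grantTypes: [refresh_token, authorization_code]

ingress:
  enabled: {{ authelia_ingress_enabled | string | lower }}
  ingressClass: {{ authelia_ingress_class | to_json }}
  tls:
    enabled: {{ authelia_ingress_tls_enabled | string | lower }}
    secretName: {{ authelia_ingress_tls_secret | to_json }}
    certManager:
      enabled: {{ authelia_ingress_cert_manager_enabled | string | lower }}
      issuer: {{ authelia_ingress_cert_manager_issuer | to_json }}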