forked from sebadob/rauthy
-
Notifications
You must be signed in to change notification settings - Fork 0
/
rauthy.deploy.cfg
329 lines (279 loc) · 12.4 KB
/
rauthy.deploy.cfg
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
### !!! CAUTION !!!
###
### This config is incomplete and only exists to provide values that will
### most probably be interesting for testing out Rauthy and to make the
### container image start without any configuration at all during evaluation.
###
### You can find a complete example with all existing config values in the book:
### https://sebadob.github.io/rauthy/config/config.html
###
### DO NOT USE THIS FOR PRODUCTION WITHOUT MODIFICATION
###
### Especially the `ENC_KEYS` should never be used in production. These are
### Only hardcoded for demo purposes!
#####################################
############## ACCESS ###############
#####################################
# If the User Registration endpoint should be accessible by anyone. If not, an admin must create each new user.
# (default: false)
OPEN_USER_REG=true
#####################################
############## CACHE ################
#####################################
# Can be set to 'k8s' to try to split off the node id from the hostname
# when Hiqlite is running as a StatefulSet inside Kubernetes.
# Will be ignored if `HQL_NODE_ID_FROM=k8s`
#HQL_NODE_ID_FROM=k8s
# The node id must exist in the nodes and there must always be
# at least a node with ID 1
HQL_NODE_ID=1
# All cluster member nodes.
# To make setting the env var easy, the values are separated by `\s`
# while nodes are separated by `\n`
# in the following format:
#
# id addr_raft addr_api
# id addr_raft addr_api
# id addr_raft addr_api
#
# 2 nodes must be separated by 2 `\n`
HQL_NODES="
1 localhost:8100 localhost:8200
"
# If set to `true`, all SQL statements will be logged for debugging
# purposes.
# default: false
#HQL_LOG_STATEMENTS=false
# Secrets for Raft internal authentication as well as for the API.
# These must be at least 16 characters long and you should provide
# different ones for both variables.
HQL_SECRET_RAFT=SuperSecureSecret1337
HQL_SECRET_API=SuperSecureSecret1337
# You can either parse `ENC_KEYS` and `ENC_KEY_ACTIVE` from the
# environment with setting this value to `env`, or parse them from
# a file on disk with `file:path/to/enc/keys/file`
# default: env
#HQL_ENC_KEYS_FROM=env
#####################################
############ DATABASE ###############
#####################################
# The database driver will be chosen at runtime depending on the given DATABASE_URL format. Examples:
# Sqlite: 'sqlite:data/rauthy.db' or 'sqlite::memory:'
# Postgres: 'postgresql://User:PasswordWithoutSpecialCharacters@localhost:5432/DatabaseName'
#
# NOTE: The password in this case should be alphanumeric. Special characters could cause problems in the connection
# string.
#
# CAUTION: To make the automatic migrations work with Postgres15, when you do not want to just use the `postgres` user,
# You need to have a user with the same name as the DB / schema. For instance, the following would work without
# granting extra access to the `public` schema which is disabled by default since PG15:
# database: rauthy
# user: rauthy
# schema: rauthy with owner rauthy
#
#DATABASE_URL=sqlite:data/rauthy.db
DATABASE_URL=sqlite::memory:
#####################################
############# E-MAIL ################
#####################################
#SMTP_USERNAME=
#SMTP_PASSWORD=
#SMTP_URL=smtp.change.me
# Format: "Rauthy <[email protected]>"
SMTP_FROM="Rauthy <[email protected]>"
#####################################
###### ENCRYPTION / HASHING #########
#####################################
# You need to define at least one valid encryption key.
# These keys are used in various places, like for instance
# encrypting confidential client secrets in the database, or
# encryption cookies, and so on.
#
# The format must match:
# ENC_KEYS="
# q6u26onRvXVG4427/M0NFQzhSSldCY01rckJNa1JYZ3g2NUFtSnNOVGdoU0E=
# bVCyTsGaggVy5yqQ/UzluN29DZW41M3hTSkx6Y3NtZmRuQkR2TnJxUTYzcjQ=
# "
#
# The first part until the first `/` is the key ID.
# The ID must match '[a-zA-Z0-9]{2,20}'
#
# The key itself begins after the first `/` has been found.
# The key must be exactly 32 bytes long, encoded as base64.
#
# You can find a more detailed explanation on how to generate
# keys in the documentation:
# 1. https://sebadob.github.io/rauthy/getting_started/k8s.html#create-and-apply-secrets
# 2. https://sebadob.github.io/rauthy/config/encryption.html
#
# You can provide multiple keys to make things like key
# rotation work. Be careful with removing old keys. Make sure
# that all secrets have been migrated beforehand.
# You can find a utility in the Admin UI to do this for you.
#
ENC_KEYS="
q6u26onRvXVG4427/M0NFQzhSSldCY01rckJNa1JYZ3g2NUFtSnNOVGdoU0E=
bVCyTsGaggVy5yqQ/UzluN29DZW41M3hTSkx6Y3NtZmRuQkR2TnJxUTYzcjQ=
"
# This identifies the key ID from the `ENC_KEYS` list, that
# should actively be used for new encryptions.
ENC_KEY_ACTIVE=bVCyTsGaggVy5yqQ
# M_COST should never be below 32768 in production
#ARGON2_M_COST=131072
# T_COST should never be below 1 in production
#ARGON2_T_COST=4
# P_COST should never be below 2 in production
#ARGON2_P_COST=8
# Limits the maximum amount of parallel password hashes at the exact same time to never exceed system memory while
# still allowing a good amount of memory for the argon2id algorithm (default: 2)
# CAUTION: You must make sure, that you have at least (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + idle memory
# of your deployment available.
MAX_HASH_THREADS=1
#####################################
######### EVENTS / AUDIT ############
#####################################
# The E-Mail address event notifications should be sent to
# The notification level for events. Works the same way as a logging level. For instance:
# 'notice' means send out a notifications for all events with the info level or higher.
# Possible values:
# - info
# - notice
# - warning
# - critical
# default: 'notice'
#EVENT_NOTIFY_LEVEL_EMAIL=notice
# Matrix variables for event notifications.
# `EVENT_MATRIX_USER_ID` and `EVENT_MATRIX_ROOM_ID` are mandatory.
# Depending on your Matrix setup, additionally one of
# `EVENT_MATRIX_ACCESS_TOKEN` or `EVENT_MATRIX_USER_PASSWORD` is needed.
# If you log in to Matrix with User + Password, you may use `EVENT_MATRIX_USER_PASSWORD`.
# If you log in via OIDC SSO (or just want to use a session token you can revoke),
# you should provide `EVENT_MATRIX_ACCESS_TOKEN`.
# If both are given, the `EVENT_MATRIX_ACCESS_TOKEN` will be preferred.
#
# If left empty, no messages will be sent to Slack.
# Format: `@<user_id>:<server address>`
#EVENT_MATRIX_USER_ID=
# Format: `!<random string>:<server address>`
#EVENT_MATRIX_ROOM_ID=
#EVENT_MATRIX_ACCESS_TOKEN=
#EVENT_MATRIX_USER_PASSWORD=
# Optional path to a PEM Root CA certificate file for the Matrix client.
#EVENT_MATRIX_ROOT_CA_PATH=tls/root.cert.pem
# May be set to disable the TLS validation for the Matrix client.
# default: false
#EVENT_MATRIX_DANGER_DISABLE_TLS_VALIDATION=false
# The Webhook for Slack Notifications.
# If left empty, no messages will be sent to Slack.
#EVENT_SLACK_WEBHOOK=
#####################################
############# LOGGING ###############
#####################################
# This is the log level for stdout logs
# Accepts: error, info, debug, trace (default: info)
#LOG_LEVEL=info
# This is a special config which allows the configuration of customized access logs.
# These logs will be logged with each request in addition to the normal LOG_LEVEL logs.
# The following values are valid:
# - Debug
# CAUTION: The Debug setting logs every information available to the middleware which includes SENSITIVE HEADERS
# DO NOT use the Debug level in a working production environment!
# - Verbose
# Verbose logging without headers - generates huge outputs
# - Basic
# Logs access to all endpoints apart from the Frontend ones which all js, css, ...
# - Modifying
# Logs only requests to modifying endpoints and skips all GET
# - Off
# default: Modifying
#LOG_LEVEL_ACCESS=Modifying
#####################################
################ MFA ################
#####################################
# If 'true', MFA for an account must be enabled to access the rauthy admin UI (default: true)
ADMIN_FORCE_MFA=false
#####################################
############# SERVER ################
#####################################
# The server address to listen on. Can bind to a specific IP.
# default: 0.0.0.0
#LISTEN_ADDRESS=0.0.0.0
# The listen ports for HTTP / HTTPS, depending on the activated 'LISTEN_SCHEME'
# default: 8080
#LISTEN_PORT_HTTP=8080
# default: 8443
#LISTEN_PORT_HTTPS=8443
# The scheme to use locally, valid values: http | https | http_https | unix_http | unix_https
# For more details about the UNIX domain socket, check out its documentation page.
# default: http_https
LISTEN_SCHEME=http
# The Public URL of the whole deployment
# The LISTEN_SCHEME + PUB_URL must match the HTTP ORIGIN HEADER later on, which is especially important when running
# rauthy behind a reverse proxy. In case of a non-standard port (80/443), you need to add the port to the PUB_URL
PUB_URL=localhost:8080
# default value: number of available physical cores
HTTP_WORKERS=1
# When Rauthy is running behind a reverse proxy, set to true
# default: false
#PROXY_MODE=false
# If the Swagger UI should be served externally as well. This makes the link in the Admin UI work.
#
# CAUTION: The Swagger UI is open and does not require any login to be seen!
# Rauthy is open source, which means anyone could just download it and see on their own,
# but it may be a security concern to just expose less information.
# (default: false)
SWAGGER_UI_EXTERNAL=true
#####################################
############# WEBAUTHN ##############
#####################################
# The 'Relaying Party (RP) ID' - effective domain name (default: localhost)
# CAUTION: When this is changed, no already registered device will work!
#RP_ID=localhost
# Url containing the effective domain name (default: http://localhost:8080)
# CAUTION: Must include the port number!
#RP_ORIGIN=http://localhost:8080
# Non critical RP Name
# Has no security properties and may be changed without issues (default: Rauthy Webauthn)
#RP_NAME='Rauthy Webauthn'
# The Cache lifetime in seconds for Webauthn requests. Within this time, a webauthn request must have been validated.
# (default: 60)
WEBAUTHN_REQ_EXP=60
# The Cache lifetime for additional Webauthn Data like auth codes and so on. Should not be lower than WEBAUTHN_REQ_EXP.
# The value is in seconds (default: 90)
WEBAUTHN_DATA_EXP=90
# With webauthn enabled for a user, he needs to enter username / password on a new system. If these credentials are
# verified, rauthy will set an additional cookie, which will determine how long the user can then use only (safe)
# MFA passwordless webauthn login with yubikeys, apple touch id, windows hello, ... until he needs to verify his
# credentials again.
# Passwordless login is generally much safer than logging in with a password. But sometimes it is possible, that the
# Webauthn devices do not force the user to include a second factor, which in that case would be a single factor login
# again. That is why we should ask for the original password in addition once in a while to set the cookie.
# The value is in hours (default: 2160)
WEBAUTHN_RENEW_EXP=2160
# This feature can be set to 'true' to force User verification during the Webauthn ceremony.
# UV will be true, if the user does not only need to verify its presence by touching the key, but by also providing
# proof that he knows (or is) some secret via a PIN or biometric key for instance.
# With UV, we have a true MFA scenario where UV == false (user presence only) would be a 2FA scenario (with password).
# Be careful with this option, since Android and some special combinations of OS + browser to not support UV yet.
# (default: false)
#WEBAUTHN_FORCE_UV=false
#####################################
############### TLS #################
#####################################
## Rauthy TLS
# Overwrite the path to the TLS certificate file in PEM format for rauthy (default: tls/tls.crt)
TLS_CERT=/app/tls/cert-chain.pem
# Overwrite the path to the TLS private key file in PEM format for rauthy.
# If the path / filename ends with '.der', rauthy will parse it as DER, otherwise as PEM.
# (default: tls/tls.key)
TLS_KEY=/app/tls/key.pem
## CACHE TLS
# If given, these keys / certificates will be used to establish
# TLS connections between nodes.
#HQL_TLS_RAFT_KEY=tls/key.pem
#HQL_TLS_RAFT_CERT=tls/cert-chain.pem
#HQL_TLS_RAFT_DANGER_TLS_NO_VERIFY=true
#HQL_TLS_API_KEY=tls/key.pem
#HQL_TLS_API_CERT=tls/cert-chain.pem
#HQL_TLS_API_DANGER_TLS_NO_VERIFY=true