
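# Helm values for the Authelia chart (schema reference below). Only the keys that
# differ from the chart defaults are set here; every secret is referenced by
# Kubernetes Secret name and never written into this file.
# https://github.com/authelia/chartrepo/blob/master/charts/authelia/values.yaml
image:
  registry: ghcr.io
  repository: authelia/authelia
  tag: 4.38.18  # renovate: docker=ghcr.io/authelia/authelia
  pullPolicy: IfNotPresent

pod:
  kind: Deployment

# configMap.* is rendered into Authelia's configuration.yml by the chart.
configMap:
  default_2fa_method: totp
  theme: dark

  identity_validation:
    reset_password:
      # HMAC key used to sign password-reset tokens; lives in the `crypto`
      # Secret under identity_validation.reset_password.jwt.hmac.key (see
      # secret.additionalSecrets.crypto below).
      secret: { secret_name: crypto }

  access_control:
    # Anything not matched by a rule below is refused outright.
    default_policy: deny
    rules:
      # Every subdomain of stonegarden.dev requires a second factor. The
      # leading `.*\.` means the apex domain itself is NOT matched by this
      # rule and therefore falls through to the deny policy. The dot before
      # `dev` is escaped so the pattern cannot match e.g. `stonegardenXdev`.
      - domain_regex: '^.*\.stonegarden\.dev$'
        policy: two_factor

  session:
    encryption_key: { secret_name: crypto }
    cookies:
      # The chart derives the portal URL from `subdomain` + `domain`
      # (authelia.stonegarden.dev); the session cookie is scoped to the
      # parent domain so every *.stonegarden.dev app shares one session.
      - subdomain: authelia
        domain: stonegarden.dev

  storage:
    encryption_key: { secret_name: crypto }
    postgres:
      enabled: true
      # deploy: false -> the chart does not ship a database; `authelia-postgres-rw`
      # is an externally managed read-write service (naming suggests a
      # CloudNativePG cluster, unverified from this file).
      deploy: false
      address: tcp://authelia-postgres-rw:5432
      database: authelia
      username: authelia
      # NOTE(review): no `tls` block is set, so this connection is plaintext
      # on the pod network; enable TLS here if the database serves it.
      password: { secret_name: authelia-postgres-app }

  notifier:
    smtp:
      enabled: true
      # `submission://` on 587 negotiates STARTTLS before authenticating.
      address: submission://smtp.sendgrid.net:587
      sender: Authelia <ikkje-noko-svar@stonegarden.dev>
      # SendGrid convention: literal username `apikey`, API key as password.
      username: apikey
      password: { secret_name: smtp-auth }

  authentication_backend:
    ldap:
      enabled: true
      implementation: lldap
      # NOTE(review): plain `ldap://` — the bind password and user lookups
      # transit the cluster network unencrypted. Prefer `ldaps://` (or
      # `start_tls: true`) if the lldap deployment is configured for TLS,
      # or ensure a network policy / service mesh protects this hop.
      address: ldap://lldap.lldap.svc.cluster.local
      base_dn: dc=stonegarden,dc=dev
      # Users may log in with either their username or their e-mail address.
      users_filter: (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
      additional_users_dn: ou=people
      groups_filter: (member={dn})
      additional_groups_dn: ou=groups
      # Service account used for the LDAP bind; its password comes from the
      # `lldap-auth` Secret.
      user: UID=authelia,OU=people,DC=stonegarden,DC=dev
      password: { secret_name: lldap-auth }

  identity_providers:
    oidc:
      ## Currently in beta stage. See https://www.authelia.com/r/openid-connect/
      enabled: true
      hmac_secret: { secret_name: crypto }
      # Two signing keys: RS256 (default) and ES256. Clients below that set
      # *_signed_response_alg: ES256 are served by the `ecdsa256` key.
      jwks:
        - key_id: default
          algorithm: RS256
          use: sig
          key: { path: /secrets/rsa-jwk/tls.key }
          certificate_chain: { path: /secrets/rsa-jwk/tls.crt }
        - key_id: ecdsa256
          algorithm: ES256
          use: sig
          key: { path: /secrets/ecdsa-jwk/tls.key }
          certificate_chain: { path: /secrets/ecdsa-jwk/tls.crt }
      cors:
        # Derive the CORS allow-list from the registered redirect URIs
        # instead of maintaining a separate `allowed_origins` list.
        allowed_origins_from_client_redirect_uris: true
        endpoints: [ userinfo, authorization, token, revocation, introspection ]
      # Every client below requires a second factor at authorization time.
      clients:
        # Argo CD web UI (confidential client).
        - client_id: argocd
          client_secret: { path: /secrets/client-argocd/client_secret.txt }
          client_name: Argo CD
          public: false
          authorization_policy: two_factor
          pre_configured_consent_duration: 1 month
          redirect_uris:
            - https://argocd.stonegarden.dev/auth/callback
            - https://argocd.stonegarden.dev/applications
          scopes: [ openid, groups, email, profile, offline_access ]
          # `none` -> userinfo is returned as plain JSON rather than a JWT.
          userinfo_signed_response_alg: none
          id_token_signed_response_alg: ES256
          access_token_signed_response_alg: ES256

        # Argo CD CLI (`argocd login --sso`): public client with a loopback
        # redirect. PKCE is made explicit here (matching the `kubectl` and
        # `netbird` clients) so a public client cannot complete the code
        # exchange without the verifier, regardless of the global
        # `enforce_pkce` setting.
        - client_id: argocd-cli
          client_name: Argo CD (CLI)
          public: true
          authorization_policy: two_factor
          pre_configured_consent_duration: 1 month
          require_pkce: true
          pkce_challenge_method: S256
          redirect_uris: [ http://localhost:8085/auth/callback ]
          scopes: [ openid, groups, email, profile, offline_access ]
          id_token_signed_response_alg: ES256
          access_token_signed_response_alg: ES256

        # kubectl OIDC login (public client, loopback redirects).
        # S256 is pinned so the weaker `plain` challenge method is refused.
        - client_id: kubectl
          client_name: kubectl
          public: true
          authorization_policy: two_factor
          pre_configured_consent_duration: 1 month
          require_pkce: true
          pkce_challenge_method: S256
          redirect_uris: [ http://localhost:8000, http://localhost:18000 ]
          scopes: [ openid, groups, email, profile, offline_access ]

        # NetBird management/dashboard (confidential client, PKCE enforced).
        # The loopback redirect serves the NetBird desktop/CLI login flow.
        - client_id: netbird
          client_secret: { path: /secrets/client-netbird/client_secret.txt }
          client_name: NetBird
          public: false
          authorization_policy: two_factor
          pre_configured_consent_duration: 1 month
          require_pkce: true
          pkce_challenge_method: S256
          # Tokens carry `netbird` as audience so they are not accepted elsewhere.
          audience: [ netbird ]
          redirect_uris:
            - http://localhost:53000
            - https://netbird.stonegarden.dev/callback
            - https://netbird.stonegarden.dev/silent-callback
          scopes: [ openid, profile, email, offline_access ]
          # NetBird sends the client secret in the POST body rather than via
          # HTTP Basic auth.
          token_endpoint_auth_method: client_secret_post

# Existing Kubernetes Secrets mounted by the chart under /secrets/<name>/<path>.
# Each `secret_name` reference above resolves to one of these; where the
# reference omits `path`, the chart appears to derive the file name from the
# config key (e.g. storage.postgres.password.txt), which is why the item
# paths below mirror those key names — keep them in sync.
secret:
  additionalSecrets:
    authelia-postgres-app:
      items:
        - key: password
          path: storage.postgres.password.txt
    lldap-auth:
      items:
        - key: password
          path: authentication.ldap.password.txt
    smtp-auth:
      items:
        - key: password
          path: notifier.smtp.password.txt
    # One Secret holding every HMAC / encryption key Authelia needs.
    crypto:
      items:
        - key: identity_providers.oidc.hmac.key
          path: identity_providers.oidc.hmac.key
        - key: identity_validation.reset_password.jwt.hmac.key
          path: identity_validation.reset_password.jwt.hmac.key
        - key: session.encryption.key
          path: session.encryption.key
        - key: storage.encryption.key
          path: storage.encryption.key
    # OIDC signing keys, referenced by absolute path in identity_providers.oidc.jwks.
    rsa-jwk:
      items:
        - key: tls.key
          path: tls.key
        - key: tls.crt
          path: tls.crt
    ecdsa-jwk:
      items:
        - key: tls.key
          path: tls.key
        - key: tls.crt
          path: tls.crt
    # Per-client OIDC secrets, referenced by absolute path in the client entries.
    client-argocd:
      items:
        - key: clientSecret
          path: client_secret.txt
    client-netbird:
      items:
        - key: clientSecret
          path: client_secret.txt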