commit 5bbb17cf0f6339d467b6b185cac3c8e448ee2b09 Author: decentral1se Date: Tue Apr 15 01:22:06 2025 +0200 feat: init diff --git a/.env.sample b/.env.sample new file mode 100644 index 0000000..3a742af --- /dev/null +++ b/.env.sample @@ -0,0 +1,21 @@ +TYPE=rauthy +DOMAIN=rauthy.example.com +LETS_ENCRYPT_ENV=production + +COMPOSE_FILE="compose.yml" + +ADMIN_EMAIL=admin@example.org +ADMIN_FORCE_MFA=true + +SECRET_ENC_KEYS_VERSION=v1 +ENC_KEY_ACTIVE="" + +SECRET_HQL_RAFT_VERSION=v1 +SECRET_HQL_API_VERSION=v1 + +# SMTP +#COMPOSE_FILE="$COMPOSE_FILE:compose.smtp.yml" +#SMTP_ENABLED=1 +#EMAIL_SUB_PREFIX="Rauthy IAM" +#SMTP_USERNAME= +#SECRET_SMTP_PASSWORD_VERSION=v1 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..7a6353d --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.envrc diff --git a/README.md b/README.md new file mode 100644 index 0000000..77c78e0 --- /dev/null +++ b/README.md @@ -0,0 +1,43 @@ +# rauthy + +> OpenID Connect Single Sign-On Identity & Access Management + + + +* **Category**: Apps +* **Status**: 0 +* **Image**: [`rauthy`](https://ghcr.io/sebadob/rauthy), 4, upstream +* **Healthcheck**: No +* **Backups**: No +* **Email**: No +* **Tests**: No +* **SSO**: No + + + +## Quick start + +* `abra app new rauthy` + +### Generate encryption keys + +* `echo "$(openssl rand -hex 4)/$(openssl rand -base64 32)"` +* `abra app secret insert enc_keys v1 ` +* `abra app config ` + * **N.B** you need to match the `ENC_KEYS_ACTIVE` env var with the start of + the generated `ENC_KEYS` value (everything before the `/`. See [the + docs](https://sebadob.github.io/rauthy/config/encryption.html) for more) + +### Generate secrets + +* `abra app secret generate -a` + +### Deploy + +* `abra app deploy ` +* `abra app logs ` + * You'll see the automatically generated admin password in the initial logs. + Ensure that you reset this password after you log in. The `ADMIN_EMAIL` env + var controls the value of the admin login username. + +For more, see [`docs.coopcloud.tech`](https://docs.coopcloud.tech). diff --git a/abra.sh b/abra.sh new file mode 100644 index 0000000..12978ab --- /dev/null +++ b/abra.sh @@ -0,0 +1 @@ +export RAUTHY_CFG_VERSION=v1 diff --git a/compose.smtp.yml b/compose.smtp.yml new file mode 100644 index 0000000..958cc32 --- /dev/null +++ b/compose.smtp.yml @@ -0,0 +1,16 @@ +--- +version: "3.13" + +services: + app: + environment: + - EMAIL_SUB_PREFIX + - SMTP_FROM + - SMTP_USERNAME + secrets: + - smtp_password + +secrets: + smtp_password: + name: ${STACK_NAME}_smtp_password_${SECRET_SMTP_PASSWORD_VERSION} + external: true diff --git a/compose.yml b/compose.yml new file mode 100644 index 0000000..97efdfc --- /dev/null +++ b/compose.yml @@ -0,0 +1,56 @@ +--- +version: "3.13" + +services: + app: + image: ghcr.io/sebadob/rauthy:0.28.3 + environment: + - ADMIN_EMAIL + - ADMIN_FORCE_MFA + - DOMAIN + - ENC_KEY_ACTIVE + configs: + - source: rauthy_cfg + target: /app/rauthy.cfg + secrets: + - enc_keys + - hql_api + - hql_raft + volumes: + - data:/app/data + networks: + - proxy + deploy: + restart_policy: + condition: on-failure + labels: + - "traefik.enable=true" + - "traefik.http.services.${STACK_NAME}.loadbalancer.server.port=8080" + - "traefik.http.routers.${STACK_NAME}.rule=Host(`${DOMAIN}`)" + - "traefik.http.routers.${STACK_NAME}.entrypoints=web-secure" + - "traefik.http.routers.${STACK_NAME}.tls.certresolver=${LETS_ENCRYPT_ENV}" + - "coop-cloud.${STACK_NAME}.version=0.1.0+0.28.3" + +networks: + proxy: + external: true + +configs: + rauthy_cfg: + name: ${STACK_NAME}_rauthy_cfg_${RAUTHY_CFG_VERSION} + file: rauthy.cfg.tmpl + template_driver: golang + +secrets: + enc_keys: + name: ${STACK_NAME}_enc_keys_${SECRET_ENC_KEYS_VERSION} + external: true + hql_raft: + name: ${STACK_NAME}_hql_raft_${SECRET_HQL_RAFT_VERSION} + external: true + hql_api: + name: ${STACK_NAME}_hql_api_${SECRET_HQL_API_VERSION} + external: true + +volumes: + data: diff --git a/rauthy.cfg.tmpl b/rauthy.cfg.tmpl new file mode 100644 index 0000000..f514bdb --- /dev/null +++ b/rauthy.cfg.tmpl @@ -0,0 +1,1337 @@ +##################################### +############## ACCESS ############### +##################################### + +# If the User Registration endpoint should be accessible by anyone. +# If not, an admin must create each new user. +# default: false +#OPEN_USER_REG=false + +# If set to true, the `/userinfo` endpoint will do additional validations. +# The non-strict mode will fetch the user by id from the `sub` claim and make +# sure it still exists and is enabled. The strict validation will do additional +# database fetches and validates every possible value. +# Additionally, it will look up a possibly linked user device from the `did` claim +# and make sure it still exists. It will also extract the `client_id` the token +# has been originally issued for from the `azp` claim, fetch it and make sure it +# still exists and is enabled. +# If you don't need the extra validations, you can set this to `false` to +# save some resources, if your clients to a lot of `/userinfo` lookups. +# default: true +#USERINFO_STRICT=true + +# Can be set to `true` to disable authorization on `/oidc/introspect`. +# This should usually never be done, but since the auth on that endpoint is not +# really standardized, you may run into issues with your client app. +# If so, please open an issue about it. +# default: false +#DANGER_DISABLE_INTROSPECT_AUTH=false + +# By default, `refresh_token`s will have an `nbf` claim, making them valid +# at `access_token_lifetime - 60 seconds`. Any usage before this time will +# result in invalidation of not only the token itself, but also all other +# linked sessions and tokens for this user to prevent damage in case a client +# leaked the token by accident. +# However, there are bad / lazy client implementations that do not respect +# either `nbf` in the `refresh_token`, or the `exp` claim in `access_token` +# and will refresh early while the current access_token is still valid. +# This does not only waste resources and time, but also makes it possible +# to have multiple valid `access_token`s at the same time for the same +# session. You should only disable the `nbf` claim if you have a good +# reasons to do so. +# If disabled, the `nbf` claim will still exist, but always set to *now*. +# default: false +#DISABLE_REFRESH_TOKEN_NBF=false + +# Can be used when 'OPEN_USER_REG=true' to restrict the domains +# for a registration. For instance, set it to +# 'USER_REG_DOMAIN_RESTRICTION=gmail.com' to allow only +# registrations with 'user@gmail.com' (default: '') +#USER_REG_DOMAIN_RESTRICTION=some-domain.com + +# If `OPEN_USER_REG=true`, you can blacklist certain domains +# on the open registration endpoint. +# Provide the domains as a `\n` separated list. +#USER_REG_DOMAIN_BLACKLIST=" +#example.com +#evil.net +#" + +# If set to `true`, any validation of the `redirect_uri` provided during +# a user registration will be disabled. +# Clients can use this feature to redirect the user back to their application +# after a successful registration, so instead of ending up in the user +# dashboard, they come back to the client app that initiated the registration. +# +# The given `redirect_uri` will be compared against all registered +# `client_uri`s and will throw an error, if there is no match. However, +# this check will prevent ephemeral clients from using this feature. Only +# if you need it in combination with ephemeral clients, you should +# set this option to `true`. Otherwise it is advised to set the correct +# Client URI in the admin UI. The `redirect_uri` will be allowed if it starts +# with any registered `client_uri`. +# +# default: false +#USER_REG_OPEN_REDIRECT=true + +# If set to true, a violation inside the CSRF protection middleware based +# on Sec-* headers will block invalid requests. Usually you always want this +# enabled. You may only set it to false during the first testing phase if you +# experience any issues with an already existing Rauthy deployment. +# In future releases, it will not be possible the disable these blocks. +# default: true +#SEC_HEADER_BLOCK=true + +# If set to 'true', this will validate the remote peer IP address with +# each request and compare it with the IP which was used during the initial +# session creation / login. If the IP is different, the session will be +# rejected. This is a security hardening and prevents stolen access credentials, +# for instance if an attacker might have copied the encrypted session cookie +# and the XSRF token from the local storage from a user. However, this event +# is really unlikely, since it may only happen if an attacker has direct access +# to the machine itself. +# +# If your users are using mobile networks and get new IP addresses all the time, +# this means they have to do a new login each time. This is no big deal at all with +# Webauthn / FIDO keys anyway and should not be a reason to deactivate this feature. +# +# Caution: If you are running behind a reverse proxy which does not provide the +# X-FORWARDED-FOR header correctly, or you have the PROXY_MODE in this config +# disabled, this feature will not work. You can validate the IPs for each session +# in the Admin UI. If these are correct, your setup is okay. +# +# default: true +#SESSION_VALIDATE_IP=true + +# By default, Rauthy will log a warning into the logs, if an active password +# reset form is being access multiple times from different hosts. You can set +# this to `true` to actually block any following request after the initial one. +# This hardens the security of the password reset form a bit more, but will +# create problems with E-Mail providers like Microsoft, which cans the customers +# E-Mails and even uses links inside, which make them unusable with this set to +# true. +# This feature works by setting an encrypted cookie to the host whichever opens +# the password reset form for the very first time. All subsequent requests either +# need to provide that cookie or would otherwise be rejected. +#PASSWORD_RESET_COOKIE_BINDING=true + +# Can be set to extract the remote client peer IP from a custom header name +# instead of the default mechanisms. This is needed when you are running +# behind a proxy which does not set the `X-REAL-IP` or `X-FORWARDED-FOR` headers +# correctly, or for instance when you proxy your requests through a CDN like +# Cloudflare, which adds custom headers in this case. +# For instance, if your requests are proxied through cloudflare, your would +# set `CF-Connecting-IP`. +#PEER_IP_HEADER_NAME="CF-Connecting-IP" + +# You can enable authn/authz headers which would be added to the response +# of the `/auth/v1/oidc/forward_auth` endpoint. With `AUTH_HEADERS_ENABLE=true`, +# the headers below will be added to authenticated requests. These could +# be used on legacy downstream applications, that don't support OIDC on +# their own. +# However, be careful when using this, since this kind of authn/authz has +# a lot of pitfalls out of the scope of Rauthy. +# default: false +#AUTH_HEADERS_ENABLE=true + +# Configure the header names being used for the different values. +# You can change them to your needs, if you cannot easily change your +# downstream apps. +# default: x-forwarded-user +#AUTH_HEADER_USER=x-forwarded-user +# default: x-forwarded-user-roles +#AUTH_HEADER_ROLES=x-forwarded-user-roles +# default: x-forwarded-user-groups +#AUTH_HEADER_GROUPS=x-forwarded-user-groups +# default: x-forwarded-user-email +#AUTH_HEADER_EMAIL=x-forwarded-user-email +# default: x-forwarded-user-email-verified +#AUTH_HEADER_EMAIL_VERIFIED=x-forwarded-user-email-verified +# default: x-forwarded-user-family-name +#AUTH_HEADER_FAMILY_NAME=x-forwarded-user-family-name +# default: x-forwarded-user-given-name +#AUTH_HEADER_GIVEN_NAME=x-forwarded-user-given-name +# default: x-forwarded-user-mfa +#AUTH_HEADER_MFA=x-forwarded-user-mfa + +# You can set different security levels for Rauthy's cookies. +# The safest option would be 'host', but may not be desirable when +# you host an application on the same origin behind a reverse proxy. +# In this case you might want to restrict to 'secure', which will then +# take the COOKIE_PATH from below into account. +# The last option is 'danger-insecure' which really should never be used +# unless you are just testing on localhost and you are using Safari. +#COOKIE_MODE=host + +# If set to 'true', Rauthy will bind the cookie to the `/auth` path. +# You may want to change this only for very specific reasons and if +# you are in such a situation, where you need this, you will know it. +# Otherwise don't change this value. +# default: true +#COOKIE_SET_PATH=true + +# The "catch all" route handler on `/` will compare the request path +# against a hardcoded list of common scan targets from bots and attackers. +# If the path matches any of these targets, the IP will be blacklisted +# preemptively for the set time in minutes. +# You can disable it with setting it to `0`. +# default: 1440 +#SUSPICIOUS_REQUESTS_BLACKLIST=1440 + +# This will emit a log with level of warning if a request to `/` has +# been made that has not been caught by any of the usual routes and +# and handlers. Apart from a request to just `/` which will end in +# a redirect to `/auth/v1`, all additional path's will be logged. +# This can help to improve the internal suspicious blocklist in the +# future. +# default: false +#SUSPICIOUS_REQUESTS_LOG=false + +##################################### +############# BACKUPS ############### +##################################### + +# When the auto-backup task should run. +# Accepts cron syntax: +# "sec min hour day_of_month month day_of_week year" +# default: "0 30 2 * * * *" +#HQL_BACKUP_CRON="0 30 2 * * * *" + +# Local backups older than the configured days will be cleaned up after +# the backup cron job. +# default: 30 +#HQL_BACKUP_KEEP_DAYS=30 + +# Backups older than the configured days will be cleaned up locally +# after each `Client::backup()` and the cron job `HQL_BACKUP_CRON`. +# default: 3 +#HQL_BACKUP_KEEP_DAYS_LOCAL=3 + +# If you ever need to restore from a backup, the process is simple. +# 1. Have the cluster shut down. This is probably the case anyway, if +# you need to restore from a backup. +# 2. Provide the backup file name on S3 storage with the +# HQL_BACKUP_RESTORE value. +# 3. Start up the cluster again. +# 4. After the restart, make sure to remove the HQL_BACKUP_RESTORE +# env value. +#HQL_BACKUP_RESTORE= + +# Access values for the S3 bucket where backups will be pushed to. +#HQL_S3_URL=https://s3.example.com +#HQL_S3_BUCKET=my_bucket +#HQL_S3_REGION=example +#HQL_S3_PATH_STYLE=true +#HQL_S3_KEY=s3_key +#HQL_S3_SECRET=s3_secret + +##################################### +############ BOOTSTRAP ############## +##################################### + +# If set, the email of the default admin will be changed +# during the initialization of an empty production database. +BOOTSTRAP_ADMIN_EMAIL="{{ env "ADMIN_EMAIL" }}" + +# If set, this plain text password will be used for the +# initial admin password instead of generating a random +# password. +#BOOTSTRAP_ADMIN_PASSWORD_PLAIN="123SuperSafe" + +# If set, this will take the argon2id hashed password +# during the initialization of an empty production database. +# If both BOOTSTRAP_ADMIN_PASSWORD_PLAIN and +# BOOTSTRAP_ADMIN_PASSWORD_ARGON2ID are set, the hashed version +# will always be prioritized. +#BOOTSTRAP_ADMIN_PASSWORD_ARGON2ID='$argon2id$v=19$m=32768,t=3,p=2$xr23OhOHw+pNyy3dYKZUcA$CBO4NpGvyi6gvrb5uNrnsS/z/Ew+IuS0/gVqFmLKncA' + +# You can provide an API Key during the initial prod database +# bootstrap. This key must match the format and pass validation. +# You need to provide it as a base64 encoded JSON in the format: +# +# ``` +# struct ApiKeyRequest { +# /// Validation: `^[a-zA-Z0-9_-/]{2,24}$` +# name: String, +# /// Unix timestamp in seconds in the future (max year 2099) +# exp: Option, +# access: Vec, +# } +# +# struct ApiKeyAccess { +# group: AccessGroup, +# access_rights: Vec, +# } +# +# enum AccessGroup { +# Blacklist, +# Clients, +# Events, +# Generic, +# Groups, +# Roles, +# Secrets, +# Sessions, +# Scopes, +# UserAttributes, +# Users, +# } +# +# #[serde(rename_all = "lowercase")] +# enum AccessRights { +# Read, +# Create, +# Update, +# Delete, +# } +# ``` +# +# You can use the `api_key_example.json` from `/` as +# an example. Afterwards, just `base64 api_key_example.json | tr -d '\n'` +#BOOTSTRAP_API_KEY="ewogICJuYW1lIjogImJvb3RzdHJhcCIsCiAgImV4cCI6IDE3MzU1OTk2MDAsCiAgImFjY2VzcyI6IFsKICAgIHsKICAgICAgImdyb3VwIjogIkNsaWVudHMiLAogICAgICAiYWNjZXNzX3JpZ2h0cyI6IFsKICAgICAgICAicmVhZCIsCiAgICAgICAgImNyZWF0ZSIsCiAgICAgICAgInVwZGF0ZSIsCiAgICAgICAgImRlbGV0ZSIKICAgICAgXQogICAgfSwKICAgIHsKICAgICAgImdyb3VwIjogIlJvbGVzIiwKICAgICAgImFjY2Vzc19yaWdodHMiOiBbCiAgICAgICAgInJlYWQiLAogICAgICAgICJjcmVhdGUiLAogICAgICAgICJ1cGRhdGUiLAogICAgICAgICJkZWxldGUiCiAgICAgIF0KICAgIH0sCiAgICB7CiAgICAgICJncm91cCI6ICJHcm91cHMiLAogICAgICAiYWNjZXNzX3JpZ2h0cyI6IFsKICAgICAgICAicmVhZCIsCiAgICAgICAgImNyZWF0ZSIsCiAgICAgICAgInVwZGF0ZSIsCiAgICAgICAgImRlbGV0ZSIKICAgICAgXQogICAgfQogIF0KfQ==" + +# The secret for the above defined bootstrap API Key. +# This must be at least 64 alphanumeric characters long. +# You will be able to use that key afterwards with setting +# the `Authorization` header: +# +# `Authorization: API-Key $` +#BOOTSTRAP_API_KEY_SECRET=twUA2M7RZ8H3FyJHbti2AcMADPDCxDqUKbvi8FDnm3nYidwQx57Wfv6iaVTQynMh + +##################################### +############# CLUSTER ############### +##################################### + +# Can be set to 'k8s' to try to split off the node id from the hostname +# when Hiqlite is running as a StatefulSet inside Kubernetes. +#HQL_NODE_ID_FROM=k8s + +# The node id must exist in the nodes and there must always be +# at least a node with ID 1 +# Will be ignored if `HQL_NODE_ID_FROM=k8s` +HQL_NODE_ID=1 + +# All cluster member nodes. +# To make setting the env var easy, the values are separated by `\s` +# while nodes are separated by `\n` +# in the following format: +# +# id addr_raft addr_api +# id addr_raft addr_api +# id addr_raft addr_api +# +HQL_NODES=" +1 localhost:8100 localhost:8200 +" + +# Sets the limit when the Raft will trigger the creation of a new +# state machine snapshot and purge all logs that are included in +# the snapshot. +# Higher values can achieve more throughput in very write heavy +# situations but will end up in more disk usage and longer +# snapshot creations / log purges. +# default: 10000 +#HQL_LOGS_UNTIL_SNAPSHOT=10000 + +# Secrets for Raft internal authentication as well as for the API. +# These must be at least 16 characters long and you should provide +# different ones for both variables. +HQL_SECRET_RAFT={{ secret "hql_raft" }} +HQL_SECRET_API={{ secret "hql_api" }} + +# You can either parse `ENC_KEYS` and `ENC_KEY_ACTIVE` from the +# environment with setting this value to `env`, or parse them from +# a file on disk with `file:path/to/enc/keys/file` +# default: env +#HQL_ENC_KEYS_FROM=env + +##################################### +############ DATABASE ############### +##################################### + +# Connection string to connect to a Postgres database. +# This will be ignored as long as `HIQLITE=true`. +# +# Format: 'postgresql://User:PasswordWithoutSpecialCharacters@localhost:5432/DatabaseName' +# +# NOTE: The password in this case should be alphanumeric. +# Special characters could cause problems in the connection string. +# +# CAUTION: To make the automatic migrations work with Postgres 15+, +# when you do not want to just use the `postgres` user, You need +# to have a user with the same name as the DB / schema. For instance, +# the following would work without granting extra access to the +# `public` schema which is disabled by default since PG15: +# database: rauthy +# user: rauthy +# schema: rauthy with owner rauthy +# +#DATABASE_URL=postgresql://rauthy:123SuperSafe@localhost:5432/rauthy + +# Max DB connections for the Postgres pool. +# Irrelevant for Hiqlite. +# default: 20 +#DATABASE_MAX_CONN=20 + +# If specified, the currently configured Database will be +# DELETED and OVERWRITTEN with a migration from the given +# database with this variable. Can be used to migrate between +# different databases. +# To migrate from Hiqlite, use the `sqlite:` prefix. +# +# !!! USE WITH CARE !!! +# +#MIGRATE_DB_FROM=sqlite:data/state_machine/db/hiqlite.db +#MIGRATE_DB_FROM=postgresql://postgres:123SuperSafe@localhost:5432/rauthy + +# Hiqlite is the default database for Rauthy. +# You can opt-out and use Postgres instead by setting the proper +# `DATABASE_URL=postgresql://...` by setting `HIQLITE=false` +# default: true +#HIQLITE=true + +# The data dir hiqlite will store raft logs and state machine data in. +# default: data +#HQL_DATA_DIR=data + +# The file name of the SQLite database in the state machine folder. +# default: hiqlite.db +#HQL_FILENAME_DB=hiqlite.db + +# If set to `true`, all SQL statements will be logged for debugging +# purposes. +# default: false +#HQL_LOG_STATEMENTS=false + +# The size of the pooled connections for local database reads. +# +# Do not confuse this with a pool size for network databases, as it +# is much more efficient. You can't really translate between them, +# because it depends on many things, but assuming a factor of 10 is +# a good start. This means, if you needed a (read) pool size of 40 +# connections for something like a postgres before, you should start +# at a `read_pool_size` of 4. +# +# Keep in mind that this pool is only used for reads and writes will +# travel through the Raft and have their own dedicated connection. +# +# default: 4 +#HQL_READ_POOL_SIZE=4 + +# Enables immediate flush + sync to disk after each Log Store Batch. +# The situations where you would need this are very rare, and you +# should use it with care. +# +# The default is `false`, and a flush + sync will be done in 200ms +# intervals. Even if the application should crash, the OS will take +# care of flushing left-over buffers to disk and no data will get +# lost. Only if something worse happens, you might lose the last +# 200ms of commits. +# +# The only situation where you might want to enable this option is +# when you are on a host that might lose power out of nowhere, and +# it has no backup battery, or when your OS / disk itself is unstable. +# +# `sync_immediate` will greatly reduce the write throughput and put +# a lot more pressure on the disk. If you have lots of writes, it +# can pretty quickly kill your SSD for instance. +#HQL_SYNC_IMMEDIATE=false + +# The password for the Hiqlite dashboard as Argon2ID hash. +# '123SuperMegaSafe' in this example +#HQL_PASSWORD_DASHBOARD=JGFyZ29uMmlkJHY9MTkkbT0zMix0PTIscD0xJE9FbFZURnAwU0V0bFJ6ZFBlSEZDT0EkTklCN0txTy8vanB4WFE5bUdCaVM2SlhraEpwaWVYOFRUNW5qdG9wcXkzQQ== + +# Defines the time in seconds after which the `/health` endpoint +# includes HA quorum checks. The initial delay solves problems +# like Kubernetes StatefulSet starts that include the health +# endpoint in the scheduling routine. In these cases, the scheduler +# will not start other Pods if the first does not become healthy. +# +# This is a chicken-and-egg problem which the delay solves. +# There is usually no need to adjust this value. +# +# default: 30 +#HEALTH_CHECK_DELAY_SECS=30 + +# Disables the housekeeping schedulers (default: false) +#SCHED_DISABLE=true + +# The interval in minutes in which the scheduler for expired +# users should run. If this finds expired users, it invalidates +# all existing sessions and refresh tokens for this user. +# default: 60 +#SCHED_USER_EXP_MINS=60 + +# The threshold in minutes after which time the user expiry +# scheduler should automatically clean up expired users. +# If not set at all, expired users will never be cleaned up +# automatically. +# default: disabled / not set +#SCHED_USER_EXP_DELETE_MINS=7200 + +##################################### +######### DEVICE GRANT ############## +##################################### + +# The lifetime in secods of auth codes for the Device Authorization +# Grant flow. You may increase the default of 300 seconds, if you have +# "slow users" and they are simply not fast enough with the verification. +# default: 300 +#DEVICE_GRANT_CODE_LIFETIME=300 + +# The length of the `user_code` the user has to enter manually for +# auth request validation. This must be < 64 characters. +# default: 8 +#DEVICE_GRANT_USER_CODE_LENGTH=8 + +# Specifies the rate-limit in seconds per IP for starting new Device +# Authorization Grant flows. This is especially important for public +# clients, because a code request for this flow will actually create +# cached data. If this would happen on an unrestricted, open endpoint, +# the application could easily be DoS'ed. +# If you use the `device_code` grant with confidential clients only, +# you can leave this unset, which will not rate-limit the endpoint. +# default: not set +#DEVICE_GRANT_RATE_LIMIT=1 + +# The interval in seconds which devices are told to use when they +# poll the token endpoint during Device Authorization Grant flow. +# default: 5 +#DEVICE_GRANT_POLL_INTERVAL=5 + +# You can define a global lifetime in hours for refresh tokens issued +# from a Device Authorization Grant flow. You might want to have a +# higher lifetime than normal refresh tokens, because they might be +# used in IoT devices which may be offline for longer periods of time. +# default: 72 +#DEVICE_GRANT_REFRESH_TOKEN_LIFETIME=72 + +##################################### +############## DPOP ################# +##################################### + +# May be set to 'false' to disable forcing the usage of +# DPoP nonce's. +# default: true +#DPOP_FORCE_NONCE=true + +# Lifetime in seconds for DPoP nonces. These are used to +# limit the lifetime of a client's DPoP proof. Do not set +# lower than 30 seconds to avoid too many failed client +# token requests. +# default: 900 +#DPOP_NONCE_EXP=900 + +##################################### +########## DYNAMIC CLIENTS ########## +##################################### + +# If set to `true`, dynamic client registration will be enabled. +# Only activate this, if you really need it and you know, what +# you are doing. The dynamic client registration without further +# restriction will allow anyone to register new clients, even +# bots and spammers, and this may create security issues, if not +# handled properly and your users just login blindly to any client +# they get redirected to. +# default: false +#ENABLE_DYN_CLIENT_REG=false + +# If specified, this secret token will be expected during +# dynamic client registrations to be given as a +# `Bearer ` token. Needs to be communicated +# in advance. +# default: +#DYN_CLIENT_REG_TOKEN= + +# The default token lifetime in seconds for a dynamic client, +# that will be set during the registration. +# This value can be modified manually after registration via +# the Admin UI like for any other client. +# default: 1800 +#DYN_CLIENT_DEFAULT_TOKEN_LIFETIME=1800 + +# If set to 'true', client secret and registration token will be +# automatically rotated each time a dynamic client updates itself +# via the PUT endpoint. This is the only way that secret rotation +# could be automated safely. +# However, this is not mandatory by RFC and it may lead to errors, +# if the dynamic clients are not implemented properly to check for +# and update their secrets after they have done a request. +# If you get into secret-problems with dynamic clients, you should +# update the client to check for new secrets, if this is under your +# control. If you cannot do anything about it, you might set this +# value to 'false' to disable secret rotation. +# default: true +#DYN_CLIENT_SECRET_AUTO_ROTATE=true + +# This scheduler will be running in the background, if +# `ENABLE_DYN_CLIENT_REG=true`. It will auto-delete dynamic clients, +# that have been registered and not been used in the following +# `DYN_CLIENT_CLEANUP_THRES` hours. +# Since a dynamic client should be used right away, this should never +# be a problem with "real" clients, that are not bots or spammers. +# +# The interval is specified in minutes. +# default: 60 +#DYN_CLIENT_CLEANUP_INTERVAL=60 + +# The threshold for newly registered dynamic clients cleanup, if +# not being used within this timeframe. This is a helper to keep +# the database clean, if you are not using any `DYN_CLIENT_REG_TOKEN`. +# The threshold should be specified in minutes. Any client, that has +# not been used within this time after the registration will be +# automatically deleted. +# +# Note: This scheduler will only run, if you have not set any +# `DYN_CLIENT_REG_TOKEN`. +# +# default: 60 +#DYN_CLIENT_CLEANUP_MINUTES=60 + +# The rate-limiter timeout for dynamic client registration. +# This is the timeout in seconds which will prevent an IP from +# registering another dynamic client, if no `DYN_CLIENT_REG_TOKEN` +# is set. With a `DYN_CLIENT_REG_TOKEN`, the rate-limiter will not +# be applied. +# default: 60 +#DYN_CLIENT_RATE_LIMIT_SEC=60 + +{{ if eq (env "SMTP_ENABLED") "1" }} +##################################### +############# E-MAIL ################ +##################################### + +# This contact information will be added to the `rauthy`client +# within the anti lockout rule with each new restart. +RAUTHY_ADMIN_EMAIL="{{ env "ADMIN_EMAIL" }}" + +# Will be used as the prefix for the E-Mail subject for each E-Mail +# that will be sent out to a client. +# This can be used to further customize your deployment. +# default: "Rauthy IAM" +EMAIL_SUB_PREFIX="{{ env "EMAIL_SUB_PREFIX" }}" + +# Rauthy will force TLS and try a downgrade to STARTTLS, if +# TLS fails. It will never allow an unencrypted connection. +# You might want to set `SMTP_DANGER_INSECURE=true` if you +# need this for local dev. +#SMTP_URL= +#SMTP_USERNAME="{{ env "SMTP_USERNAME" }}" +#SMTP_PASSWORD="{{ secret "smtp_password" }}" +# Format: "Rauthy " +# default: "Rauthy " +#SMTP_FROM="{{ env "SMTP_FROM" }}" + +# The number of retries that should be done for connecting to +# the given SMTP_URL. +# When these retries are exceeded without success, Rauthy will +# panic and exit, so no E-Mail can get lost silently because of +# a missing SMTP connection. +# default: 3 +#SMTP_CONNECT_RETRIES=3 + +# You can set this to `true` to allow an unencrypted and +# unauthenticated SMTP connection to an SMTP relay on your localhost +# or for development purposes. +# When set to `true`, `SMTP_USERNAME` and `SMTP_PASSWORD` will be +# ignored and you can modify the target port with +# `SMTP_DANGER_INSECURE_PORT`. +# default: false +#SMTP_DANGER_INSECURE=false + +# The port for an insecure SMTP relay. +# This will most likely be used for testing only. +# It will only be taken into account if `SMTP_DANGER_INSECURE=true` is set. +# default: 1025 +#SMTP_DANGER_INSECURE_PORT=1025 +{{ end }} + +##################################### +###### ENCRYPTION / HASHING ######### +##################################### + +# You need to define at least one valid encryption key. +# These keys are used in various places, like for instance +# encrypting confidential client secrets in the database, or +# encryption cookies, and so on. +# +# The format must match: +# ENC_KEYS=" +# q6u26onRvXVG4427/M0NFQzhSSldCY01rckJNa1JYZ3g2NUFtSnNOVGdoU0E= +# bVCyTsGaggVy5yqQ/UzluN29DZW41M3hTSkx6Y3NtZmRuQkR2TnJxUTYzcjQ= +# " +# +# The first part until the first `/` is the key ID. +# The ID must match '[a-zA-Z0-9]{2,20}' +# +# The key itself begins after the first `/` has been found. +# The key must be exactly 32 bytes long, encoded as base64. +# +# You can find a more detailed explanation on how to generate +# keys in the documentation: +# 1. https://sebadob.github.io/rauthy/getting_started/k8s.html#create-and-apply-secrets +# 2. https://sebadob.github.io/rauthy/config/encryption.html +# +# You can provide multiple keys to make things like key +# rotation work. Be careful with removing old keys. Make sure +# that all secrets have been migrated beforehand. +# You can find a utility in the Admin UI to do this for you. +# +ENC_KEYS=" +{{ secret "enc_keys" }} +" + +# This identifies the key ID from the `ENC_KEYS` list, that +# should actively be used for new encryptions. +ENC_KEY_ACTIVE="{{ env "ENC_KEY_ACTIVE" }}" + +# Argon2ID hashing parameters. Take a look at the documentation +# for more information: +# https://sebadob.github.io/rauthy/config/argon2.html +# M_COST should never be below 32768 in production +ARGON2_M_COST=131072 +# T_COST must be greater than 0 +ARGON2_T_COST=4 +# P_COST should never be below 2 in production +ARGON2_P_COST=8 + +# Limits the maximum amount of parallel password hashes at +# the exact same time to never exceed system memory while +# still allowing a good amount of memory for the argon2id +# algorithm (default: 2) +# +# CAUTION: You must make sure, that you have at least +# (MAX_HASH_THREADS * ARGON2_M_COST / 1024) + idle memory +# of your deployment available +MAX_HASH_THREADS=1 + +# The time in ms when to log a warning, if a request waited +# longer than this time. This is an indicator, that you have +# more concurrent logins than allowed and may need config +# adjustments, +# if this happens more often. (default: 500) +#HASH_AWAIT_WARN_TIME=500 + +# JWKS auto rotate cronjob. This will (by default) rotate +# all JWKs every 1. day of the month. If you need smaller +# intervals, you may adjust this value. For security reasons, +# you cannot fully disable it. +# In a HA deployment, this job will only be executed on the +# current cache leader at that time. +# Format: "sec min hour day_of_month month day_of_week year" +# default: "0 30 3 1 * * *" +#JWK_AUTOROTATE_CRON="0 30 3 1 * * *" + +##################################### +####### EPHEMERAL CLIENTS ########### +##################################### + +# Can be set to 'true' to allow the dynamic client lookup via URLs as +# 'client_id's during authorization_code flow initiation. +# default: false +#ENABLE_EPHEMERAL_CLIENTS=false + +# Can be set to 'true' to enable WebID functionality like needed +# for things like Solid OIDC. +# default: false +#ENABLE_WEB_ID=false + +# If set to 'true', 'solid' will be added to the 'aud' claim from the ID token +# for ephemeral clients. +# default: false +#ENABLE_SOLID_AUD=false + +# If set to 'true', MFA / Passkeys will be forced for ephemeral clients. +# default: false +#EPHEMERAL_CLIENTS_FORCE_MFA=false + +# The allowed flows separated by ' ' for ephemeral clients. +# default: "authorization_code" +#EPHEMERAL_CLIENTS_ALLOWED_FLOWS="authorization_code refresh_token" + +# The allowed scopes separated by ' ' for ephemeral clients. +# default: "openid profile email webid" +#EPHEMERAL_CLIENTS_ALLOWED_SCOPES="openid profile email webid" + +# The lifetime in seconds ephemeral clients will be kept inside the cache. +# default: 3600 +#EPHEMERAL_CLIENTS_CACHE_LIFETIME=3600 + +##################################### +######### EVENTS / AUDIT ############ +##################################### + +# The E-Mail address event notifications should be sent to. +#EVENT_EMAIL=admin@localhost.de + +# Matrix variables for event notifications. +# `EVENT_MATRIX_USER_ID` and `EVENT_MATRIX_ROOM_ID` are mandatory. +# Depending on your Matrix setup, additionally one of +# `EVENT_MATRIX_ACCESS_TOKEN` or `EVENT_MATRIX_USER_PASSWORD` is needed. +# If you log in to Matrix with User + Password, you may use `EVENT_MATRIX_USER_PASSWORD`. +# If you log in via OIDC SSO (or just want to use a session token you can revoke), +# you should provide `EVENT_MATRIX_ACCESS_TOKEN`. +# If both are given, the `EVENT_MATRIX_ACCESS_TOKEN` will be preferred. +# +# If left empty, no messages will not be sent to Matrix. +# Format: `@:` +#EVENT_MATRIX_USER_ID= +# Format: `!:` +#EVENT_MATRIX_ROOM_ID= +#EVENT_MATRIX_ACCESS_TOKEN= +#EVENT_MATRIX_USER_PASSWORD= +# URL of your Matrix server. +# default: https://matrix.org +#EVENT_MATRIX_SERVER_URL=https://matrix.org +# Optional path to a PEM Root CA certificate file for the Matrix client. +#EVENT_MATRIX_ROOT_CA_PATH=path/to/my/root_ca_cert.pem +# May be set to disable the TLS validation for the Matrix client. +# default: false +#EVENT_MATRIX_DANGER_DISABLE_TLS_VALIDATION=false +# The default behavior is, that Rauthy will panic at startup if it cannot connect +# to a configured Matrix server. The reason is that event notifications cannot be +# dropped silently. +# However, if you use a self-hosted Matrix server which uses Rauthy as its OIDC +# provider and both instances went offline, you will have a chicken and egg problem: +# - Rauthy cannot connect to Matrix and will panic +# - Your Matrix server cannot connect to Rauthy and will panic +# To solve this issue, you can temporarily set this value to 'true' and revert +# back, after the system is online again. +# default: false +#EVENT_MATRIX_ERROR_NO_PANIC=false + +# The Webhook for Slack Notifications. +# If left empty, no messages will be sent to Slack. +#EVENT_SLACK_WEBHOOK= + +# The notification level for events. Works the same way as a logging level. +# For instance: 'notice' means send out a notifications for all events with +# the notice level or higher. +# Possible values: +# - info +# - notice +# - warning +# - critical +# +# default: 'warning' +EVENT_NOTIFY_LEVEL_EMAIL=warning +# default: 'notice' +EVENT_NOTIFY_LEVEL_MATRIX=notice +# default: 'notice' +EVENT_NOTIFY_LEVEL_SLACK=notice + +# Define the level from which on events should be persisted inside the +# database. All events with a lower level will be lost, if there is no +# active event subscriber. +# Possible values: +# - info +# - notice +# - warning +# - critical +# default: 'info' +#EVENT_PERSIST_LEVEL=info + +# Define the number of days when events should be cleaned up from the database. +# default: 31 +#EVENT_CLEANUP_DAYS=31 + +# The level for the generated Event after a new user has been registered. +# default: info +EVENT_LEVEL_NEW_USER=info +# The level for the generated Event after a user has changed his E-Mail +# default: notice +EVENT_LEVEL_USER_EMAIL_CHANGE=notice +# The level for the generated Event after a user has reset its password +# default: notice +EVENT_LEVEL_USER_PASSWORD_RESET=notice +# The level for the generated Event after a user has been given the +# 'rauthy_admin' role +# default: notice +EVENT_LEVEL_RAUTHY_ADMIN=notice +# The level for the generated Event after a new App version has been found +# default: notice +EVENT_LEVEL_RAUTHY_VERSION=notice +# The level for the generated Event after the JWKS has been rotated +# default: notice +EVENT_LEVEL_JWKS_ROTATE=notice +# The level for the generated Event after DB secrets have been migrated +# to a new key +# default: notice +EVENT_LEVEL_SECRETS_MIGRATED=notice +# The level for the generated Event after a Rauthy instance has been +# started +# default: info +EVENT_LEVEL_RAUTHY_START=info +# The level for the generated Event after a Rauthy entered a healthy +# state (again) +# default: notice +EVENT_LEVEL_RAUTHY_HEALTHY=notice +# The level for the generated Event after a Rauthy entered an unhealthy +#state +# default: critical +EVENT_LEVEL_RAUTHY_UNHEALTHY=critical +# The level for the generated Event after an IP has been blacklisted +# default: warning +EVENT_LEVEL_IP_BLACKLISTED=warning +# The level for the generated Event after certain amounts of false +# logins from an IP +# default: critical +EVENT_LEVEL_FAILED_LOGINS_25=critical +# default: critical +EVENT_LEVEL_FAILED_LOGINS_20=critical +# default: warning +EVENT_LEVEL_FAILED_LOGINS_15=warning +# default: warning +EVENT_LEVEL_FAILED_LOGINS_10=warning +# default: notice +EVENT_LEVEL_FAILED_LOGINS_7=notice +# default: info +EVENT_LEVEL_FAILED_LOGIN=info + +# If set to 'true', it will disable the app version checker. +# This is a scheduled task that looks up the latest version periodically +# by doing a request to the Github API to check the latest release. +# This ignores any type of prerelease and will only notify for a new stable. +# default: false +#DISABLE_APP_VERSION_CHECK=false + +##################################### +############## FED CM ############### +##################################### + +## CAUTION: The FedCM is highly experimental at this point! +## Do not attempt to use it in production because it is subject to change +## in the future! The spec is currently a draft and under active development. + +# Set to `true` to enable the experimental FedCM. +# default: false +#EXPERIMENTAL_FED_CM_ENABLE=false + +# Session lifetime for FedCM in seconds - the session can not be extended +# beyond this time and a new login will be forced. +# default: 2592000 +#SESSION_LIFETIME_FED_CM=2592000 + +# Session timeout for FedCM in seconds +# When a new token / login is requested before this timeout hits the limit, +# the user will be authenticated without prompting for the credentials again. +# This is the value which can extend the session, until it hits its maximum +# lifetime set with _FED_CM. +# default: 259200 +#SESSION_TIMEOUT_FED_CM=259200 + +##################################### +############### I18n ################ +##################################### + +# Can be set to filter the languages to show in the UI. +# If not set, all available i18n translations will be +# show in the language selector. +# To show only specific ones, provide them here as a +# space-separated value. +# +# Languages for all user-facing pages. +# Available Options: en de zhhans ko +#FILTER_LANG_COMMON="en de zhhans ko" +# Languages for the Admin UI. +# Available Options: en de ko +#FILTER_LANG_ADMIN="en de ko" + +##################################### +####### LIFETIMES / TIMEOUTS ######## +##################################### + +# Set the grace time in seconds for how long in seconds the +# refresh token should still be valid after usage. Keep this +# value small, but do not set it to 0 with an HA deployment +# to not get issues with small HA cache latencies. +# +# If you have an external client, which does concurrent +# requests, from which the request interceptor wants to refresh +# the token, you may have multiple hits on the endpoint and all +# of them should be valid. +# +# Caching is done on the endpoint itself, but grace time of 0 +# will only be good for a single instance of rauthy. +# default: 5 +#REFRESH_TOKEN_GRACE_TIME=5 + +# Session lifetime in seconds - the session can not be +# extended beyond this time and a new login will be forced. +# This is the session for the authorization code flow. +# default: 14400 +#SESSION_LIFETIME=14400 + +# If 'true', a 2FA / MFA check will be done with each automatic +# token generation, even with an active session, which kind of +# makes the session useless with Webauthn enabled, but provides +# maximum amount of security. +# If 'false', the user will not get an MFA prompt with an active +# session at the authorization endpoint. +# default: false +#SESSION_RENEW_MFA=false + +# Session timeout in seconds +# When a new token / login is requested before this timeout hits +# the limit, the user will be authenticated without prompting for +# the credentials again. +# This is the value which can extend the session, until it hits +# its maximum lifetime set with SESSION_LIFETIME. +# default: 5400 +#SESSION_TIMEOUT=5400 + +# ML: magic link +# LT: lifetime +# Lifetime in minutes for reset password magic links (default: 30) +#ML_LT_PWD_RESET=30 + +# Lifetime in minutes for the first password magic link, for +# setting the initial password. (default: 4320) +#ML_LT_PWD_FIRST=4320 + +##################################### +############# LOGGING ############### +##################################### + +# This is the log level for stdout logs +# Accepts: error, info, debug, trace (default: info) +#LOG_LEVEL=info + +# The log level for the `Hiqlite` persistence layer. +# default: info +LOG_LEVEL_DATABASE=info + +# This is a special config which allows the configuration of +# customized access logs. These logs will be logged with each +# request in addition to the normal LOG_LEVEL logs. +# The following values are valid: +# - Debug +# CAUTION: The Debug setting logs every information available +# to the middleware which includes SENSITIVE HEADERS +# DO NOT use the Debug level in a working production environment! +# - Verbose +# Verbose logging without headers - generates huge outputs +# - Basic +# Logs access to all endpoints apart from the Frontend ones +# which all js, css, ... +# - Modifying +# Logs only requests to modifying endpoints and skips all GET +# - Off +# default: Modifying +#LOG_LEVEL_ACCESS=Basic + +# You can change the log output format to JSON, if you set: +# `LOG_FMT=json`. +# Keep in mind, that some logs will include escaped values, +# for instance when `Text` already logs a JSON in debug level. +# Some other logs like an Event for instance will be formatted +# as Text anyway. If you need to auto-parse events, please consider +# using an API token and listen ot them actively. +# default: text +#LOG_FMT=text + +##################################### +################ MFA ################ +##################################### + +# If 'true', MFA for an account must be enabled to access the +# rauthy admin UI (default: true) +ADMIN_FORCE_MFA={{ env "ADMIN_FORCE_MFA" }} + +##################################### +############## POW ################# +##################################### + +# The difficulty for a Proof-of-Work (PoW). +# The default is 20, which is reasonable for modern processors. +# This is currently only used for the user registration via UI. +# The value must be between 10 and 99. +# default: 20 +POW_DIFFICULTY=20 + +# The expiration duration in seconds for a PoW +# default: 30 +POW_EXP=30 + +##################################### +############# SERVER ################ +##################################### + +# The server address to listen on. Can bind to a specific IP. +# default: 0.0.0.0 +#LISTEN_ADDRESS=0.0.0.0 + +# The listen ports for HTTP / HTTPS, depending on the +# activated 'LISTEN_SCHEME' +# default: 8080 +#LISTEN_PORT_HTTP=8080 +# default: 8443 +#LISTEN_PORT_HTTPS=8443 + +# The scheme to use locally, valid values: +# http | https | http_https | unix_http | unix_https (default: http_https) +# For more details about the UNIX domain socket, check out its documentation page. +LISTEN_SCHEME=http + +# The Public URL of the whole deployment +# The LISTEN_SCHEME + PUB_URL must match the HTTP ORIGIN +# HEADER later on, which is especially important when running +# rauthy behind a reverse proxy. In case of a non-standard +# port (80/443), you need to add the port to the PUB_URL +PUB_URL={{ env "DOMAIN" }} + +# default value: number of available physical cores +#HTTP_WORKERS=1 + +# When rauthy is running behind a reverse proxy, set to true +# default: false +PROXY_MODE=true + +# A `\n` separated list of trusted proxy CIDRs. +# When `PROXY_MODE=true` or `PEER_IP_HEADER_NAME` is set, +# these are mandatory to be able to extract the real client +# IP properly and safely to prevent IP header spoofing. +# All requests with a different source will be blocked. +TRUSTED_PROXIES=" +127.0.0.1 +172.16.0.0/12 +10.0.0.0/8 +" + +# To bring support for applications using deep-linking, you can set custom URL +# schemes to be accepted when present in the `Origin` header. For instance, a +# Tauri app would set `tauri://` instead of `https://`. +# +# Provide the value as a space separated list of Strings, like for instance: +# "tauri myapp" +#ADDITIONAL_ALLOWED_ORIGIN_SCHEMES="tauri myapp" + +# To enable or disable the additional HTTP server to expose the /metrics endpoint +# default: true +METRICS_ENABLE=false + +# The IP address to listen on for the /metrics endpoint. +# You do not want to expose your metrics on a publicly reachable endpoint! +# default: 0.0.0.0 +#METRICS_ADDR=0.0.0.0 + +# The post to listen on for the /metrics endpoint. +# You do not want to expose your metrics on a publicly reachable endpoint! +# default: 9090 +#METRICS_PORT=9090 + +# If the Swagger UI should be served together with the /metrics route on the internal +# server. It it then reachable via: +# http://METRICS_ADDR:METRICS_PORT/docs/v1/swagger-ui/ +# default: true +#SWAGGER_UI_INTERNAL=true + +# If the Swagger UI should be served externally as well. This makes the link in the +# Admin UI work. +# +# CAUTION: The Swagger UI is open and does not require any login to be seen! +# Rauthy is open source, which means anyone could just download it and see on their +# own, but it may be a security concern to just expose less information. +# default: false +#SWAGGER_UI_EXTERNAL=false + +# The interval in seconds in which keep-alives should be sent to SSE clients. +# Depending on your network setup, proxy timeouts, ... +# you may adjust this value to fit your needs. +# default: 30 +#SSE_KEEP_ALIVE=30 + +##################################### +############ TEMPLATES ############## +##################################### + +# You can overwrite some default email templating values here. +# If you want to modify the basic templates themselves, this is +# currently only possible with a custom build from source. +# The content however can mostly be set here. +# If the below values are not set, the default will be taken. + +# New Password E-Mail +#TPL_EN_PASSWORD_NEW_SUBJECT="New Password" +#TPL_EN_PASSWORD_NEW_HEADER="New password for" +#TPL_EN_PASSWORD_NEW_TEXT="" +#TPL_EN_PASSWORD_NEW_CLICK_LINK="Click the link below to get forwarded to the password form." +#TPL_EN_PASSWORD_NEW_VALIDITY="This link is only valid for a short period of time for security reasons." +#TPL_EN_PASSWORD_NEW_EXPIRES="Link expires:" +#TPL_EN_PASSWORD_NEW_BUTTON="Set Password" +#TPL_EN_PASSWORD_NEW_FOOTER="" + +#TPL_DE_PASSWORD_NEW_SUBJECT="Passwort Reset angefordert" +#TPL_DE_PASSWORD_NEW_HEADER="Passwort Reset angefordert für" +#TPL_DE_PASSWORD_NEW_TEXT="" +#TPL_DE_PASSWORD_NEW_CLICK_LINK="Klicken Sie auf den unten stehenden Link für den Passwort Reset." +#TPL_DE_PASSWORD_NEW_VALIDITY="Dieser Link ist aus Sicherheitsgründen nur für kurze Zeit gültig." +#TPL_DE_PASSWORD_NEW_EXPIRES="Link gültig bis:" +#TPL_DE_PASSWORD_NEW_BUTTON="Passwort Setzen" +#TPL_DE_PASSWORD_NEW_FOOTER="" + +# Password Reset E-Mail +#TPL_EN_RESET_SUBJECT="Password Reset Request" +#TPL_EN_RESET_HEADER="Password reset request for" +#TPL_EN_RESET_TEXT="" +#TPL_EN_RESET_CLICK_LINK="Click the link below to get forwarded to the password request form." +#TPL_EN_RESET_VALIDITY="This link is only valid for a short period of time for security reasons." +#TPL_EN_RESET_EXPIRES="Link expires:" +#TPL_EN_RESET_BUTTON="Reset Password" +#TPL_EN_RESET_FOOTER="" + +#TPL_DE_RESET_SUBJECT="Passwort Reset angefordert" +#TPL_DE_RESET_HEADER="Passwort Reset angefordert für" +#TPL_DE_RESET_TEXT="" +#TPL_DE_RESET_CLICK_LINK="Klicken Sie auf den unten stehenden Link für den Passwort Reset." +#TPL_DE_RESET_VALIDITY="Dieser Link ist aus Sicherheitsgründen nur für kurze Zeit gültig." +#TPL_DE_RESET_EXPIRES="Link gültig bis:" +#TPL_DE_RESET_BUTTON="Passwort Zurücksetzen" +#TPL_DE_RESET_FOOTER="" + +##################################### +############### TLS ################# +##################################### + +## UI + API TLS + +# Overwrite the path to the TLS certificate file in PEM +# format for rauthy (default: tls/tls.crt) +#TLS_CERT=tls/tls.crt +# Overwrite the path to the TLS private key file in PEM +# format for rauthy. If the path / filename ends with +# '.der', rauthy will parse it as DER, otherwise as PEM. +# (default: tls/tls.key) +#TLS_KEY=tls/tls.key + +## Database / Cache internal TLS + +# If given, these keys / certificates will be used to establish +# TLS connections between nodes. +HQL_TLS_RAFT_KEY=tls/key.pem +HQL_TLS_RAFT_CERT=tls/cert-chain.pem +HQL_TLS_RAFT_DANGER_TLS_NO_VERIFY=true + +HQL_TLS_API_KEY=tls/key.pem +HQL_TLS_API_CERT=tls/cert-chain.pem +HQL_TLS_API_DANGER_TLS_NO_VERIFY=true + +##################################### +############# WEBAUTHN ############## +##################################### + +# The 'Relaying Party (RP) ID' - effective domain name +# (default: localhost) +# CAUTION: When this changes, already registered devices will stop +# working and users cannot log in anymore! +RP_ID={{ env "DOMAIN" }} + +# Url containing the effective domain name +# (default: http://localhost:8080) +# CAUTION: Must include the port number! +RP_ORIGIN=https://{{ env "DOMAIN" }}:443 + +# Non critical RP Name +# Has no security properties and may be changed without issues +# (default: Rauthy Webauthn) +RP_NAME='Rauthy Webauthn' + +# The Cache lifetime in seconds for Webauthn requests. Within +# this time, a webauthn request must have been validated. +# (default: 60) +#WEBAUTHN_REQ_EXP=60 + +# The Cache lifetime for additional Webauthn Data like auth +# codes and so on. Should not be lower than WEBAUTHN_REQ_EXP. +# The value is in seconds (default: 90) +#WEBAUTHN_DATA_EXP=90 + +# With webauthn enabled for a user, he needs to enter +# username / password on a new system. If these credentials are +# verified, rauthy will set an additional cookie, which will +# determine how long the user can then use only (safe) MFA +# passwordless webauthn login with yubikeys, apple touch id, +# Windows hello, ... until he needs to verify his credentials +# again. +# Passwordless login is generally much safer than logging in +# with a password. But sometimes it is possible, that the +# Webauthn devices do not force the user to include a second +# factor, which in that case would be a single factor login +# again. That is why we should ask for the original password +# in addition once in a while to set the cookie. +# The value is in hours (default: 2160) +#WEBAUTHN_RENEW_EXP=2160 + +# This feature can be set to 'true' to force User verification +# during the Webauthn ceremony. UV will be true, if the user +# does not only need to verify its presence by touching the key, +# but by also providing proof that he knows (or is) some secret +# via a PIN or biometric key for instance. With UV, we have a +# true MFA scenario where UV == false (user presence only) +# would be a 2FA scenario (with password). Be careful with this +# option, since Android and some special combinations of OS + +# browser to not support UV yet. +# (default: false) +#WEBAUTHN_FORCE_UV=false + +# Can be set to 'true' to disable password expiry for users +# that have at least one active passkey. When set to 'false', +# the same password expiry from the set policy will apply to +# these users as well. +# With this option active, rauthy will ignore any password +# expiry set by the password policy for Webauthn users. +# default: true +#WEBAUTHN_NO_PASSWORD_EXPIRY=true + +##################################### +######### User Pictures ############# +##################################### + +# The storage type for user pictures. +# By default, they are saved inside the Database, which is not ideal. +# If you only have a couple hundred users, this will be fine, but +# anything larger should use an S3 bucket if available. For single +# instance deployments, file storage to local disk is available +# as well, but this must not be used with multi replica / HA +# deployments. +# Images will ba reduced in size to max 192px on the longest side. +# They most often end up between 25 - 40kB in size. +# +# Available options: db file s3 disabled +# Default: db +#PICTURE_STORAGE_TYPE=db + +# If `PICTURE_STORAGE_TYPE=file`, the path where pictures will be +# saved can be changed with this value. +# default: ./pictures +#PICTURE_PATH="./pictures" + +# Access values for the S3 bucket if `PICTURE_STORAGE_TYPE=s3`. +# Not needed otherwise. +#PIC_S3_URL=https://s3.example.com +#PIC_S3_BUCKET=my_bucket +#PIC_S3_REGION=example +#PIC_S3_KEY=s3_key +#PIC_S3_SECRET=s3_secret +# default: true +#PIC_S3_PATH_STYLE=true + +# Set the upload limit for user picture uploads in MB. +# default: 10 +#PICTURE_UPLOAD_LIMIT_MB=10 + +# By default, user pictures can only be fetched with a valid +# session, an API Key with access to Users + Read, or with a +# valid token for this user. However, depending on where and +# how you are using Rauthy for your user management, you may +# want to make user pictures available publicly without any +# authentication. +# +# User Picture URLs are "safe" in a way that you cannot guess +# a valid URL. You will need to know the User ID + the Picture +# ID. Both values are generated cryptographically secure in the +# backend during creation. The Picture ID will also change +# with every new upload. +# +# default: false +#PICTURE_PUBLIC=false diff --git a/release/.git-keep-me b/release/.git-keep-me new file mode 100644 index 0000000..e69de29