The theme to display.

hg.sr.ht's OAuth client id for meta.sr.ht.

The authentication mechanism.

The authentication mechanism.

Principal identifier (email, repo, etc.)

Your Authelia config.yml as a Nix attribute set

man.sr.ht's OAuth client id for meta.sr.ht.

git.sr.ht's OAuth client id for meta.sr.ht.

hub.sr.ht's OAuth client id for meta.sr.ht.

It is recommended you keep your secrets separate from the configuration

todo.sr.ht's OAuth client id for meta.sr.ht.

Level of verbosity for logs.

Path to your JWT secret used during identity verificaton.

Password for basic auth

lists.sr.ht's OAuth client id for meta.sr.ht.

pages.sr.ht's OAuth client id for meta.sr.ht.

paste.sr.ht's OAuth client id for meta.sr.ht.

Public SSH keys that are given full write access to this repository

Authorized clients for a v3 onion service, as a list of public key, in the format:

descriptor:x25519:<base32-public-key>

See torrc manual.

Format the logs are written as.

Configuring authelia's secret files via the secrets attribute set is intended to be convenient and help catch cases where values are required to run at all

Whether to enable LDAP auth.

builds.sr.ht's OAuth client id for meta.sr.ht.

hg.sr.ht's OAuth client secret for meta.sr.ht.

Here you can provide authelia with configuration files or directories

git.sr.ht's OAuth client secret for meta.sr.ht.

hub.sr.ht's OAuth client secret for meta.sr.ht.

man.sr.ht's OAuth client secret for meta.sr.ht.

A list of signing keys for each substitute server to be authorized as a source of substitutes

Whether this is a public client (enforces PKCE, doesn't use a basic secret)

The login method

Path to your HMAC secret used to sign OIDC JWTs.

Basic Auth protection for a vhost

Basic Auth protection for a vhost

Basic Auth protection for a vhost

todo.sr.ht's OAuth client secret for meta.sr.ht.

Maps kanidm groups to returned oauth scopes

The redirect URL of the service

Basic Auth protection for a vhost

The path relative to / for serving resources.

Secrets like SECRET_KEY_BASE and BASIC_AUTH_PASSWORD should be passed to the service without adding them to the world-readable Nix store

Section defining complementary attributes of certification authorities, each in its own subsection with an arbitrary yet unique name

Authentication type to use, see https://api.rubyonrails.org/classes/ActionMailer/Base.html

Adds additional claims (and values) based on which kanidm groups an authenticating party belongs to

Only clients that are listed here are authorized to access the hidden service

lists.sr.ht's OAuth client secret for meta.sr.ht.

paste.sr.ht's OAuth client secret for meta.sr.ht.

pages.sr.ht's OAuth client secret for meta.sr.ht.

The OAuth2 client identifier.

The OAuth2 client identifier.

Defines how users authenticate themselves to the server

Defines how users authenticate themselves to the server

Whether to ensure that this oauth2 resource server is present or absent.

An SSH public key (as an absolute file path or directly as a string), usually generated by rad auth.

Display name

Operate in single user mode, disables all functionality related to multiple users and authentication

User which runs tailscale-nginx-auth

Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node)

The address to listen on.

Public SSH keys that can only be used to append new data (archives) to the repository

Sets the Authorization header on every remote read request with the configured username and password. password and password_file are mutually exclusive.

Basic Auth protection for a vhost

Basic Auth protection for a vhost

Basic Auth protection for a vhost

Basic Auth protection for a vhost

Basic Auth protection for a vhost

builds.sr.ht's OAuth client secret for meta.sr.ht.

Sets the Authorization header on every scrape request with the configured credentials.

Path to your session secret

Optional slot number of the token that stores the certificate.

Kubernetes apiserver authorization policy file

Sets the Authorization header on every remote write request with the configured username and password. password and password_file are mutually exclusive.

Application image to display in the WebUI

Whether authentication is required to access the web app.

Group which runs tailscale-nginx-auth

Absolute path to the certificate to load

Optional PKCS#11 module name.

Path to your private key file used to encrypt OIDC JWTs.

EAP secret section for a specific secret

The basic secret to use for this service

File path where the logs will be written

Determines how multiple values are joined to create the claim value

Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively

Sets the Authorization header on every scrape request with the configured username and password. password and password_file are mutually exclusive.

Basic Auth password file for a vhost

Basic Auth password file for a vhost

Basic Auth password file for a vhost

Identity the EAP/XAuth secret belongs to

When redirecting from the Kanidm Apps Listing page, some linked applications may need to land on a specific page to trigger oauth2/oidc interactions.

Maps kanidm groups to values for the claim.

The username/email in case SMTP auth is enabled.

Basic Auth password file for a vhost

The certificates may use a relative path from the swanctl x509ca directory or an absolute path

Whether to enable tailscale.nginx-auth, to authenticate users via tailscale.

Enable legacy crypto on this client

HTTP username

HTTP password

List of CRL distribution points (ldap, http, or file URI)