| services.authelia.instances.<name>.secrets.oidcHmacSecretFile | Path to your HMAC secret used to sign OIDC JWTs.
|
| services.sourcehut.settings."todo.sr.ht".oauth-client-secret | todo.sr.ht's OAuth client secret for meta.sr.ht.
|
| services.kanidm.provision.systems.oauth2.<name>.scopeMaps | Maps kanidm groups to returned oauth scopes
|
| services.kanidm.provision.systems.oauth2.<name>.originUrl | The redirect URL of the service
|
| services.mailman.ldap.enable | Whether to enable LDAP auth.
|
| services.strongswan-swanctl.swanctl.authorities | Section defining complementary attributes of certification authorities, each in its own subsection with an arbitrary yet unique name
|
| services.kanidm.provision.systems.oauth2.<name>.claimMaps | Adds additional claims (and values) based on which kanidm groups an authenticating party belongs to
|
| services.discourse.mail.outgoing.authentication | Authentication type to use, see https://api.rubyonrails.org/classes/ActionMailer/Base.html
|
| services.tor.relay.onionServices.<name>.authorizeClient.clientNames | Only clients that are listed here are authorized to access the hidden service
|
| services.sourcehut.settings."lists.sr.ht".oauth-client-secret | lists.sr.ht's OAuth client secret for meta.sr.ht.
|
| services.sourcehut.settings."paste.sr.ht".oauth-client-secret | paste.sr.ht's OAuth client secret for meta.sr.ht.
|
| services.sourcehut.settings."pages.sr.ht".oauth-client-secret | pages.sr.ht's OAuth client secret for meta.sr.ht.
|
| services.postgresql.authentication | Defines how users authenticate themselves to the server
|
| services.kanidm.provision.systems.oauth2.<name>.present | Whether to ensure that this oauth2 resource server is present or absent.
|
| services.kanidm.provision.systems.oauth2.<name>.displayName | Display name
|
| services.davis.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.movim.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.slskd.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.kubernetes.apiserver.authorizationMode | Kubernetes apiserver authorization mode (AlwaysAllow/AlwaysDeny/ABAC/Webhook/RBAC/Node)
|
| services.borgbackup.repos.<name>.authorizedKeysAppendOnly | Public SSH keys that can only be used to append new data (archives) to the repository
|
| services.prometheus.remoteRead.*.basic_auth | Sets the Authorization header on every remote read request with the configured username and password. password and password_file are mutually exclusive.
|
| services.authelia.instances.<name>.settings.server.address | The address to listen on.
|
| services.sourcehut.settings."builds.sr.ht".oauth-client-secret | builds.sr.ht's OAuth client secret for meta.sr.ht.
|
| services.snipe-it.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.keycloak.settings.http-relative-path | The path relative to / for serving resources. In versions of Keycloak using Wildfly (<17), this defaulted to /auth
|
| services.pinchflat.secretsFile | Secrets like SECRET_KEY_BASE and BASIC_AUTH_PASSWORD should be passed to the service without adding them to the world-readable Nix store
|
| services.authelia.instances.<name>.secrets.sessionSecretFile | Path to your session secret
|
| services.prometheus.scrapeConfigs.*.authorization | Sets the Authorization header on every scrape request with the configured credentials.
|
| services.strongswan-swanctl.swanctl.authorities.<name>.slot | Optional slot number of the token that stores the certificate.
|
| services.radicle.publicKey | An SSH public key (as an absolute file path or directly as a string), usually generated by rad auth.
|
| services.kubernetes.apiserver.authorizationPolicy | Kubernetes apiserver authorization policy file
|
| services.kanidm.provision.systems.oauth2.<name>.imageFile | Application image to display in the WebUI
|
| services.prometheus.remoteWrite.*.basic_auth | Sets the Authorization header on every remote write request with the configured username and password. password and password_file are mutually exclusive.
|
| services.oncall.settings.db.conn.require_auth | Whether authentication is required to access the web app.
|
| services.tt-rss.singleUserMode | Operate in single user mode, disables all functionality related to multiple users and authentication
|
| services.tailscaleAuth.user | User which runs tailscale-nginx-auth
|
| services.strongswan-swanctl.swanctl.authorities.<name>.file | Absolute path to the certificate to load
|
| services.gancio.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.fluidd.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.akkoma.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.monica.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.matomo.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.strongswan-swanctl.swanctl.authorities.<name>.module | Optional PKCS#11 module name.
|
| services.authelia.instances.<name>.secrets.oidcIssuerPrivateKeyFile | Path to your private key file used to encrypt OIDC JWTs.
|
| services.strongswan-swanctl.swanctl.secrets.xauth | EAP secret section for a specific secret
|
| services.kanidm.provision.systems.oauth2.<name>.basicSecretFile | The basic secret to use for this service
|
| services.kanidm.provision.systems.oauth2.<name>.claimMaps.<name>.joinType | Determines how multiple values are joined to create the claim value
|
| services.authelia.instances.<name>.settings.log.file_path | File path where the logs will be written
|
| services.tailscaleAuth.group | Group which runs tailscale-nginx-auth
|
| services.prometheus.scrapeConfigs.*.basic_auth | Sets the Authorization header on every scrape request with the configured username and password. password and password_file are mutually exclusive.
|
| services.strongswan-swanctl.swanctl.authorities.<name>.handle | Hex-encoded CKA_ID or handle of the certificate on a token or TPM, respectively
|
| services.strongswan-swanctl.swanctl.secrets.xauth.<name>.id | Identity the EAP/XAuth secret belongs to
|
| services.kanidm.provision.systems.oauth2.<name>.originLanding | When redirecting from the Kanidm Apps Listing page, some linked applications may need to land on a specific page to trigger oauth2/oidc interactions.
|
| services.kanidm.provision.systems.oauth2.<name>.claimMaps.<name>.valuesByGroup | Maps kanidm groups to values for the claim.
|
| services.strongswan-swanctl.swanctl.authorities.<name>.cacert | The certificates may use a relative path from the swanctl x509ca directory or an absolute path
|
| services.kanidm.provision.systems.oauth2.<name>.enableLegacyCrypto | Enable legacy crypto on this client
|
| services.prometheus.remoteRead.*.basic_auth.username | HTTP username
|
| services.prometheus.remoteRead.*.basic_auth.password | HTTP password
|
| services.strongswan-swanctl.swanctl.authorities.<name>.crl_uris | List of CRL distribution points (ldap, http, or file URI)
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saeAddToMacAllow | If set, all sae password entries that have a non-wildcard MAC associated to them will additionally be used to populate the MAC allow list
|
| services.davis.nginx.basicAuthFile | Basic Auth password file for a vhost
|
| services.movim.nginx.basicAuthFile | Basic Auth password file for a vhost
|
| services.slskd.nginx.basicAuthFile | Basic Auth password file for a vhost
|
| services.prometheus.remoteWrite.*.basic_auth.password | HTTP password
|
| services.prometheus.remoteWrite.*.basic_auth.username | HTTP username
|
| services.kanidm.provision.systems.oauth2.<name>.preferShortUsername | Use 'name' instead of 'spn' in the preferred_username claim
|
| services.plausible.mail.smtp.user | The username/email in case SMTP auth is enabled.
|
| services.snipe-it.nginx.basicAuthFile | Basic Auth password file for a vhost
|
| services.strongswan-swanctl.swanctl.authorities.<name>.ocsp_uris | List of OCSP URIs
|
| services.prometheus.scrapeConfigs.*.azure_sd_configs.*.authentication_method | The authentication method, either OAuth or ManagedIdentity
|
| services.tailscaleAuth.enable | Whether to enable tailscale.nginx-auth, to authenticate users via tailscale.
|
| services.authelia.instances.<name>.settings.log.keep_stdout | Whether to also log to stdout when a file_path is defined.
|
| services.gitlab-runner.services.<name>.authenticationTokenConfigFile | Absolute path to a file containing environment variables used for gitlab-runner registrations with runner authentication tokens
|
| services.draupnir.secrets.web.synapseHTTPAntispam.authorization | File containing the secret token when using the Synapse HTTP Antispam module to be used in place of services.draupnir.settings.web.synapseHTTPAntispam.authorization
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.readPermissions | The read permissions to include for this token
|
| services.authelia.instances.<name>.secrets.storageEncryptionKeyFile | Path to your storage encryption key.
|
| services.influxdb2.provision.organizations.<name>.auths.<name>.writePermissions | The write permissions to include for this token
|
| services.kanidm.provision.systems.oauth2.<name>.removeOrphanedClaimMaps | Whether claim maps not specified here but present in kanidm should be removed from kanidm.
|
| services.nextcloud.settings.mail_smtpauth | This depends on mail_smtpmode
|
| services.strongswan-swanctl.swanctl.secrets.xauth.<name>.secret | Value of the EAP/XAuth secret
|
| services.librenms.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.agorakit.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.cachix-watch-store.cachixTokenFile | Required file that needs to contain the cachix auth token.
|
| services.fluidd.nginx.basicAuthFile | Basic Auth password file for a vhost
|
| services.akkoma.nginx.basicAuthFile | Basic Auth password file for a vhost
|
| services.gancio.nginx.basicAuthFile | Basic Auth password file for a vhost
|
| services.dolibarr.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.kanboard.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.fediwall.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.matomo.nginx.basicAuthFile | Basic Auth password file for a vhost
|
| services.tailscaleAuth.package | The tailscale-nginx-auth package to use.
|
| services.mainsail.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.monica.nginx.basicAuthFile | Basic Auth password file for a vhost
|
| services.pixelfed.nginx.basicAuth | Basic Auth protection for a vhost
|
| services.hostapd.radios.<name>.networks.<name>.authentication.saePasswords.*.id | If this attribute is given with non-zero length, it will set the password identifier for this entry
|
| services.prometheus.scrapeConfigs.*.basic_auth.username | HTTP username
|
| services.prometheus.scrapeConfigs.*.basic_auth.password | HTTP password
|
| services.hostapd.radios.<name>.networks.<name>.authentication.wpaPasswordFile | Sets the password for WPA-PSK
|
| services.freeciv.settings.Guests | Whether to enable guests to login if auth is enabled.
|
| services.radicle.httpd.nginx.basicAuth | Basic Auth protection for a vhost
|