-
Notifications
You must be signed in to change notification settings - Fork 1
/
Copy pathconfig.docker.yaml
164 lines (152 loc) · 5.07 KB
/
config.docker.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
# The base path of Dex and the external name of the OpenID Connect service.
# This is the canonical URL that all clients MUST use to refer to Dex. If a
# path is provided, Dex's HTTP service will listen at a non-root URL.
issuer: {{.Env.DEX_URL}}
storage:
type: memory
# type: sqlite3
# config:
# file: /var/dex/dex.db
# type: mysql
# config:
# host: 127.0.0.1
# port: 3306
# database: dex
# user: mysql
# password: mysql
# ssl:
# mode: "false"
web:
http: 0.0.0.0:5556
https: 0.0.0.0:5554
tlsCert: {{.Env.DEXPATH}}/tls.crt
tlsKey: {{.Env.DEXPATH}}/tls.key
allowedOrigins: ['*'] # .Env.DNS3L_FQDN
grpc:
addr: 0.0.0.0:5557
telemetry:
http: 0.0.0.0:5558
# Dex UI configuration
frontend:
issuer: DNS3L
theme: light
extra:
helpURL: {{.Env.HELP_URL}}
clientURL: {{.Env.DNS3L_URL}}
oauth2:
# https://openid.net/specs/openid-connect-core-1_0.html#Authentication
responseTypes: ["code", "token", "id_token"]
skipApprovalScreen: true
alwaysShowLoginScreen: false
# Note: Prod SHOULD NOT provide mock and local
# passwordConnector: # local or ldap or mock
passwordConnector: {{if eq .Env.ldap "true"}}{{.Env.LDAP_CONNECTOR_ID}}{{else}}mock-passwd{{end}}
staticClients:
- id: dns3l-app
# Web based usage with Authorization Code Grant
# https://tools.ietf.org/html/rfc6749#section-4.1
redirectURIs:
- {{.Env.DNS3L_URL}}
- {{.Env.DNS3L_URL}}/
- {{.Env.DNS3L_URL}}/login
- {{.Env.DNS3L_URL}}/callback
name: 'DNS3L App'
public: true
- id: dns3l-cli
# CLI/Console usage with Resource Owner Password Credentials Grant
# https://tools.ietf.org/html/rfc6749#section-4.3
secret: {{.Env.DNS3L_CLI_SECRET}}
name: 'DNS3L CLI'
- id: dns3l-api
# CLI/Console usage with Resource Owner Password Credentials Grant
# https://tools.ietf.org/html/rfc6749#section-4.3
secret: {{.Env.DNS3L_API_SECRET}}
name: 'DNS3L API'
- id: dns3ld
# dns3ld can only validate against a single client ID actually...
# https://github.com/dns3l/dns3l-core/issues/59
secret: {{.Env.DNS3L_DAEMON_SECRET}}
name: 'DNS3L daemon validator'
trustedPeers:
- dns3l-app # new scope: audience:server:client_id:dns3ld
- dns3l-api # new scope: audience:server:client_id:dns3ld
- dns3l-cli # new scope: audience:server:client_id:dns3ld
{{if eq .Env.production "false" -}}
# Note: Prod SHOULD NOT provide mock and local
enablePasswordDB: true
staticPasswords:
- name: {{.Env.DNS3L_USERNAME}}
email: {{.Env.DNS3L_USERMAIL}}
username: {{.Env.DNS3L_USER}}
userID: {{.Env.DNS3L_USER_UUID}}
# echo "foobar" | htpasswd -n -B -C 10 -i certbot
hash: {{.Env.DNS3L_PASS_HASH}}
{{- end}}
connectors:
{{- if and (eq .Env.production "true") (eq .Env.ldap "false")}}
- type: mockPassword
id: mock-passwd
name: "Dex Mock..."
config:
username: {{.Env.DNS3L_USER}}
password: {{.Env.DNS3L_PASS}}
{{- end}}
{{- if eq .Env.production "false"}}
- type: mockCallback
id: mock-noauth
name: "Dex Mock"
- type: mockPassword
id: mock-passwd
name: "Dex Mock..."
config:
username: {{.Env.DNS3L_USER}}
password: {{.Env.DNS3L_PASS}}
{{- end}}
{{- if eq .Env.ldap "true"}}
- type: ldap
id: {{.Env.LDAP_CONNECTOR_ID}}
name: {{.Env.LDAP_CONNECTOR_NAME}}
config:
# Host and optional port of the LDAP server in the form "host:port".
# If the port is not supplied, it will be guessed based on "insecureNoSSL",
# and "startTLS" flags. 389 for insecure or StartTLS connections, 636
# otherwise.
host: {{.Env.LDAP_CONNECTOR_HOST}}
insecureSkipVerify: {{.Env.LDAP_TLS_VERIFY}}
startTLS: {{.Env.LDAP_STARTTLS}}
bindDN: {{.Env.LDAP_BindDN}}
bindPW: {{.Env.LDAP_BindPW}}
usernamePrompt: {{.Env.LDAP_CONNECTOR_PROMPT}}
userSearch:
# BaseDN to start the search from. It will translate to the query
# "(&(objectClass=person)(uid=<username>))".
baseDN: {{.Env.LDAP_USER_BASE}}
filter: {{.Env.LDAP_USER_FILTER}}
username: {{.Env.LDAP_USER_UID_ATTR}}
# "DN" (case sensitive) is a special attribute name. It indicates that
# this value should be taken from the entity's DN not an attribute on
# the entity.
idAttr: {{.Env.LDAP_USER_ID_ATTR}}
emailAttr: {{.Env.LDAP_USER_MAIL_ATTR}}
nameAttr: {{.Env.LDAP_USER_NAME_ATTR}}
groupSearch:
# BaseDN to start the search from. It will translate to the query
# "(&(objectClass=group)(member=<user uid>))".
baseDN: {{.Env.LDAP_GROUP_BASE}}
filter: {{.Env.LDAP_GROUP_FILTER}}
# Following list contains field pairs that are used to match a user to a group. It adds an additional
# requirement to the filter that an attribute in the group must match the user's attribute value.
# A user is a member of a group when their DN matches the value of a "member" attribute on the group entity.
userMatchers:
- userAttr: {{.Env.LDAP_GROUP_USER_ATTR}}
groupAttr: {{.Env.LDAP_GROUP_MEMBER_ATTR}}
nameAttr: {{.Env.LDAP_GROUP_NAME_ATTR}}
{{- end}}
expiry:
deviceRequests: 5m
signingKeys: 3h
idTokens: 30m
authRequests: 30m
refreshTokens:
validForIfNotUsed: 1h
# absoluteLifetime: 1h