-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathconfig.yml
106 lines (89 loc) · 3.25 KB
/
config.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
##################################
### KeePass4Web related config ###
##################################
# where to get keepass database from
# available: Filesystem, HTTP
db_backend: 'Filesystem'
# backend to authenticate users before anything else
# available: None, LDAP, OIDC, htpasswd
# None is only useful in single-user environments
auth_backend: 'None'
### Database backends ###
# filesystem specific configuration, db_backend = 'Filesystem'
Filesystem:
db_location: './db.kdbx'
# optional, storing key files on the filesystem is not recommended
# keyfile_location: './db.key'
# http specific configuration, db_backend = 'HTTP'
HTTP:
# database_url: ''
# keyfile_url: ''
# credentials:
# username: ''
# password: ''
# bearer: ''
### Authentication backends ###
# ldap specific configuration, auth_backend = 'LDAP'
LDAP:
uri: 'ldap://127.0.0.1:389'
scope: 'subtree'
base_dn: 'OU=People,DC=example,DC=org'
filter: '(&(objectClass=inetOrgPerson)(memberOf=CN=keepass,OU=groups,DC=example,DC=org))'
# (unique) ldap attribute for user login
# Active Directory: sAMAccountName or userPrincipalName
# openLDAP/389 Directory Server/etc: uid
login_attribute: 'uid'
# ldap bind DN and password, leave empty for anonymous bind
bind: 'CN=ldap-read,OU=Special Users,DC=example,DC=org'
password: ''
# ldap attribute containing the keepass database and/or keyfile location for the authed user
# leave commented out to use static db/keyfile location from db backend
# database_attribute: 'keePass'
# keyfile_attribute: 'keePassKeyFile'
# open id connect specific configuration, auth_backend = 'OIDC'
OIDC:
# url to the issuer (discovery url)
# issuer: ''
client_id: ''
client_secret: ''
# required for logout without confirmation
# the token is pretty big and might not fit into a session cookie
# disable if issues arise
save_id_token: true
scopes:
- 'profile'
# scope containing the keepass_location and/or keyfile_location claims for the authed user
# leave commented out to use static db/keyfile location from db backend
# - 'keepass'
# htpasswd specific configuration, auth_backend = 'htpasswd'
htpasswd:
path: '.htpasswd'
# time till database gets closed (user idle time)
# user will have to reenter database password/keyfile
db_session_timeout: '10 minutes'
# interval to watch for user auth_backend changes (to present proper login page, even when user is idling)
auth_check_interval: '1 hour 5 minutes'
search:
# fields to search for matching entries
fields:
- title
- username
- tags
- notes
- url
# whether to search in user supplied fields and file names
extra_fields: true
# whether regexes in the search pattern are interpreted
allow_regex: false
# Secret key used for session cookies
# Must be at least 64 bytes long, obtained from a cryptographically secure source.
# Will be generated on the fly if not specified.
# Set a static key for sessions to survive server restarts.
# session_secret_key: ''
# Cookie session lifetime
session_lifetime: '1 hour'
# Cookie same site setting: strict/lax/none
# Redirecting backends might require lax here
cookie_samesite: 'strict'
listen: '::'
port: 8080