feat(configuration): comment unnecessary template lines (#4222)

This adjusts the default configuration to mostly include commented configuration.

config.template.yml

@@ -218,13 +218,13 @@ webauthn:
 ##
 ## Parameters used to contact the Duo API. Those are generated when you protect an application of type
 ## "Partner Auth API" in the management panel.
-duo_api:
-  disable: false
-  hostname: api-123456789.example.com
-  integration_key: ABCDEF
+# duo_api:
+  # disable: false
+  # hostname: api-123456789.example.com
+  # integration_key: ABCDEF
   ## Secret can also be set using a secret: https://www.authelia.com/c/secrets
-  secret_key: 1234567890abcdefghifjkl
-  enable_self_enrollment: false
+  # secret_key: 1234567890abcdefghifjkl
+  # enable_self_enrollment: false
 
 ##
 ## NTP Configuration
@@ -281,7 +281,7 @@ authentication_backend:
   ## This is the recommended Authentication Provider in production
   ## because it allows Authelia to offload the stateful operations
   ## onto the LDAP service.
-  ldap:
+  # ldap:
     ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
     ## Acceptable options are as follows:
     ## - 'activedirectory' - For Microsoft Active Directory.
@@ -291,32 +291,32 @@ authentication_backend:
     ## Depending on the option here certain other values in this section have a default value, notably all of the
     ## attribute mappings have a default value that this config overrides, you can read more about these default values
     ## at https://www.authelia.com/c/ldap#defaults
-    implementation: custom
+    # implementation: custom
 
     ## The url to the ldap server. Format: <scheme>://<address>[:<port>].
     ## Scheme can be ldap or ldaps in the format (port optional).
-    url: ldap://127.0.0.1
+    # url: ldap://127.0.0.1
 
     ## The dial timeout for LDAP.
-    timeout: 5s
+    # timeout: 5s
 
     ## Use StartTLS with the LDAP connection.
-    start_tls: false
+    # start_tls: false
 
-    tls:
+    # tls:
       ## Server Name for certificate validation (in case it's not set correctly in the URL).
       # server_name: ldap.example.com
 
       ## Skip verifying the server certificate (to allow a self-signed certificate).
       ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
       ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
-      skip_verify: false
+      # skip_verify: false
 
       ## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
-      minimum_version: TLS1.2
+      # minimum_version: TLS1.2
 
       ## Maximum TLS version for either Secure LDAP or LDAP StartTLS.
-      maximum_version: TLS1.3
+      # maximum_version: TLS1.3
 
       ## The certificate chain used with the private_key if the server requests TLS Client Authentication
       ## i.e. Mutual TLS.
@@ -393,7 +393,7 @@ authentication_backend:
 
     ## The distinguished name of the container searched for objects in the directory information tree.
     ## See also: additional_users_dn, additional_groups_dn.
-    base_dn: dc=example,dc=com
+    # base_dn: dc=example,dc=com
 
     ## The attribute holding the username of the user. This attribute is used to populate the username in the session
     ## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
@@ -407,7 +407,7 @@ authentication_backend:
 
     ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
     ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
-    additional_users_dn: ou=users
+    # additional_users_dn: ou=users
 
     ## The users filter used in search queries to find the user profile based on input filled in login form.
     ## Various placeholders are available in the user filter which you can read about in the documentation which can
@@ -421,11 +421,11 @@ authentication_backend:
     ##
     ## To allow sign in both with username and email, one can use a filter like
     ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
-    users_filter: (&({username_attribute}={input})(objectClass=person))
+    # users_filter: (&({username_attribute}={input})(objectClass=person))
 
     ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups.
     ## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups.
-    additional_groups_dn: ou=groups
+    # additional_groups_dn: ou=groups
 
     ## The groups filter used in search queries to find the groups based on relevant authenticated user.
     ## Various placeholders are available in the groups filter which you can read about in the documentation which can
@@ -433,7 +433,7 @@ authentication_backend:
     ##
     ## If your groups use the `groupOfUniqueNames` structure use this instead:
     ##    (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
-    groups_filter: (&(member={dn})(objectClass=groupOfNames))
+    # groups_filter: (&(member={dn})(objectClass=groupOfNames))
 
     ## The attribute holding the name of the group.
     # group_name_attribute: cn
@@ -447,12 +447,12 @@ authentication_backend:
 
     ## Follow referrals returned by the server.
     ## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
-    permit_referrals: false
+    # permit_referrals: false
 
     ## The username and password of the admin user.
-    user: cn=admin,dc=example,dc=com
+    # user: cn=admin,dc=example,dc=com
     ## Password can also be set using a secret: https://www.authelia.com/c/secrets
-    password: password
+    # password: password
 
   ##
   ## File (Authentication Provider)
@@ -566,18 +566,18 @@ access_control:
   ## resource if there is no policy to be applied to the user.
   default_policy: deny
 
-  networks:
-    - name: internal
-      networks:
-        - 10.10.0.0/16
-        - 192.168.2.0/24
-    - name: VPN
-      networks: 10.9.0.0/16
+  # networks:
+    # - name: internal
+    #   networks:
+        # - 10.10.0.0/16
+        # - 192.168.2.0/24
+    # - name: VPN
+    #   networks: 10.9.0.0/16
 
-  rules:
+  # rules:
     ## Rules applied to everyone
-    - domain: 'public.example.com'
-      policy: bypass
+    # - domain: 'public.example.com'
+    #   policy: bypass
 
     ## Domain Regex examples. Generally we recommend just using a standard domain.
     # - domain_regex: '^(?P<User>\w+)\.example\.com$'
@@ -591,64 +591,64 @@ access_control:
     # - domain_regex: '^.*\.example\.com$'
     #   policy: two_factor
 
-    - domain: 'secure.example.com'
-      policy: one_factor
+    # - domain: 'secure.example.com'
+    #   policy: one_factor
     ## Network based rule, if not provided any network matches.
-      networks:
-        - internal
-        - VPN
-        - 192.168.1.0/24
-        - 10.0.0.1
+    #   networks:
+        # - internal
+        # - VPN
+        # - 192.168.1.0/24
+        # - 10.0.0.1
 
-    - domain:
-        - 'secure.example.com'
-        - 'private.example.com'
-      policy: two_factor
+    # - domain:
+        # - 'secure.example.com'
+        # - 'private.example.com'
+    #   policy: two_factor
 
-    - domain: 'singlefactor.example.com'
-      policy: one_factor
+    # - domain: 'singlefactor.example.com'
+    #   policy: one_factor
 
     ## Rules applied to 'admins' group
-    - domain: 'mx2.mail.example.com'
-      subject: 'group:admins'
-      policy: deny
+    # - domain: 'mx2.mail.example.com'
+    #   subject: 'group:admins'
+    #   policy: deny
 
-    - domain: '*.example.com'
-      subject:
-        - 'group:admins'
-        - 'group:moderators'
-      policy: two_factor
+    # - domain: '*.example.com'
+    #   subject:
+        # - 'group:admins'
+        # - 'group:moderators'
+    #   policy: two_factor
 
     ## Rules applied to 'dev' group
-    - domain: 'dev.example.com'
-      resources:
-        - '^/groups/dev/.*$'
-      subject: 'group:dev'
-      policy: two_factor
+    # - domain: 'dev.example.com'
+    #   resources:
+        # - '^/groups/dev/.*$'
+    #   subject: 'group:dev'
+    #   policy: two_factor
 
     ## Rules applied to user 'john'
-    - domain: 'dev.example.com'
-      resources:
-        - '^/users/john/.*$'
-      subject: 'user:john'
-      policy: two_factor
+    # - domain: 'dev.example.com'
+    #   resources:
+        # - '^/users/john/.*$'
+    #   subject: 'user:john'
+    #   policy: two_factor
 
     ## Rules applied to user 'harry'
-    - domain: 'dev.example.com'
-      resources:
-        - '^/users/harry/.*$'
-      subject: 'user:harry'
-      policy: two_factor
+    # - domain: 'dev.example.com'
+    #   resources:
+        # - '^/users/harry/.*$'
+    #   subject: 'user:harry'
+    #   policy: two_factor
 
     ## Rules applied to user 'bob'
-    - domain: '*.mail.example.com'
-      subject: 'user:bob'
-      policy: two_factor
-    - domain: 'dev.example.com'
-      resources:
-        - '^/users/bob/.*$'
-      subject: 'user:bob'
-      policy: two_factor
+    # - domain: '*.mail.example.com'
+    #   subject: 'user:bob'
+    #   policy: two_factor
+    # - domain: 'dev.example.com'
+    #   resources:
+    #     - '^/users/bob/.*$'
+    #   subject: 'user:bob'
+    #   policy: two_factor
 
 ##
 ## Session Provider Configuration
@@ -694,9 +694,9 @@ session:
   ##
   ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
   ##
-  redis:
-    host: 127.0.0.1
-    port: 6379
+  # redis:
+    # host: 127.0.0.1
+    # port: 6379
     ## Use a unix socket instead
     # host: /var/run/redis/redis.sock
 
@@ -704,16 +704,16 @@ session:
     # username: authelia
 
     ## Password can also be set using a secret: https://www.authelia.com/c/secrets
-    password: authelia
+    # password: authelia
 
     ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
-    database_index: 0
+    # database_index: 0
 
     ## The maximum number of concurrent active connections to Redis.
-    maximum_active_connections: 8
+    # maximum_active_connections: 8
 
     ## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
-    minimum_idle_connections: 0
+    # minimum_idle_connections: 0
 
     ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
     # tls:
@@ -728,6 +728,82 @@ session:
       ## Minimum TLS version for the connection.
       # minimum_version: TLS1.2
 
+      ## Maximum TLS version for the connection.
+      # maximum_version: TLS1.3
+
+      ## The certificate chain used with the private_key if the server requests TLS Client Authentication
+      ## i.e. Mutual TLS.
+      # certificate_chain: |
+        # -----BEGIN CERTIFICATE-----
+        # MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
+        # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
+        # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+        # ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
+        # /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
+        # LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
+        # 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
+        # kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
+        # Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
+        # AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
+        # AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
+        # /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
+        # lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
+        # wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
+        # OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
+        # ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
+        # -----END CERTIFICATE-----
+        # -----BEGIN CERTIFICATE-----
+        # MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
+        # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
+        # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+        # ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
+        # zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
+        # 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
+        # kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
+        # ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
+        # Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
+        # AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
+        # Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
+        # kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
+        # 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
+        # HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
+        # D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
+        # 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
+        # qocikt3WAdU^invalid DO NOT USE=
+        # -----END CERTIFICATE-----
+
+      ## The private key used with the certificate_chain if the server requests TLS Client Authentication
+      ## i.e. Mutual TLS.
+      # private_key: |
+        #  -----BEGIN RSA PRIVATE KEY-----
+        # MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
+        # T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
+        # KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
+        # +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
+        # LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
+        # txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
+        # aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
+        # Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
+        # ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
+        # LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
+        # jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
+        # BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
+        # Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
+        # R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
+        # tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
+        # ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
+        # lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
+        # 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
+        # fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
+        # 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
+        # jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
+        # rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
+        # n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
+        # yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
+        # 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
+        # DO NOT USE==
+        # -----END RSA PRIVATE KEY-----
+
     ## The Redis HA configuration options.
     ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
     # high_availability:
@@ -777,7 +853,7 @@ regulation:
 ## Storage Provider Configuration
 ##
 ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
-storage:
+# storage:
   ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
   ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it.
   # encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
@@ -791,19 +867,20 @@ storage:
   ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
   ##
   # local:
+    ## Path to the SQLite3 Database.
     # path: /config/db.sqlite3
 
   ##
   ## MySQL / MariaDB (Storage Provider)
   ##
-  mysql:
-    host: 127.0.0.1
-    port: 3306
-    database: authelia
-    username: authelia
+  # mysql:
+    # host: 127.0.0.1
+    # port: 3306
+    # database: authelia
+    # username: authelia
     ## Password can also be set using a secret: https://www.authelia.com/c/secrets
-    password: mypassword
-    timeout: 5s
+    # password: mypassword
+    # timeout: 5s
 
   ##
   ## PostgreSQL (Storage Provider)
@@ -814,7 +891,7 @@ storage:
     # database: authelia
     # schema: public
     # username: authelia
-  #   ## Password can also be set using a secret: https://www.authelia.com/c/secrets
+    ## Password can also be set using a secret: https://www.authelia.com/c/secrets
     # password: mypassword
     # timeout: 5s
     # ssl:
@@ -850,55 +927,131 @@ notifier:
   ##        (only works for unauthenticated connections)
   ##   - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
   ##     (configure in tls section)
-  smtp:
+  # smtp:
     ## The SMTP host to connect to.
-    host: 127.0.0.1
+    # host: 127.0.0.1
 
     ## The port to connect to the SMTP host on.
-    port: 1025
+    # port: 1025
 
     ## The connection timeout.
-    timeout: 5s
+    # timeout: 5s
 
     ## The username used for SMTP authentication.
-    username: test
+    # username: test
 
     ## The password used for SMTP authentication.
     ## Can also be set using a secret: https://www.authelia.com/c/secrets
-    password: password
+    # password: password
 
     ## The sender is used to is used for the MAIL FROM command and the FROM header.
     ## If this is not defined and the username is an email, we use the username as this value. This can either be just
     ## an email address or the RFC5322 'Name <email address>' format.
-    sender: "Authelia <admin@example.com>"
+    # sender: "Authelia <admin@example.com>"
 
     ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
-    identifier: localhost
+    # identifier: localhost
 
     ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
-    subject: "[Authelia] {title}"
+    # subject: "[Authelia] {title}"
 
     ## This address is used during the startup check to verify the email configuration is correct.
     ## It's not important what it is except if your email server only allows local delivery.
-    startup_check_address: test@authelia.com
+    # startup_check_address: test@authelia.com
 
     ## By default we require some form of TLS. This disables this check though is not advised.
-    disable_require_tls: false
+    # disable_require_tls: false
 
     ## Disables sending HTML formatted emails.
-    disable_html_emails: false
+    # disable_html_emails: false
 
-    tls:
+    # tls:
       ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
       # server_name: smtp.example.com
 
       ## Skip verifying the server certificate (to allow a self-signed certificate).
       ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
       ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
-      skip_verify: false
+      # skip_verify: false
 
       ## Minimum TLS version for either StartTLS or SMTPS.
-      minimum_version: TLS1.2
+      # minimum_version: TLS1.2
+
+      ## Maximum TLS version for either StartTLS or SMTPS.
+      # maximum_version: TLS1.3
+
+      ## The certificate chain used with the private_key if the server requests TLS Client Authentication
+      ## i.e. Mutual TLS.
+      # certificate_chain: |
+        # -----BEGIN CERTIFICATE-----
+        # MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
+        # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
+        # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+        # ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
+        # /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
+        # LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
+        # 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
+        # kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
+        # Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
+        # AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
+        # AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
+        # /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
+        # lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
+        # wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
+        # OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
+        # ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
+        # -----END CERTIFICATE-----
+        # -----BEGIN CERTIFICATE-----
+        # MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
+        # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
+        # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+        # ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
+        # zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
+        # 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
+        # kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
+        # ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
+        # Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
+        # AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
+        # Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
+        # kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
+        # 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
+        # HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
+        # D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
+        # 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
+        # qocikt3WAdU^invalid DO NOT USE=
+        # -----END CERTIFICATE-----
+
+      ## The private key used with the certificate_chain if the server requests TLS Client Authentication
+      ## i.e. Mutual TLS.
+      # private_key: |
+        #  -----BEGIN RSA PRIVATE KEY-----
+        # MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
+        # T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
+        # KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
+        # +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
+        # LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
+        # txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
+        # aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
+        # Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
+        # ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
+        # LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
+        # jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
+        # BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
+        # Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
+        # R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
+        # tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
+        # ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
+        # lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
+        # 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
+        # fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
+        # 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
+        # jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
+        # rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
+        # n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
+        # yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
+        # 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
+        # DO NOT USE==
+        # -----END RSA PRIVATE KEY-----
 
 ##
 ## Identity Providers

internal/configuration/config.template.yml

@@ -218,13 +218,13 @@ webauthn:
 ##
 ## Parameters used to contact the Duo API. Those are generated when you protect an application of type
 ## "Partner Auth API" in the management panel.
-duo_api:
-  disable: false
-  hostname: api-123456789.example.com
-  integration_key: ABCDEF
+# duo_api:
+  # disable: false
+  # hostname: api-123456789.example.com
+  # integration_key: ABCDEF
   ## Secret can also be set using a secret: https://www.authelia.com/c/secrets
-  secret_key: 1234567890abcdefghifjkl
-  enable_self_enrollment: false
+  # secret_key: 1234567890abcdefghifjkl
+  # enable_self_enrollment: false
 
 ##
 ## NTP Configuration
@@ -281,7 +281,7 @@ authentication_backend:
   ## This is the recommended Authentication Provider in production
   ## because it allows Authelia to offload the stateful operations
   ## onto the LDAP service.
-  ldap:
+  # ldap:
     ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
     ## Acceptable options are as follows:
     ## - 'activedirectory' - For Microsoft Active Directory.
@@ -291,32 +291,32 @@ authentication_backend:
     ## Depending on the option here certain other values in this section have a default value, notably all of the
     ## attribute mappings have a default value that this config overrides, you can read more about these default values
     ## at https://www.authelia.com/c/ldap#defaults
-    implementation: custom
+    # implementation: custom
 
     ## The url to the ldap server. Format: <scheme>://<address>[:<port>].
     ## Scheme can be ldap or ldaps in the format (port optional).
-    url: ldap://127.0.0.1
+    # url: ldap://127.0.0.1
 
     ## The dial timeout for LDAP.
-    timeout: 5s
+    # timeout: 5s
 
     ## Use StartTLS with the LDAP connection.
-    start_tls: false
+    # start_tls: false
 
-    tls:
+    # tls:
       ## Server Name for certificate validation (in case it's not set correctly in the URL).
       # server_name: ldap.example.com
 
       ## Skip verifying the server certificate (to allow a self-signed certificate).
       ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
       ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
-      skip_verify: false
+      # skip_verify: false
 
       ## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
-      minimum_version: TLS1.2
+      # minimum_version: TLS1.2
 
       ## Maximum TLS version for either Secure LDAP or LDAP StartTLS.
-      maximum_version: TLS1.3
+      # maximum_version: TLS1.3
 
       ## The certificate chain used with the private_key if the server requests TLS Client Authentication
       ## i.e. Mutual TLS.
@@ -393,7 +393,7 @@ authentication_backend:
 
     ## The distinguished name of the container searched for objects in the directory information tree.
     ## See also: additional_users_dn, additional_groups_dn.
-    base_dn: dc=example,dc=com
+    # base_dn: dc=example,dc=com
 
     ## The attribute holding the username of the user. This attribute is used to populate the username in the session
     ## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
@@ -407,7 +407,7 @@ authentication_backend:
 
     ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
     ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
-    additional_users_dn: ou=users
+    # additional_users_dn: ou=users
 
     ## The users filter used in search queries to find the user profile based on input filled in login form.
     ## Various placeholders are available in the user filter which you can read about in the documentation which can
@@ -421,11 +421,11 @@ authentication_backend:
     ##
     ## To allow sign in both with username and email, one can use a filter like
     ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
-    users_filter: (&({username_attribute}={input})(objectClass=person))
+    # users_filter: (&({username_attribute}={input})(objectClass=person))
 
     ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups.
     ## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups.
-    additional_groups_dn: ou=groups
+    # additional_groups_dn: ou=groups
 
     ## The groups filter used in search queries to find the groups based on relevant authenticated user.
     ## Various placeholders are available in the groups filter which you can read about in the documentation which can
@@ -433,7 +433,7 @@ authentication_backend:
     ##
     ## If your groups use the `groupOfUniqueNames` structure use this instead:
     ##    (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
-    groups_filter: (&(member={dn})(objectClass=groupOfNames))
+    # groups_filter: (&(member={dn})(objectClass=groupOfNames))
 
     ## The attribute holding the name of the group.
     # group_name_attribute: cn
@@ -447,12 +447,12 @@ authentication_backend:
 
     ## Follow referrals returned by the server.
     ## This is especially useful for environments where read-only servers exist. Only implemented for write operations.
-    permit_referrals: false
+    # permit_referrals: false
 
     ## The username and password of the admin user.
-    user: cn=admin,dc=example,dc=com
+    # user: cn=admin,dc=example,dc=com
     ## Password can also be set using a secret: https://www.authelia.com/c/secrets
-    password: password
+    # password: password
 
   ##
   ## File (Authentication Provider)
@@ -566,18 +566,18 @@ access_control:
   ## resource if there is no policy to be applied to the user.
   default_policy: deny
 
-  networks:
-    - name: internal
-      networks:
-        - 10.10.0.0/16
-        - 192.168.2.0/24
-    - name: VPN
-      networks: 10.9.0.0/16
+  # networks:
+    # - name: internal
+    #   networks:
+        # - 10.10.0.0/16
+        # - 192.168.2.0/24
+    # - name: VPN
+    #   networks: 10.9.0.0/16
 
-  rules:
+  # rules:
     ## Rules applied to everyone
-    - domain: 'public.example.com'
-      policy: bypass
+    # - domain: 'public.example.com'
+    #   policy: bypass
 
     ## Domain Regex examples. Generally we recommend just using a standard domain.
     # - domain_regex: '^(?P<User>\w+)\.example\.com$'
@@ -591,64 +591,64 @@ access_control:
     # - domain_regex: '^.*\.example\.com$'
     #   policy: two_factor
 
-    - domain: 'secure.example.com'
-      policy: one_factor
+    # - domain: 'secure.example.com'
+    #   policy: one_factor
     ## Network based rule, if not provided any network matches.
-      networks:
-        - internal
-        - VPN
-        - 192.168.1.0/24
-        - 10.0.0.1
+    #   networks:
+        # - internal
+        # - VPN
+        # - 192.168.1.0/24
+        # - 10.0.0.1
 
-    - domain:
-        - 'secure.example.com'
-        - 'private.example.com'
-      policy: two_factor
+    # - domain:
+        # - 'secure.example.com'
+        # - 'private.example.com'
+    #   policy: two_factor
 
-    - domain: 'singlefactor.example.com'
-      policy: one_factor
+    # - domain: 'singlefactor.example.com'
+    #   policy: one_factor
 
     ## Rules applied to 'admins' group
-    - domain: 'mx2.mail.example.com'
-      subject: 'group:admins'
-      policy: deny
+    # - domain: 'mx2.mail.example.com'
+    #   subject: 'group:admins'
+    #   policy: deny
 
-    - domain: '*.example.com'
-      subject:
-        - 'group:admins'
-        - 'group:moderators'
-      policy: two_factor
+    # - domain: '*.example.com'
+    #   subject:
+        # - 'group:admins'
+        # - 'group:moderators'
+    #   policy: two_factor
 
     ## Rules applied to 'dev' group
-    - domain: 'dev.example.com'
-      resources:
-        - '^/groups/dev/.*$'
-      subject: 'group:dev'
-      policy: two_factor
+    # - domain: 'dev.example.com'
+    #   resources:
+        # - '^/groups/dev/.*$'
+    #   subject: 'group:dev'
+    #   policy: two_factor
 
     ## Rules applied to user 'john'
-    - domain: 'dev.example.com'
-      resources:
-        - '^/users/john/.*$'
-      subject: 'user:john'
-      policy: two_factor
+    # - domain: 'dev.example.com'
+    #   resources:
+        # - '^/users/john/.*$'
+    #   subject: 'user:john'
+    #   policy: two_factor
 
     ## Rules applied to user 'harry'
-    - domain: 'dev.example.com'
-      resources:
-        - '^/users/harry/.*$'
-      subject: 'user:harry'
-      policy: two_factor
+    # - domain: 'dev.example.com'
+    #   resources:
+        # - '^/users/harry/.*$'
+    #   subject: 'user:harry'
+    #   policy: two_factor
 
     ## Rules applied to user 'bob'
-    - domain: '*.mail.example.com'
-      subject: 'user:bob'
-      policy: two_factor
-    - domain: 'dev.example.com'
-      resources:
-        - '^/users/bob/.*$'
-      subject: 'user:bob'
-      policy: two_factor
+    # - domain: '*.mail.example.com'
+    #   subject: 'user:bob'
+    #   policy: two_factor
+    # - domain: 'dev.example.com'
+    #   resources:
+    #     - '^/users/bob/.*$'
+    #   subject: 'user:bob'
+    #   policy: two_factor
 
 ##
 ## Session Provider Configuration
@@ -694,9 +694,9 @@ session:
   ##
   ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
   ##
-  redis:
-    host: 127.0.0.1
-    port: 6379
+  # redis:
+    # host: 127.0.0.1
+    # port: 6379
     ## Use a unix socket instead
     # host: /var/run/redis/redis.sock
 
@@ -704,16 +704,16 @@ session:
     # username: authelia
 
     ## Password can also be set using a secret: https://www.authelia.com/c/secrets
-    password: authelia
+    # password: authelia
 
     ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
-    database_index: 0
+    # database_index: 0
 
     ## The maximum number of concurrent active connections to Redis.
-    maximum_active_connections: 8
+    # maximum_active_connections: 8
 
     ## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
-    minimum_idle_connections: 0
+    # minimum_idle_connections: 0
 
     ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
     # tls:
@@ -728,6 +728,82 @@ session:
       ## Minimum TLS version for the connection.
       # minimum_version: TLS1.2
 
+      ## Maximum TLS version for the connection.
+      # maximum_version: TLS1.3
+
+      ## The certificate chain used with the private_key if the server requests TLS Client Authentication
+      ## i.e. Mutual TLS.
+      # certificate_chain: |
+        # -----BEGIN CERTIFICATE-----
+        # MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
+        # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
+        # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+        # ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
+        # /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
+        # LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
+        # 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
+        # kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
+        # Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
+        # AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
+        # AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
+        # /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
+        # lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
+        # wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
+        # OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
+        # ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
+        # -----END CERTIFICATE-----
+        # -----BEGIN CERTIFICATE-----
+        # MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
+        # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
+        # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+        # ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
+        # zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
+        # 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
+        # kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
+        # ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
+        # Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
+        # AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
+        # Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
+        # kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
+        # 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
+        # HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
+        # D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
+        # 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
+        # qocikt3WAdU^invalid DO NOT USE=
+        # -----END CERTIFICATE-----
+
+      ## The private key used with the certificate_chain if the server requests TLS Client Authentication
+      ## i.e. Mutual TLS.
+      # private_key: |
+        #  -----BEGIN RSA PRIVATE KEY-----
+        # MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
+        # T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
+        # KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
+        # +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
+        # LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
+        # txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
+        # aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
+        # Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
+        # ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
+        # LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
+        # jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
+        # BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
+        # Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
+        # R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
+        # tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
+        # ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
+        # lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
+        # 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
+        # fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
+        # 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
+        # jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
+        # rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
+        # n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
+        # yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
+        # 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
+        # DO NOT USE==
+        # -----END RSA PRIVATE KEY-----
+
     ## The Redis HA configuration options.
     ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
     # high_availability:
@@ -777,7 +853,7 @@ regulation:
 ## Storage Provider Configuration
 ##
 ## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
-storage:
+# storage:
   ## The encryption key that is used to encrypt sensitive information in the database. Must be a string with a minimum
   ## length of 20. Please see the docs if you configure this with an undesirable key and need to change it.
   # encryption_key: you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this
@@ -791,19 +867,20 @@ storage:
   ## Important: Kubernetes (or HA) users must read https://www.authelia.com/t/statelessness
   ##
   # local:
+    ## Path to the SQLite3 Database.
     # path: /config/db.sqlite3
 
   ##
   ## MySQL / MariaDB (Storage Provider)
   ##
-  mysql:
-    host: 127.0.0.1
-    port: 3306
-    database: authelia
-    username: authelia
+  # mysql:
+    # host: 127.0.0.1
+    # port: 3306
+    # database: authelia
+    # username: authelia
     ## Password can also be set using a secret: https://www.authelia.com/c/secrets
-    password: mypassword
-    timeout: 5s
+    # password: mypassword
+    # timeout: 5s
 
   ##
   ## PostgreSQL (Storage Provider)
@@ -814,7 +891,7 @@ storage:
     # database: authelia
     # schema: public
     # username: authelia
-  #   ## Password can also be set using a secret: https://www.authelia.com/c/secrets
+    ## Password can also be set using a secret: https://www.authelia.com/c/secrets
     # password: mypassword
     # timeout: 5s
     # ssl:
@@ -850,55 +927,131 @@ notifier:
   ##        (only works for unauthenticated connections)
   ##   - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
   ##     (configure in tls section)
-  smtp:
+  # smtp:
     ## The SMTP host to connect to.
-    host: 127.0.0.1
+    # host: 127.0.0.1
 
     ## The port to connect to the SMTP host on.
-    port: 1025
+    # port: 1025
 
     ## The connection timeout.
-    timeout: 5s
+    # timeout: 5s
 
     ## The username used for SMTP authentication.
-    username: test
+    # username: test
 
     ## The password used for SMTP authentication.
     ## Can also be set using a secret: https://www.authelia.com/c/secrets
-    password: password
+    # password: password
 
     ## The sender is used to is used for the MAIL FROM command and the FROM header.
     ## If this is not defined and the username is an email, we use the username as this value. This can either be just
     ## an email address or the RFC5322 'Name <email address>' format.
-    sender: "Authelia <admin@example.com>"
+    # sender: "Authelia <admin@example.com>"
 
     ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
-    identifier: localhost
+    # identifier: localhost
 
     ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
-    subject: "[Authelia] {title}"
+    # subject: "[Authelia] {title}"
 
     ## This address is used during the startup check to verify the email configuration is correct.
     ## It's not important what it is except if your email server only allows local delivery.
-    startup_check_address: test@authelia.com
+    # startup_check_address: test@authelia.com
 
     ## By default we require some form of TLS. This disables this check though is not advised.
-    disable_require_tls: false
+    # disable_require_tls: false
 
     ## Disables sending HTML formatted emails.
-    disable_html_emails: false
+    # disable_html_emails: false
 
-    tls:
+    # tls:
       ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
       # server_name: smtp.example.com
 
       ## Skip verifying the server certificate (to allow a self-signed certificate).
       ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
       ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
-      skip_verify: false
+      # skip_verify: false
 
       ## Minimum TLS version for either StartTLS or SMTPS.
-      minimum_version: TLS1.2
+      # minimum_version: TLS1.2
+
+      ## Maximum TLS version for either StartTLS or SMTPS.
+      # maximum_version: TLS1.3
+
+      ## The certificate chain used with the private_key if the server requests TLS Client Authentication
+      ## i.e. Mutual TLS.
+      # certificate_chain: |
+        # -----BEGIN CERTIFICATE-----
+        # MIIC5jCCAc6gAwIBAgIRAK4Sj7FiN6PXo/urPfO4E7owDQYJKoZIhvcNAQELBQAw
+        # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
+        # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+        # ADCCAQoCggEBAPKv3pSyP4ozGEiVLJ14dIWFCEGEgq7WUMI0SZZqQA2ID0L59U/Q
+        # /Usyy7uC9gfMUzODTpANtkOjFQcQAsxlR1FOjVBrX5QgjSvXwbQn3DtwMA7XWSl6
+        # LuYx2rBYSlMSN5UZQm/RxMtXfLK2b51WgEEYDFi+nECSqKzR4R54eOPkBEWRfvuY
+        # 91AMjlhpivg8e4JWkq4LVQUKbmiFYwIdK8XQiN4blY9WwXwJFYs5sQ/UYMwBFi0H
+        # kWOh7GEjfxgoUOPauIueZSMSlQp7zqAH39N0ZSYb6cS0Npj57QoWZSY3ak87ebcR
+        # Nf4rCvZLby7LoN7qYCKxmCaDD3x2+NYpWH8CAwEAAaM1MDMwDgYDVR0PAQH/BAQD
+        # AgWgMBMGA1UdJQQMMAoGCCsGAQUFBwMBMAwGA1UdEwEB/wQCMAAwDQYJKoZIhvcN
+        # AQELBQADggEBAHSITqIQSNzonFl3DzxHPEzr2hp6peo45buAAtu8FZHoA+U7Icfh
+        # /ZXjPg7Xz+hgFwM/DTNGXkMWacQA/PaNWvZspgRJf2AXvNbMSs2UQODr7Tbv+Fb4
+        # lyblmMUNYFMCFVAMU0eIxXAFq2qcwv8UMcQFT0Z/35s6PVOakYnAGGQjTfp5Ljuq
+        # wsdc/xWmM0cHWube6sdRRUD7SY20KU/kWzl8iFO0VbSSrDf1AlEhnLEkp1SPaxXg
+        # OdBnl98MeoramNiJ7NT6Jnyb3zZ578fjaWfThiBpagItI8GZmG4s4Ovh2JbheN8i
+        # ZsjNr9jqHTjhyLVbDRlmJzcqoj4JhbKs6/I^invalid DO NOT USE=
+        # -----END CERTIFICATE-----
+        # -----BEGIN CERTIFICATE-----
+        # MIIDBDCCAeygAwIBAgIRALJsPg21kA0zY4F1wUCIuoMwDQYJKoZIhvcNAQELBQAw
+        # EzERMA8GA1UEChMIQXV0aGVsaWEwHhcNNzAwMTAxMDAwMDAwWhcNNzEwMTAxMDAw
+        # MDAwWjATMREwDwYDVQQKEwhBdXRoZWxpYTCCASIwDQYJKoZIhvcNAQEBBQADggEP
+        # ADCCAQoCggEBAMXHBvVxUzYk0u34/DINMSF+uiOekKOAjOrC6Mi9Ww8ytPVO7t2S
+        # zfTvM+XnEJqkFQFgimERfG/eGhjF9XIEY6LtnXe8ATvOK4nTwdufzBaoeQu3Gd50
+        # 5VXr6OHRo//ErrGvFXwP3g8xLePABsi/fkH3oDN+ztewOBMDzpd+KgTrk8ysv2ou
+        # kNRMKFZZqASvCgv0LD5KWvUCnL6wgf1oTXG7aztduA4oSkUP321GpOmBC5+5ElU7
+        # ysoRzvD12o9QJ/IfEaulIX06w9yVMo60C/h6A3U6GdkT1SiyTIqR7v7KU/IWd/Qi
+        # Lfftcj91VhCmJ73Meff2e2S2PrpjdXbG5FMCAwEAAaNTMFEwDgYDVR0PAQH/BAQD
+        # AgKkMA8GA1UdJQQIMAYGBFUdJQAwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU
+        # Z7AtA3mzFc0InSBA5fiMfeLXA3owDQYJKoZIhvcNAQELBQADggEBAEE5hm1mtlk/
+        # kviCoHH4evbpw7rxPxDftIQlqYTtvMM4eWY/6icFoSZ4fUHEWYyps8SsPu/8f2tf
+        # 71LGgZn0FdHi1QU2H8m0HHK7TFw+5Q6RLrLdSyk0PItJ71s9en7r8pX820nAFEHZ
+        # HkOSfJZ7B5hFgUDkMtVM6bardXAhoqcMk4YCU96e9d4PB4eI+xGc+mNuYvov3RbB
+        # D0s8ICyojeyPVLerz4wHjZu68Z5frAzhZ68YbzNs8j2fIBKKHkHyLG1iQyF+LJVj
+        # 2PjCP+auJsj6fQQpMGoyGtpLcSDh+ptcTngUD8JsWipzTCjmaNqdPHAOYmcgtf4b
+        # qocikt3WAdU^invalid DO NOT USE=
+        # -----END CERTIFICATE-----
+
+      ## The private key used with the certificate_chain if the server requests TLS Client Authentication
+      ## i.e. Mutual TLS.
+      # private_key: |
+        #  -----BEGIN RSA PRIVATE KEY-----
+        # MIIEpAIBAAKCAQEA8q/elLI/ijMYSJUsnXh0hYUIQYSCrtZQwjRJlmpADYgPQvn1
+        # T9D9SzLLu4L2B8xTM4NOkA22Q6MVBxACzGVHUU6NUGtflCCNK9fBtCfcO3AwDtdZ
+        # KXou5jHasFhKUxI3lRlCb9HEy1d8srZvnVaAQRgMWL6cQJKorNHhHnh44+QERZF+
+        # +5j3UAyOWGmK+Dx7glaSrgtVBQpuaIVjAh0rxdCI3huVj1bBfAkVizmxD9RgzAEW
+        # LQeRY6HsYSN/GChQ49q4i55lIxKVCnvOoAff03RlJhvpxLQ2mPntChZlJjdqTzt5
+        # txE1/isK9ktvLsug3upgIrGYJoMPfHb41ilYfwIDAQABAoIBAQDTOdFf2JjHH1um
+        # aPgRAvNf9v7Nj5jytaRKs5nM6iNf46ls4QPreXnMhqSeSwj6lpNgBYxOgzC9Q+cc
+        # Y4ob/paJJPaIJTxmP8K/gyWcOQlNToL1l+eJ20eQoZm23NGr5fIsunSBwLEpTrdB
+        # ENqqtcwhW937K8Pxy/Q1nuLyU2bc6Tn/ivLozc8n27dpQWWKh8537VY7ancIaACr
+        # LJJLYxKqhQpjtBWAyCDvZQirnAOm9KnvIHaGXIswCZ4Xbsu0Y9NL+woARPyRVQvG
+        # jfxy4EmO9s1s6y7OObSukwKDSNihAKHx/VIbvVWx8g2Lv5fGOa+J2Y7o9Qurs8t5
+        # BQwMTt0BAoGBAPUw5Z32EszNepAeV3E2mPFUc5CLiqAxagZJuNDO2pKtyN29ETTR
+        # Ma4O1cWtGb6RqcNNN/Iukfkdk27Q5nC9VJSUUPYelOLc1WYOoUf6oKRzE72dkMQV
+        # R4bf6TkjD+OVR17fAfkswkGahZ5XA7j48KIQ+YC4jbnYKSxZTYyKPjH/AoGBAP1i
+        # tqXt36OVlP+y84wWqZSjMelBIVa9phDVGJmmhz3i1cMni8eLpJzWecA3pfnG6Tm9
+        # ze5M4whASleEt+M00gEvNaU9ND+z0wBfi+/DwJYIbv8PQdGrBiZFrPhTPjGQUldR
+        # lXccV2meeLZv7TagVxSi3DO6dSJfSEHyemd5j9mBAoGAX8Hv+0gOQZQCSOTAq8Nx
+        # 6dZcp9gHlNaXnMsP9eTDckOSzh636JPGvj6m+GPJSSbkURUIQ3oyokMNwFqvlNos
+        # fTaLhAOfjBZI9WnDTTQxpugWjphJ4HqbC67JC/qIiw5S6FdaEvGLEEoD4zoChywZ
+        # 9oGAn+fz2d/0/JAH/FpFPgsCgYEAp/ipZgPzziiZ9ov1wbdAQcWRj7RaWnssPFpX
+        # jXwEiXT3CgEMO4MJ4+KWIWOChrti3qFBg6i6lDyyS6Qyls7sLFbUdC7HlTcrOEMe
+        # rBoTcCI1GqZNlqWOVQ65ZIEiaI7o1vPBZo2GMQEZuq8mDKFsOMThvvTrM5cAep84
+        # n6HJR4ECgYABWcbsSnr0MKvVth/inxjbKapbZnp2HUCuw87Ie5zK2Of/tbC20wwk
+        # yKw3vrGoE3O1t1g2m2tn8UGGASeZ842jZWjIODdSi5+icysQGuULKt86h/woz2SQ
+        # 27GoE2i5mh6Yez6VAYbUuns3FcwIsMyWLq043Tu2DNkx9ijOOAuQzw^invalid..
+        # DO NOT USE==
+        # -----END RSA PRIVATE KEY-----
 
 ##
 ## Identity Providers

internal/configuration/schema/const.go

@@ -48,13 +48,13 @@ var ErrTLSVersionNotSupported = errors.New("supplied tls version isn't supported
 const ProfileRefreshDisabled = "disable"
 
 const (
-	// ProfileRefreshAlways represents a Value for refresh_interval that's the same as 0ms.
+	// ProfileRefreshAlways represents a value for refresh_interval that's the same as 0ms.
 	ProfileRefreshAlways = "always"
 
-	// RefreshIntervalDefault represents the default Value of refresh_interval.
+	// RefreshIntervalDefault represents the default value of refresh_interval.
 	RefreshIntervalDefault = "5m"
 
-	// RefreshIntervalAlways represents the duration Value refresh interval should have if set to always.
+	// RefreshIntervalAlways represents the duration value refresh interval should have if set to always.
 	RefreshIntervalAlways = 0 * time.Millisecond
 )