Files
truecharts/charts/stable/twofauth/values.yaml
T
TrueCharts Bot 4761e5f2ae BREAKING CHANGE(twofauth): Update image docker.io/2fauth/2fauth 7.0.1 → 8.0.1 (#49958)
This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [docker.io/2fauth/2fauth](https://redirect.github.com/Bubka/2FAuth) |
major | `4209283` → `4a1f329` |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency
Dashboard](../issues/18710) for more information.

Add the preset `:preserveSemverRanges` to your config if you don't want
to pin your dependencies.

---

### Release Notes

<details>
<summary>Bubka/2FAuth (docker.io/2fauth/2fauth)</summary>

###
[`v8.0.1`](https://redirect.github.com/Bubka/2FAuth/blob/HEAD/changelog.md#801---2026-07-05)

[Compare
Source](https://redirect.github.com/Bubka/2FAuth/compare/v8.0.0...v8.0.1)

##### Fixed

- [issue
#&#8203;558](https://redirect.github.com/Bubka/2FAuth/issues/558) docker
container crashes while startup
- [issue
#&#8203;561](https://redirect.github.com/Bubka/2FAuth/issues/561)
Container fails to start when fixing Passport key permissions in
rootless Docker

###
[`v8.0.0`](https://redirect.github.com/Bubka/2FAuth/blob/HEAD/changelog.md#800---2026-06-25)

[Compare
Source](https://redirect.github.com/Bubka/2FAuth/compare/v7.0.1...v8.0.0)

2FAuth already bumps to v8 because of the upgrade of the Laravel PHP
framework it is built on.

> \[!WARNING]
> One of the underlying components has changed the way authentication
tokens are generated, so your personal access tokens will become
invalid. This is, strictly speaking, a breaking change, but the impact
is limited (not everyone uses PAT) and generating new tokens is not a
big deal. I'm sorry about that nonetheless.

Despite the short time that has passed since v7, I found time to make
two improvements to the user experience:

- You can now switch between groups without having to open the selection
menu. Groups are displayed as chips directly below the search bar for
quick switching. The groups displayed in the chips list are the ones you
choose to make visible. A new option is available in the Group edit form
to do so.
- Lengthy pages in the Settings and Admin sections now have a navigation
menu that lets you scrolls to the desired section. Don't be surprised —
I took this opportunity to reorganize the *Settings > Options* page, as
all the additions over time had made it a bit messy.

You can disable any of this from the *Settings > Options* page if you
want to restore the previous behaviour.

This release also includes several security fixes, including one that
affects authentication via a reverse proxy with the following
consequence:

> \[!WARNING]
> To ensure authentication at 2FAuth level, your auth proxy must now be
identified as trusted with the
[TRUSTED\_PROXIES](https://docs.2fauth.app/getting-started/config/env-vars/#trusted_proxies)
environment variable.

##### Added

- Group switching can be done directly from the main view using chips
- The lengthy Settings and Admin pages now come with a quick navigation
menu that lets you scroll directly to the desired section.
- The docker image is now tagged with shifting major and minor tags
([#&#8203;541](https://redirect.github.com/Bubka/2FAuth/issues/541)).

##### New env vars

- `PHP_MEMORY_LIMIT_TEMP_OVERRIDE`: Temporary PHP memory limit applied
during QR code detection to prevent `exhausted memory error`
([doc](https://docs.2fauth.app/getting-started/config/env-vars/#PHP_MEMORY_LIMIT_TEMP_OVERRIDE)).

##### Security fix

- Fix of a possible user impersonation and admin privilege escalation
issue when using an [authentication
proxy](https://docs.2fauth.app/security/authentication/auth-proxy/) (thx
[@&#8203;Dokaoista](https://redirect.github.com/Dokaoista)).
- Fix of SSRF vulnerability via dns rebinding during imageLink resource
fetching (thx [@&#8203;5ud0er / Tarmo
Technologies](https://redirect.github.com/5ud0er)).
- Block IPv6 NAT64 addresses in SSRF guard (thx
[@&#8203;tonghuaroot](https://redirect.github.com/tonghuaroot)).
- Fix missing authorization on share recipients endpoint allowing
cross-user account enumeration (thx
[@&#8203;de3erve-hunter](https://redirect.github.com/de3erve-hunter)).

##### Fixed

- [issue
#&#8203;540](https://redirect.github.com/Bubka/2FAuth/issues/540)
Scan/Import QR Code Not working
- [issue
#&#8203;543](https://redirect.github.com/Bubka/2FAuth/issues/543)
Scan/Import Google Authentificator QR Code
- [issue
#&#8203;549](https://redirect.github.com/Bubka/2FAuth/issues/549)
Unshare action in Manage mode does not remove sharing
- UI elements overlapping during transitions on Manage mode enter/leave

</details>

---

### Configuration

📅 **Schedule**: (UTC)

- Branch creation
  - At any time (no schedule defined)
- Automerge
  - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Renovate
Bot](https://redirect.github.com/renovatebot/renovate).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xMzAuMSIsInVwZGF0ZWRJblZlciI6IjQzLjEzMC4xIiwidGFyZ2V0QnJhbmNoIjoibWFzdGVyIiwibGFiZWxzIjpbImFwcC90d29mYXV0aCIsInJlbm92YXRlL2NvbnRhaW5lciIsInR5cGUvbWFqb3IiXX0=-->
2026-07-07 20:53:02 +02:00

123 lines
3.6 KiB
YAML

# yaml-language-server: $schema=./values.schema.json
image:
repository: docker.io/2fauth/2fauth
pullPolicy: IfNotPresent
tag: 8.0.1@sha256:4a1f329e42b9bdfb625db3094bd6f79a2f44640b6259d4cdb9f336c676bf120e
securityContext:
container:
readOnlyRootFilesystem: false
runAsUser: 1000
runAsGroup: 1000
twofauth:
app:
name: 2FAuth
site_owner: mail@example.com
session_lifetime: 120
trusted_proxies: []
mail:
driver: log
host: ""
port: 587
from: ""
user: ""
pass: ""
# TLS | STARTTLS | SSL
encryption: STARTTLS
from_name: 2FAuth
from_address: changeme@example.com
auth:
# web-guard | reverse-proxy-guard
guard: web-guard
# show if guard uses reverse-proxy-guard
proxy_header_for_user: ""
proxy_header_for_email: ""
proxy_logout_url: ""
webauthn:
name: 2FAuth
id: ""
icon: ""
# required | preferred | discouraged
user_verified: preferred
workload:
main:
podSpec:
containers:
main:
probes:
liveness:
path: /infos
readiness:
path: /infos
startup:
type: tcp
env:
# APP
APP_ENV: local
APP_KEY:
secretKeyRef:
name: twofauth-secret
key: APP_KEY
APP_NAME: "{{ .Values.twofauth.app.name }}"
SITE_OWNER: "{{ .Values.twofauth.app.site_owner }}"
APP_URL: "{{ .Values.chartContext.appUrl }}"
SESSION_LIFETIME: "{{ .Values.twofauth.app.session_lifetime }}"
TRUSTED_PROXIES: '{{ join "," .Values.twofauth.app.trusted_proxies }}'
# MAIL
MAIL_DRIVER: "{{ .Values.twofauth.mail.driver }}"
MAIL_HOST: "{{ .Values.twofauth.mail.host }}"
MAIL_PORT: "{{ .Values.twofauth.mail.port }}"
MAIL_FROM: "{{ .Values.twofauth.mail.from }}"
MAIL_USERNAME: "{{ .Values.twofauth.mail.user }}"
MAIL_PASSWORD: "{{ .Values.twofauth.mail.pass }}"
MAIL_ENCRYPTION: "{{ .Values.twofauth.mail.encryption }}"
MAIL_FROM_NAME: "{{ .Values.twofauth.mail.from_name }}"
MAIL_FROM_ADDRESS: "{{ .Values.twofauth.mail.from_address }}"
# AUTH
AUTHENTICATION_GUARD: "{{ .Values.twofauth.auth.guard }}"
AUTH_PROXY_HEADER_FOR_USER: "{{ .Values.twofauth.auth.proxy_header_for_user }}"
AUTH_PROXY_HEADER_FOR_EMAIL: "{{ .Values.twofauth.auth.proxy_header_for_email }}"
PROXY_LOGOUT_URL: "{{ .Values.twofauth.auth.proxy_logout_url }}"
# WebAuthn:
WEBAUTHN_NAME: "{{ .Values.twofauth.webauthn.name }}"
WEBAUTHN_ID: "{{ .Values.twofauth.webauthn.id }}"
# Optional image data in BASE64 (128 bytes maximum) or an image url
WEBAUTHN_ICON: "{{ .Values.twofauth.webauthn.icon }}"
WEBAUTHN_USER_VERIFICATION: "{{ .Values.twofauth.webauthn.user_verified }}"
# Postgres
DB_CONNECTION: pgsql
DB_DATABASE: "{{ .Values.cnpg.main.database }}"
DB_USERNAME: "{{ .Values.cnpg.main.user }}"
DB_PORT: 5432
DB_HOST:
secretKeyRef:
name: cnpg-main-urls
key: host
DB_PASSWORD:
secretKeyRef:
name: cnpg-main-user
key: password
service:
main:
ports:
main:
protocol: http
targetPort: 8000
port: 8000
persistence:
config:
enabled: true
mountPath: /2fauth
varrun:
enabled: false
cnpg:
main:
enabled: true
user: twofauth
database: twofauth