scale-catalog/stable/meshcentral/14.3.0/ix_values.yaml

1002 lines
55 KiB
YAML
Raw Permalink Normal View History

2024-07-13 07:59:30 +00:00
image:
repository: ghcr.io/ylianst/meshcentral
pullPolicy: IfNotPresent
tag: 1.1.21@sha256:5a328e842d804ba6c28491fc371f0c270a30b053f8f10351c84a0ddede0699d9
workload:
main:
podSpec:
containers:
main:
command:
- node
- meshcentral/meshcentral
securityContext:
container:
readOnlyRootFilesystem: false
runAsNonRoot: false
runAsUser: 0
runAsGroup: 0
# - Values with the character _ in-front of them are pruned. Add or remove _ to disable or enable options
# - More in-depth info for each options can be found here: https://github.com/Ylianst/MeshCentral/blob/master/meshcentral-config-schema.json
# - Check for this chart's specific info in our webpage https://truecharts.org
# - Last sync with upstream config schema: Oct 29, 2022
# - Any service that uses port other than 443, need to be manually configured.
meshcentral:
settings:
# - The actual main port as seen externally on the Internet, this setting is often used when a reverse-proxy is used.
aliasPort: 443
# - When set, relayPort value is ignored. Set this to a DNS name the points to this server. When the server is accessed using the DNS name, the main web server port is used as a web relay port.
relayDNS: []
# - Automatically downloads all agent error logs into meshcentral-data/agenterrorlogs.txt.
agentLogDump: false
# - Automatically activates and transfers any agent crash dump files to the server in meshcentral-data/coredumps.
agentCoreDump: false
# - List of non-administrator users that have access to mesh agent crash dumps.
_agentCoreDumpUsers: []
# - When code signing an agent using authenticode, lock the agent to only allow connection to this server. (This is in testing, the default value will change to true in the future).
_agentSignLock: false
# - The time stamping server to use when code signing Windows executables. When set to false, the executables are not time stamped.
_agentTimeStampServer: http://timestamp.comodoca.com/authenticode
# - The HTTP proxy to use when contacting the time stamping server, if false, no proxy is used. By default, the npmproxy value is used.
_agentTimeStampProxy:
# - When set to true, MeshCentral will only grab the required TCP listening ports or fail. It will not try to use the next available port of it's busy.
_exactPorts: false
# - Set this to the primary DNS name of this MeshCentral server.
cert: mc.domain.com
# - Force MeshCentral to use the HTTPS and MPS certificates even if the name does not match the expected DNS value.
keepCerts: false
# - When enabled, only MeshCentral WAN features are enabled and agents will connect to the server using a well known DNS name.
WANonly: false
# - When enabled, only MeshCentral LAN features are enabled and agents will find the server using multicast LAN packets.
LANonly: false
allowLoginToken: false
# - Controls the Strict-Transport-Security header, default is 1 year. Set to false to remove, true to force enable, or string to set a custom value. If set to null, MeshCentral will enable if a trusted certificate is set.
_StrictTransportSecurity: null
# - When enabled, the MeshCentral web site can be embedded within another website's iframe.
allowFraming: false
# - Options: strict | lax | none | true
_cookieIpCheck: lax
# - When enabled, allows use of WebRTC to allow direct network traffic between the agent and browser.
webRTC: false
# - By default, a nice looking 404 error page is displayed when needed. Set this to false to disable it.
nice404: true
# - When specified, sends data to the browser at x seconds interval and expects a response from the browser.
_browserPing: 300
# - When specified, sends data to the browser at x seconds interval.
_browserPong: 300
# - Loads all agent binaries in RAM for faster agent updates.
_agentsInRam: false
# - When specified, sends data to the agent at x seconds interval and expects a response from the agent.
_agentPing: 300
# - When specified, sends data to the agent at x seconds interval.
_agentPong: 300
# - When enabled, MeshCentral will automatically monitor and manage Intel AMT devices.
_amtManager: true
# - If an agent attempts to connect to a unknown device group, automatically create a new device group and grant access to the specified user. Example: admin
_orphanAgentUser: null
# - How much time in seconds with no traffic from an agent before dropping the agent connection.
_agentIdleTimeout: 150
# - Adds a random length string to generated web pages to mitigate a BREACH attack.
_webPageLengthRandomization: true
# - Enables GZIP compression for web requests.
compression: true
# - Enables server-side, websocket per-message deflate compression.
wsCompression: true
# - Enables agent-side, websocket per-message deflate compression. wscompression must also be true for this to work.
agentWsCompression: true
# - Set to 1 to present the server from updating any agent.
_noAgentUpdate: 0
# - When set to 2, all agents that need to be updated will use the meshcore.js update system. With the default value of 1, the native update system is used.
_agentUpdateSystem: 1
# - Set to false to not allow temporary agents to be updated.
_temporaryAgentUpdate: true
# - Set to false to disable Intel AMT scanning on the local network, this is already disabled in WAN mode.
_amtScanner: true
# - Set to false to disable agent multicast scanning on the local network, this is already disabled in WAN mode.
_meshScanner: true
# - When false, users will only be able to set remote desktop image quality to 60%, this can reduce server bandwidth usage.
_allowHighQualityDesktop: true
# - When set with a valid email address, enables the MeshCentral web push notification feature. Allows administrators to send browser notifications to users even if they are not looking at the MeshCentral web site.
_webPush:
# - Server administrator email given to the FireFox and Chrome push notification services.
email: null
# - Duration of a session cookie in minutes. Changing this affects how often the session needs to be automatically refreshed.
sessionTime: 60
# - Options: strict | lax | none
sessionSameSite: lax
# - Amount of time to keep various events in the database, in seconds.
dbExpire:
# - Amount of time in seconds that events are kept in the database.
events: 1728000
# - Amount of time in seconds that device power events are kept in the database.
powerevents: 864000
# - Amount of time in seconds that server statistics are kept in the database.
statsevents: 2592000
# - Execute this when the server startup is completed. The first parameter will be the server version.
_RunOnServerStarted: null
# - Execute this when the server has been updated. The first parameter will be the server version.
_RunOnServerUpdated: null
# - Execute this when the server has to restart due to an error. The first parameter will be the server version.
_RunOnServerError: null
# - When true, this server uses MeshCentral.com a push notification relay for Android notifications. Push notifications work even if the Android app is not open.
_publicPushNotifications: false
# - When true, enabled a server modules that efficiently splits a remote desktop stream to multiple browsers. Also allows slow browsers to not slow down the session for fast ones, this comes at the cost of extra server memory and processing for all remote desktop sessions.
_desktopMultiplex: false
# - If set, a user from a banned IP address will be redirected to this URL.
_ipBlockedUserRedirect: null
# - When set, only users from allowed IP address ranges can connect to the server. Example: 192.168.2.100,192.168.1.0/24
_userAllowedIP: null
# - When set, users from these denied IP address ranges will not be able to connect to the server. Example: 192.168.2.100,192.168.1.0/24
_userBlockedIP: null
# - When set, only agents from allowed IP address ranges can connect to the server. Example: 192.168.2.100,192.168.1.0/24
_agentAllowedIP: null
# - When set, agents from these denied IP address ranges will not be able to connect to the server. Example: 192.168.2.100,192.168.1.0/24
_agentBlockedIP: null
# - File path and name of the authentication log to be created. This log can be parsed by Fail2ban.
_authLog: null
# - Users in this list are allowed to send and receive inter-user messages. This can be used to implement bots or other software where MeshCentral is used as data transport. See interuser websocket command in the code.
_InterUserMessaging: []
# - Users in this list are allowed to see and manage all device groups within their domain.
_manageAllDeviceGroups: []
# - Users in this list are allowed to manage all users in all domains.
_manageCrossDomain: []
# - When this server is in LAN mode, you may discover this server using a multicast discovery tool. When discovery happens, the name and info fields are sent back to the discovery tool.
_localDiscovery:
name: null
info: null
# - When set, encrypts all LAN discovery traffic to agents and tools using this key. This is only useful in LAN/Hybrid mode when agents and tools user multicast to find the server.
key: null
# - When true, indicates that a TLS offloader is in front of the MeshCentral server. More typically, set this to the IP address of the reverse proxy or TLS offloader so that IP forwarding headers will be trusted. For example: 127.0.0.1,192.168.1.100
_tlsOffload: false
# - Trust forwarded headers from these IPs or domains. Providing the magic string "CloudFlare" will cause the server to download the IP address list of trusted CloudFlare proxies directly from CloudFlare on each server start. For example: 127.0.0.1,proxy.example.com,CloudFlare
_trustedProxy: null
# - The Management Presence Server (MPS), this is the server that received Intel AMT Client Initiated Remote Access (CIRA) connections.
_mpsPort: 4433
_mpsAliasPort: null
_mpsAliasHost: null
# - When set to true, indicate that TLS is being performed by a device in front of MeshCentral.
_mpsTlsOffload: false
# - When set to true, the MPS server will only accept TLS 1.2 and 1.3 connections. Older Intel AMT devices will not be able to connect.
_mpsHighSecurity: false
# - Send syslog events over the network (RFC3164) to a target hostname:port. For example: localhost:514
_syslogtcp: null
# - The STUN servers used for WebRTC, if not specified the Google and Mozilla servers and used when the server is not in LAN mode.
_webrtcConfig:
iceServers:
- urls: ""
# - Enabled the MeshCentral built-in Crowdsec bouncer. This section is passed directly to the bouncer, all of the settings are documented at https://www.npmjs.com/package/@crowdsec/express-bouncer
_crowdsec:
# - The URL of your LAPI instance. Ex: http://localhost:8080
url: null
# - The bouncer key (generated via cscli).
apiKey: null
# - Action to perform if the CrowdSec agent can't be contacted. Options: bypass | captcha | ban
failbackRemediation: ban
autobackup:
mongoDumpPath: /usr/bin/mongodump
backupIntervalHours: 24
keepLastDaysBackup: 10
zipPassword: ""
backupPath: /opt/meshcentral/meshcentral-backup
# - Enabled automated upload of the server backups to a Google Drive account, once enabled you need to go in "My Server" tab as administrator to associate the account.
_googleDrive:
# - The name of the folder to create in the Google Drive account.
folderName: MeshCentral-Backups
# - The maximum number of files to keep in the Google Drive folder, older files will be removed if needed.
maxFiles: 10
# - Enabled automated upload of the server backups to a WebDAV account.
_webdav:
# - WebDAV account URL.
url: ""
# - WebDAV account username.
username: ""
# - WebDAV account password.
password: ""
# - The name of the folder to create in the WebDAV account.
folderName: MeshCentral-Backups
# - The maximum number of files to keep in the WebDAV folder, older files will be removed if needed.
maxFiles: 10
_redirects:
meshcommander: https://www.meshcommander.com/
# - This section described a policy for how many times an IP address is allowed to attempt to login incorrectly. By default it's 10 times in 10 minutes, but this can be changed here.
maxInvalidLogin:
# - Ranges of IP addresses that are not subject to invalid login limitations. For example: 192.168.1.0/24,172.16.0.1
_exclude: ""
# - Time in minutes over which the a maximum number of invalid login attempts is allowed from an IP address.
time: 10
# - Maximum number of invalid login attempts from an IP address in the time period.
count: 10
# - Additional time in minute that login attempts will be denied once the invalid login limit is reached.
coolofftime: 30
# - This section described a policy for how many times an IP address is allowed to attempt to perform two-factor authentication (2FA) incorrectly. By default it's 10 times in 10 minutes, but this can be changed here.
maxInvalid2fa:
# - Ranges of IP addresses that are not subject to invalid 2FA limitations. For example: 192.168.1.0/24,172.16.0.1
_exclude: ""
# - Time in minutes over which the a maximum number of invalid 2FA attempts is allowed from an IP address.
time: 10
# - Maximum number of invalid 2FA attempts from an IP address in the time period.
count: 10
# - Additional time in minute that 2FA attempts will be denied once the invalid login limit is reached.
coolofftime: 30
# - When present, this section will enable the Intel AMT provisioning server on the local network. This is used for Intel AMT bare-metal ACM activation.
_amtProvisioningServer:
# - Port number that provisioning server will listen to.
port: 9971
# - The agent-less device group to add Intel AMT devices to once they are activated. Must be of format: mesh/domain/id
deviceGroup: null
# - The MEBX password to set during activation. This password must be at least 8 characters long and have 1 lower, 1 upper, 1 alpha-numeric and 1 non-alpha numeric character.
newMebxPassword: null
# - The trusted FQDN or provisioning server value the remote device will have. This can be set in MEBx or using the DHCP server option 15 on the local network.
trustedFqdn: null
# - The IP address of this server. This address will be used when creating the USB setup.bin file to indicate what IP address to send the hello data to.
ip: null
plugins:
enabled: false
# - Connects MeshCentral to the SendGrid email server, allows MeshCentral to send email messages for 2FA or user notification.
_sendgrid:
# - Email address used in the messages from field.
from: null
# - The SendGrid API key.
apiKey: null
# - When set to false, the email format and DNS MX record are not checked.
verifyemail: true
_smtp:
# - Optional hostname of the client, this defaults to the hostname of the machine. This is useful for SMTP relays.
name: null
# - Hostname of the SMTP server.
host: null
# - SMTP server port number.
port: null
# - Email address used in the messages from field.
from: null
tls: true
_auth:
clientId: null
clientSecret: null
refreshToken: null
tlscertcheck: true
tlsstrict: true
# - When set to false, the email format and DNS MX record are not checked
verifyemail: true
# - Connects MeshCentral to a SMS text messaging provider, allows MeshCentral to send SMS messages for 2FA or user notification. Options: One of the following blocks
_sms:
# - twillio
provider: twillio
sid: null
auth: null
from: null
# # - plivo
# provider: plivo
# id: null
# token: null
# from: nyll
# # - telnyx
# provider: telnyx
# apikey: null
# from: null
# # - url
# provider: url
# url: "tc.common.names.fullname"
# - This section allow MeshCentral to send messages over user messaging networks like Telegram
_messaging:
# - Configure Telegram messaging system
_telegram:
apiid: ""
apihash: ""
session: ""
# - Configure Discord messaging system
_discord:
# - An optional HTTP link to the discord server the user must join to get notifications.
serverurl: ""
# - A Discord bot token that MeshCentral will use to login to Discord.
token: ""
# - Configure XMPP messaging system
_xmpp:
service: ""
credentials:
username: ""
password: ""
# - Any settings in this section is used as default setting for all domains
_domaindefaults:
title: Default Title
domains:
"":
# - HTTPS URL when to get the TLS certificate that MeshAgent's will see when connecting to this server. This setting is used when a reverse proxy like Traefik is used in front of MeshCentral.
certUrl: https://mc.domain.com
# - The title of this web site. All web pages will have this title.
title: MeshCentral
# - Secondary title text that is placed on the upper right on the title on many web pages.
title2: TrueCharts
# - When enabled, the server will send reduced sized web pages.
minify: true
# - 0 = User selects day/night mode, 1 = Always night mode, 2 = Always day mode
nightMode: 0
# - Valid numbers are 1 and 2, changes the style of the login page and some secondary pages.
siteStyle: 2
# - When set to false, this setting will disable the mobile site.
mobileSite: true
# - Set to true to enable IP KVM device support in this domain.
ipkvm: false
# - When set to true, allow new user accounts to be created from the login page.
newAccounts: false
# - When set this password will be required in order to create a new account from the login screen.
_newAccountsPass: ""
# - When set to true, users will get a CAPTCHA when creating a new account from the login screen.
_newAccountsCaptcha: false
_newAccountsUserGroups: []
# - When enabled, the username of each account is also the email address of the account.
userNameIsEmail: false
_newAccountsRights: []
_newAccountEmailDomains: []
# - The maximum number of devices a user can see on the devices page at the same time. By default all devices will show, but this may need to be limited on servers with large number of devices.
_maxDeviceView: 1000
_userQuota: 1048576
_meshQuota: 248576
# - Requires that users add the value ?key=xxx in the URL in order to see the web site.
_loginKey: []
# - Requires that agents add the value ?key=xxx in the URL in order to connect. This is not automatic and needs to be manually added in the meshagent.msh file.
_agentKey: []
# - Web site .png logo file that is 450x66 in size placed in meshcentral-data that is used on the top of many pages.
_titlePicture: ""
# - Web site .png logo file placed in meshcentral-data that used on the login page when sitestyle is 2.
_loginPicture: ""
# - Redirects HTTP root requests to this URL. When in use, direct users to /login to see the normal login page.
_rootRedirect: ""
# - Redirects HTTP root requests to this URL only where user is not already logged in. When in use, direct users to /login to see the normal login page.
_unknownUserRootRedirect: ""
# - Text that will be shown on the login screen.
welcomeText: Welcome to TrueCharts MeshCentral
# - Name of the PNG or JPEG file that will be shown on the login screen. Put this file in the meshcentral-data folder and place the file name here.
_welcomePicture: null
# - When enabled, the welcomePicture will show as a fullscreen background on the login screen.
_welcomePictureFullScreen: false
# - Text that will be displayed on the top of the messenger window when no username or device name is displayed.
_meshMessengerTitle: TrueCharts MeshCentral
# - Name of a .png image file that is placed in meshcentral-data that is displayed on the top of the messenger web page. When null, the default image is displayed.
_meshMessengerPicture: null
# - Sum of: 1 = Hide header, 2 = Hide tab, 4 = Hide footer, 8 = Hide title, 16 = Hide left bar, 32 = Hide back buttons
_hide: 0
# - This is a HTML string displayed at the bottom of the web page when a user is logged in.
_footer: null
# - This is a HTML string displayed at the bottom of the web page when a user is not logged in.
_loginfooter: null
# - Allow users to save SSH, RDP, VNC device credentials on the server that can be used by any other user.
_allowSavingDeviceCredentials: true
# - This value is normally auto-detected, when set to true, MeshCentral assumes that the TLS certificate comes from a trusted CA and will insure download tools perform certificate checking.
_trustedCert: null
# - When set to false, the desktop/terminal sharing link feature is not available.
_guestDeviceSharing:
# - When set, limits the maximum length of a guest session, in minutes.
maxSessionTime: null
# - Number of days a device can be inactive before it's removed. 0 disables this feature. Device group setting will override this value.
_autoRemoveInactiveDevices: 0
# - When set to true, the devices search box will match on both the server name and client name of a device.
_deviceSearchBarServerAndClientName: false
# - When set to true, MeshCentral Assistant can create it's own guest sharing links.
_agentSelfGuestSharing:
# - When set, limits the self-created guest sharing link to this number of minutes.
expire: null
# - When set, your can try click the run button to run on of these scripts on the remote device.
_PreconfiguredScripts:
# - Name of the script.
- name: null
# - The type of script. Options: bat | ps1 | sh | agent
type: null
# - How to run this script, does not apply to agent scripts. Options: agent | userfirst | user
runas: null
# - The command or \\r\\n separated commands to run, if set do not use the file key.
_cmd: null
# - The script file path and name, if set do not use the cmd key. This file path starts in meshcentral-data.
file: null
# - When set, you can right click on the input button in the desktop tab and instantly remotely type one of these pre-configured strings.
_preConfiguredRemoteInput:
# - Name of the text string.
- name: null
# - Text string that will be remotely typed when selected.
value: null
_altMessenging:
# - Name of the alternative messaging service, for example: "Jitsi".
- name: null
# - URL to the alternative messaging services, for example: "https://meet.jit.si/myserver-{0}", for a device {0}, {1}, {2}, {3} is the device id. For a user, {0} is the userid, {1} is full userid with dashes, {2} is real name with no spaces, {3} is real name with dash instead of spaces.
url: null
# - If specified, this is the URL that is used on the administrator side, for example: "https://meet.jit.si/myserver-{0}", for a device {0}, {1}, {2}, {3} is the device id. For a user, {0} is the userid, {1} is full userid with dashes, {2} is real name with no spaces, {3} is real name with dash instead of spaces.
localurl: null
# - Indicate if this button should be shown in the user or device type. If omitted, it will be displayed in both. Options: null | user | device
type: null
deviceMeshRouterLinks:
# - Display a RDP link in the device tab when supported
rdp: true
# - Display a SSH link in the device tab when supported
ssh: true
# - Display a SCP link in the device tab when supported
scp: true
_extralinks:
# - Name of the link to be displayed on the web site.
- name: null
# - Protocol. Valid values are: Options: custom | http | https | rdp | ssh | scp | mcrdesktop | mcrfiles.
protocol: null
# - The port on the remote device.
port: null
# - Target IP address. If not specified, the target of the connection is the remote device running the MeshAgent.
ip: null
# - The local port MeshCentral Router would bind to. By default, a random available port is used.
localport: null
# - Array of node/<domain>/<id> or mesh/<domain>/<id> or tag:<tag> strings. When set, the link will only show up for the specified devices, device groups or device tag.
filter: []
myServer:
# - Allows administrators to backup the server from the My Server tab. This option can only enabled when the NeDB database is in use. For other databases, this option disabled and the setting is ignored.
Backup: true
# - Allows administrators to restore the server from the My Server tab. This option can only enabled when the NeDB database is in use. For other databases, this option disabled and the setting is ignored.
Restore: true
# - Allows administrators to see the server crash log the server from the My Server tab.
ErrorLog: true
# - Allows administrators to access the server console from the My Server tab.
Console: true
# - Allows administrators to access the server trace tab from from the My Server tab.
Trace: true
_passwordRequirements:
# - Minimum number of characters allowed for the account password.
min: null
# - Maximum number of characters allowed for the account password.
max: null
# - Minimum number of upper case characters required in the password.
upper: null
# - Minimum number of lower case characters required in the password.
lower: null
# - Minimum number of numeric characters required in the password.
numeric: null
# - Minimum number of non-alpha-numeric characters required in the password.
nonalpha: null
# - Number of days after which the user is required to change the account password.
reset: null
# - Set to false to disable email 2FA.
email2factor: true
# - Set to false to disable SMS 2FA.
sms2factor: true
# - Set to false to disable push notification 2FA.
push2factor: true
# - Set to false to disable one-time-password 2FA.
otp2factor: true
# - Set to false to disable user messaging 2FA.
msg2factor: true
# - Set to false to disable 2FA backup codes.
backupcode2factor: true
# - Set to false to disable single 2FA warning.
single2factorWarning: true
# - When set to true, prevents any changes to 2FA.
lock2factor: false
# - Requires that all accounts setup 2FA.
force2factor: false
# - IP addresses where 2FA login is skipped, for example: 127.0.0.1,192.168.2.0/24
skip2factor: null
# - Number of old passwords the server should remember and not allow the user to switch back to.
oldPasswordBan: null
# - Uses WildLeek to block use of the 10000 most commonly used passwords.
banCommonPasswords: true
# - Allows users to create alternative username/passwords for their account. Set to false to disallow all users, or set to a userid array to only all some users.
loginTokens: true
# - Maximum about of time the to wait for a 2FA token on the login page in seconds.
twoFactorTimeout:
# - If true and user account has FIDO key setup, 2FA login screen will automatically request FIDO 2FA.
autofido2fa: false
# - Maximum number of FIDO/YubikeyOTP hardware 2FA keys that can be setup in a user account.
maxfidokeys: null
# - If set to false, the account reset option on the login screen will not be available to users.
allowaccountreset: true
# - Number of days that a user is allowed to remember this device for when completing 2FA. Set this to 0 to remove this option.
_twoFactorCookieDurationDays: 30
# - Type of user authentication to use, this can be SSPI on Windows or LDAP. If not set, username/password is used. Options: null | sspi | ldap
_auth: null
# - The LDAP value to use as a user's unique account identifier. Use "ldapUserKey" or "ldapUserBinaryKey".
_ldapUserKey: null
# - The LDAP value to use as a user's unique account identifier, when specified in this field, the values will be HEX converted.
_ldapUserBinaryKey: objectSid
# - The LDAP value to use for the user name, you can also compose the name by setting this value to, for example: "{{{givenName}}} {{{sn}}}"
_ldapUserName: displayName
# - The LDAP value to use for the user's email address.
_ldapUserEmail: mail
# - The LDAP value to use for the user's real name, you can also compose the name by setting this value to, for example: "{{{givenName}}} {{{sn}}}"
_ldapUserRealName: name
# - The LDAP value to use for the user's phone number.
_ldapUserPhoneNumber: telephoneNumber
# - The LDAP value to use for the user's image.
_ldapUserImage: thumbnailPhoto
# - When set to a filename, for example /opt/meshcentral/meshcentral-data/ldapusers.txt, MeshCentral will save the LDAP user object to this file each time a user logs in. This is used for debugging LDAP issues.
_ldapSaveUserToFile: null
# - The LDAP value to use for the user's group memberships.
_ldapUserGroups: memberOf
# - When set to true or set to an object, MeshCentral will synchronize LDAP user memberships to MeshCentral user groups.
_ldapSyncWithUserGroups:
# - When set to a string or array of strings, only LDAP membership groups that includes one of the strings will be synchronized with MeshCentral user groups.
filter: []
# - A list of LDAP groups. Users must be part of at least one of these groups to allow login. If null, all users are allowed to login.
_ldapUserRequiredGroupMembership: []
# - LDAP options passed to ldapauth-fork
_ldapOptions:
URL: "ldap://1.2.3.4:389"
BindDN: "CN=svc_meshcentral,CN=Users,DC=meshcentral,DC=local"
BindCredentials: "Password.1"
SearchBase: "DC=meshcentral,DC=local"
SearchFilter: "(sAMAccountName={{username}})"
# - Enabled a feature where you can set one or more invitation codes in a device group. You can then give a invitation link to users who can use it to download the agent.
_agentInviteCodes: false
# - When enabled, all newly installed MeshAgents will be instructed to no use a HTTP/HTTPS proxy even if one is configured on the remote system
_agentNoProxy: false
# - This section is used to indicate if parts of the meshagent.tag file should be used to set server-side device properties.
_agentTag:
# - Action taken if one of the lines in meshagent.tag contains ~ServerName:name. 0=Ignore, 1=Set.
ServerName: 0
# - Action taken if one of the lines in meshagent.tag contains ~ServerDesc:desc. 0=Ignore, 1=Set, 2=SetIfEmpty.
ServerDesc: 0
# - Action taken if one of the lines in meshagent.tag contains ~ServerTags:tag1,tag2,tag3. 0=Ignore, 1=Set, 2=SetIfEmpty, 3=Append.
ServerTags: 0
# - Enables the geo-location feature and device location map in the user interface, this feature is not being worked on.
geoLocation: true
# - When enabled, activates the built-in web-based VNC client.
novnc: true
# - When enabled, activates the built-in web-based RDP client.
mstsc: true
# - When enabled, activates the built-in web-based SSH client.
ssh: true
# - Path where to find custom email templates for this domain.
_webEmailsPath: null
_customUI: null
# - This section is used to customize user consent prompts, these show up when asking if a remote session is allowed or not.
_consentMessages:
Title: null
Desktop: null
Terminal: null
Files: null
# - How long in seconds to show the user consent dialog box.
consentTimeout: 30
# - If true, user consent is accepted after the timeout.
autoAcceptOnTimeout: false
# - This section is user to customize user notifications when a remote desktop, terminal or file session is connected to a remote system.
_notificationMessages:
Title: null
Desktop: null
Terminal: null
Files: null
# - Use this section to customize the agent branding.
_agentCustomization:
# - The name of the agent as displayed to the user.
displayName: MeshCentral Agent
# - The description of the agent as displayed to the user.
description: Mesh Agent Background Service
# - This will be used as the path to install the agent, by default this is 'Mesh Agent' in Windows and 'meshagent' in other OS's.
companyName: Mesh Agent
# - The name of the background service, by default this is 'Mesh Agent' in Windows and 'meshagent' in other OS's but should be set to an all lower case, no space string.
serviceName: Mesh Agent
# - Text string to show in the agent installation dialog box.
installText: null
# - The filename of a image file in .png format located in meshcentral-data to display in the MeshCentral Agent installation dialog, image should be square and from 64x64 to 200x200.
image: null
# - The agent filename.
fileName: meshagent
# - Foreground text color, valid values are RBG in format 0,0,0 to 255,255,255 or format #000000 to #FFFFFF.
foregroundColor: null
# - Background color, valid values are RBG in format 0,0,0 to 255,255,255 or format #000000 to #FFFFFF.
backgroundColor: null
# - Use this section to set resource metadata of the Windows agents prior to signing. In Windows, you can right-click and select properties to view these values.
_agentFileInfo:
# - Sets the agent icon, this is the name of a .ico file with the file placed in the meshcentral-data folder.
icon: null
# - Executable file description.
fileDescription: null
# - Executable file version, in the form of 'n.n.n.n', for example: '1.2.3.4'.
fileVersion: null
# - Executable internal name.
internalName: null
# - Executable legal copyright.
legalCopyright: null
# - Executable original file name.
originalFilename: null
# - Executable product name.
productName: null
# - Executable product version. Any string format will work, but a alphabetic character is required for this value to show correctly in the Windows property box. For example: 'v1.2.3.4' will work, but '1.2.3.4' will not.
productVersion: null
# - Use this section to customize the MeshCentral Assistant.
_assistantCustomization:
# - Name to show as MeshCentral Assistant dialog title.
title: MeshCentral Assistant
# - The filename of a image file in .png format located in meshcentral-data to display in MeshCentral Assistant, image should be square and from 64x64 to 128x128.
image: null
# - The MeshCentral Assistant filename.
fileName: meshagent
# - Use this section to customize the MeshCentral Agent for Android.
_androidCustomization:
# - Displayed on top of the MeshCentral Agent for Android.
title: MeshCentral Agent
# - Subtitle displayed until the title on the toolbar.
subtitle: null
# - The filename of a image file in .png format located in meshcentral-data to display in MeshCentral Agent for Android, image should be square and from 64x64 to 128x128.
image: null
# - If set, a user from a banned IP address will be redirected to this URL."
_ipBlockedUserRedirect: null
# - When set, requires that a browser request have set HTTP header to allow user login. Example: '{ "Sec-Fetch-Dest": "iframe" }'
_userRequiredHttpHeader: null
# - When set, only users from allowed IP address ranges can connect to the server. Example: "192.168.2.100,192.168.1.0/24"
_userAllowedIP: null
# - When set, users from these denied IP address ranges will not be able to connect to the server. Example: "192.168.2.100,192.168.1.0/24"
_userBlockedIP: null
# - When set, only agents from allowed IP address ranges can connect to the server. Example: "192.168.2.100,192.168.1.0/24"
_agentAllowedIP: null
# - When set, agents from these denied IP address ranges will not be able to connect to the server. Example: "192.168.2.100,192.168.1.0/24"
_agentBlockedIP: null
# - When set, idle users will be disconnected after a set amounts of minutes.
_userSessionIdleTimeout: null
# - Use this section to require user consent for this domain.
_userConsentFlags:
# - Enable desktop notification for this domain.
desktopnotify: false
# - Enable terminal notification for this domain.
terminalnotify: false
# - Enable files notification for this domain.
filenotify: false
# - Enable desktop prompt for this domain.
desktopprompt: false
# - Enable terminal user prompt for this domain.
terminalprompt: false
# - Enable files prompt for this domain.
fileprompt: false
# - Enable remote desktop privacy bar for this domain.
desktopprivacybar: false
# - When users navigate thru the web interface, the URL on top will change to point to the current screen. This allows a user to refresh or bookmark the URL and come back to the correct screen. Setting false here will disable this feature.
_urlSwitching: true
# - This is the text that will be shown in the remote desktop privacy bar. You can use {0} to display the account realname or {1} to display the account identifier in the string.
_desktopPrivacyBarText: null
_limits:
# - Maximum number of devices in this domain.
MaxDevices: null
# - Maximum number of devices in this domain.
MaxUserAccounts: null
# - Maximum number of user sessions that can connect to this server for this domain.
MaxUserSessions: null
# - Maximum number of agents that can connect to this server for this domain.
MaxAgentSessions: null
# - Maximum number of sessions a single user can have. Each time a user opens a new browser tab or opens a new browser on a different computer, a new user session is created.
MaxSingleUserSessions: null
# - Values that affect the files feature
_files:
# - When false, removes the 'SFTP Connect' button from the files tab unless this is the only possible option.
sftpConnect: true
# - Values that affect the terminal feature
_terminal:
# - When false, removes the 'SSH Connect' button from the terminal tab unless this is the only possible option.
sshConnect: true
# - Indicate what terminal options are available when the user clicks the right mouse button on the terminal connect button. Options: any | root | user | login
linuxShell: any
# - Indicate what string the agent must write to the shell after starting a terminal session
launchCommand:
# - String to write after opening a Linux terminal.
linux: alias ls=\\'ls --color=auto\\';clear\\n
# - String to write after opening a macOS terminal.
darwin: null
# - String to write after opening a FreeBSD terminal.
freebsd: null
# - Values that affect the desktop feature"
_desktop:
# - When set to true, the remote desktop feature is view only.
viewonly: false
# - List of local network Intel AMT scanning options offered in the user interface. For example ["LabNetwork 192.168.15.0/23", "SalesNetwork 192.168.8.0/24"].
_amtScanOptions:
- Network 192.168.1.0/24
# - Information passed to the AMT manager module that impacts all Intel AMT device managed within this domain.
_amtManager:
# - When set to false, MeshCentral will use TLS to connect to Intel AMT, this is not recommended.
TlsConnections: true
# - When set to false, MeshCentral will not attempt a TLS ACM activation on Intel AMT v14+
TlsAcmActivation: false
# - List of username and passwords to try when connecting to Intel AMT.
AdminAccounts:
# - Intel AMT administrator username.
- user: admin
# - Intel AMT administrator password.
pass: null
# - List of up to 4 domain suffixes to configure in Intel AMT when activating CIRA.
EnvironmentDetection: []
# - Specifies a certificate and private key to use to issue Intel AMT TLS certificates. By default the MeshCentral self-signed root certificate is used.
TlsRootCert:
# - Name of the certificate file that is in .p12 or .pfx format in meshcentral-data, use this with certpfxpass.
certpfx: null
# - Password for the file specified in certpfx.
certpfxpass: null
# - Name of the certificate file in PEM format located in meshcentral-data. Using this with keyfile.
certfile: null
# - Name of the private key file in PEM format located in meshcentral-data. Using this with certfile.
keyfile: null
# - List of WIFI profiles to setup in any managed Intel AMT device with a WIFI network interface.
WifiProfiles:
# - WIFI profile name, if not specified the SSID is used.
name: null
# - SSID of the WIFI station.
ssid: null
# - WIFI authentication. Options: wpa-psk | wpa2-psk | wpa-8021x | wpa2-802.1x | wpa3-sae-802.1x | wpa3-owe-802.1x
authentication: wpa2-psk
# - WIFI encryption. Options: ccmp-aes | tkip-rc4
encryption: ccmp-aes
# - Password on the WIFI station
password: null
# - 802.1x settings for this WIFI profile. Only required if the WIFI authentication type has 802.1x
_802.1x:
# - Identifies the authentication protocol used to authenticate the access requestor to the AAA server. Options: EAP-TLS | EAP-TTLS/MSCHAPv2 | PEAPv0/EAP-MSCHAPv2 | PEAPv1/EAP-GTC | EAP-FAST/MSCHAPv2 | EAP-FAST/GTC | EAP-MD5 | EAP-PSK | EAP-SIM | EAP-AKA | EAP-FAST/TLS | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10
authenticationProtocol: null
# - Determines the comparison algorithm used between the ServerCertificateName value and the subject name field of the certificate presented by the AAA server. Options: Fullname | DomainSuffix | 2 | 3
serverCertificateNameComparison: FullName
# - The name compared against the subject name field in the certificate provided by the AAA server.
serverCertificateName: null
# - Indicates the activity setting of the 802.1X module in H0 state
availableInS0: true
# - A credential used by the supplicant and AAA server to establish a mutually authenticated encrypted tunnel for confidential user authentication.
protectedAccessCredentialHex: null
# - Optional password to extract the PAC (Protected Access Credential) information from the PAC data.
pacPassword: null
# - The domain within which Username is unique.
domain: null
# - Within the domain specified by Domain, Identifies the user that is requesting access to the network.
username: null
# - The password associated with the user identified by Username and Domain.
password: null
# - A string presented to the authentication server in 802.1x protocol exchange
roamingIdentity: null
# - Timeout in seconds, in which the Intel(R) AMT will hold an authenticated 802.1X session.
pxeTimeoutInSeconds: 120
# - 802.1x settings for the Intel AMT Wired interface. If set to false, any existing 802.1x wired profile will be removed from Intel AMT.
_802.1x:
# - Identifies the authentication protocol used to authenticate the access requestor to the AAA server. Options: EAP-TLS | EAP-TTLS/MSCHAPv2 | PEAPv0/EAP-MSCHAPv2 | PEAPv1/EAP-GTC | EAP-FAST/MSCHAPv2 | EAP-FAST/GTC | EAP-MD5 | EAP-PSK | EAP-SIM | EAP-AKA | EAP-FAST/TLS | 0 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10
authenticationProtocol: null
# - Determines the comparison algorithm used between the ServerCertificateName value and the subject name field of the certificate presented by the AAA server. Options: Fullname | DomainSuffix | 2 | 3
serverCertificateNameComparison: FullName
# - The name compared against the subject name field in the certificate provided by the AAA server.
serverCertificateName: null
# - Indicates the activity setting of the 802.1X module in H0 state
availableInS0: true
# - A credential used by the supplicant and AAA server to establish a mutually authenticated encrypted tunnel for confidential user authentication.
protectedAccessCredentialHex: null
# - Optional password to extract the PAC (Protected Access Credential) information from the PAC data.
pacPassword: null
# - The domain within which Username is unique.
domain: null
# - Within the domain specified by Domain, Identifies the user that is requesting access to the network.
username: null
# - The password associated with the user identified by Username and Domain.
password: null
# - A string presented to the authentication server in 802.1x protocol exchange
roamingIdentity: null
# - Timeout in seconds, in which the Intel(R) AMT will hold an authenticated 802.1X session.
pxeTimeoutInSeconds: 120
_amtAcmActivation:
log: null
# - When set to true, the certificate common name needs to match exactly the Intel AMT trusted FQDN or DHCP Option 15. If false, some flexibility may be given to the matching.
strictCommonName: false
certs:
certfiles: null
keyfile: null
# - This is used to create HTTP redirections. For example setting "redirects": { "example": "https://example.com" } will make it so that anyone accessing /example on the server will get redirected to the specified URL.
_redirects:
example: https://example.com
example1: https://example1.com
_yubikey:
id: null
secret: null
proxy: null
_httpHeaders: null
# - Key and values to add to the MeshAgent .msh file
agentConfig:
# - Needed if you use traefik https://github.com/traefik/traefik/issues/4487
- webSocketMaskOverride=1
# - Key and values to add to the MeshCentral Assistant .msh file
_assistantConfig: []
# - When false, users can't set the clipboard of a remove device.
clipboardGet: true
# - When false, users can't get the clipboard of a remove device.
clipboardSet: true
# - When false, removes the local recording feature on remote desktop.
localSessionRecording: true
_sessionRecording:
# - When enabled, only device users with the session recording feature turned on will be recorded. When false, all users are recorded.
onlySelectedUsers: false
# - When enabled, only device user groups with the session recording feature turned on will be recorded. When false, all users are recorded.
onlySelectedUserGroups: false
# - When enabled, only device groups with the session recording feature turned on will be recorded. When false, all devices are recorded.
onlySelectedDeviceGroups: false
# - The file path where recording files are kept.
filepath: null
# - If true, automatically index remote desktop recordings so that the plays can skip to any place in the file.
index: false
# - Maximum number of recording files to keep.
maxRecordings: null
# - Maximum number of days to keep a recording.
maxRecordingDays: null
# - Maximum number of recordings in megabytes. Once exceed, remove the oldest recordings.
maxRecordingSizeMegabytes: null
# - This is an array: 1 = Terminal, 2 = Desktop, 5 = Files, 100 = Intel AMT WSMAN, 101 = Intel AMT Redirection, 200 = Messenger
_protocols:
- 1
- 5
# - When set to false, hides the username and password prompt on login screen.
_showPasswordLogin: true
# - Connects MeshCentral to the SendGrid email server, allows MeshCentral to send email messages for 2FA or user notification.
_sendgrid:
# - Email address used in the messages from field.
from: null
# - The SendGrid API key.
apiKey: null
# - When set to false, the email format and DNS MX record are not checked.
verifyemail: true
# - Connects MeshCentral to a SMTP email server, allows MeshCentral to send email messages for 2FA or user notification.
_smtp:
# - Optional hostname of the client, this defaults to the hostname of the machine. This is useful for SMTP relays.
name: null
# - Hostname of the SMTP server.
host: null
# - SMTP server port number.
port: null
# - Email address used in the messages from field.
from: null
tls: true
_auth:
clientId: null
clientSecret: null
refreshToken: null
tlscertcheck: true
tlsstrict: true
# - When set to false, the email format and DNS MX record are not checked
verifyemail: true
# - Makes MeshCentral send emails using the Unix sendmail command. Allows MeshCentral to send email messages for 2FA or user notification.
_sendmail:
# - Possible values are unix or windows
newline: unix
# - Path to the sendmail command
path: sendmail
# - Array or arguments to pass to sendmail
_args: []
_authStrategies:
_twitter:
# - Required, this is the URL that your SSO provider sends auth approval to.
callbackurl: null
newAccounts: false
newAccountsUserGroups: []
clientid: null
clientsecret: null
# - Then set, the user will be redirected to this URL when hitting the logout link
logouturl: null
_google:
# - Required, this is the URL that your SSO provider sends auth approval to.
callbackurl: null
newAccounts: false
newAccountsUserGroups: []
clientid: null
clientsecret: null
# - Then set, the user will be redirected to this URL when hitting the logout link
logouturl: null
_github:
# - Required, this is the URL that your SSO provider sends auth approval to.
callbackurl: null
newAccounts: false
newAccountsUserGroups: []
clientid: null
clientsecret: null
# - Then set, the user will be redirected to this URL when hitting the logout link
logouturl: null
_reddit:
# - Required, this is the URL that your SSO provider sends auth approval to.
callbackurl: null
newAccounts: false
newAccountsUserGroups: []
clientid: null
clientsecret: null
# - Then set, the user will be redirected to this URL when hitting the logout link
logouturl: null
_azure:
# - Required, this is the URL that your SSO provider sends auth approval to.
callbackurl: null
newAccounts: false
newAccountsUserGroups: []
clientid: null
clientsecret: null
tenantid: null
# - Then set, the user will be redirected to this URL when hitting the logout link
logouturl: null
_jumpcloud:
# - Required, this is the URL that your SSO provider sends auth approval to.
callbackurl: null
newAccounts: false
newAccountsUserGroups: []
entityid: null
idpurl: null
cert: null
# - Then set, the user will be redirected to this URL when hitting the logout link
logouturl: null
_saml:
# - Required, this is the URL that your SSO provider sends auth approval to.
callbackurl: null
disableRequestedAuthnContext: false
newAccounts: false
newAccountsUserGroups: []
newAccountsRights: []
entityid: null
idpurl: null
cert: null
# - Then set, the user will be redirected to this URL when hitting the logout link
logouturl: null
_oidc:
# - If set, this will be used as the authorization URL. (If set tokenURL and userInfoURL need set also)
authorizationURL: null
# - Required, this is the URL that your SSO provider sends auth approval to.
callbackurl: null
clientid: null
clientsecret: null
# - Full URL of SSO portal
issuer: null
# - If set, this will be used as the token URL. (If set authorizationURL and userInfoURL need set also)
tokenURL: null
# - If set, this will be used as the user info URL. (If set authorizationURL and tokenURL need set also)
userInfoURL: null
# - Then set, the user will be redirected to this URL when hitting the logout link
logouturl: null
newAccounts: true
groups:
# - When set, the user must be part of one of the OIDC user groups to login to MeshCentral.
required: []
# - When set, users part of these groups will be promoted with site administrator in MeshCentral, users that are not part of these groups will be demoted.
siteadmin: []
sync:
enabled: false
# - When set, limits what OIDC groups are mirrored into MeshCentral user groups.
filter: []
service:
main:
ports:
main:
# Only use HTTPS if meshcental handles the certs
protocol: http
port: 10205
# mps:
# enabled: true
# ports:
# mps:
# enabled: true
# port: 4433
# targetPort: 4433
# amtprovisioner:
# enabled: true
# ports:
# amtprovisioner:
# enabled: true
# port: 9971
# targetPort: 9971
cnpg:
main:
enabled: true
username: meshcentral
database: meshcentral
persistence:
data:
enabled: true
mountPath: /opt/meshcentral/meshcentral-data
size: 256Gi
files:
enabled: true
mountPath: /opt/meshcentral/meshcentral-files
size: 256Gi
web:
enabled: true
mountPath: /opt/meshcentral/meshcentral-web
size: 256Gi
backups:
enabled: true
mountPath: /opt/meshcentral/meshcentral-backup
size: 256Gi
configfile:
enabled: true
type: secret
readOnly: true
defaultMode: "0600"
objectName: mesh-secret
mountPath: /opt/meshcentral/meshcentral-data/config.json
subPath: config.json
portal:
open:
enabled: true