ZITADEL Docs

Self-Hosted ZITADEL Configuration: Runtime Settings & Environment Variables

This guide assumes you are familiar with running ZITADEL using the least amount of configuration possible.

Configuration files

Runtime configuration file

You can configure the runtime by passing a configuration file with the --config flag of the zitadel binary. Alternatively, set the environment variables listed in defaults.yaml: the variable that overrides a key is shown as a trailing comment next to that key, and its name follows the key path (ZITADEL_ prefix, path segments upper-cased and joined with underscores).

To override the default configuration of the first instance that zitadel setup creates, use the FirstInstance section in the database initialization file.
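The following script is an added example and is not part of the ZITADEL documentation or code base. It does three things a self-hoster typically needs when working from the defaults.yaml reproduced below: it derives the ZITADEL_* environment variable name from a YAML key path using the rule the file's comments follow (prefix ZITADEL_, path segments upper-cased and joined with underscores; keys on this page that carry no trailing comment are assumed to follow the same rule), it layers an override onto the defaults (nested maps merge, scalars and lists replace, which approximates how a --config file overrides the defaults and should be verified against your deployment), and it lints the result for settings whose comments in defaults.yaml mark them as sensitive: TLS key material, the database SSL mode and the default admin password, TrustRemoteSpans, the exporters' Insecure flag, the event_pusher log stream, Telemetry.Enabled with the placeholder endpoint, Redis without TLS, and the Executions DenyList. The DenyList check goes beyond the page: the shipped list blocks only loopback and unspecified addresses, so the example also requires the link-local cloud metadata address 169.254.169.254 (the address the Machine.Identification webhook examples use) to be covered, which is a hardening recommendation rather than a ZITADEL default. The override's hostnames, paths and password are hypothetical.

```python
"""Added example, not part of the ZITADEL docs or code base: derives ZITADEL_*
environment variable names from defaults.yaml key paths and lints a merged
configuration for settings the file's own comments flag as security-relevant."""
import ipaddress

# Constructed subset of the defaults.yaml values on this page (only the keys the lint reads).
DEFAULTS = {
    "ExternalSecure": True,
    "TLS": {"Enabled": True, "KeyPath": None, "Key": None, "CertPath": None, "Cert": None},
    "Database": {"postgres": {"Host": "localhost", "User": {"SSL": {"Mode": "disable"}},
                              "Admin": {"Password": "postgres", "SSL": {"Mode": "disable"}}}},
    "Instrumentation": {
        "Trace": {"TrustRemoteSpans": False, "Exporter": {"Type": "none", "Insecure": False}},
        "Metric": {"Exporter": {"Type": "none", "Insecure": False}},
        "Log": {"Streams": ["runtime", "ready", "request", "event_handler", "queue"],
                "Exporter": {"Type": "none", "Insecure": False}}},
    "Telemetry": {"Enabled": False, "Endpoints": ["https://httpbin.org/post"]},
    "Caches": {"Connectors": {"Redis": {"Enabled": False, "URL": "", "EnableTLS": False}}},
    "Executions": {"DenyList": ["localhost", "127.0.0.0/8", "::1", "0.0.0.0", "::"]},
}

# Constructed production-style override as it might be passed via --config (host, paths and
# password are hypothetical). The DenyList adds link-local and private ranges to the default.
HARDENED = {
    "TLS": {"KeyPath": "/etc/zitadel/tls/key.pem", "CertPath": "/etc/zitadel/tls/cert.pem"},
    "Database": {"postgres": {
        "Host": "db.internal.example",
        "User": {"SSL": {"Mode": "verify-full", "RootCert": "/etc/zitadel/db-ca.pem"}},
        "Admin": {"Password": "rotate-me-from-vault", "SSL": {"Mode": "verify-full"}}}},
    "Executions": {"DenyList": ["localhost", "127.0.0.0/8", "::1", "0.0.0.0", "::",
                                "169.254.0.0/16", "fe80::/10", "10.0.0.0/8",
                                "172.16.0.0/12", "192.168.0.0/16"]},
}

def env_name(path):
    """Variable name for a key path, as the defaults.yaml comments show:
    prefix ZITADEL_, join the segments with '_', upper-case everything."""
    return "ZITADEL_" + "_".join(seg.upper() for seg in path.split("."))

def merge(base, override):
    """Deep-merge override into base: nested maps merge, scalars and lists replace (assumed)."""
    out = dict(base)
    for key, val in override.items():
        out[key] = merge(out[key], val) if isinstance(val, dict) and isinstance(out.get(key), dict) else val
    return out

def get(cfg, path, default=None):
    """Dotted-path lookup returning default when any segment is missing."""
    for seg in path.split("."):
        if not isinstance(cfg, dict) or seg not in cfg:
            return default
        cfg = cfg[seg]
    return cfg

def denied(deny_list, address):
    """True when an IP or CIDR entry covers the address. Hostname entries such as
    "localhost" are skipped: the list is matched literally, without wildcards."""
    ip = ipaddress.ip_address(address)
    for entry in deny_list:
        try:
            if ip in ipaddress.ip_network(entry, strict=False):
                return True
        except ValueError:
            continue
    return False

def lint(cfg):
    """Return (env var, message) pairs for settings that weaken a deployment."""
    out, pg, redis = [], "Database.postgres", "Caches.Connectors.Redis"
    if get(cfg, "ExternalSecure") and not get(cfg, "TLS.Enabled"):
        out.append((env_name("TLS.Enabled"), "listener is plain HTTP; a proxy must terminate TLS"))
    if get(cfg, "TLS.Enabled") and not ((get(cfg, "TLS.KeyPath") or get(cfg, "TLS.Key"))
                                        and (get(cfg, "TLS.CertPath") or get(cfg, "TLS.Cert"))):
        out.append((env_name("TLS.KeyPath"), "TLS enabled without key and certificate"))
    for role in ("User", "Admin"):
        if get(cfg, f"{pg}.{role}.SSL.Mode") == "disable" and get(cfg, f"{pg}.Host") != "localhost":
            out.append((env_name(f"{pg}.{role}.SSL.Mode"), "remote database without TLS; use verify-full"))
    if get(cfg, f"{pg}.Admin.Password") == "postgres":
        out.append((env_name(f"{pg}.Admin.Password"), "default admin password"))
    if get(cfg, "Instrumentation.Trace.TrustRemoteSpans"):
        out.append((env_name("Instrumentation.Trace.TrustRemoteSpans"), "remote peers can inject trace context"))
    for exp in ("Instrumentation.Trace.Exporter", "Instrumentation.Metric.Exporter", "Instrumentation.Log.Exporter"):
        if get(cfg, f"{exp}.Insecure") and get(cfg, f"{exp}.Type") in ("grpc", "http"):
            out.append((env_name(f"{exp}.Insecure"), "OTEL export without TLS"))
    if "event_pusher" in (get(cfg, "Instrumentation.Log.Streams") or []):
        out.append((env_name("Instrumentation.Log.Streams"), "event_pusher stream logs sensitive data"))
    if get(cfg, "Telemetry.Enabled") and "https://httpbin.org/post" in (get(cfg, "Telemetry.Endpoints") or []):
        out.append((env_name("Telemetry.Enabled"), "usage data would go to the placeholder endpoint"))
    if (get(cfg, f"{redis}.Enabled") and not get(cfg, f"{redis}.EnableTLS")
            and not (get(cfg, f"{redis}.URL") or "").startswith("rediss://")):
        out.append((env_name(f"{redis}.EnableTLS"), "Redis cache traffic without TLS"))
    if not denied(get(cfg, "Executions.DenyList") or [], "169.254.169.254"):
        out.append((env_name("Executions.DenyList"), "execution targets may reach the cloud metadata address"))
    return out

if __name__ == "__main__":
    for label, cfg in (("defaults", DEFAULTS), ("hardened", merge(DEFAULTS, HARDENED))):
        print(label, lint(cfg) or "no findings")
```

Run it directly to see the findings for the shipped defaults (no TLS key material, the default postgres admin password, and the deny list that leaves the metadata address reachable) and none for the hardened override; to reuse it, pass lint() a dict parsed from your own merged configuration.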

defaults.yaml
Instrumentation:  ServiceName: "zitadel" # ZITADEL_INSTRUMENTATION_SERVICENAME  Trace:    Fraction: 1.0 # ZITADEL_INSTRUMENTATION_TRACE_FRACTION    # Trust incoming trace context from remote services for distributed tracing.    # Enable only in controlled environments; defaults to false for security.    TrustRemoteSpans: false # ZITADEL_INSTRUMENTATION_TRACE_TRUSTREMOTESPANS    Exporter:      # The following exporter types are supported:      # "none": Disables trace exporting      # "auto": Delegates to standard OTEL env vars (OTEL_TRACES_EXPORTER, OTEL_EXPORTER_OTLP_ENDPOINT)      # "stdOut": Exports traces to standard output      # "stdErr": Exports traces to standard error      # "grpc": Exports traces using the OTEL gRPC exporter (recommended)      # "http": Exports traces using the OTEL HTTP exporter      # "google": Exports traces to Google Cloud. Need to configure GoogleProjectID below!      Type: "none" # ZITADEL_INSTRUMENTATION_TRACE_EXPORTER_TYPE      # Endpoint of the OTEL collector for grpc and http exporters      Endpoint: "" # ZITADEL_INSTRUMENTATION_TRACE_EXPORTER_ENDPOINT      # Disable TLS for grpc and http exporters      Insecure: false # ZITADEL_INSTRUMENTATION_TRACE_EXPORTER_INSECURE      # Interval for batching traces before export      BatchDuration: 1s # ZITADEL_INSTRUMENTATION_TRACE_EXPORTER_BATCHDURATION      # Project ID for Google Cloud Trace exporter      GoogleProjectID: "" # ZITADEL_INSTRUMENTATION_TRACE_EXPORTER_GOOGLEPROJECTID  Metric:    Exporter:      # The following exporter types are supported:      # "none": Disables metric exporting      # "auto": Delegates to standard OTEL env vars (OTEL_METRICS_EXPORTER, OTEL_EXPORTER_OTLP_ENDPOINT)      # "stdOut": Exports metrics to standard output      # "stdErr": Exports metrics to standard error      # "grpc": Exports metrics using the OTEL gRPC exporter (recommended)      # "http": Exports metrics using the OTEL HTTP exporter      # "google": Exports metrics to Google Cloud. 
Need to configure GoogleProjectID below!      # "prometheus": Exposes metrics via an HTTP endpoint for Prometheus to scrape      Type: "none" # ZITADEL_INSTRUMENTATION_METRIC_EXPORTER_TYPE      # Endpoint of the OTEL collector for grpc and http exporters      Endpoint: "" # ZITADEL_INSTRUMENTATION_METRIC_EXPORTER_ENDPOINT      # Disable TLS for grpc and http exporters      Insecure: false # ZITADEL_INSTRUMENTATION_METRIC_EXPORTER_INSECURE      # Interval at which metrics are exported      BatchDuration: 1m # ZITADEL_INSTRUMENTATION_METRIC_EXPORTER_BATCHDURATION      # Project ID for Google Cloud Trace exporter      GoogleProjectID: "" # ZITADEL_INSTRUMENTATION_METRIC_EXPORTER_GOOGLEPROJECTID    # Structured logging can print logs on standard error and/or export them using OTEL.  Log:    # Log lines lower than this level are not emitted.    Level: "INFO" # ZITADEL_INSTRUMENTATION_LOG_LEVEL    # Streams enable logging for specific parts of the application.    Streams: # ZITADEL_INSTRUMENTATION_LOG_STREAMS (comma separated list)      - runtime # General runtime logs, such as startup and shutdown messages.      - ready # Logs related to readiness and health checks. (zitadel ready command)      - request # Logs for incoming API and HTTP requests.      - event_handler # Logs for event handling in projections.      - queue # Logs for the job queue processing.      #- event_pusher # Logs for event pushing to the database. Warning: contains sensitive information.    # Mask replaces sensitive information with Value in logs matched by Key    Mask:      # Keys are the attribute keys to be masked in logs.      # Keys are unqualified attribute names and apply to all attributes with the specified name,      # regardless of their position in the attribute hierarchy.      # Eg. "some_key" matches "some_key" and "parent.some_key" etc.      # When the key matches a group of attributes (e.g. 
slog.Group), all attribute values in the      # group are masked and the structure of the group is preserved.      # When the key matches a non-group attribute whose value is a nested object/array      # (e.g. added via slog.Any), the entire value is replaced with Value and its structure is not preserved.      Keys: # ZITADEL_INSTRUMENTATION_LOG_MASK_KEYS (comma separated list)        # - "first_name"        # - "last_name"      # Value is the string that replaces the original value of masked attributes.      Value: "****" # ZITADEL_INSTRUMENTATION_LOG_MASK_VALUE    # Enable printing structured logs to standard error in the specified format.    # When disabled, the legacy Log configuration is used.    # Important: when legacy Log is customized, please add a format and customize before upgrading to v5    # The following formats are supported:    #   - "disabled": Disables logging (or fallback to legacy Log config)    #   - "text": Logs are printed on StdErr as human-readable text    #   - "json": Logs are printed on StdErr as JSON objects    #   - "gcp": JSON formatted logs compatible with Google Cloud Platform logging.    #   - "gcp_error_reporting": JSON formatted logs compatible with Google Cloud Platform Error Reporting.    Format: "disabled" # ZITADEL_INSTRUMENTATION_LOG_STDERR    # Adds the source file and line number where the log line was emitted.    # Not to be confused with the source of an error.    AddSource: true # ZITADEL_INSTRUMENTATION_LOG_ADDSOURCE    # Configure how errors are logged.    Errors:      # Adds the source file, line number and function where the error was created.      ReportLocation: true # ZITADEL_INSTRUMENTATION_LOG_ERRORS_REPORTLOCATION      # Adds stack traces to logged errors.      
StackTrace: false # ZITADEL_INSTRUMENTATION_LOG_ERRORS_STACKTRACE    Exporter:      # The following exporter types are supported:      #   - "none": Disables OTEL log exporter      #   - "auto": Delegates to standard OTEL env vars (OTEL_LOGS_EXPORTER, OTEL_EXPORTER_OTLP_ENDPOINT)      #   - "stdOut": Exports OTEL logs to standard output      #   - "stdErr": Exports OTEL logs to standard error      #   - "grpc": Exports OTEL logs using the OTEL gRPC exporter (recommended)      #   - "http": Exports OTEL logs using the OTEL HTTP exporter      Type: "none" # ZITADEL_INSTRUMENTATION_LOG_EXPORTER_TYPE      # Endpoint of the OTEL collector for grpc and http exporters      Endpoint: "" # ZITADEL_INSTRUMENTATION_LOG_EXPORTER_ENDPOINT      # Disable TLS for grpc and http exporters      Insecure: false # ZITADEL_INSTRUMENTATION_LOG_EXPORTER_INSECURE      # Interval at which logs are batched for export      BatchDuration: 1s # ZITADEL_INSTRUMENTATION_LOG_EXPORTER_BATCHDURATION  Profile:    Exporter:      # The following profiler types are supported:      # "none": Disables profiling      # "google": Exports profiling data to Google Cloud Profiler      Type: "none" # ZITADEL_INSTRUMENTATION_PROFILE_TYPE      # Project ID for Google Cloud Profiler      GoogleProjectID: "" # ZITADEL_INSTRUMENTATION_PROFILE_GOOGLEPROJECTID# Legacy logging (Deprecated, see Instrumentation.Slog)Log:  Level: info # ZITADEL_LOG_LEVEL  Formatter:    Format: text # ZITADEL_LOG_FORMATTER_FORMAT# Exposes metrics on /debug/metrics (Deprecated, see Instrumentation.Metric.Prometheus)Metrics:  # Select type otel (OpenTelemetry) or none (disables collection and endpoint)  Type: otel # ZITADEL_METRICS_TYPE# Collects and exports tracing information (Deprecated, see Instrumentation.Trace)Tracing:  # Choose one in "otel", "google", "log" and "none"  # Depending on the type there are different configuration options  # for type 'otel' is used for standard [open telemetry](https://opentelemetry.io)  # Fraction: 1.0  
# Endpoint: 'otel.collector.endpoint'  # ServiceName: 'ZITADEL' # Name of the service in traces  #  # type 'log' or '' disables tracing  #  # for type 'google'  # ProjectID: ''  # Fraction: 1.0  Type: none # ZITADEL_TRACING_TYPE  Fraction: 1.0 # ZITADEL_TRACING_FRACTION  # The endpoint of the otel collector endpoint  Endpoint: "" #ZITADEL_TRACING_ENDPOINT  # The name of the service in traces  ServiceName: "ZITADEL" #ZITADEL_TRACING_SERVICENAME# Profiler enables capturing profiling data (CPU, Memory, ...) for performance analysisProfiler:  # Choose one of "google" and "none"  # Depending on the type there are different configuration options  # for type 'google'  # ProjectID: google-project-id  #  # type 'none' or '' disables profiling  Type: none # ZITADEL_PROFILER_TYPE  # projectID for google  ProjectID: ''  # ZITADEL_PROFILER_PROJECTIDTelemetry:  # As long as Enabled is true, ZITADEL tries to send usage data to the configured Telemetry.Endpoints.  # Data is projected by ZITADEL even if Enabled is false.  # This means that switching this to true makes ZITADEL try to send past data.  Enabled: false # ZITADEL_TELEMETRY_ENABLED  # Push telemetry data to all these endpoints at least once using an HTTP POST request.  # If one endpoint returns an unsuccessful response code or times out,  # ZITADEL retries to push the data point to all configured endpoints until it succeeds.  # Configure delivery guarantees and intervals in the section Projections.Customizations.Telemetry  # The endpoints can be reconfigured at runtime.  # Ten redirects are followed.  # If you change this configuration at runtime, remaining data that is not successfully delivered to the old endpoints is sent to the new endpoints.  Endpoints:    - https://httpbin.org/post  # These headers are sent with every request to the configured endpoints.  
# Configure headers by environment variable using a JSON string with header values as arrays, like this:  # ZITADEL_TELEMETRY_HEADERS='{"header1": ["value1"], "header2": ["value2", "value3"]}'  Headers: # ZITADEL_TELEMETRY_HEADERS  # single-value: "single-value"  # multi-value:  #   - "multi-value-1"  #   - "multi-value-2"  # The maximum number of data points that are queried before they are sent to the configured endpoints.  Limit: 100 # ZITADEL_TELEMETRY_LIMIT# Port ZITADEL will listen onPort: 8080 # ZITADEL_PORT# ExternalPort is the port on which end users access ZITADEL.# It can differ from Port e.g. if a reverse proxy forwards the traffic to ZITADEL# Read more about external access: https://zitadel.com/docs/self-hosting/manage/custom-domainExternalPort: 8080 # ZITADEL_EXTERNALPORT# ExternalDomain is the domain on which end users access ZITADEL.# Read more about external access: https://zitadel.com/docs/self-hosting/manage/custom-domainExternalDomain: localhost # ZITADEL_EXTERNALDOMAIN# ExternalSecure specifies if ZITADEL is exposed externally using HTTPS or HTTP.# Read more about external access: https://zitadel.com/docs/self-hosting/manage/custom-domainExternalSecure: true # ZITADEL_EXTERNALSECURETLS:  # If enabled, ZITADEL will serve all traffic over TLS (HTTPS and gRPC)  # you must then also provide a private key and certificate to be used for the connection  # either directly or by a path to the corresponding file  Enabled: true # ZITADEL_TLS_ENABLED  # Path to the private key of the TLS certificate, will be loaded into the key  # and overwrite any existing value  # E.g. /path/to/key/file.pem  KeyPath: # ZITADEL_TLS_KEYPATH  # Private key of the TLS certificate (KeyPath has a higher priority than Key)  # base64 encoded content of a pem file  Key: # ZITADEL_TLS_KEY  # Path to the certificate for the TLS connection, will be loaded into the Cert  # and overwrite any existing value  # E.g. 
/path/to/cert/file.pem  CertPath: # ZITADEL_TLS_CERTPATH  # Certificate for the TLS connection (CertPath will this overwrite if specified)  # base64 encoded content of a pem file  Cert: # ZITADEL_TLS_CERT# Header name of HTTP2 (incl. gRPC) calls from which the instance will be matched# Deprecated: Use the InstanceHostHeaders insteadHTTP2HostHeader: ":authority" # ZITADEL_HTTP2HOSTHEADER# Header name of HTTP1 calls from which the instance will be matched# Deprecated: Use the InstanceHostHeaders insteadHTTP1HostHeader: "host" # ZITADEL_HTTP1HOSTHEADER# Ordered header name list, which will be used to match the instanceInstanceHostHeaders: # ZITADEL_INSTANCEHOSTHEADERS  - "x-zitadel-instance-host"# Ordered header name list, which will be used as the public hostPublicHostHeaders: # ZITADEL_PUBLICHOSTHEADERS  - "x-zitadel-public-host"WebAuthNName: ZITADEL # ZITADEL_WEBAUTHNNAMEDatabase:  # Postgres is the default database of ZITADEL  postgres:    # DSN is a full PostgreSQL connection URL (see    # https://www.postgresql.org/docs/current/libpq-connect.html#LIBPQ-CONNSTRING).    # When set, individual connection fields (Host, Port, Database, User, Admin,    # Options) are ignored.    # Format: postgresql://user:password@host:port/dbname?sslmode=disable    # Note: In DSN mode, zitadel init cannot use the Admin connection to create    # a separate target database/user. The DB and user from the DSN must already    # exist and have sufficient privileges, or the DSN must directly point to    # the final ZITADEL database.    
DSN: "" # ZITADEL_DATABASE_POSTGRES_DSN    Host: localhost # ZITADEL_DATABASE_POSTGRES_HOST    Port: 5432 # ZITADEL_DATABASE_POSTGRES_PORT    Database: zitadel # ZITADEL_DATABASE_POSTGRES_DATABASE    AwaitInitialConn: 0m # ZITADEL_DATABASE_POSTGRES_AWAITINITIALCONN    MaxOpenConns: 10 # ZITADEL_DATABASE_POSTGRES_MAXOPENCONNS    MaxIdleConns: 5 # ZITADEL_DATABASE_POSTGRES_MAXIDLECONNS    MaxConnLifetime: 30m # ZITADEL_DATABASE_POSTGRES_MAXCONNLIFETIME    MaxConnIdleTime: 5m # ZITADEL_DATABASE_POSTGRES_MAXCONNIDLETIME    Options: "" # ZITADEL_DATABASE_POSTGRES_OPTIONS    User:      Username: zitadel # ZITADEL_DATABASE_POSTGRES_USER_USERNAME      Password: "" # ZITADEL_DATABASE_POSTGRES_USER_PASSWORD      SSL:        Mode: disable # ZITADEL_DATABASE_POSTGRES_USER_SSL_MODE        RootCert: "" # ZITADEL_DATABASE_POSTGRES_USER_SSL_ROOTCERT        Cert: "" # ZITADEL_DATABASE_POSTGRES_USER_SSL_CERT        Key: "" # ZITADEL_DATABASE_POSTGRES_USER_SSL_KEY    Admin:      # By default, ExistingDatabase is not specified in the connection string      # If the connection resolves to a database that is not existing in your system, configure an existing one here      # It is used in zitadel init to connect to postgres and create a dedicated database for ZITADEL.      ExistingDatabase: # ZITADEL_DATABASE_POSTGRES_ADMIN_EXISTINGDATABASE      Username: postgres # ZITADEL_DATABASE_POSTGRES_ADMIN_USERNAME      Password: postgres # ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD      SSL:        Mode: disable # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_MODE        RootCert: "" # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_ROOTCERT        Cert: "" # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_CERT        Key: "" # ZITADEL_DATABASE_POSTGRES_ADMIN_SSL_KEY# Caches are EXPERIMENTAL. The following config may have breaking changes in the future.# If no config is provided, caching is disabled by default.Caches:  # Connectors are reused by caches.  Connectors:    # Memory connector works with local server memory.    
# It is the simplest (and probably fastest) cache implementation.    # Unsuitable for deployments with multiple containers,    # as each container's cache may hold a different state of the same object.    Memory:      Enabled: false      # AutoPrune removes invalidated or expired object from the cache.      AutoPrune:        Interval: 1m        TimeOut: 5s    # Postgres connector uses the configured database (postgres or cockraochdb) as cache.    # It is suitable for deployments with multiple containers.    # The cache is enabled by default because it is the default cache states for IdP form callbacks    Postgres:      Enabled: true      AutoPrune:        Interval: 15m        TimeOut: 30s    Redis:      Enabled: false      # URL is a full Redis connection URL (see      # https://redis.io/docs/latest/develop/tools/cli/#host-port-password-and-database).      # When set, individual connection fields      # (Addr, Username, Password, Network, EnableTLS) are ignored.      # Pool, timeout, retry, and circuit breaker settings can still be used as overlays.      # Format: redis://user:password@host:port/db or rediss://... for TLS.      # Note: ZITADEL ignores the `/db` path when selecting Redis databases; DBs are chosen      # internally via DBOffset + purpose. Use `/0` in the URL to avoid confusion.      URL: "" # ZITADEL_CACHES_CONNECTORS_REDIS_URL      # The network type, either tcp or unix.      # Default is tcp.      # Network string      # host:port address.      Addr: localhost:6379      # ClientName will execute the `CLIENT SETNAME ClientName` command for each conn.      ClientName: ""      # Use the specified Username to authenticate the current connection      # with one of the connections defined in the ACL list when connecting      # to a Redis 6.0 instance, or greater, that is using the Redis ACL system.      Username: ""      # Optional password. 
Must match the password specified in the      # requirepass server configuration option (if connecting to a Redis 5.0 instance, or lower),      # or the User Password when connecting to a Redis 6.0 instance, or greater,      # that is using the Redis ACL system.      Password: ""      # Each ZITADEL cache uses an incremental DB namespace.      # This option offsets the first DB so it doesn't conflict with other databases on the same server.      # Note that ZITADEL uses FLUSHDB command to truncate a cache.      # This can have destructive consequences when overlapping DB namespaces are used.      DBOffset: 10      # Maximum number of retries before giving up.      # Default is 3 retries; -1 (not 0) disables retries.      MaxRetries: 3      # Minimum backoff between each retry.      # Default is 8 milliseconds; -1 disables backoff.      MinRetryBackoff: 8ms      # Maximum backoff between each retry.      # Default is 512 milliseconds; -1 disables backoff.      MaxRetryBackoff: 512ms      # Dial timeout for establishing new connections.      # Default is 5 seconds.      DialTimeout: 1s      # Timeout for socket reads. If reached, commands will fail      # with a timeout instead of blocking. Supported values:      #   - `0` - default timeout (3 seconds).      #   - `-1` - no timeout (block indefinitely).      #   - `-2` - disables SetReadDeadline calls completely.      ReadTimeout: 100ms      # Timeout for socket writes. If reached, commands will fail      # with a timeout instead of blocking.  Supported values:      #   - `0` - default timeout (3 seconds).      #   - `-1` - no timeout (block indefinitely).      #   - `-2` - disables SetWriteDeadline calls completely.      WriteTimeout: 100ms      # Type of connection pool.      # true for FIFO pool, false for LIFO pool.      # Note that FIFO has slightly higher overhead compared to LIFO,      # but it helps closing idle connections faster reducing the pool size.      
PoolFIFO: false      # Base number of socket connections.      # Default is 10 connections per every available CPU as reported by runtime.GOMAXPROCS.      # If there is not enough connections in the pool, new connections will be allocated in excess of PoolSize,      # you can limit it through MaxActiveConns      PoolSize: 20      # Amount of time client waits for connection if all connections      # are busy before returning an error.      # Default is ReadTimeout + 1 second.      PoolTimeout: 100ms      # Minimum number of idle connections which is useful when establishing      # new connection is slow.      # Default is 0. the idle connections are not closed by default.      MinIdleConns: 5      # Maximum number of idle connections.      # Default is 0. the idle connections are not closed by default.      MaxIdleConns: 10      # Maximum number of connections allocated by the pool at a given time.      # When zero, there is no limit on the number of connections in the pool.      MaxActiveConns: 40      # ConnMaxIdleTime is the maximum amount of time a connection may be idle.      # Should be less than server's timeout.      # Expired connections may be closed lazily before reuse.      # If d <= 0, connections are not closed due to a connection's idle time.      # Default is 30 minutes. -1 disables idle timeout check.      ConnMaxIdleTime: 30m      # ConnMaxLifetime is the maximum amount of time a connection may be reused.      # Expired connections may be closed lazily before reuse.      # If <= 0, connections are not closed due to a connection's age.      # Default is to not close idle connections.      ConnMaxLifetime: -1      # Enable TLS server authentication using the default system bundle.      EnableTLS: false      # Disable set-lib on connect. Default is false.      DisableIndentity: false      # Add suffix to client name. Default is empty.      
IdentitySuffix: ""      # Implementation of [Circuit Breaker Pattern](https://learn.microsoft.com/en-us/previous-versions/msp-n-p/dn589784(v=pandp.10)?redirectedfrom=MSDN)      CircuitBreaker:        # Interval when the counters are reset to 0.        # 0 interval never resets the counters until the CB is opened.        Interval: 0        # Amount of consecutive failures permitted        MaxConsecutiveFailures: 5        # The ratio of failed requests out of total requests        MaxFailureRatio: 0.1        # Timeout after opening of the CB, until the state is set to half-open.        Timeout: 60s        # The allowed amount of requests that are allowed to pass when the CB is half-open.        MaxRetryRequests: 1  # Instance caches auth middleware instances, gettable by domain or ID.  Instance:    # Connector must be enabled above.    # When connector is empty, this cache will be disabled.    Connector: ""    MaxAge: 1h    LastUseAge: 10m    # Log enables cache-specific logging. Default to error log to stderr when omitted.    Log:      Level: error      AddSource: true      Formatter:        Format: text  # Milestones caches instance milestone state, gettable by instance ID  Milestones:    Connector: ""    MaxAge: 1h    LastUseAge: 10m    Log:      Level: error      AddSource: true      Formatter:        Format: text  # Organization cache, gettable by Organization Domain or ID.  Organization:    Connector: ""    MaxAge: 1h    LastUseAge: 10m    Log:      Level: error      AddSource: true      Formatter:        Format: text  # IdP callbacks using form POST cache, required for handling them securely and without possible too big request urls.  
IdPFormCallbacks:    Connector: "postgres"    MaxAge: 1h    LastUseAge: 10m    Log:      Level: error      AddSource: true      Formatter:        Format: text  # Federated logouts store the information needed to handle federated logout and their state transfer  FederatedLogouts:    Connector: "postgres"    MaxAge: 1h    LastUseAge: 10m    Log:      Level: error      AddSource: true      Formatter:        Format: textMachine:  # Cloud-hosted VMs need to specify their metadata endpoint so that the machine can be uniquely identified.  Identification:    # Use private IP to identify machines uniquely    PrivateIp:      Enabled: true # ZITADEL_MACHINE_IDENTIFICATION_PRIVATEIP_ENABLED    # Use hostname to identify machines uniquely    # You want the process to be identified uniquely, so this works well in k8s where each pod gets its own    # unique hostname, but not as well in some other hosting environments.    Hostname:      Enabled: false # ZITADEL_MACHINE_IDENTIFICATION_HOSTNAME_ENABLED    # Use a webhook response to identify machines uniquely    # Google Cloud Configuration    Webhook:      Enabled: true # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_ENABLED      Url: "http://metadata.google.internal/computeMetadata/v1/instance/id" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_URL      Headers:        "Metadata-Flavor": "Google"    #    # AWS EC2 IMDSv1 Configuration: https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/instancedata-data-retrieval.html    # Webhook:    #   Url: "http://169.254.169.254/latest/meta-data/ami-id" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_URL    #    # AWS ECS v4 Configuration: https://docs.aws.amazon.com/AmazonECS/latest/developerguide/task-metadata-endpoint-v4.html    # Webhook:    #   Url: "${ECS_CONTAINER_METADATA_URI_V4}" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_URL    #   JPath: "$.DockerId" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_JPATH    #    # Azure Configuration: 
https://docs.microsoft.com/en-us/azure/virtual-machines/windows/instance-metadata-service?tabs=linux    # Webhook:    #   Url: "http://169.254.169.254/metadata/instance?api-version=2021-02-01" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_URL    #   JPath: "$.compute.vmId" # ZITADEL_MACHINE_IDENTIFICATION_WEBHOOK_JPATH# Storage for assets like user avatar, organization logo, icon, font, ...AssetStorage:  Type: db # ZITADEL_ASSET_STORAGE_TYPE  # HTTP cache control settings for serving assets in the assets API and login UI  # the assets will also be served with an etag and last-modified header  Cache:    MaxAge: 5s # ZITADEL_ASSETSTORAGE_CACHE_MAXAGE    # 168h are 7 days    SharedMaxAge: 168h # ZITADEL_ASSETSTORAGE_CACHE_SHAREDMAXAGE# The Projections section defines the behavior for the scheduled and synchronous events projections.Projections:  # The maximum duration a transaction remains open  # before it spots left folding additional events  # and updates the table.  TransactionDuration: 1m # ZITADEL_PROJECTIONS_TRANSACTIONDURATION  # Time interval between scheduled projections  RequeueEvery: 60s # ZITADEL_PROJECTIONS_REQUEUEEVERY  # Time between retried database statements resulting from projected events  RetryFailedAfter: 1s # ZITADEL_PROJECTIONS_RETRYFAILEDAFTER  # Retried execution number of database statements resulting from projected events  MaxFailureCount: 5 # ZITADEL_PROJECTIONS_MAXFAILURECOUNT  # Limit of returned events per query  BulkLimit: 200 # ZITADEL_PROJECTIONS_BULKLIMIT  # Only instances are projected, for which at least a projection-relevant event exists within the timeframe  # from HandleActiveInstances duration in the past until the projection's current time  # If set to 0 (default), every instance is always considered active  HandleActiveInstances: 0s # ZITADEL_PROJECTIONS_HANDLEACTIVEINSTANCES  # Maximum amount of instances cached as active  # If set to 0, every instance is always considered active  MaxActiveInstances: 0 # 
ZITADEL_PROJECTIONS_MAXACTIVEINSTANCES  # Limits the amount of concurrently running projection triggers  # If set to 0, 1/3 of database.MaxOpenConns is used  # The number must be lower than the Database.MaxOpenConns  # A good starting point is to set this to Database.MaxOpenConns / 3  # so that there are enough connections free for other operations (e.g. writing events, reading projections, notifications, ...)  MaxParallelTriggers: 0 # ZITADEL_PROJECTIONS_MAXPARALLELTRIGGERS  # In the Customizations section, all settings from above can be overwritten for each specific projection  Customizations:    custom_texts:      BulkLimit: 400    project_grant_fields:      TransactionDuration: 0s      BulkLimit: 2000    org_domain_verified_fields:      TransactionDuration: 0s      BulkLimit: 2000    execution_handler:      BulkLimit: 10    # The Notifications projection is used for preparing the messages (emails and SMS) to be sent to users    Notifications:      # As notification projections don't result in database statements, retries don't have an effect      MaxFailureCount: 10 # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONS_MAXFAILURECOUNT    password_complexities:      TransactionDuration: 2s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_PASSWORD_COMPLEXITIES_TRANSACTIONDURATION    lockout_policy:      TransactionDuration: 2s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_LOCKOUT_POLICY_TRANSACTIONDURATION    # The NotificationsQuotas projection is used for calling quota webhooks    NotificationsQuotas:      # As quota notification projections don't result in database statements, retries don't have an effect      MaxFailureCount: 10 # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONSQUOTAS_MAXFAILURECOUNT      # Quota notifications are not so time critical. Setting RequeueEvery every five minutes doesn't annoy the db too much.      
RequeueEvery: 300s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONSQUOTAS_REQUEUEEVERY      # Sending emails can take longer than 500ms      TransactionDuration: 5s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_NOTIFICATIONQUOTAS_TRANSACTIONDURATION    milestones:      BulkLimit: 50    # The Telemetry projection is used for calling telemetry webhooks    Telemetry:      # As sending telemetry data doesn't result in database statements, retries don't have any effects      MaxFailureCount: 0 # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_TELEMETRY_MAXFAILURECOUNT      # Telemetry data synchronization is not time critical. Setting RequeueEvery to 55 minutes doesn't annoy the database too much.      RequeueEvery: 3300s # ZITADEL_PROJECTIONS_CUSTOMIZATIONS_TELEMETRY_REQUEUEEVERYNotifications:  # Notifications can be processed by either a sequential mode (legacy) or a new parallel mode.  # The parallel mode is currently only recommended for Postgres databases.  # If legacy mode is enabled, the worker config below is ignored.  LegacyEnabled: true # ZITADEL_NOTIFICATIONS_LEGACYENABLED  # The amount of workers processing the notification request events.  # If set to 0, no notification request events will be handled. This can be useful when running in  # multi binary / pod setup and allowing only certain executables to process the events.  Workers: 1 # ZITADEL_NOTIFICATIONS_WORKERS  # The maximum duration a job can do it's work before it is considered as failed.  TransactionDuration: 10s # ZITADEL_NOTIFICATIONS_TRANSACTIONDURATION  # Automatically cancel the notification after the amount of failed attempts  MaxAttempts: 3 # ZITADEL_NOTIFICATIONS_MAXATTEMPTS  # Automatically cancel the notification if it cannot be handled within a specific time  MaxTtl: 5m  # ZITADEL_NOTIFICATIONS_MAXTTLExecutions:  # The amount of workers processing the execution request events.  # If set to 0, no execution request events will be handled. 
This can be useful when running in  # multi binary / pod setup and allowing only certain executables to process the events.  Workers: 1 # ZITADEL_EXECUTIONS_WORKERS  # The maximum duration a job can do it's work before it is considered as failed.  # This maximum duration is prioritized in case that the sum of the target's timeouts is higher,  # to limit the runtime of a singular execution.  TransactionDuration: 10s # ZITADEL_EXECUTIONS_TRANSACTIONDURATION  # Automatically cancel the notification if it cannot be handled within a specific time  MaxTtl: 5m  # ZITADEL_EXECUTIONS_MAXTTL  # List of domains and IPs that are not valid execution target's endpoints  # Wildcard sub domains are currently unsupported  DenyList: # ZITADEL_EXECUTIONS_DENYLIST (comma separated list)    - localhost    - "127.0.0.0/8"    - "::1"    - "0.0.0.0"    - "::"Auth:  # See Projections.BulkLimit  SearchLimit: 1000 # ZITADEL_AUTH_SEARCHLIMIT  Spooler:    # See Projections.TransationDuration    TransactionDuration: 10s #ZITADEL_AUTH_SPOOLER_TRANSACTIONDURATION    # See Projections.BulkLimit    BulkLimit: 100 #ZITADEL_AUTH_SPOOLER_BULKLIMIT    # See Projections.MaxFailureCount    FailureCountUntilSkip: 5 #ZITADEL_AUTH_SPOOLER_FAILURECOUNTUNTILSKIP  # Defines the amount of auth requests stored in the LRU caches.  
# There are two caches implemented one for id and one for code  AmountOfCachedAuthRequests: 0 #ZITADEL_AUTH_AMOUNTOFCACHEDAUTHREQUESTSAdmin:  # See Projections.BulkLimit  SearchLimit: 1000 # ZITADEL_ADMIN_SEARCHLIMIT  Spooler:    # See Projections.TransationDuration    TransactionDuration: 10s    # See Projections.BulkLimit    BulkLimit: 200    # See Projections.MaxFailureCount    FailureCountUntilSkip: 5UserAgentCookie:  Name: zitadel.useragent # ZITADEL_USERAGENTCOOKIE_NAME  # 8760h are 365 days, one year  MaxAge: 8760h # ZITADEL_USERAGENTCOOKIE_MAXAGEOIDC:  CodeMethodS256: true # ZITADEL_OIDC_CODEMETHODS256  AuthMethodPost: true # ZITADEL_OIDC_AUTHMETHODPOST  AuthMethodPrivateKeyJWT: true # ZITADEL_OIDC_AUTHMETHODPRIVATEKEYJWT  GrantTypeRefreshToken: true # ZITADEL_OIDC_GRANTTYPEREFRESHTOKEN  RequestObjectSupported: true # ZITADEL_OIDC_REQUESTOBJECTSUPPORTED  # Sets the default values for lifetime and expiration for OIDC  # This default can be overwritten in the default instance configuration and for each instance during runtime  # !!! Changing this after the initial setup will have no impact without a restart !!!  DefaultAccessTokenLifetime: 12h # ZITADEL_OIDC_DEFAULTACCESSTOKENLIFETIME  DefaultIdTokenLifetime: 12h # ZITADEL_OIDC_DEFAULTIDTOKENLIFETIME  # 720h are 30 days, one month  DefaultRefreshTokenIdleExpiration: 720h # ZITADEL_OIDC_DEFAULTREFRESHTOKENIDLEEXPIRATION  # 2160h are 90 days, three months  DefaultRefreshTokenExpiration: 2160h # ZITADEL_OIDC_DEFAULTREFRESHTOKENEXPIRATION  # HTTP Cache-Control max-age header value to set on the jwks endpoint.  # Only used when the web keys feature is enabled.  0 sets a no-store value.  
  JWKSCacheControlMaxAge: 5m # ZITADEL_OIDC_JWKSCACHECONTROLMAXAGE
  CustomEndpoints:
    Auth:
      Path: /oauth/v2/authorize # ZITADEL_OIDC_CUSTOMENDPOINTS_AUTH_PATH
    Token:
      Path: /oauth/v2/token # ZITADEL_OIDC_CUSTOMENDPOINTS_TOKEN_PATH
    Introspection:
      Path: /oauth/v2/introspect # ZITADEL_OIDC_CUSTOMENDPOINTS_INTROSPECTION_PATH
    Userinfo:
      Path: /oidc/v1/userinfo # ZITADEL_OIDC_CUSTOMENDPOINTS_USERINFO_PATH
    Revocation:
      Path: /oauth/v2/revoke # ZITADEL_OIDC_CUSTOMENDPOINTS_REVOCATION_PATH
    EndSession:
      Path: /oidc/v1/end_session # ZITADEL_OIDC_CUSTOMENDPOINTS_ENDSESSION_PATH
    Keys:
      Path: /oauth/v2/keys # ZITADEL_OIDC_CUSTOMENDPOINTS_KEYS_PATH
    DeviceAuth:
      Path: /oauth/v2/device_authorization # ZITADEL_OIDC_CUSTOMENDPOINTS_DEVICEAUTH_PATH
  DeviceAuth:
    Lifetime: 5m # ZITADEL_OIDC_DEVICEAUTH_LIFETIME
    PollInterval: 5s # ZITADEL_OIDC_DEVICEAUTH_POLLINTERVAL
    UserCode:
      CharSet: "BCDFGHJKLMNPQRSTVWXZ" # ZITADEL_OIDC_DEVICEAUTH_USERCODE_CHARSET
      CharAmount: 8 # ZITADEL_OIDC_DEVICEAUTH_USERCODE_CHARAMOUNT
      DashInterval: 4 # ZITADEL_OIDC_DEVICEAUTH_USERCODE_DASHINTERVAL
  DefaultLoginURLV2: "/ui/v2/login/login?authRequest=" # ZITADEL_OIDC_DEFAULTLOGINURLV2
  DefaultLogoutURLV2: "/ui/v2/login/logout?post_logout_redirect=" # ZITADEL_OIDC_DEFAULTLOGOUTURLV2
  # Internal cache age for public keys to speed up validations (e.g. id_token_hints) on the authorization endpoint.
  PublicKeyCacheMaxAge: 24h # ZITADEL_OIDC_PUBLICKEYCACHEMAXAGE
  # Lifetime of the token used to notify clients through OIDC back-channel logout.
  # Deprecated: use BackChannelLogout.TokenLifetime instead
  DefaultBackChannelLogoutLifetime: 15m # ZITADEL_OIDC_DEFAULTBACKCHANNELLOGOUTLIFETIME
  BackChannelLogout:
    # The amount of workers processing the back-channel logout notifications.
    # If set to 0, no notifications will be handled. This can be useful when running in
    # multi binary / pod setup and allowing only certain executables to process the events.
    Workers: 1 # ZITADEL_OIDC_BACKCHANNELLOGOUT_WORKERS
    # The maximum duration a job can do its work before it is considered as failed.
    TransactionDuration: 10s # ZITADEL_OIDC_BACKCHANNELLOGOUT_TRANSACTIONDURATION
    # Automatically cancel the notification after the amount of failed attempts
    MaxAttempts: 3 # ZITADEL_OIDC_BACKCHANNELLOGOUT_MAXATTEMPTS
    # Automatically cancel the notification if it cannot be handled within a specific time
    MaxTtl: 5m  # ZITADEL_OIDC_BACKCHANNELLOGOUT_MAXTTL
    # Lifetime of the token used to notify clients through OIDC back-channel logout.
    TokenLifetime: 15m # ZITADEL_OIDC_BACKCHANNELLOGOUT_TOKENLIFETIME
SAML:
  DefaultLoginURLV2: "/ui/v2/login/login?samlRequest=" # ZITADEL_SAML_DEFAULTLOGINURLV2
  ProviderConfig:
    MetadataConfig:
      Path: "/metadata" # ZITADEL_SAML_PROVIDERCONFIG_METADATACONFIG_PATH
      SignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" # ZITADEL_SAML_PROVIDERCONFIG_METADATACONFIG_SIGNATUREALGORITHM
    IDPConfig:
      SignatureAlgorithm: "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256" # ZITADEL_SAML_PROVIDERCONFIG_IDPCONFIG_SIGNATUREALGORITHM
      WantAuthRequestsSigned: true # ZITADEL_SAML_PROVIDERCONFIG_IDPCONFIG_WANTAUTHREQUESTSSIGNED
      Endpoints:
    #Organisation:
    #  Name: ZITADEL # ZITADEL_SAML_PROVIDERCONFIG_ORGANISATION_NAME
    #  URL: https://zitadel.com # ZITADEL_SAML_PROVIDERCONFIG_ORGANISATION_URL
    #ContactPerson:
    #  ContactType: "technical" # ZITADEL_SAML_PROVIDERCONFIG_CONTACTPERSON_CONTACTTYPE
    #  Company: ZITADEL # ZITADEL_SAML_PROVIDERCONFIG_CONTACTPERSON_COMPANY
    #  EmailAddress: hi@zitadel.com # ZITADEL_SAML_PROVIDERCONFIG_CONTACTPERSON_EMAILADDRESS
SCIM:
  DocumentationUrl: https://zitadel.com/docs/guides/manage/user/scim2
  AuthenticationSchemes:
    - Name: Zitadel authentication token
      Description: Authentication scheme using the OAuth Bearer Token Standard
      SpecUri: https://www.rfc-editor.org/info/rfc6750
      DocumentationUri: https://zitadel.com/docs/guides/integrate/service-accounts/authenticate-service-accounts
      Type: oauthbearertoken
  # default values for whether an email/phone is considered verified when a user's email/phone is created or updated
  EmailVerified: true # ZITADEL_SCIM_EMAILVERIFIED
  PhoneVerified: true # ZITADEL_SCIM_PHONEVERIFIED
  MaxRequestBodySize: 1_000_000 # ZITADEL_SCIM_MAXREQUESTBODYSIZE
  Bulk:
    MaxOperationsCount: 100 # ZITADEL_SCIM_BULK_MAXOPERATIONSCOUNT
Login:
  LanguageCookieName: zitadel.login.lang # ZITADEL_LOGIN_LANGUAGECOOKIENAME
  CSRFCookieName: zitadel.login.csrf # ZITADEL_LOGIN_CSRFCOOKIENAME
  Cache:
    MaxAge: 12h # ZITADEL_LOGIN_CACHE_MAXAGE
    # 168h is 7 days, one week
    SharedMaxAge: 168h # ZITADEL_LOGIN_CACHE_SHAREDMAXAGE
  DefaultPaths:
    BasePath: "/ui/v2/login/"
    # PasswordSetPath is used to create the link for setting a password during user registration or password reset
    PasswordSetPath: "password/set?code={{.Code}}&userId={{.UserID}}&organization={{.OrgID}}" # ZITADEL_LOGIN_DEFAULTPATHS_PASSWORDSETPATH
    # EmailCodePath is used to create the link for verifying the user's email address
    EmailCodePath: "verify?code={{.Code}}&userId={{.UserID}}&organization={{.OrgID}}"
    # OTPEmailPath is used to create the link for verifying the user's OTP during login
    OTPEmailPath: "otp/email?code={{.Code}}&userId={{.UserID}}&sessionId={{.SessionID}}"
    # PasskeySetPath is used to create the link for adding a passkey to the user's account through the login UI
    PasskeySetPath: "passkey/set?codeId={{.CodeID}}&code={{.Code}}&userId={{.UserID}}&organization={{.OrgID}}"
    # DomainClaimedPath is used to create the link to the login UI after an organization has claimed a domain and the user's loginname was updated
    DomainClaimedPath: "loginname?loginName={{.TempUsername}}&organization={{.OrgID}}"
Console:
  ShortCache:
    MaxAge: 0m # ZITADEL_CONSOLE_SHORTCACHE_MAXAGE
    SharedMaxAge: 5m # ZITADEL_CONSOLE_SHORTCACHE_SHAREDMAXAGE
  LongCache:
    MaxAge: 12h # ZITADEL_CONSOLE_LONGCACHE_MAXAGE
    # 168h is 7 days, one week
    SharedMaxAge: 168h # ZITADEL_CONSOLE_LONGCACHE_SHAREDMAXAGE
  InstanceManagementURL: "" # ZITADEL_CONSOLE_INSTANCEMANAGEMENTURL
  PostHog:
    URL: "" # ZITADEL_CONSOLE_POSTHOG_URL
    Token: "" # ZITADEL_CONSOLE_POSTHOG_TOKEN
EncryptionKeys:
  DomainVerification:
    EncryptionKeyID: "domainVerificationKey" # ZITADEL_ENCRYPTIONKEYS_DOMAINVERIFICATION_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_DOMAINVERIFICATION_DECRYPTIONKEYIDS (comma separated list)
  IDPConfig:
    EncryptionKeyID: "idpConfigKey" # ZITADEL_ENCRYPTIONKEYS_IDPCONFIG_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_IDPCONFIG_DECRYPTIONKEYIDS (comma separated list)
  OIDC:
    EncryptionKeyID: "oidcKey" # ZITADEL_ENCRYPTIONKEYS_OIDC_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_OIDC_DECRYPTIONKEYIDS (comma separated list)
  SAML:
    EncryptionKeyID: "samlKey" # ZITADEL_ENCRYPTIONKEYS_SAML_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_SAML_DECRYPTIONKEYIDS (comma separated list)
  OTP:
    EncryptionKeyID: "otpKey" # ZITADEL_ENCRYPTIONKEYS_OTP_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_OTP_DECRYPTIONKEYIDS (comma separated list)
  SMS:
    EncryptionKeyID: "smsKey" # ZITADEL_ENCRYPTIONKEYS_SMS_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_SMS_DECRYPTIONKEYIDS (comma separated list)
  SMTP:
    EncryptionKeyID: "smtpKey" # ZITADEL_ENCRYPTIONKEYS_SMTP_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_SMTP_DECRYPTIONKEYIDS (comma separated list)
  User:
    EncryptionKeyID: "userKey" # ZITADEL_ENCRYPTIONKEYS_USER_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_USER_DECRYPTIONKEYIDS (comma separated list)
  Target:
    EncryptionKeyID: "targetKey" # ZITADEL_ENCRYPTIONKEYS_TARGET_ENCRYPTIONKEYID
    DecryptionKeyIDs: # ZITADEL_ENCRYPTIONKEYS_TARGET_DECRYPTIONKEYIDS (comma separated list)
  CSRFCookieKeyID: "csrfCookieKey" # ZITADEL_ENCRYPTIONKEYS_CSRFCOOKIEKEYID
  UserAgentCookieKeyID: "userAgentCookieKey" # ZITADEL_ENCRYPTIONKEYS_USERAGENTCOOKIEKEYID
SystemAPIUsers:
  # - superuser:
  #   Path: /path/to/superuser/key.pem
  #   Memberships:
  #     - MemberType: Organization
  #       Roles: "ORG_OWNER"
  #       AggregateID: "123456789012345678"
  #     - MemberType: Project
  #       Roles: "PROJECT_OWNER"
# # Add keys for authentication of the systemAPI here:
# # you can specify any name for the user, but it will have to match the `issuer` and `sub` claim in the JWT:
# - superuser:
#     # you can provide the key by reference with the path. The data in this file has to be either a public RSA
#     # key or a public X.509 certificate
#     Path: /path/to/superuser/key.pem
#     Memberships:
#       # MemberType System allows the user to access all APIs for all instances or organizations
#       - MemberType: System
#         Roles:
#           - "SYSTEM_OWNER"
#           # Actually, we don't recommend adding IAM_OWNER and ORG_OWNER to the System membership, as this basically enables god mode for the system user
#           - "IAM_OWNER"
#           - "ORG_OWNER"
#       # MemberType IAM and Organization let you restrict access to a specific instance or organization by specifying the AggregateID
#       - MemberType: IAM
#         Roles: "IAM_OWNER"
#         AggregateID: "123456789012345678"
#       - MemberType: Organization
#         Roles: "ORG_OWNER"
#         AggregateID: "123456789012345678"
# - superuser2:
#     # If no memberships are specified, the user has a membership of type System with the role "SYSTEM_OWNER"
#     KeyData: <base64 encoded key>     # or you can directly embed the key as a base64 encoded value or X.509 certificate contents
# Configure the SystemAPIUsers by environment variable using JSON notation:
# ZITADEL_SYSTEMAPIUSERS='{"systemuser":{"Path":"/path/to/superuser/key.pem"},"systemuser2":{"KeyData":"<base64 encoded key>"}}'
SystemDefaults:
  SecretGenerators:
    MachineKeySize: 2048 # ZITADEL_SYSTEMDEFAULTS_SECRETGENERATORS_MACHINEKEYSIZE
    ApplicationKeySize: 2048 # ZITADEL_SYSTEMDEFAULTS_SECRETGENERATORS_APPLICATIONKEYSIZE
  PasswordHasher:
    # Set hasher configuration for user passwords.
    # Passwords previously hashed with a different algorithm
    # or cost are automatically re-hashed using this config,
    # upon password validation or update.
    Hasher:
      # Supported algorithms: "argon2i", "argon2id", "bcrypt", "scrypt", "pbkdf2", "sha2"
      # Depending on the algorithm, different configuration options take effect.
      Algorithm: bcrypt # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ALGORITHM
      # Cost takes effect for the algorithms bcrypt and scrypt
      Cost: 14 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_COST
      # Time takes effect for the algorithms argon2i and argon2id
      Time: 3 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_TIME
      # Memory takes effect for the algorithms argon2i and argon2id
      Memory: 32768 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_MEMORY
      # Threads takes effect for the algorithms argon2i and argon2id
      Threads: 4 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_THREADS
      # Rounds takes effect for the algorithms pbkdf2 and sha2
      Rounds: 290000 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_ROUNDS
      # Hash takes effect for the algorithms pbkdf2 and sha2
      # Can be "sha1", "sha224", "sha256", "sha384" or "sha512" for pbkdf2
      # Can be "sha256" or "sha512" for sha2
      Hash: sha256 # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_HASHER_HASH
    # Verifiers enable the possibility of verifying
    # passwords that were previously hashed using another
    # algorithm than the Hasher.
    # This can be used when migrating from one algorithm to another,
    # or when importing users with hashed passwords.
    # There is no need to enable a Verifier of the same algorithm
    # as the Hasher.
    #
    # The format of the encoded hash strings must comply
    # with https://github.com/P-H-C/phc-string-format/blob/master/phc-sf-spec.md
    # or https://passlib.readthedocs.io/en/stable/modular_crypt_format.html
    #
    # Supported verifiers: (uncomment to enable)
    Verifiers: # ZITADEL_SYSTEMDEFAULTS_PASSWORDHASHER_VERIFIERS
    #   - "argon2"   # verifier for both argon2i and argon2id.
    #   - "bcrypt"
    #   - "md5"      # md5Crypt with salt and password shuffling.
    #   - "md5plain" # md5 digest of a password without salt
    #   - "md5salted" # md5 digest of a salted password
    #   - "phpass"
    #   - "sha2" # crypt(3) SHA-256 and SHA-512
    #   - "scrypt"
    #   - "pbkdf2"   # verifier for all pbkdf2 hash modes.
  SecretHasher:
    # Set hasher configuration for service accounts, API and OIDC client secrets.
    Hasher:
      # Supported algorithms: "argon2i", "argon2id", "bcrypt", "scrypt", "pbkdf2"
      # Depending on the algorithm, different configuration options take effect.
      Algorithm: bcrypt # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_ALGORITHM
      # Cost takes effect for the algorithms bcrypt and scrypt
      Cost: 4 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_COST
      # Time takes effect for the algorithms argon2i and argon2id
      Time: 3 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_TIME
      # Memory takes effect for the algorithms argon2i and argon2id
      Memory: 32768 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_MEMORY
      # Threads takes effect for the algorithms argon2i and argon2id
      Threads: 4 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_THREADS
      # Rounds takes effect for the algorithm pbkdf2
      Rounds: 290000 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_ROUNDS
      # Hash takes effect for the algorithm pbkdf2
      # Can be "sha1", "sha224", "sha256", "sha384" or "sha512"
      Hash: sha256 # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_HASHER_HASH
    Verifiers: # ZITADEL_SYSTEMDEFAULTS_SECRETHASHER_VERIFIERS
  Multifactors:
    OTP:
      # If this is empty, the issuer is the requested domain
      # This is helpful in scenarios with multiple ZITADEL environments or virtual instances
      Issuer: "ZITADEL" # ZITADEL_SYSTEMDEFAULTS_MULTIFACTORS_OTP_ISSUER
    RecoveryCodes:
      # The maximum number of recovery codes that a user can hold at any given time
      MaxCount: 10 # ZITADEL_SYSTEMDEFAULTS_MULTIFACTORS_RECOVERYCODES_MAXCOUNT
      # The format of the recovery codes, supported: uuid, alphanumeric
      Format: alphanumeric # ZITADEL_SYSTEMDEFAULTS_MULTIFACTORS_RECOVERYCODES_FORMAT
      # Length of the recovery codes (only applies to alphanumeric format)
      Length: 10 # ZITADEL_SYSTEMDEFAULTS_MULTIFACTORS_RECOVERYCODES_LENGTH
      # Whether to include hyphens in the recovery codes (alphanumeric: hyphen in middle, uuid: keep/remove all hyphens)
      WithHyphen: true # ZITADEL_SYSTEMDEFAULTS_MULTIFACTORS_RECOVERYCODES_WITHHYPHEN
  Tarpit:
    # The number of failed attempts at which the tarpit starts.
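The PasswordHasher and SecretHasher sections above work as a pair: the Verifiers accept legacy hashes in the PHC or modular-crypt format the comments link to, and any password whose stored hash does not match the current Hasher algorithm or cost parameters is re-hashed on the next successful validation. The following added example (not ZITADEL's implementation) shows how that decision is made: it parses a bcrypt, argon2 or passlib-style pbkdf2 string, extracts the cost parameters, and compares them with a constructed copy of the PasswordHasher.Hasher defaults. The hash strings used in the checks are constructed placeholders, not real credentials, and `parse_encoded_hash`/`needs_rehash` are this example's own names.

```python
import re

# Constructed copy of the PasswordHasher.Hasher defaults shown above.
HASHER_CONFIG = {
    "Algorithm": "bcrypt", "Cost": 14, "Time": 3, "Memory": 32768,
    "Threads": 4, "Rounds": 290000, "Hash": "sha256",
}

# Modular-crypt bcrypt: $2<variant>$<cost>$<22-char salt><31-char hash>
_BCRYPT_RE = re.compile(r"^\$2[abxy]?\$(\d{2})\$[./A-Za-z0-9]{53}$")


def parse_encoded_hash(encoded):
    """Return (algorithm, params) for a PHC or modular-crypt encoded hash.

    Only the parameters that the Hasher config compares are extracted, using the
    config's own key names so the comparison below is a plain dict lookup.
    """
    m = _BCRYPT_RE.match(encoded)
    if m:
        return "bcrypt", {"Cost": int(m.group(1))}
    if not encoded.startswith("$"):
        raise ValueError("not a PHC/MCF string")
    fields = encoded.split("$")[1:]  # e.g. ["argon2id", "v=19", "m=..,t=..,p=..", salt, hash]
    ident = fields[0]
    if ident in ("argon2i", "argon2id", "argon2d"):
        # PHC argon2: optional version field, then "m=<KiB>,t=<iterations>,p=<lanes>"
        param_field = fields[2] if fields[1].startswith("v=") else fields[1]
        p = dict(kv.split("=") for kv in param_field.split(","))
        return ident, {"Memory": int(p["m"]), "Time": int(p["t"]), "Threads": int(p["p"])}
    if ident.startswith("pbkdf2"):
        # passlib style: $pbkdf2-sha256$<rounds>$<salt>$<hash>
        hash_name = ident.split("-", 1)[1] if "-" in ident else "sha1"
        return "pbkdf2", {"Rounds": int(fields[1]), "Hash": hash_name}
    raise ValueError(f"unsupported hash identifier: {ident}")


def needs_rehash(encoded, config=HASHER_CONFIG):
    """True if the stored hash was produced with another algorithm or other cost settings."""
    alg, params = parse_encoded_hash(encoded)
    if alg != config["Algorithm"]:
        return True
    return any(config[key] != value for key, value in params.items())


if __name__ == "__main__":
    # Constructed sample: bcrypt with cost 12 while the config demands 14 -> re-hash.
    sample = "$2a$12$" + "a" * 22 + "b" * 31
    print(parse_encoded_hash(sample), needs_rehash(sample))
```

A verifier for an algorithm is only needed while hashes of that algorithm still exist in the store; once every user has logged in at least once under the new Hasher settings, the legacy verifier can be removed again.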
    MinFailedAttempts: 5 # ZITADEL_SYSTEMDEFAULTS_TARPIT_MINFAILEDATTEMPTS
    # The duration that will be added per step.
    StepDuration: 1s # ZITADEL_SYSTEMDEFAULTS_TARPIT_STEPDURATION
    # The number of failed attempts needed to increase the tarpit by one step.
    StepSize: 5 # ZITADEL_SYSTEMDEFAULTS_TARPIT_STEPSIZE
    # The maximum duration the tarpit can reach.
    MaxDuration: 10s # ZITADEL_SYSTEMDEFAULTS_TARPIT_MAXDURATION
  DomainVerification:
    VerificationGenerator:
      Length: 32 # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_LENGTH
      IncludeLowerLetters: true # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_INCLUDELOWERLETTERS
      IncludeUpperLetters: true # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_SYSTEMDEFAULTS_DOMAINVERIFICATION_VERIFICATIONGENERATOR_INCLUDESYMBOLS
  Notifications:
    FileSystemPath: ".notifications/" # ZITADEL_SYSTEMDEFAULTS_NOTIFICATIONS_FILESYSTEMPATH
  KeyConfig:
    Size: 2048 # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_SIZE
    CertificateSize: 4096 # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_CERTIFICATESIZE
    PrivateKeyLifetime: 6h # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_PRIVATEKEYLIFETIME
    PublicKeyLifetime: 30h # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_PUBLICKEYLIFETIME
    # 8766h are 1 year
    CertificateLifetime: 8766h # ZITADEL_SYSTEMDEFAULTS_KEYCONFIG_CERTIFICATELIFETIME
  # DefaultQueryLimit limits the number of items that can be queried in a single v3 API search request without explicitly passing a limit.
  DefaultQueryLimit: 100 # ZITADEL_SYSTEMDEFAULTS_DEFAULTQUERYLIMIT
  # MaxQueryLimit limits the number of items that can be queried in a single v3 API search request with explicitly passing a limit.
  MaxQueryLimit: 1000 # ZITADEL_SYSTEMDEFAULTS_MAXQUERYLIMIT
  # The maximum duration of the IDP intent lifetime after which the IDP intent expires and cannot be retrieved or used anymore.
  # Note that this time is measured only after the IdP intent was successful and not after the IDP intent was created.
  MaxIdPIntentLifetime: 1h # ZITADEL_SYSTEMDEFAULTS_MAXIDPINTENTLIFETIME
Actions:
  HTTP:
    # Wildcard sub domains are currently unsupported
    DenyList: # ZITADEL_ACTIONS_HTTP_DENYLIST (comma separated list)
      - localhost
      - "127.0.0.0/8"
      - "::1"
      - "0.0.0.0"
      - "::"
LogStore:
  Access:
    Stdout:
      # If enabled, all access logs are printed to the binary's standard output
      Enabled: false # ZITADEL_LOGSTORE_ACCESS_STDOUT_ENABLED
  Execution:
    Stdout:
      # If enabled, all execution logs are printed to the binary's standard output
      Enabled: true # ZITADEL_LOGSTORE_EXECUTION_STDOUT_ENABLED
Quotas:
  Access:
    # If enabled, authenticated requests are counted and potentially limited depending on the configured quota of the instance
    Enabled: false # ZITADEL_QUOTAS_ACCESS_ENABLED
    Debounce:
      MinFrequency: 0s # ZITADEL_QUOTAS_ACCESS_DEBOUNCE_MINFREQUENCY
      MaxBulkSize: 0 # ZITADEL_QUOTAS_ACCESS_DEBOUNCE_MAXBULKSIZE
    ExhaustedCookieKey: "zitadel.quota.exhausted" # ZITADEL_QUOTAS_ACCESS_EXHAUSTEDCOOKIEKEY
    ExhaustedCookieMaxAge: "300s" # ZITADEL_QUOTAS_ACCESS_EXHAUSTEDCOOKIEMAXAGE
  Execution:
    # If enabled, all action executions are counted and potentially limited depending on the configured quota of the instance
    Enabled: false # ZITADEL_QUOTAS_EXECUTION_DATABASE_ENABLED
    Debounce:
      MinFrequency: 0s # ZITADEL_QUOTAS_EXECUTION_DEBOUNCE_MINFREQUENCY
      MaxBulkSize: 0 # ZITADEL_QUOTAS_EXECUTION_DEBOUNCE_MAXBULKSIZE
Eventstore:
  # Sets the maximum duration of transactions pushing events
  PushTimeout: 15s #ZITADEL_EVENTSTORE_PUSHTIMEOUT
  # Maximum amount of push retries in case of primary key violation on the sequence
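Both deny lists above (Executions.DenyList and Actions.HTTP.DenyList) name hosts and CIDR ranges that must never be used as an execution or action target, which is what keeps a server-side webhook call from being pointed back at the instance itself or its local network. The added example below, which is not ZITADEL's own code, shows how such a list is matched in practice: IP literals are checked against the CIDR entries, host names only by exact match (the file notes that wildcard sub domains are unsupported, so `sub.localhost` is not covered by `localhost`), and an optional list of already-resolved addresses lets a public name that resolves into a denied range be rejected as well. The function names and the `resolved_addrs` parameter are this example's own; the deny list is a constructed copy of the defaults above.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed copy of the default DenyList entries shown above.
DEFAULT_DENY_LIST = ["localhost", "127.0.0.0/8", "::1", "0.0.0.0", "::"]


def _parse_deny_list(entries):
    """Split deny-list entries into IP networks and literal host names."""
    networks, hosts = [], set()
    for entry in entries:
        try:
            # A bare address such as "::1" becomes a /128 (or /32) network.
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            hosts.add(entry.lower().rstrip("."))
    return networks, hosts


def is_denied(url, deny_list=DEFAULT_DENY_LIST, resolved_addrs=()):
    """Return True if the target URL must be rejected under the deny list.

    Host names match exactly (no wildcard sub domains). The caller may pass the
    addresses a host name resolved to, so the CIDR entries apply to them too.
    """
    networks, hosts = _parse_deny_list(deny_list)
    host = urlsplit(url).hostname  # drops the port, IPv6 brackets and case
    if host is None:
        return True  # a URL without a host is not a usable target
    candidates = []
    try:
        candidates.append(ipaddress.ip_address(host))
    except ValueError:
        # Not an IP literal: compare the name itself against the host entries.
        if host.rstrip(".") in hosts:
            return True
    candidates.extend(ipaddress.ip_address(a) for a in resolved_addrs)
    return any(addr in net for addr in candidates for net in networks)


if __name__ == "__main__":
    for target in ("http://localhost:3000/hook", "http://[::1]:8080/hook",
                   "https://hooks.example.com/callback", "https://sub.localhost/callback"):
        print(target, "->", "denied" if is_denied(target) else "allowed")
```

Because the list is matched against literal host names, a name that is not on the list but resolves to a loopback or link-local address only gets caught when the resolved addresses are checked as well, which is why the example accepts them as an extra argument.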
  MaxRetries: 5 #ZITADEL_EVENTSTORE_MAXRETRIES
# The DefaultInstance section defines the default values for each new virtual instance that is created.
# Check out https://zitadel.com/docs/concepts/structure/instance#multiple-virtual-instances for more information about virtual instances.
# For the initial setup, the default values are used to create the first instance.
# However, you might want to have your first instance created by the setup job to have a different configuration.
# To overwrite the default values for the initial setup, configure the FirstInstance yaml section and pass it using the --steps flag.
DefaultInstance:
  InstanceName: ZITADEL # ZITADEL_DEFAULTINSTANCE_INSTANCENAME
  DefaultLanguage: en # ZITADEL_DEFAULTINSTANCE_DEFAULTLANGUAGE
  Org:
    Name: ZITADEL # ZITADEL_DEFAULTINSTANCE_ORG_NAME
    # In the DefaultInstance.Org.Human section, the initial organization's admin user with the role IAM_OWNER is defined.
    # If DefaultInstance.Org.Machine.Machine is defined, a service account is created with the IAM_OWNER role.
    Human:
      # In case that UserLoginMustBeDomain is false (default) and if you don't overwrite the username with an email,
      # it will be suffixed by the Organization Domain (org-name + domain from config).
      # for example zitadel-admin in org `My Org` on domain.tld -> zitadel-admin@my-org.domain.tld
      UserName: zitadel-admin # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_USERNAME
      FirstName: ZITADEL # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_FIRSTNAME
      LastName: Admin # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_LASTNAME
      NickName: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_NICKNAME
      DisplayName: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_DISPLAYNAME
      Email:
        Address: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_EMAIL_ADDRESS
        Verified: false # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_EMAIL_VERIFIED
      PreferredLanguage: en # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PREFERREDLANGUAGE
      Gender: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_GENDER
      Phone:
        Number: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PHONE_NUMBER
        Verified: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PHONE_VERIFIED
      Password: # ZITADEL_DEFAULTINSTANCE_ORG_HUMAN_PASSWORD
    # In the DefaultInstance.Org.Machine section, the initial organization's admin service account with the role IAM_OWNER is defined.
    # If DefaultInstance.Org.Machine.Machine is defined, a service account is created with the IAM_OWNER role.
    Machine:
      Machine:
        Username: # ZITADEL_DEFAULTINSTANCE_ORG_MACHINE_MACHINE_USERNAME
        Name: # ZITADEL_DEFAULTINSTANCE_ORG_MACHINE_MACHINE_NAME
      MachineKey:
        # date format: 2023-01-01T00:00:00Z
        ExpirationDate: # ZITADEL_DEFAULTINSTANCE_ORG_MACHINE_MACHINEKEY_EXPIRATIONDATE
        # Currently, the only supported value is 1 for JSON
        Type: # ZITADEL_DEFAULTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE
      Pat:
        # date format: 2023-01-01T00:00:00Z
        ExpirationDate: # ZITADEL_DEFAULTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE
    LoginClient:
      Machine:
        Username: # ZITADEL_DEFAULTINSTANCE_ORG_LOGINCLIENT_MACHINE_USERNAME
        Name: # ZITADEL_DEFAULTINSTANCE_ORG_LOGINCLIENT_MACHINE_NAME
      Pat:
        # date format: 2023-01-01T00:00:00Z
        ExpirationDate: # ZITADEL_DEFAULTINSTANCE_ORG_LOGINCLIENT_PAT_EXPIRATIONDATE
  SecretGenerators:
    ClientSecret:
      Length: 64 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_CLIENTSECRET_LENGTH
      IncludeLowerLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_CLIENTSECRET_INCLUDELOWERLETTERS
      IncludeUpperLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_CLIENTSECRET_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_CLIENTSECRET_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_CLIENTSECRET_INCLUDESYMBOLS
    InitializeUserCode:
      Length: 6 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_LENGTH
      Expiry: "72h" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_EXPIRY
      IncludeLowerLetters: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDELOWERLETTERS
      IncludeUpperLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDESYMBOLS
    EmailVerificationCode:
      Length: 6 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_EMAILVERIFICATIONCODE_LENGTH
      Expiry: "1h" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_EMAILVERIFICATIONCODE_EXPIRY
      IncludeLowerLetters: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_EMAILVERIFICATIONCODE_INCLUDELOWERLETTERS
      IncludeUpperLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_EMAILVERIFICATIONCODE_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_EMAILVERIFICATIONCODE_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_EMAILVERIFICATIONCODE_INCLUDESYMBOLS
    PhoneVerificationCode:
      Length: 6 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PHONEVERIFICATIONCODE_LENGTH
      Expiry: "1h" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PHONEVERIFICATIONCODE_EXPIRY
      IncludeLowerLetters: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PHONEVERIFICATIONCODE_INCLUDELOWERLETTERS
      IncludeUpperLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PHONEVERIFICATIONCODE_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PHONEVERIFICATIONCODE_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PHONEVERIFICATIONCODE_INCLUDESYMBOLS
    PasswordVerificationCode:
      Length: 6 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDVERIFICATIONCODE_LENGTH
      Expiry: "1h" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDVERIFICATIONCODE_EXPIRY
      IncludeLowerLetters: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDVERIFICATIONCODE_INCLUDELOWERLETTERS
      IncludeUpperLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDVERIFICATIONCODE_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDVERIFICATIONCODE_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDVERIFICATIONCODE_INCLUDESYMBOLS
    PasswordlessInitCode:
      Length: 12 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDLESSINITCODE_LENGTH
      Expiry: "1h" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDLESSINITCODE_EXPIRY
      IncludeLowerLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDLESSINITCODE_INCLUDELOWERLETTERS
      IncludeUpperLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDLESSINITCODE_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDLESSINITCODE_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_PASSWORDLESSINITCODE_INCLUDESYMBOLS
    DomainVerification:
      Length: 32 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_DOMAINVERIFICATION_LENGTH
      IncludeLowerLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_DOMAINVERIFICATION_INCLUDELOWERLETTERS
      IncludeUpperLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_DOMAINVERIFICATION_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_DOMAINVERIFICATION_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_DOMAINVERIFICATION_INCLUDESYMBOLS
    OTPSMS:
      Length: 8 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPSMS_LENGTH
      Expiry: "5m" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPSMS_EXPIRY
      IncludeLowerLetters: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPSMS_INCLUDELOWERLETTERS
      IncludeUpperLetters: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPSMS_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPSMS_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPSMS_INCLUDESYMBOLS
    OTPEmail:
      Length: 8 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPEMAIL_LENGTH
      Expiry: "5m" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPEMAIL_EXPIRY
      IncludeLowerLetters: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPEMAIL_INCLUDELOWERLETTERS
      IncludeUpperLetters: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPEMAIL_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPEMAIL_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_OTPEMAIL_INCLUDESYMBOLS
    InviteCode:
      Length: 6 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_LENGTH
      Expiry: "72h" # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_EXPIRY
      IncludeLowerLetters: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDELOWERLETTERS
      IncludeUpperLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_INITIALIZEUSERCODE_INCLUDESYMBOLS
    SigningKey:
      Length: 36 # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_LENGTH
      IncludeLowerLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_INCLUDELOWERLETTERS
      IncludeUpperLetters: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_INCLUDEUPPERLETTERS
      IncludeDigits: true # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_INCLUDEDIGITS
      IncludeSymbols: false # ZITADEL_DEFAULTINSTANCE_SECRETGENERATORS_SIGNINGKEY_INCLUDESYMBOLS
  PasswordComplexityPolicy:
    MinLength: 8 # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_MINLENGTH
    HasLowercase: true # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_HASLOWERCASE
    HasUppercase: true # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_HASUPPERCASE
    HasNumber: true # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_HASNUMBER
    HasSymbol: true # ZITADEL_DEFAULTINSTANCE_PASSWORDCOMPLEXITYPOLICY_HASSYMBOL
  PasswordAgePolicy:
    ExpireWarnDays: 0 # ZITADEL_DEFAULTINSTANCE_PASSWORDAGEPOLICY_EXPIREWARNDAYS
    MaxAgeDays: 0 # ZITADEL_DEFAULTINSTANCE_PASSWORDAGEPOLICY_MAXAGEDAYS
  DomainPolicy:
    UserLoginMustBeDomain: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_USERLOGINMUSTBEDOMAIN
    ValidateOrgDomains: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_VALIDATEORGDOMAINS
    SMTPSenderAddressMatchesInstanceDomain: false # ZITADEL_DEFAULTINSTANCE_DOMAINPOLICY_SMTPSENDERADDRESSMATCHESINSTANCEDOMAIN
  LoginPolicy:
    AllowUsernamePassword: true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWUSERNAMEPASSWORD
    AllowRegister: true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWREGISTER
    AllowExternalIDP: true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWEXTERNALIDP
    ForceMFA: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_FORCEMFA
    HidePasswordReset: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_HIDEPASSWORDRESET
    IgnoreUnknownUsernames: false # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_IGNOREUNKNOWNUSERNAMES
    AllowDomainDiscovery: true # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_ALLOWDOMAINDISCOVERY
    # 1 is allowed, 0 is not allowed
    PasswordlessType: 1 # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_PASSWORDLESSTYPE
    # DefaultRedirectURI is empty by default because we use the Management Console UI
    DefaultRedirectURI: # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_DEFAULTREDIRECTURI
    # 240h = 10d
    PasswordCheckLifetime: 240h # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_PASSWORDCHECKLIFETIME
    # 240h = 10d
    ExternalLoginCheckLifetime: 240h # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_EXTERNALLOGINCHECKLIFETIME
    # 720h = 30d
    MfaInitSkipLifetime: 720h # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_MFAINITSKIPLIFETIME
    SecondFactorCheckLifetime: 18h # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_SECONDFACTORCHECKLIFETIME
    MultiFactorCheckLifetime: 12h # ZITADEL_DEFAULTINSTANCE_LOGINPOLICY_MULTIFACTORCHECKLIFETIME
  PrivacyPolicy:
    TOSLink: "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_TOSLINK
    PrivacyLink: "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_PRIVACYLINK
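Every SecretGenerators entry above, the OIDC.DeviceAuth.UserCode settings and the SystemDefaults.Multifactors.RecoveryCodes settings describe the same thing: an alphabet and a length, from which the guessing resistance of the generated value follows as length × log2(alphabet size). The added example below, not ZITADEL's own generator code, builds the alphabet from the Include* flags, draws values with the `secrets` module, formats device user codes with the configured DashInterval and alphanumeric recovery codes with a hyphen in the middle, and reports the entropy of each configuration. Assumptions of this example, not taken from the page: the symbol set used for IncludeSymbols, the uppercase-plus-digit alphabet for alphanumeric recovery codes, and that a dash is inserted after every DashInterval characters; the config dicts are constructed copies of the defaults above.

```python
import math
import secrets
import string
import uuid

# Constructed copies of the generator settings shown above.
DEVICE_USER_CODE = {"CharSet": "BCDFGHJKLMNPQRSTVWXZ", "CharAmount": 8, "DashInterval": 4}
OTP_SMS = {"Length": 8, "IncludeLowerLetters": False, "IncludeUpperLetters": False,
           "IncludeDigits": True, "IncludeSymbols": False}
CLIENT_SECRET = {"Length": 64, "IncludeLowerLetters": True, "IncludeUpperLetters": True,
                 "IncludeDigits": True, "IncludeSymbols": False}
RECOVERY_CODES = {"Format": "alphanumeric", "Length": 10, "WithHyphen": True}

# Assumed symbol set; the page does not say which symbols IncludeSymbols adds.
SYMBOLS = "!#$%&*+-=?@_"


def charset_for(cfg):
    """Build the alphabet implied by the Include* flags of a SecretGenerators entry."""
    alphabet = ""
    if cfg.get("IncludeLowerLetters"):
        alphabet += string.ascii_lowercase
    if cfg.get("IncludeUpperLetters"):
        alphabet += string.ascii_uppercase
    if cfg.get("IncludeDigits"):
        alphabet += string.digits
    if cfg.get("IncludeSymbols"):
        alphabet += SYMBOLS
    if not alphabet:
        raise ValueError("generator config enables no character class")
    return alphabet


def generate_secret(cfg):
    """Uniform random string of cfg['Length'] characters from the configured alphabet."""
    alphabet = charset_for(cfg)
    return "".join(secrets.choice(alphabet) for _ in range(cfg["Length"]))


def entropy_bits(alphabet_size, length):
    """Entropy in bits of a uniformly random string over the alphabet."""
    return length * math.log2(alphabet_size)


def generate_device_user_code(cfg=DEVICE_USER_CODE):
    """Device-flow user code: CharAmount characters from CharSet, grouped by DashInterval."""
    raw = "".join(secrets.choice(cfg["CharSet"]) for _ in range(cfg["CharAmount"]))
    step = cfg["DashInterval"]
    return "-".join(raw[i:i + step] for i in range(0, len(raw), step))


def generate_recovery_code(cfg=RECOVERY_CODES):
    """Recovery code in 'uuid' or 'alphanumeric' format, hyphenated per WithHyphen."""
    if cfg["Format"] == "uuid":
        code = str(uuid.uuid4())
        return code if cfg["WithHyphen"] else code.replace("-", "")
    alphabet = string.ascii_uppercase + string.digits  # assumed alphabet for 'alphanumeric'
    raw = "".join(secrets.choice(alphabet) for _ in range(cfg["Length"]))
    if cfg["WithHyphen"]:
        mid = len(raw) // 2
        raw = raw[:mid] + "-" + raw[mid:]
    return raw


if __name__ == "__main__":
    print("device user code:", generate_device_user_code(),
          f"({entropy_bits(len(DEVICE_USER_CODE['CharSet']), DEVICE_USER_CODE['CharAmount']):.1f} bits)")
    print("OTP via SMS:     ", generate_secret(OTP_SMS),
          f"({entropy_bits(len(charset_for(OTP_SMS)), OTP_SMS['Length']):.1f} bits)")
    print("client secret:   ", generate_secret(CLIENT_SECRET),
          f"({entropy_bits(len(charset_for(CLIENT_SECRET)), CLIENT_SECRET['Length']):.1f} bits)")
    print("recovery code:   ", generate_recovery_code())
```

The numbers explain why the short codes carry an Expiry while the 64-character ClientSecret does not: an 8-digit OTPSMS value is about 26.6 bits and an 8-character device user code about 34.6 bits, which only holds up against online guessing when the code is short-lived and the Tarpit and LockoutPolicy settings limit attempts; the client secret at roughly 381 bits needs no such help.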
    HelpLink: "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_HELPLINK
    SupportEmail: "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_SUPPORTEMAIL
    DocsLink: https://zitadel.com/docs # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_DOCSLINK
    CustomLink: "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_CUSTOMLINK
    CustomLinkText: "" # ZITADEL_DEFAULTINSTANCE_PRIVACYPOLICY_CUSTOMLINKTEXT
  NotificationPolicy:
    PasswordChange: true # ZITADEL_DEFAULTINSTANCE_NOTIFICATIONPOLICY_PASSWORDCHANGE
  LabelPolicy:
    PrimaryColor: "#5469d4" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_PRIMARYCOLOR
    BackgroundColor: "#fafafa" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_BACKGROUNDCOLOR
    WarnColor: "#cd3d56" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_WARNCOLOR
    FontColor: "#000000" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_FONTCOLOR
    PrimaryColorDark: "#2073c4" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_PRIMARYCOLORDARK
    BackgroundColorDark: "#111827" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_BACKGROUNDCOLORDARK
    WarnColorDark: "#ff3b5b" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_WARNCOLORDARK
    FontColorDark: "#ffffff" # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_FONTCOLORDARK
    HideLoginNameSuffix: false # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_HIDELOGINNAMESUFFIX
    ErrorMsgPopup: false # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_ERRORMSGPOPUP
    DisableWatermark: false # ZITADEL_DEFAULTINSTANCE_LABELPOLICY_DISABLEWATERMARK
  LockoutPolicy:
    MaxPasswordAttempts: 0 # ZITADEL_DEFAULTINSTANCE_LOCKOUTPOLICY_MAXPASSWORDATTEMPTS
    MaxOTPAttempts: 0 # ZITADEL_DEFAULTINSTANCE_LOCKOUTPOLICY_MAXOTPATTEMPTS
    ShouldShowLockoutFailure: true # ZITADEL_DEFAULTINSTANCE_LOCKOUTPOLICY_SHOULDSHOWLOCKOUTFAILURE
  EmailTemplate: 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 # ZITADEL_DEFAULTINSTANCE_EMAILTEMPLATE
  # WebKeys configures the OIDC token signing keys that are generated when a new instance is created.
  WebKeys:
    Type: "rsa" # ZITADEL_DEFAULTINSTANCE_WEBKEYS_TYPE
    Config:
      RSABits: "2048" # ZITADEL_DEFAULTINSTANCE_WEBKEYS_CONFIG_BITS
      RSAHasher: "sha256" # ZITADEL_DEFAULTINSTANCE_WEBKEYS_CONFIG_HASHER
  # WebKeys:
  #  Type: "ecdsa"
  #  Config:
  #    EllipticCurve: "P256" # ZITADEL_DEFAULTINSTANCE_WEBKEYS_CONFIG_CURVE
  # Sets the default values for lifetime and expiration for OIDC in each newly created instance
  # This default can be overwritten for each instance during runtime
  # Overwrites the system defaults
  # If defined but not all durations are set it will result in an error
  OIDCSettings:
    AccessTokenLifetime: 12h # ZITADEL_DEFAULTINSTANCE_OIDCSETTINGS_ACCESSTOKENLIFETIME
    IdTokenLifetime: 12h # ZITADEL_DEFAULTINSTANCE_OIDCSETTINGS_IDTOKENLIFETIME
    # 720h are 30 days
    RefreshTokenIdleExpiration: 720h # ZITADEL_DEFAULTINSTANCE_OIDCSETTINGS_REFRESHTOKENIDLEEXPIRATION
    # 2160h are 90 days
    RefreshTokenExpiration: 2160h # ZITADEL_DEFAULTINSTANCE_OIDCSETTINGS_REFRESHTOKENEXPIRATION
  # this configuration sets the default email configuration
  SMTPConfiguration:
    # Configuration of the host
    SMTP:
      # must include the port, like smtp.mailtrap.io:2525. IPv6 is also supported, like [2001:db8::1]:2525
      Host: # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_HOST
      User: # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_USER
      Password: # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_SMTP_PASSWORD
    TLS: # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_TLS
    # If the host of the sender is different from ExternalDomain set DefaultInstance.DomainPolicy.SMTPSenderAddressMatchesInstanceDomain to false
    From: # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_FROM
    FromName: # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_FROMNAME
    ReplyToAddress: # ZITADEL_DEFAULTINSTANCE_SMTPCONFIGURATION_REPLYTOADDRESS
  # Configure the MessageTexts by environment variable using JSON notation:
  # ZITADEL_DEFAULTINSTANCE_MESSAGETEXTS='[{"messageTextType": "InitCode", "title": "My custom title"},{"messageTextType": "PasswordReset", "greeting": "Hi there!"}]'
  # Beware that if you configure the MessageTexts by environment variable, all the default MessageTexts are lost.
  MessageTexts:
    - MessageTextType: InitCode
      Language: de
      Title: Zitadel - User initialisieren
      PreHeader: User initialisieren
      Subject: User initialisieren
      Greeting: Hallo {{.DisplayName}},
      Text: Dieser Benutzer wurde soeben im Zitadel erstellt. Mit dem Benutzernamen <br><strong>{{.PreferredLoginName}}</strong><br> kannst du dich anmelden. Nutze den untenstehenden Button, um die Initialisierung abzuschliessen <br>(Code <strong>{{.Code}}</strong>).<br> Falls du dieses Mail nicht angefordert hast, kannst du es einfach ignorieren.
      ButtonText: Initialisierung abschliessen
    - MessageTextType: PasswordReset
      Language: de
      Title: Zitadel - Passwort zurücksetzen
      PreHeader: Passwort zurücksetzen
      Subject: Passwort zurücksetzen
      Greeting: Hallo {{.DisplayName}},
      Text: Wir haben eine Anfrage für das Zurücksetzen deines Passwortes bekommen. Du kannst den untenstehenden Button verwenden, um dein Passwort zurückzusetzen <br>(Code <strong>{{.Code}}</strong>).<br> Falls du dieses Mail nicht angefordert hast, kannst du es ignorieren.
      ButtonText: Passwort zurücksetzen
    - MessageTextType: VerifyEmail
      Language: de
      Title: Zitadel - Email verifizieren
      PreHeader: Email verifizieren
      Subject: Email verifizieren
      Greeting: Hallo {{.DisplayName}},
      Text: Eine neue E-Mail Adresse wurde hinzugefügt. Bitte verwende den untenstehenden Button um diese zu verifizieren <br>(Code <strong>{{.Code}}</strong>).<br> Falls du deine E-Mail Adresse nicht selber hinzugefügt hast, kannst du dieses E-Mail ignorieren.
      ButtonText: Email verifizieren
    - MessageTextType: VerifyPhone
      Language: de
      Title: Zitadel - Telefonnummer verifizieren
      PreHeader: Telefonnummer verifizieren
      Subject: Telefonnummer verifizieren
      Greeting: Hallo {{.DisplayName}},
      Text: Eine Telefonnummer wurde hinzugefügt. Bitte verifiziere diese in dem du folgenden Code eingibst (Code {{.Code}})
      ButtonText: Telefon verifizieren
    - MessageTextType: DomainClaimed
      Language: de
      Title: Zitadel - Domain wurde beansprucht
      PreHeader: Email / Username ändern
      Subject: Domain wurde beansprucht
      Greeting: Hallo {{.DisplayName}},
      Text: Die Domain {{.Domain}} wurde von einer Organisation beansprucht. Dein derzeitiger User {{.Username}} ist nicht Teil dieser Organisation. Daher musst du beim nächsten Login eine neue Email hinterlegen. Für diesen Login haben wir dir einen temporären Usernamen ({{.TempUsername}}) erstellt.
      ButtonText: Login
    - MessageTextType: PasswordChange
      Language: de
      Title: ZITADEL - Passwort von Benutzer wurde geändert
      PreHeader: Passwort Änderung
      Subject: Passwort von Benutzer wurde geändert
      Greeting: Hallo {{.DisplayName}},
      Text: Das Password vom Benutzer wurde geändert. Wenn diese Änderung von jemand anderem gemacht wurde, empfehlen wir die sofortige Zurücksetzung ihres Passworts.
      ButtonText: Login
    - MessageTextType: InitCode
      Language: en
      Title: Zitadel - Initialize User
      PreHeader: Initialize User
      Subject: Initialize User
      Greeting: Hello {{.DisplayName}},
      Text: This user was created in Zitadel. Use the username {{.PreferredLoginName}} to login. Please click the button below to finish the initialization process. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.
      ButtonText: Finish initialization
    - MessageTextType: PasswordReset
      Language: en
      Title: Zitadel - Reset password
      PreHeader: Reset password
      Subject: Reset password
      Greeting: Hello {{.DisplayName}},
      Text: We received a password reset request. Please use the button below to reset your password. (Code {{.Code}}) If you didn't ask for this mail, please ignore it.
      ButtonText: Reset password
    - MessageTextType: VerifyEmail
      Language: en
      Title: Zitadel - Verify email
      PreHeader: Verify email
      Subject: Verify email
      Greeting: Hello {{.DisplayName}},
      Text: A new email has been added. Please use the button below to verify your email. (Code {{.Code}}) If you didn't add a new email, please ignore this email.
      ButtonText: Verify email
    - MessageTextType: VerifyPhone
      Language: en
      Title: Zitadel - Verify phone
      PreHeader: Verify phone
      Subject: Verify phone
      Greeting: Hello {{.DisplayName}},
      Text: A new phone number has been added. Please use the following code to verify it {{.Code}}.
      ButtonText: Verify phone
    - MessageTextType: DomainClaimed
      Language: en
      Title: Zitadel - Domain has been claimed
      PreHeader: Change email/username
      Subject: Domain has been claimed
      Greeting: Hello {{.DisplayName}},
      Text: The domain {{.Domain}} has been claimed by an organization. Your current user {{.UserName}} is not part of this organization. Therefore you'll have to change your email when you login. We have created a temporary username ({{.TempUsername}}) for this login.
      ButtonText: Login
    - MessageTextType: PasswordChange
      Language: en
      Title: ZITADEL - Password of user has changed
      PreHeader: Change password
      Subject: Password of user has changed
      Greeting: Hello {{.DisplayName}},
      Text: The password of your user has changed. If this change was not done by you, please be advised to immediately reset your password.
      ButtonText: Login
  # Once a feature is set on the instance (true or false), system level feature settings
  # will be ignored until instance level features are reset.
  Features:
    LoginDefaultOrg: true # ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINDEFAULTORG
    UserSchema: # ZITADEL_DEFAULTINSTANCE_FEATURES_USERSCHEMA
    ImprovedPerformance: # ZITADEL_DEFAULTINSTANCE_FEATURES_IMPROVEDPERFORMANCE
    # https://github.com/zitadel/zitadel/blob/main/internal/feature/feature.go#L64-L68
    #   - 1 # OrgByID
    #   - 2 # ProjectGrant
    #   - 3 # Project
    #   - 4 # UserGrant
    #   - 5 # OrgDomainVerified
    DebugOIDCParentError: # ZITADEL_DEFAULTINSTANCE_FEATURES_DEBUGOIDCPARENTERROR
    OIDCSingleV1SessionTermination: # ZITADEL_DEFAULTINSTANCE_FEATURES_OIDCSINGLEV1SESSIONTERMINATION
    LoginV2:
      Required: true # ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_REQUIRED
      BaseURI: # ZITADEL_DEFAULTINSTANCE_FEATURES_LOGINV2_BASEURI
    PermissionCheckV2: # ZITADEL_DEFAULTINSTANCE_FEATURES_PERMISSIONCHECKV2
    ConsoleUseV2UserApi: true # ZITADEL_DEFAULTINSTANCE_FEATURES_CONSOLEUSEV2USERAPI
    EnableRelationalTables: # ZITADEL_DEFAULTINSTANCE_FEATURES_ENABLERELATIONALTABLES
  Limits:
    # AuditLogRetention limits the number of events that can be queried via the events API by their age.
    # A value of "0s" means that all events are available.
    # If this value is set, it overwrites the system default unless it is reset via the admin API.
    AuditLogRetention: # ZITADEL_DEFAULTINSTANCE_LIMITS_AUDITLOGRETENTION
    # If Block is true, all requests except to /ui/console or the system API are blocked and /ui/login is redirected to /ui/console.
    # /ui/console shows a message that the instance is blocked with a link to Console.InstanceManagementURL
    Block: # ZITADEL_DEFAULTINSTANCE_LIMITS_BLOCK
  Restrictions:
    # DisallowPublicOrgRegistration defines if ZITADEL should expose the endpoint /ui/login/register/org
    # If it is true, the endpoint returns the HTTP status 404 on GET requests, and 409 on POST requests.
    DisallowPublicOrgRegistration: # ZITADEL_DEFAULTINSTANCE_RESTRICTIONS_DISALLOWPUBLICORGREGISTRATION
    # AllowedLanguages restricts the languages that can be used.
    # If the list is empty, all supported languages are allowed.
    AllowedLanguages: # ZITADEL_DEFAULTINSTANCE_RESTRICTIONS_ALLOWEDLANGUAGES
    # - en
    # - de
  Quotas:
    # Items takes a slice of quota settings; for each unit type and instance, one or zero quotas may exist.
    # The following unit types are supported
    # "requests.all.authenticated"
    # The sum of all requests to the ZITADEL API with an authorization header,
    # excluding the following exceptions
    # - Calls to the System API
    # - Calls that cause internal server errors
    # - Failed authorizations
    # - Requests made after the quota was already exceeded
    # "actions.all.runs.seconds"
    # The sum of all action run durations in seconds
    # Configure the Items by environment variable using JSON notation:
    # ZITADEL_DEFAULTINSTANCE_QUOTAS_ITEMS='[{"unit": "requests.all.authenticated", "notifications": [{"percent": 100}]}]'
    Items: # ZITADEL_DEFAULTINSTANCE_QUOTAS_ITEMS
#      - Unit: "requests.all.authenticated"
#        # From defines the starting time from which the current quota period is calculated.
#        # This is relevant for querying the current usage.
#        From: "2023-01-01T00:00:00Z"
#        # ResetInterval defines the duration of a quota period
#        ResetInterval: 720h # 30 days
#        # Amount defines the number of units for this quota
#        Amount: 25000
#        # Limit defines whether ZITADEL should block further authenticated requests when the configured amount is used.
#        # If you want to block not only authenticated requests but also authentication itself, consider using the system API's SetLimits method.
#        Limit: false
#        # Notifications are emitted by ZITADEL when certain quota percentages are reached
#        Notifications:
#            # Percent defines the relative amount of used units after which a notification should be emitted.
#          - Percent: 100
#            # Repeat defines whether a notification should be emitted each time a multiple of the configured Percent is used.
#            Repeat: true
#            # CallURL is called when a relative amount of the quota is used.
#            CallURL: "https://httpbin.org/post"
# AuditLogRetention limits the number of events that can be queried via the events API by their age.
# A value of "0s" means that all events are available.
# If an audit log retention is set using an instance limit, it will overwrite the system default.
AuditLogRetention: 0s # ZITADEL_AUDITLOGRETENTION
# ServicePing sends periodic reports of analytics data and the usage of ZITADEL.
# They are sent to a central endpoint to help us improve ZITADEL.
# It's enabled by default, but you can opt out either completely or by disabling specific telemetry data.
ServicePing:
  # By setting Enabled to false, the service ping is disabled completely.
  Enabled: true # ZITADEL_SERVICEPING_ENABLED
  # The endpoint to which the reports are sent. The endpoint is used as a base path. Individual reports are sent to the endpoint with a specific path.
  Endpoint: "https://zitadel.com/api/ping" # ZITADEL_SERVICEPING_ENDPOINT
  # Interval at which the service ping is sent to the endpoint.
  # The interval is in the format of a cron expression.
  # By default, it is set to run daily.
  # Note that if the interval is set to `@daily`, we randomize the time to prevent all systems from sending their reports at the same time.
  # If you want to send the service ping at a specific time, you can set the interval to a cron expression like "@midnight" or "15 4 * * *".
  Interval: "@daily" # ZITADEL_SERVICEPING_INTERVAL
  # Maximum number of attempts for each individual report to be sent.
  # If one report fails, it will be retried up to this number of times.
  # Other reports will still be handled in parallel and have their own retry count.
  # This means if the base information only succeeded after 3 attempts,
  # the resource count still has 5 attempts to be sent.
  MaxAttempts: 5 # ZITADEL_SERVICEPING_MAXATTEMPTS
  # The following features can be enabled or disabled individually.
  # By default, all features are enabled.
  # Note that if the service ping is enabled, base information about the system is always sent.
  # This includes the version and the id, creation date and domains of all instances.
  # If you disable a feature, it will not be sent in the service ping.
  # Some features provide additional configuration options, if enabled.
  Telemetry:
    # ResourceCount is a periodic report of the number of resources in ZITADEL.
    # This includes the number of users, organizations, projects, and other resources.
    ResourceCount:
      Enabled: true # ZITADEL_SERVICEPING_TELEMETRY_RESOURCECOUNT_ENABLED
      # The number of counts that are sent in one batch.
      # The bulk size is used to prevent large requests that might fail due to their size.
      # Each report will log its size before sending it to the endpoint,
      # so you can adjust the bulk size if you see that the requests are too large.
      BulkSize: 10000 # ZITADEL_SERVICEPING_TELEMETRY_RESOURCECOUNT_BULKSIZE
InternalAuthZ:
  # Configure the RolePermissionMappings by environment variable using JSON notation:
  # ZITADEL_INTERNALAUTHZ_ROLEPERMISSIONMAPPINGS='[{"role": "IAM_OWNER", "permissions": ["iam.write"]}, {"role": "ORG_OWNER", "permissions": ["org.write"]}]'
  # Beware that if you configure the RolePermissionMappings by environment variable, all the default RolePermissionMappings are lost.
  #
  # Warning: RolePermissionMappings are synchronized to the database.
  # Changes here will only be applied after running `zitadel setup` or `zitadel start-from-setup`.
  RolePermissionMappings:
    - Role: "SYSTEM_OWNER"
      Permissions:
        - "system.instance.read"
        - "system.instance.write"
        - "system.instance.delete"
        - "system.domain.read"
        - "system.domain.write"
        - "system.domain.delete"
        - "system.debug.read"
        - "system.debug.write"
        - "system.debug.delete"
        - "system.feature.read"
        - "system.feature.write"
        - "system.feature.delete"
        - "system.limits.write"
        - "system.limits.delete"
        - "system.quota.write"
        - "system.quota.delete"
        - "system.iam.member.read"
    - Role: "SYSTEM_OWNER_VIEWER"
      Permissions:
        - "system.instance.read"
        - "system.domain.read"
        - "system.debug.read"
        - "system.feature.read"
        - "system.iam.member.read"
    - Role: "IAM_OWNER"
      Permissions:
        - "iam.read"
        - "iam.write"
        - "iam.policy.read"
        - "iam.policy.write"
        - "iam.policy.delete"
        - "iam.member.read"
        - "iam.member.write"
        - "iam.member.delete"
        - "iam.idp.read"
        - "iam.idp.write"
        - "iam.idp.delete"
        - "iam.action.read"
        - "iam.action.write"
        - "iam.action.delete"
        - "iam.flow.read"
        - "iam.flow.write"
        - "iam.flow.delete"
        - "iam.feature.read"
        - "iam.feature.write"
        - "iam.feature.delete"
        - "iam.restrictions.read"
        - "iam.restrictions.write"
        - "iam.web_key.write"
        - "iam.web_key.delete"
        - "iam.web_key.read"
        - "iam.debug.write"
        - "iam.debug.read"
        - "org.read"
        - "org.global.read"
        - "org.create"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "org.action.read"
        - "org.action.write"
        - "org.action.delete"
        - "org.flow.read"
        - "org.flow.write"
        - "org.flow.delete"
        - "org.feature.read"
        - "org.feature.write"
        - "org.feature.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
        - "user.passkey.write"
        - "user.feature.read"
        - "user.feature.write"
        - "user.feature.delete"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
        - "project.read"
        - "project.create"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "events.read"
        - "milestones.read"
        - "session.read"
        - "session.write"
        - "session.delete"
        - "action.target.read"
        - "action.target.write"
        - "action.target.delete"
        - "action.execution.read"
        - "action.execution.write"
        - "userschema.read"
        - "userschema.write"
        - "userschema.delete"
        - "group.create"
        - "group.write"
        - "group.read"
        - "group.delete"
        - "group.user.write"
        - "group.user.read"
        - "group.user.delete"
    - Role: "IAM_OWNER_VIEWER"
      Permissions:
        - "iam.read"
        - "iam.policy.read"
        - "iam.member.read"
        - "iam.idp.read"
        - "iam.action.read"
        - "iam.flow.read"
        - "iam.restrictions.read"
        - "iam.feature.read"
        - "iam.web_key.read"
        - "iam.debug.read"
        - "org.read"
        - "org.member.read"
        - "org.idp.read"
        - "org.action.read"
        - "org.flow.read"
        - "org.feature.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
        - "user.feature.read"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "events.read"
        - "milestones.read"
        - "action.target.read"
        - "action.execution.read"
        - "userschema.read"
        - "session.read"
        - "group.read"
        - "group.user.read"
    - Role: "IAM_ORG_MANAGER"
      Permissions:
        - "org.read"
        - "org.global.read"
        - "org.create"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "org.action.read"
        - "org.action.write"
        - "org.action.delete"
        - "org.flow.read"
        - "org.flow.write"
        - "org.flow.delete"
        - "org.feature.read"
        - "org.feature.write"
        - "org.feature.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
        - "user.passkey.write"
        - "user.feature.read"
        - "user.feature.write"
        - "user.feature.delete"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
        - "project.read"
        - "project.create"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "session.read"
        - "session.delete"
        - "group.create"
        - "group.write"
        - "group.read"
        - "group.delete"
        - "group.user.write"
        - "group.user.read"
        - "group.user.delete"
    - Role: "IAM_USER_MANAGER"
      Permissions:
        - "org.read"
        - "org.global.read"
        - "org.member.read"
        - "org.member.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.passkey.write"
        - "user.feature.read"
        - "user.feature.write"
        - "user.feature.delete"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "session.read"
        - "session.delete"
        - "group.read"
        - "group.user.read"
    - Role: "IAM_ADMIN_IMPERSONATOR"
      Permissions:
        - "admin.impersonation"
        - "impersonation"
    - Role: "IAM_END_USER_IMPERSONATOR"
      Permissions:
        - "impersonation"
    - Role: "ORG_OWNER"
      Permissions:
        - "org.read"
        - "org.global.read"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "org.action.read"
        - "org.action.write"
        - "org.action.delete"
        - "org.flow.read"
        - "org.flow.write"
        - "org.flow.delete"
        - "org.feature.read"
        - "org.feature.write"
        - "org.feature.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
        - "user.passkey.write"
        - "user.feature.read"
        - "user.feature.write"
        - "user.feature.delete"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
        - "project.read"
        - "project.create"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "session.read"
        - "session.delete"
        - "group.create"
        - "group.write"
        - "group.read"
        - "group.delete"
        - "group.user.write"
        - "group.user.read"
        - "group.user.delete"
    - Role: "IAM_LOGIN_CLIENT"
      Permissions:
        - "iam.read"
        - "iam.policy.read"
        - "iam.member.read"
        - "iam.member.write"
        - "iam.idp.read"
        - "iam.feature.read"
        - "iam.restrictions.read"
        - "org.read"
        - "org.member.read"
        - "org.member.write"
        - "org.idp.read"
        - "org.feature.read"
        - "user.read"
        - "user.write"
        - "user.grant.read"
        - "user.grant.write"
        - "user.membership.read"
        - "user.credential.write"
        - "user.passkey.write"
        - "user.feature.read"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.member.write"
        - "project.role.read"
        - "project.app.read"
        - "project.member.read"
        - "project.member.write"
        - "project.grant.read"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "session.read"
        - "session.write"
        - "session.link"
        - "session.delete"
        - "userschema.read"
        - "group.read"
        - "group.user.read"
    - Role: "ORG_USER_MANAGER"
      Permissions:
        - "org.read"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.feature.read"
        - "user.feature.write"
        - "user.feature.delete"
        - "policy.read"
        - "project.read"
        - "project.role.read"
        - "session.read"
        - "session.delete"
        - "group.read"
        - "group.user.read"
    - Role: "ORG_OWNER_VIEWER"
      Permissions:
        - "org.read"
        - "org.member.read"
        - "org.idp.read"
        - "org.action.read"
        - "org.flow.read"
        - "org.feature.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
        - "user.feature.read"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "project.grant.user.grant.read"
        - "group.read"
        - "group.user.read"
    - Role: "ORG_SETTINGS_MANAGER"
      Permissions:
        - "org.read"
        - "org.write"
        - "org.member.read"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "org.feature.read"
        - "org.feature.write"
        - "org.feature.delete"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
    - Role: "ORG_USER_PERMISSION_EDITOR"
      Permissions:
        - "org.read"
        - "org.member.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "group.read"
        - "group.user.read"
    - Role: "ORG_PROJECT_PERMISSION_EDITOR"
      Permissions:
        - "org.read"
        - "org.member.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
    - Role: "ORG_PROJECT_CREATOR"
      Permissions:
        - "user.global.read"
        - "policy.read"
        - "project.read:self"
        - "project.create"
    - Role: "ORG_ADMIN_IMPERSONATOR"
      Permissions:
        - "admin.impersonation"
        - "impersonation"
    - Role: "ORG_END_USER_IMPERSONATOR"
      Permissions:
        - "impersonation"
    - Role: "PROJECT_OWNER"
      Permissions:
        - "org.global.read"
        - "policy.read"
        - "project.read"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
    - Role: "PROJECT_OWNER_VIEWER"
      Permissions:
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
    - Role: "SELF_MANAGEMENT_GLOBAL"
      Permissions:
        - "org.create"
        - "policy.read"
        - "user.self.delete"
    - Role: "ORG_USER_SELF_MANAGER"
      Permissions:
        - "policy.read"
        - "user.self.delete"
    - Role: "PROJECT_OWNER_GLOBAL"
      Permissions:
        - "org.global.read"
        - "policy.read"
        - "project.read"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
    - Role: "PROJECT_OWNER_VIEWER_GLOBAL"
      Permissions:
        - "policy.read"
        - "project.read"
        - "project.member.read"
        - "project.role.read"
        - "project.app.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
    - Role: "PROJECT_GRANT_OWNER"
      Permissions:
        - "policy.read"
        - "org.global.read"
        - "project.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
    - Role: "PROJECT_GRANT_OWNER_VIEWER"
      Permissions:
        - "policy.read"
        - "project.read"
        - "project.grant.read"
        - "project.grant.member.read"
        - "user.read"
        - "user.global.read"
        - "user.grant.read"
        - "user.membership.read"
SystemAuthZ:
  RolePermissionMappings:
    - Role: "SYSTEM_OWNER"
      Permissions:
        - "system.instance.read"
        - "system.instance.write"
        - "system.instance.delete"
        - "system.domain.read"
        - "system.domain.write"
        - "system.domain.delete"
        - "system.debug.read"
        - "system.debug.write"
        - "system.debug.delete"
        - "system.feature.read"
        - "system.feature.write"
        - "system.feature.delete"
        - "system.limits.write"
        - "system.limits.delete"
        - "system.quota.write"
        - "system.quota.delete"
        - "system.iam.member.read"
    - Role: "SYSTEM_OWNER_VIEWER"
      Permissions:
        - "system.instance.read"
        - "system.domain.read"
        - "system.debug.read"
        - "system.feature.read"
        - "system.iam.member.read"
    - Role: "IAM_OWNER"
      Permissions:
        - "iam.read"
        - "iam.write"
        - "iam.policy.read"
        - "iam.policy.write"
        - "iam.policy.delete"
        - "iam.member.read"
        - "iam.member.write"
        - "iam.member.delete"
        - "iam.idp.read"
        - "iam.idp.write"
        - "iam.idp.delete"
        - "iam.action.read"
        - "iam.action.write"
        - "iam.action.delete"
        - "iam.flow.read"
        - "iam.flow.write"
        - "iam.flow.delete"
        - "iam.feature.read"
        - "iam.feature.write"
        - "iam.feature.delete"
        - "iam.restrictions.read"
        - "iam.restrictions.write"
        - "iam.web_key.write"
        - "iam.web_key.delete"
        - "iam.web_key.read"
        - "iam.debug.write"
        - "iam.debug.read"
        - "org.read"
        - "org.global.read"
        - "org.create"
        - "org.write"
        - "org.delete"
        - "org.member.read"
        - "org.member.write"
        - "org.member.delete"
        - "org.idp.read"
        - "org.idp.write"
        - "org.idp.delete"
        - "org.action.read"
        - "org.action.write"
        - "org.action.delete"
        - "org.flow.read"
        - "org.flow.write"
        - "org.flow.delete"
        - "org.feature.read"
        - "org.feature.write"
        - "org.feature.delete"
        - "user.read"
        - "user.global.read"
        - "user.write"
        - "user.delete"
        - "user.grant.read"
        - "user.grant.write"
        - "user.grant.delete"
        - "user.membership.read"
        - "user.credential.write"
        - "user.passkey.write"
        - "user.feature.read"
        - "user.feature.write"
        - "user.feature.delete"
        - "policy.read"
        - "policy.write"
        - "policy.delete"
        - "project.read"
        - "project.create"
        - "project.write"
        - "project.delete"
        - "project.member.read"
        - "project.member.write"
        - "project.member.delete"
        - "project.role.read"
        - "project.role.write"
        - "project.role.delete"
        - "project.app.read"
        - "project.app.write"
        - "project.app.delete"
        - "project.grant.read"
        - "project.grant.write"
        - "project.grant.delete"
        - "project.grant.member.read"
        - "project.grant.member.write"
        - "project.grant.member.delete"
        - "events.read"
        - "milestones.read"
        - "session.read"
        - "session.write"
        - "session.delete"
        - "action.target.read"
        - "action.target.write"
        - "action.target.delete"
        - "action.execution.read"
        - "action.execution.write"
        - "userschema.read"
        - "userschema.write"
        - "userschema.delete"
        - "group.create"
        - "group.write"
        - "group.read"
        - "group.delete"
        - "group.user.write"
        - "group.user.read"
    - "group.user.delete"    - Role: "IAM_OWNER_VIEWER"      Permissions:        - "iam.read"        - "iam.policy.read"        - "iam.member.read"        - "iam.idp.read"        - "iam.action.read"        - "iam.flow.read"        - "iam.restrictions.read"        - "iam.feature.read"        - "iam.web_key.read"        - "iam.debug.read"        - "org.read"        - "org.member.read"        - "org.idp.read"        - "org.action.read"        - "org.flow.read"        - "org.feature.read"        - "user.read"        - "user.global.read"        - "user.grant.read"        - "user.membership.read"        - "user.feature.read"        - "policy.read"        - "project.read"        - "project.member.read"        - "project.role.read"        - "project.app.read"        - "project.grant.read"        - "project.grant.member.read"        - "events.read"        - "milestones.read"        - "action.target.read"        - "action.execution.read"        - "userschema.read"        - "session.read"        - "group.read"        - "group.user.read"    - Role: "IAM_ORG_MANAGER"      Permissions:        - "org.read"        - "org.global.read"        - "org.create"        - "org.write"        - "org.delete"        - "org.member.read"        - "org.member.write"        - "org.member.delete"        - "org.idp.read"        - "org.idp.write"        - "org.idp.delete"        - "org.action.read"        - "org.action.write"        - "org.action.delete"        - "org.flow.read"        - "org.flow.write"        - "org.flow.delete"        - "org.feature.read"        - "org.feature.write"        - "org.feature.delete"        - "user.read"        - "user.global.read"        - "user.write"        - "user.delete"        - "user.grant.read"        - "user.grant.write"        - "user.grant.delete"        - "user.membership.read"        - "user.credential.write"        - "user.passkey.write"        - "user.feature.read"        - "user.feature.write"        - "user.feature.delete"        - "policy.read"      
  - "policy.write"        - "policy.delete"        - "project.read"        - "project.create"        - "project.write"        - "project.delete"        - "project.member.read"        - "project.member.write"        - "project.member.delete"        - "project.role.read"        - "project.role.write"        - "project.role.delete"        - "project.app.read"        - "project.app.write"        - "project.app.delete"        - "project.grant.read"        - "project.grant.write"        - "project.grant.delete"        - "project.grant.member.read"        - "project.grant.member.write"        - "project.grant.member.delete"        - "session.read"        - "session.delete"        - "group.create"        - "group.write"        - "group.read"        - "group.delete"        - "group.user.write"        - "group.user.read"        - "group.user.delete"    - Role: "IAM_USER_MANAGER"      Permissions:        - "org.read"        - "org.global.read"        - "org.member.read"        - "org.member.delete"        - "user.read"        - "user.global.read"        - "user.write"        - "user.delete"        - "user.grant.read"        - "user.grant.write"        - "user.grant.delete"        - "user.membership.read"        - "user.passkey.write"        - "user.feature.read"        - "user.feature.write"        - "user.feature.delete"        - "project.read"        - "project.member.read"        - "project.role.read"        - "project.app.read"        - "project.grant.read"        - "project.grant.write"        - "project.grant.delete"        - "project.grant.member.read"        - "session.read"        - "session.delete"        - "group.read"        - "group.user.read"    - Role: "IAM_ADMIN_IMPERSONATOR"      Permissions:        - "admin.impersonation"        - "impersonation"    - Role: "IAM_END_USER_IMPERSONATOR"      Permissions:        - "impersonation"    - Role: "IAM_LOGIN_CLIENT"      Permissions:        - "iam.read"        - "iam.policy.read"        - "iam.member.read"        - 
"iam.member.write"        - "iam.idp.read"        - "iam.feature.read"        - "iam.restrictions.read"        - "org.read"        - "org.member.read"        - "org.member.write"        - "org.idp.read"        - "org.feature.read"        - "user.read"        - "user.write"        - "user.grant.read"        - "user.grant.write"        - "user.membership.read"        - "user.credential.write"        - "user.passkey.write"        - "user.feature.read"        - "policy.read"        - "project.read"        - "project.member.read"        - "project.member.write"        - "project.role.read"        - "project.app.read"        - "project.member.read"        - "project.member.write"        - "project.grant.read"        - "project.grant.member.read"        - "project.grant.member.write"        - "session.read"        - "session.write"        - "session.link"        - "session.delete"        - "userschema.read"        - "group.read"        - "group.user.read"# If a new projection is introduced it will be prefilled during the setup process (if enabled)# This can prevent serving outdated data after a version upgrade, but might require a longer setup / upgrade process:# https://zitadel.com/docs/self-hosting/manage/updating_scalingInitProjections:  Enabled: true # ZITADEL_INITPROJECTIONS_ENABLED  RetryFailedAfter: 100ms # ZITADEL_INITPROJECTIONS_RETRYFAILEDAFTER  MaxFailureCount: 2 # ZITADEL_INITPROJECTIONS_MAXFAILURECOUNT  BulkLimit: 1000 # ZITADEL_INITPROJECTIONS_BULKLIMIT

Database initialization file

ZITADEL uses a different configuration file for database initialization steps. Use the --steps flag of the zitadel binary to provide this configuration file. Also, you can use the environment variables listed in the steps.yaml.

By using the FirstInstance section, you can overwrite the DefaultInstance configuration for the first instance created by zitadel setup.

steps.yaml
Instrumentation:
  ServiceName: "zitadel-setup" # ZITADEL_INSTRUMENTATION_SERVICENAME
  Trace:
    Fraction: 1.0 # ZITADEL_INSTRUMENTATION_TRACE_FRACTION
    # Trust incoming trace context from remote services for distributed tracing.
    # Enable only in controlled environments; defaults to false for security.
    TrustRemoteSpans: false # ZITADEL_INSTRUMENTATION_TRACE_TRUSTREMOTESPANS
    Exporter:
      # The following exporter types are supported:
      # "none": Disables trace exporting
      # "stdOut": Exports traces to standard output
      # "stdErr": Exports traces to standard error
      # "grpc": Exports traces using the OTEL gRPC exporter (recommended)
      # "http": Exports traces using the OTEL HTTP exporter
      # "google": Exports traces to Google Cloud. Need to configure GoogleProjectID below!
      Type: "none" # ZITADEL_INSTRUMENTATION_TRACE_EXPORTER_TYPE
      # Endpoint of the OTEL collector for grpc and http exporters
      Endpoint: "" # ZITADEL_INSTRUMENTATION_TRACE_EXPORTER_ENDPOINT
      # Disable TLS for grpc and http exporters
      Insecure: false # ZITADEL_INSTRUMENTATION_TRACE_EXPORTER_INSECURE
      # Interval for batching traces before export
      BatchDuration: 1s # ZITADEL_INSTRUMENTATION_TRACE_EXPORTER_BATCHDURATION
      # Project ID for Google Cloud Trace exporter
      GoogleProjectID: "" # ZITADEL_INSTRUMENTATION_TRACE_EXPORTER_GOOGLEPROJECTID
  Metric:
    Exporter:
      # The following exporter types are supported:
      # "none": Disables metric exporting
      # "stdOut": Exports metrics to standard output
      # "stdErr": Exports metrics to standard error
      # "grpc": Exports metrics using the OTEL gRPC exporter (recommended)
      # "http": Exports metrics using the OTEL HTTP exporter
      # "google": Exports metrics to Google Cloud. Need to configure GoogleProjectID below!
      # "prometheus": Exposes metrics via an HTTP endpoint for Prometheus to scrape
      Type: "none" # ZITADEL_INSTRUMENTATION_METRIC_EXPORTER_TYPE
      # Endpoint of the OTEL collector for grpc and http exporters
      Endpoint: "" # ZITADEL_INSTRUMENTATION_METRIC_EXPORTER_ENDPOINT
      # Disable TLS for grpc and http exporters
      Insecure: false # ZITADEL_INSTRUMENTATION_METRIC_EXPORTER_INSECURE
      # Interval at which metrics are exported
      BatchDuration: 1m # ZITADEL_INSTRUMENTATION_METRIC_EXPORTER_BATCHDURATION
      # Project ID for Google Cloud Trace exporter
      GoogleProjectID: "" # ZITADEL_INSTRUMENTATION_METRIC_EXPORTER_GOOGLEPROJECTID
  # Structured logging can print logs on standard error and/or export them using OTEL.
  Log:
    # Log lines lower than this level are not emitted.
    Level: "INFO" # ZITADEL_INSTRUMENTATION_LOG_LEVEL
    # Streams enable logging for specific parts of the application.
    Streams: # ZITADEL_INSTRUMENTATION_LOG_STREAMS (comma separated list)
      - runtime # General runtime logs, such as startup and shutdown messages.
      - ready # Logs related to readiness and health checks. (zitadel ready command)
      - request # Logs for incoming API and HTTP requests.
      - event_handler # Logs for event handling in projections.
      - queue # Logs for the job queue processing.
      # - event_pusher # Logs for event pushing to the database. Warning: contains sensitive information.
    # Mask replaces sensitive information with Value in logs matched by Key
    Mask:
      # Keys are the attribute keys to be masked in logs.
      # Keys are unqualified attribute names and apply to all attributes with the specified name,
      # regardless of their position in the attribute hierarchy.
      # Eg. "some_key" matches "some_key" and "parent.some_key" etc.
      # When the key matches a group of attributes (e.g. slog.Group), all attribute values in the
      # group are masked and the structure of the group is preserved.
      # When the key matches a non-group attribute whose value is a nested object/array
      # (e.g. added via slog.Any), the entire value is replaced with Value and its structure is not preserved.
      Keys: # ZITADEL_INSTRUMENTATION_LOG_MASK_KEYS (comma separated list)
        # - "first_name"
        # - "last_name"
      # Value is the string that replaces the original value of masked attributes.
      Value: "****" # ZITADEL_INSTRUMENTATION_LOG_MASK_VALUE
    # Enable printing structured logs to standard error in the specified format.
    # When disabled, the legacy Log configuration is used.
    # Important: when legacy Log is customized, please add a format and customize before upgrading to v5
    # The following formats are supported:
    #   - "disabled": Disables logging (or fallback to legacy Log config)
    #   - "text": Logs are printed on StdErr as human-readable text
    #   - "json": Logs are printed on StdErr as JSON objects
    #   - "gcp": JSON formatted logs compatible with Google Cloud Platform logging.
    #   - "gcp_error_reporting": JSON formatted logs compatible with Google Cloud Platform Error Reporting.
    Format: "disabled" # ZITADEL_INSTRUMENTATION_LOG_STDERR
    # Adds the source file and line number where the log line was emitted.
    # Not to be confused with the source of an error.
    AddSource: true # ZITADEL_INSTRUMENTATION_LOG_ADDSOURCE
    # Configure how errors are logged.
    Errors:
      # Adds the source file, line number and function where the error was created.
      ReportLocation: true # ZITADEL_INSTRUMENTATION_LOG_ERRORS_REPORTLOCATION
      # Adds stack traces to logged errors.
      StackTrace: false # ZITADEL_INSTRUMENTATION_LOG_ERRORS_STACKTRACE
    Exporter:
      # The following exporter types are supported:
      #   - "none": Disables OTEL log exporter
      #   - "stdOut": Exports OTEL logs to standard output
      #   - "stdErr": Exports OTEL logs to standard error
      #   - "grpc": Exports OTEL logs using the OTEL gRPC exporter (recommended)
      #   - "http": Exports OTEL logs using the OTEL HTTP exporter
      Type: "none" # ZITADEL_INSTRUMENTATION_LOG_EXPORTER_TYPE
      # Endpoint of the OTEL collector for grpc and http exporters
      Endpoint: "" # ZITADEL_INSTRUMENTATION_LOG_EXPORTER_ENDPOINT
      # Disable TLS for grpc and http exporters
      Insecure: false # ZITADEL_INSTRUMENTATION_LOG_EXPORTER_INSECURE
      # Interval at which metrics are exported
      BatchDuration: 1s # ZITADEL_INSTRUMENTATION_LOG_EXPORTER_BATCHDURATION
  Profile:
    Exporter:
      # The following profiler types are supported:
      # "none": Disables profiling
      # "google": Exports profiling data to Google Cloud Profiler
      Type: "none" # ZITADEL_INSTRUMENTATION_PROFILE_TYPE
      # Project ID for Google Cloud Profiler
      GoogleProjectID: "" # ZITADEL_INSTRUMENTATION_PROFILE_GOOGLEPROJECTID

# By using the FirstInstance section, you can overwrite the DefaultInstance configuration for the first instance created by zitadel setup.
FirstInstance:
  # If set to true zitadel is setup without initial data
  Skip: false
  # The machine key from the section FirstInstance.Org.Machine.MachineKey is written to the MachineKeyPath.
  MachineKeyPath: # ZITADEL_FIRSTINSTANCE_MACHINEKEYPATH
  # The personal access token from the section FirstInstance.Org.Machine.Pat is written to the PatPath.
  PatPath: # ZITADEL_FIRSTINSTANCE_PATPATH
  LoginClientPatPath: # ZITADEL_FIRSTINSTANCE_LOGINCLIENTPATPATH
  InstanceName: ZITADEL # ZITADEL_FIRSTINSTANCE_INSTANCENAME
  # A list of trusted domains, which are allowed to be used for public responses like email links or when running
  # ZITADEL or the login UI behind a reverse proxy. If no trusted domain is set, the instance domain is used.
  TrustedDomains: # ZITADEL_FIRSTINSTANCE_TRUSTEDDOMAINS
  #  - login.example.com
  #  - api.example.com
  DefaultLanguage: en # ZITADEL_FIRSTINSTANCE_DEFAULTLANGUAGE
  Org:
    Name: ZITADEL # ZITADEL_FIRSTINSTANCE_ORG_NAME
    # In the FirstInstance.Org.Human section, the initial organization's admin user with the role IAM_OWNER is defined.
    # If FirstInstance.Org.Machine.Machine is defined, a service account is created with the IAM_OWNER role.
    Human:
      # In case UserLoginMustBeDomain is false (default) and you don't overwrite the username with an email,
      # it will be suffixed by the Organization Domain (org-name + domain from config).
      # for example zitadel-admin in org ZITADEL on domain.tld -> zitadel-admin@zitadel.domain.tld
      UserName: zitadel-admin # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME
      FirstName: ZITADEL # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_FIRSTNAME
      LastName: Admin # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_LASTNAME
      NickName: # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_NICKNAME
      DisplayName: # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_DISPLAYNAME
      Email:
        # uses the username if empty
        Address: # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_EMAIL_ADDRESS
        Verified: true # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_EMAIL_VERIFIED
      PreferredLanguage: en # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PREFERREDLANGUAGE
      Gender: # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_GENDER
      Phone:
        Number: # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PHONE_NUMBER
        Verified: # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PHONE_VERIFIED
      Password: Password1! # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD
      PasswordChangeRequired: true # ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORDCHANGEREQUIRED
    # In the FirstInstance.Org.Machine section, the initial organization's admin user with the role IAM_OWNER is defined.
    # If FirstInstance.Org.Machine.Machine is defined, a service account is created with the IAM_OWNER role.
    Machine:
      Machine:
        Username: # ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_USERNAME
        Name: # ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINE_NAME
      MachineKey:
        # date format: 2023-01-01T00:00:00Z
        ExpirationDate: # ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_EXPIRATIONDATE
        # Currently, the only supported value is 1 for JSON
        Type: # ZITADEL_FIRSTINSTANCE_ORG_MACHINE_MACHINEKEY_TYPE
      Pat:
        # date format: 2023-01-01T00:00:00Z
        ExpirationDate: # ZITADEL_FIRSTINSTANCE_ORG_MACHINE_PAT_EXPIRATIONDATE
    LoginClient:
      Machine:
        Username: # ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_USERNAME
        Name: # ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_MACHINE_NAME
      Pat:
        # date format: 2023-01-01T00:00:00Z
        ExpirationDate: # ZITADEL_FIRSTINSTANCE_ORG_LOGINCLIENT_PAT_EXPIRATIONDATE

CorrectCreationDate:
  FailAfter: 5m # ZITADEL_CORRECTCREATIONDATE_FAILAFTER

AddEventCreatedAt:
  BulkAmount: 100 # ZITADEL_ADDEVENTCREATEDAT_BULKAMOUNT

FillFields:
  BatchSize: 1000 # ZITADEL_EVENTSTORE_FILLFIELDS_BULKLIMIT

RelationalTables:
  # This is used for development DO NOT USE IN PRODUCTION
  ShouldRecreateSchema: false # ZITADEL_RELATIONALTABLES_SHOULDRECREATESCHEMA

Pre-existing Database and User

By default, when you run zitadel init or zitadel start-from-init, ZITADEL checks if the specified database and user exist. If they don't, ZITADEL creates them and grants the necessary permissions.

If you manage the database and user manually, you can instruct ZITADEL to skip these checks. This is useful if the ZITADEL user has limited database permissions, for example if it is not a SUPERUSER, which is the usual situation on managed cloud databases. To skip the checks, ensure the database objects (database, user, grant) exist before running the commands, then set the Database.postgres.Admin.ExistingDatabase field in your configuration as shown below. ZITADEL then connects to the existing database as the admin user and bypasses the creation and permission steps.

skip-superuser-queries-config.yaml
Database:
  postgres:
    Database: existing_database
    # Admin credentials should be the same as the application user credentials
    Admin:
      Username: zitadel-user
      ExistingDatabase: existing_database # this is used to connect the admin to the previously created database
    # Application user credentials
    User:
      Username: zitadel-user
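The provisioning step the paragraph above leaves to you, as an added shell example that is not part of the ZITADEL docs: a small script that emits the SQL a DBA runs once to create the role and database, emits the matching skip-superuser configuration, and then calls zitadel init with it. The names existing_database and zitadel-user come from the configuration above; making the role the owner of the database is an assumption that gives ZITADEL the right to create its schemas inside that database without any cluster-wide privilege. The functions provision_sql, existing_db_config and provision_and_init are hypothetical helpers.

```shell
# Added example (not from the ZITADEL docs): create the database objects yourself,
# then point ZITADEL at them with Database.postgres.Admin.ExistingDatabase.

# Quote an SQL identifier (double quotes, embedded double quotes doubled).
sql_ident() { printf '"%s"' "$(printf '%s' "$1" | sed 's/"/""/g')"; }
# Quote an SQL string literal (single quotes, embedded single quotes doubled).
sql_str() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"; }

# Emit the SQL a DBA runs once with a role that may CREATE ROLE and CREATE DATABASE.
# Assumption: database ownership is enough for ZITADEL to create its schemas.
provision_sql() {
  db="$1"; user="$2"; password="$3"
  printf 'CREATE ROLE %s LOGIN PASSWORD %s;\n' "$(sql_ident "$user")" "$(sql_str "$password")"
  printf 'CREATE DATABASE %s OWNER %s;\n' "$(sql_ident "$db")" "$(sql_ident "$user")"
}

# Emit the ZITADEL configuration that skips the create/grant checks.
# The user's password is not written here; supply it via a secrets file or
# the ZITADEL_DATABASE_POSTGRES_USER_PASSWORD / ..._ADMIN_PASSWORD variables.
existing_db_config() {
  db="$1"; user="$2"
  cat <<EOF
Database:
  postgres:
    Database: $db
    # Admin credentials should be the same as the application user credentials
    Admin:
      Username: $user
      ExistingDatabase: $db
    User:
      Username: $user
EOF
}

# Run both steps. psql uses the DBA connection from PGHOST/PGUSER/PGPASSWORD;
# -v ON_ERROR_STOP=1 makes a failed statement abort instead of continuing.
# This function needs a live PostgreSQL and the zitadel binary, so it is not
# exercised offline.
provision_and_init() {
  db="$1"; user="$2"; password="$3"
  provision_sql "$db" "$user" "$password" | psql -v ON_ERROR_STOP=1 -d postgres || return 1
  existing_db_config "$db" "$user" > ./skip-superuser-queries-config.yaml
  zitadel init --config ./skip-superuser-queries-config.yaml
}
```

Run provision_and_init with a constructed placeholder password, for example `provision_and_init existing_database zitadel-user 'CHANGE_ME'`, from a shell whose PG* variables hold the DBA connection; the quoting helpers keep identifiers with hyphens (such as zitadel-user) and passwords with quote characters from breaking the statements.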

Multiple configuration files

ZITADEL merges configuration files when multiple --config and --steps flags are provided. You can use these flags to handle standard configuration files differently from secret configuration files. For example, standard configuration files stored in git may contain public information such as a database hostname. To use private information — such as a database admin credential — without storing it in git, use an extra --config or --steps flag that requests the private information from a secret manager.
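One way to keep the secret part out of git, as an added shell example that is not from the ZITADEL docs: assemble a secrets-only configuration file at start time from a secret manager and hand it to the binary as a second --config. The function fetch_secret is an assumption standing in for whatever secret-manager CLI you use; for this offline example it reads constructed values from two environment variables. The helpers yaml_quote, write_secrets_config and start_with_secrets are hypothetical names; the file paths match the example files later on this page.

```shell
# Added example (not from the ZITADEL docs): build the secret configuration
# file at start time and pass it as an extra --config.

# Stand-in for a secret manager lookup (assumption). Replace the body with
# your CLI, e.g. a vault or cloud secrets-manager call; here the values are
# constructed and come from environment variables.
fetch_secret() {
  case "$1" in
    db-admin-password) printf '%s' "${EXAMPLE_DB_ADMIN_PASSWORD:?not set}" ;;
    db-user-password)  printf '%s' "${EXAMPLE_DB_USER_PASSWORD:?not set}" ;;
    *) echo "unknown secret: $1" >&2; return 1 ;;
  esac
}

# Quote a value as a YAML single-quoted scalar (embedded quotes doubled),
# so a password containing ' or : cannot change the file's structure.
yaml_quote() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/''/g")"; }

# Write the secrets-only configuration. umask 077 in a subshell makes the file
# owner-readable only without changing the caller's umask.
write_secrets_config() {
  outfile="$1"
  admin_pw="$(fetch_secret db-admin-password)" || return 1
  user_pw="$(fetch_secret db-user-password)" || return 1
  admin_pw_q="$(yaml_quote "$admin_pw")"
  user_pw_q="$(yaml_quote "$user_pw")"
  (
    umask 077
    cat > "$outfile" <<EOF
# Generated at start time from the secret manager; never commit this file.
Database:
  postgres:
    User:
      Password: $user_pw_q
    Admin:
      Password: $admin_pw_q
EOF
  )
}

# Start ZITADEL with the public config from git plus the generated secrets file.
# The secrets file lives in a private temporary directory and is removed
# after the process exits. Needs the zitadel binary, so not exercised offline.
start_with_secrets() {
  secret_dir="$(mktemp -d)"
  write_secrets_config "$secret_dir/secrets.yaml" || return 1
  zitadel start-from-init \
    --config ./example-zitadel-config.yaml \
    --config "$secret_dir/secrets.yaml" \
    --steps ./example-zitadel-init-steps.yaml \
    --masterkeyFile ./zitadel-masterkey
  status=$?
  rm -rf "$secret_dir"
  return $status
}
```

The same values could instead be exported as ZITADEL_DATABASE_POSTGRES_USER_PASSWORD and ZITADEL_DATABASE_POSTGRES_ADMIN_PASSWORD (the environment-variable form of these keys, following the naming rule described below); the file route shown here keeps the passwords out of the process environment, where any child process or a crash dump could otherwise pick them up.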

Environment variables

All configuration properties are configurable using environment variables. ZITADEL environment variable keys are prefixed with ZITADEL_. For example, to configure the default ZITADEL instance admin username and password set the zitadel binary runtime environment variables ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME and ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD. All supported environment variables are listed in the runtime configuration file and the database initialization file.

Proxy configuration

A proxy for outgoing connections is configured through environment variables: HTTP_PROXY for outgoing HTTP requests and HTTPS_PROXY for outgoing HTTPS requests, each holding the proxy URL. To exclude specific hosts from proxying, set the NO_PROXY environment variable to a comma-separated list of hosts. For details on how NO_PROXY values are matched, read the httpproxy Go doc.

Masterkey

The masterkey is used to AES256-encrypt other generated encryption keys. It must be 32 bytes. There are three ways to pass the masterkey to the zitadel binary:

  • By value: Use the flag --masterkey My_Master_Key_Which_Has_32_Bytes
  • By environment variable ZITADEL_MASTERKEY: Use the flag --masterkeyFromEnv
  • By file: Use the flag --masterkeyFile /path/to/file
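The 32-byte requirement in practice, as an added shell example that is not from the ZITADEL docs: generate the key into an owner-only file (the by-file option above) and check its length in bytes before starting the binary. The function names generate_masterkey_file, masterkey_is_valid and masterkey_file_is_valid are hypothetical. The check deliberately counts bytes rather than characters: a key typed with non-ASCII characters can be 32 characters long yet more than 32 bytes, which AES-256 rejects.

```shell
# Added example (not from the ZITADEL docs): generate and validate a masterkey.

# Generate 32 printable ASCII bytes from /dev/urandom into a file that only the
# owner can read. LC_ALL=C keeps tr byte-oriented, so every kept character is a
# single byte and the file is exactly 32 bytes; umask runs in a subshell so the
# caller's umask is untouched.
generate_masterkey_file() {
  keyfile="$1"
  (
    umask 077
    LC_ALL=C tr -dc '[:graph:]' </dev/urandom | head -c 32 > "$keyfile"
  )
}

# Return 0 when the key given by value (--masterkey) is exactly 32 bytes.
# wc -c counts bytes regardless of locale; tr strips the padding some wc
# implementations print.
masterkey_is_valid() {
  key="$1"
  [ "$(printf '%s' "$key" | wc -c | tr -d ' ')" -eq 32 ]
}

# Same check for a key stored in a file (--masterkeyFile). A trailing newline
# added by an editor would make the file 33 bytes, so this catches that too.
masterkey_file_is_valid() {
  keyfile="$1"
  [ -f "$keyfile" ] || return 1
  [ "$(wc -c < "$keyfile" | tr -d ' ')" -eq 32 ]
}
```

A typical start script calls generate_masterkey_file only when ./zitadel-masterkey does not exist yet (a running instance must always receive the same key), then refuses to start unless masterkey_file_is_valid passes.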

Passing the configuration

Configure by Files

By executing the commands below, you will download the following files:

example-zitadel-config.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
Log:
  Level: 'info'

# Make ZITADEL accessible over HTTP, not HTTPS
ExternalSecure: false

# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
Database:
  postgres:
    Host: 'db'
    Port: 5432
    Database: zitadel
    User:
      SSL:
        Mode: 'disable'
    Admin:
      SSL:
        Mode: 'disable'

example-zitadel-secrets.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
Database:
  postgres:
    User:
      # If the user doesn't exist already, it is created
      Username: 'zitadel_user'
      Password: 'zitadel_pw'
    Admin:
      Username: 'root'
      Password: 'postgres'

example-zitadel-init-steps.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml
FirstInstance:
  Org:
    Human:
      # use the loginname root@zitadel.localhost
      Username: 'root'
      Password: 'RootPassword1!'

# Download and adjust the example configuration file containing standard configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/main/apps/docs/content/self-hosting/manage/configure/example-zitadel-config.yaml

# Download and adjust the example configuration file containing secret configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/main/apps/docs/content/self-hosting/manage/configure/example-zitadel-secrets.yaml

# Download and adjust the example configuration file containing database initialization configuration
wget https://raw.githubusercontent.com/zitadel/zitadel/main/apps/docs/content/self-hosting/manage/configure/example-zitadel-init-steps.yaml

# A single ZITADEL instance always needs the same 32 bytes long masterkey
# If you haven't done so already, you can generate a new one
# The key is passed as a command-line argument below
ZITADEL_MASTERKEY="$(LC_ALL=C tr -dc '[:graph:]' </dev/urandom | head -c 32)"

# Pass zitadel configuration by configuration files
zitadel start-from-init \
    --config ./example-zitadel-config.yaml \
    --config ./example-zitadel-secrets.yaml \
    --steps ./example-zitadel-init-steps.yaml \
    --masterkey "${ZITADEL_MASTERKEY}"

Configure by Environment Variables

The environment variable approach uses a single DSN string instead of the individual field-based configuration shown above.

# Set the PostgreSQL connection via a single DSN
# Use the "postgres" maintenance database so ZITADEL can create its own database during initialization
export ZITADEL_DATABASE_POSTGRES_DSN=postgresql://my_zitadel_db_user:Secret_DB_User_Password@my.database:5432/postgres?sslmode=disable
export ZITADEL_FIRSTINSTANCE_ORG_HUMAN_USERNAME="root"
export ZITADEL_FIRSTINSTANCE_ORG_HUMAN_PASSWORD="RootPassword1!"

# A single ZITADEL instance always needs the same 32 bytes long masterkey
# Generate one to a file if you haven't done so already and pass the file with --masterkeyFile
LC_ALL=C tr -dc '[:graph:]' </dev/urandom | head -c 32 > ./zitadel-masterkey

# Let the zitadel binary read configuration from environment variables
zitadel start-from-init --tlsMode disabled --masterkeyFile ./zitadel-masterkey

Open your favorite internet browser at http://localhost:8080/ui/console?login_hint=root@zitadel.localhost and use the password RootPassword1!

The docker compose example mounts the example zitadel configuration files to the ZITADEL container.

By executing the commands below, you will download the following files:

docker-compose.yaml
services:
  zitadel:
    restart: "always"
    networks:
      - "zitadel"
    image: "ghcr.io/zitadel/zitadel:latest"
    command: 'start-from-init --config /example-zitadel-config.yaml --config /example-zitadel-secrets.yaml --steps /example-zitadel-init-steps.yaml --masterkey "${ZITADEL_MASTERKEY}" --tlsMode disabled'
    ports:
      - "8080:8080"
    volumes:
      - "./example-zitadel-config.yaml:/example-zitadel-config.yaml:ro"
      - "./example-zitadel-secrets.yaml:/example-zitadel-secrets.yaml:ro"
      - "./example-zitadel-init-steps.yaml:/example-zitadel-init-steps.yaml:ro"
    depends_on:
      db:
        condition: "service_healthy"

  db:
    image: postgres:17-alpine
    restart: always
    environment:
      - POSTGRES_USER=root
      - POSTGRES_PASSWORD=postgres
      - POSTGRES_DB=zitadel
    networks:
      - 'zitadel'
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -d zitadel -U root"]
      interval: 10s
      timeout: 30s
      retries: 5
      start_period: 20s
    volumes:
      - 'data:/var/lib/postgresql/data:rw'

networks:
  zitadel:

volumes:
  data:

example-zitadel-config.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
Log:
  Level: 'info'

# Make ZITADEL accessible over HTTP, not HTTPS
ExternalSecure: false

# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
Database:
  postgres:
    Host: 'db'
    Port: 5432
    Database: zitadel
    User:
      SSL:
        Mode: 'disable'
    Admin:
      SSL:
        Mode: 'disable'

example-zitadel-secrets.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/defaults.yaml
# If not using the docker compose example, adjust these values for connecting ZITADEL to your PostgreSQL
Database:
  postgres:
    User:
      # If the user doesn't exist already, it is created
      Username: 'zitadel_user'
      Password: 'zitadel_pw'
    Admin:
      Username: 'root'
      Password: 'postgres'

example-zitadel-init-steps.yaml
# All possible options and their defaults: https://github.com/zitadel/zitadel/blob/main/cmd/setup/steps.yaml
FirstInstance:
  Org:
    Human:
      # use the loginname root@zitadel.localhost
      Username: 'root'
      Password: 'RootPassword1!'

# Download the docker compose example configuration.
wget https://raw.githubusercontent.com/zitadel/zitadel/main/apps/docs/content/self-hosting/manage/configure/docker-compose.yaml

# Download and adjust the example configuration file containing standard configuration.
wget https://raw.githubusercontent.com/zitadel/zitadel/main/apps/docs/content/self-hosting/manage/configure/example-zitadel-config.yaml

# Download and adjust the example configuration file containing secret configuration.
wget https://raw.githubusercontent.com/zitadel/zitadel/main/apps/docs/content/self-hosting/manage/configure/example-zitadel-secrets.yaml

# Download and adjust the example configuration file containing database initialization configuration.
wget https://raw.githubusercontent.com/zitadel/zitadel/main/apps/docs/content/self-hosting/manage/configure/example-zitadel-init-steps.yaml

# A single ZITADEL instance always needs the same 32 bytes long masterkey
# Generate one to a file if you haven't done so already and pass it as environment variable
LC_ALL=C tr -dc '[:graph:]' </dev/urandom | head -c 32 > ./zitadel-masterkey
export ZITADEL_MASTERKEY="$(cat ./zitadel-masterkey)"

# Run the database and application containers
docker compose up --detach

Open your favorite internet browser at http://localhost:8080/ui/console?login_hint=root@zitadel.localhost and use the password RootPassword1!

To run Zitadel on Kubernetes, use the official Zitadel Helm chart. Configure Zitadel using native Helm values. You can manage secrets through Helm values, letting Helm create Kubernetes secrets. Alternatively, reference existing Kubernetes secrets managed outside of Helm. See the referenced secrets example in the charts /examples folder. For a quick setup, check out the insecure Postgres example.

What's next

The ZITADEL management console requires end-to-end HTTP/2 support
