---
###############################################################
#                   Authelia configuration                    #
###############################################################
#
# NOTE(review): this file carries several long-lived secrets in plain text
# (OIDC client secret digest, reset-password JWT secret, session secret,
# Redis password, storage encryption key, SMTP password). Anything that has
# been committed or published should be treated as exposed and rotated, then
# supplied from secret files or environment variables instead of inline.

theme: dark

server:
  # Empty host part: listens on port 9091 on every interface of the host or
  # container. Presumably only the reverse proxy can reach it; confirm.
  address: 'tcp://:9091'
  endpoints:
    authz:
      # Authorization endpoint the reverse proxy calls for each request.
      forward-auth:
        implementation: 'ForwardAuth'

log:
  level: 'info'

totp:
  # Issuer label shown in the user's authenticator app.
  issuer: 'authelia.com'

identity_providers:
  oidc:
    # NOTE(review): no hmac_secret or jwks entry is visible in this file;
    # presumably they are injected from the environment. Confirm.
    clients:
      - client_id: 'pangolin'
        client_name: 'Pangolin'
        # PBKDF2-SHA512 digest (310000 iterations) of the client secret.
        # The original author notes it is the digest of 'insecure_secret',
        # i.e. a plaintext that is written right here. Generate a random
        # secret and replace this digest before relying on this client.
        client_secret: '$pbkdf2-sha512$310000$LJzmdVn/YkSK7t0WxNXs2A$v7nxRYBRJdqmJ/k4Q2SWlp/7m5rsyEtNw9ez9rf7tEYi48ezYChXqCK.VHC/v7tu3Liro.ipy4Uv.euLUfLc7w'
        # Confidential client: must authenticate at the token endpoint.
        public: false
        authorization_policy: 'two_factor'
        # PKCE with S256 is mandatory for this client.
        require_pkce: true
        pkce_challenge_method: 'S256'
        # NOTE(review): the only redirect URI is an empty string, presumably
        # a redacted placeholder. It should be the exact HTTPS callback URL
        # of the relying party; confirm before deploying.
        redirect_uris:
          - ''
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
        # UserInfo responses are returned unsigned.
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_basic'

identity_validation:
  reset_password:
    # Signs the identity-verification tokens used for password resets.
    # NOTE(review): inline secret; rotate and load from a secret file.
    jwt_secret: '2b8a78f3ac1784ef6aab3899c663e1010c60d3a9de694550879da349fe222923'

authentication_backend:
  file:
    # Local user database. It holds password hashes, so the file should be
    # readable only by the Authelia process.
    path: '/config/users_database.yml'

# Example rule set kept for reference; it is commented out and inactive.
# access_control:
#   default_policy: 'deny'
#   rules:
#     # Rules applied to everyone
#     - domain: 'public.example.com'
#       policy: 'bypass'
#     - domain: 'traefik.example.com'
#       policy: 'one_factor'
#     - domain: 'secure.example.com'
#       policy: 'two_factor'

access_control:
  # Requests that match no rule below are denied.
  default_policy: deny
  networks:
    # Named network covering the three RFC 1918 private ranges.
    - name: internal
      networks:
        - '10.0.0.0/8'
        - '172.16.0.0/12'
        - '192.168.0.0/16'
  # Authelia evaluates rules top to bottom and applies the first match, so
  # the order of the entries below is significant.
  rules:
    # Bypass authentication for every domain and subdomain when the client
    # address is in the 'internal' network.
    # NOTE(review): this trusts the client IP as Authelia sees it. If the
    # reverse proxy or a tunnel presents its own private address, or passes
    # through a client-supplied X-Forwarded-For, every request would match
    # this rule. Verify how the proxy sets the forwarded address.
    - domain:
        - aknlw.com
        - akanealw.com
        - "*.akanealw.com"
      networks:
        - 'internal'
      policy: bypass
    # Bypass authentication for /api, /add and /public on every subdomain.
    # NOTE(review): this applies to all current and future subdomains, so
    # each application's own authentication is the only control on these
    # paths. Consider listing only the subdomains that need it.
    - domain:
        - "*.akanealw.com"
      resources:
        - "^/api([/?].*)?$"
        - "^/add([/?].*)?$"
        - "^/public([/?].*)?$"
      policy: bypass
    # Bypass authentication entirely for these hosts; they are presumably
    # protected by their own login. Confirm that is enabled on each one.
    - domain:
        - aknlw.com
        - bitwarden.akanealw.com
        - gitea.akanealw.com
        - nextcloud.akanealw.com
      policy: bypass
    # Bypass authentication for filebrowser share links and static assets.
    # The /api pattern here is already matched by the wildcard rule above.
    - domain:
        - "filebrowser.akanealw.com"
      resources:
        - "^/api([/?].*)?$"
        - "^/share([/?].*)?$"
        - "^/static([/?].*)?$"
      policy: bypass
    # Everything else on the domain and its subdomains requires two factors.
    - domain:
        - akanealw.com
        - "*.akanealw.com"
      policy: two_factor

session:
  # NOTE(review): inline secret; rotate and supply it through
  # AUTHELIA_SESSION_SECRET_FILE instead of the config file.
  secret: 'ffc343d98b87910edcddb1f0dac4b492b62e29b5eafa92f1c213f37c4669f243'
  cookies:
    # Session cookie scoped to the parent domain, so it is shared by every
    # subdomain of akanealw.com.
    - name: 'authelia_session'
      domain: 'akanealw.com'
      authelia_url: 'https://auth.akanealw.com'
      default_redirection_url: 'https://akanealw.com'
      # Session lifetime and idle timeout.
      expiration: '1 hour'
      inactivity: '5 minutes'
  redis:
    # Session store.
    host: 'redis'
    port: 6379
    # NOTE(review): inline secret; rotate and load from a secret file.
    password: 'bc4eb8df73776ba7716aeb60c0023ef6136b80680bb8ea1cf6c51a326dea2c43'

regulation:
  # Brute-force throttling: 3 failed attempts within 2 minutes result in a
  # 5 minute ban.
  max_retries: 3
  find_time: '2 minutes'
  ban_time: '5 minutes'

storage:
  # Encrypts sensitive values in the database.
  # NOTE(review): inline secret; supply it through
  # AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE. Existing data is encrypted under
  # this key, so rotating it needs a key-change migration, not just an edit.
  encryption_key: 'cbd7570c1795cba61f05baf419b7cee23fa144d512bda2ea57ba300afa6b33bf'
  local:
    path: '/config/db.sqlite3'

notifier:
  smtp:
    username: 'akanealw@gmail.com'
    # NOTE(review): inline mail credential, presumably a provider app
    # password. Revoke it at the provider, issue a new one and load it from
    # a secret file.
    password: 'qlvmffuzpscltdgz'
    address: 'smtp://smtp.gmail.com:587'
    sender: 'akanealw@gmail.com'

ntp:
  # Clock check against an NTP server; TOTP validation depends on the
  # system time being accurate.
  address: 'udp://time.windows.com:123'
  version: 3
  # Largest clock offset tolerated by the check.
  max_desync: '3s'
  # Both false: the check runs at startup and a failed check is not ignored.
  disable_startup_check: false
  disable_failure: false