---
# Authelia configuration
# This is a minimal configuration for getting started with Authelia

server:
  address: 'tcp://:9091'
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'

authentication_backend:
  file:
    path: '/config/users_database.yml'

access_control:
  default_policy: 'one_factor'
  rules:
    - domain: 'pgadmin.${DOMAIN_PREFIX}.${DOMAIN}'
      policy: 'two_factor'
    - domain: 'beszel.${DOMAIN_PREFIX}.${DOMAIN}'
      policy: 'two_factor'
    - domain: 'traefik.${DOMAIN_PREFIX}.${DOMAIN}'
      policy: 'two_factor'
    - domain: '*.${DOMAIN_PREFIX}.${DOMAIN}'
      policy: 'one_factor'

session:
  name: 'authelia_session'
  cookies:
    - domain: '${DOMAIN}'
      authelia_url: 'https://auth.${DOMAIN_PREFIX}.${DOMAIN}'
      default_redirection_url: 'https://portainer.${DOMAIN_PREFIX}.${DOMAIN}'

storage:
  postgres:
    address: 'tcp://authelia-db:5432'
    database: '${AUTHELIA_DB_NAME}'
    username: '${AUTHELIA_DB_USER}'
    password: '${AUTHELIA_DB_PASSWORD}'

notifier:
  disable_startup_check: true
  # Configure SMTP for production email notifications
  # For testing, you can use filesystem notifier instead:
  # filesystem:
  #   filename: /config/notification.txt
  smtp:
    address: 'submissions://smtp.gmail.com:465'
    username: 'your-email@gmail.com'
    sender: 'Authelia <noreply@${DOMAIN}>'
    # For Gmail, use an App Password (not your regular password)
    # Generate at: https://myaccount.google.com/apppasswords

identity_validation:
  reset_password: {}

regulation:
  max_retries: 3
  find_time: 120
  ban_time: 300