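---
# authelia/configuration.yml
# Authelia v4 configuration for: auth.gate.3launchpad.com
# Behind Traefik (forward-auth), Redis for sessions, SQLite storage.
#
# ⚠️ Replace all "changeme_*" values or (better) override via env vars:
#   AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
# Do not commit real secret values into this file.

#########################################################
# Server & Logging
#########################################################
server:
  # Binds every interface inside the container. Only Traefik should reach
  # this port, so expose 9091 on the internal Docker network and do not
  # publish it to the host.
  address: "tcp://0.0.0.0:9091"
  buffers:
    read: 4096
    write: 4096

log:
  level: info

theme: auto

# Where to send users who reach the portal without a target to return to
# (e.g. no Referer / redirect parameter).
default_redirection_url: "https://traefik.gate.3launchpad.com/"

#########################################################
# Secrets (use env vars in production)
#########################################################
# Prefer setting via Docker env:
#   AUTHELIA_JWT_SECRET, AUTHELIA_SESSION_SECRET, AUTHELIA_STORAGE_ENCRYPTION_KEY
jwt_secret: "changeme_jwt_secret"

#########################################################
# Authentication Backend (local file)
#########################################################
authentication_backend:
  file:
    path: /config/users_database.yml
    # New hashes should be argon2id.
    # Use: `authelia crypto hash generate argon2`
    password:
      algorithm: argon2id
      iterations: 3
      memory: 64
      parallelism: 4
      salt_length: 16
      key_length: 32

#########################################################
# Access Control (who can access what)
#########################################################
# Rules are evaluated top-down and the first rule whose domain AND subject
# both match decides the policy. A rule whose subject does not match is
# skipped rather than denying, so every host that is restricted to a group
# needs an explicit deny rule for everyone else; otherwise a user from the
# catch-all groups (e.g. group:devs) falls through to the *.gate rule below
# and is granted one_factor access to "admin-only" hosts.
access_control:
  default_policy: deny
  rules:
    # Public status page.
    # NOTE: the session cookie is scoped to gate.3launchpad.com, so the
    # browser still sends it to this host on every request. Only put
    # services you trust on bypass.
    - domain: "status.gate.3launchpad.com"
      policy: bypass

    # Admin-only, require 2FA ...
    - domain:
        - "traefik.gate.3launchpad.com"
        - "portainer.gate.3launchpad.com"
      subject: ["group:admins"]
      policy: two_factor
    # ... and everybody else is denied here instead of reaching the
    # catch-all.
    - domain:
        - "traefik.gate.3launchpad.com"
        - "portainer.gate.3launchpad.com"
      policy: deny

    # Admins/devs with 1FA for these tools. The regex is anchored so it
    # only matches these exact hosts, not any longer name containing them.
    - domain_regex: "^(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com$"
      subject:
        - "group:admins"
        - "group:devs"
      policy: one_factor
    - domain_regex: "^(grafana|prometheus|umami)\\.gate\\.3launchpad\\.com$"
      policy: deny

    # Catch-all for any other subdomain under *.gate.3launchpad.com ->
    # any authenticated member of these groups.
    - domain: "*.gate.3launchpad.com"
      subject:
        - "group:users"
        - "group:admins"
        - "group:devs"
      policy: one_factor

#########################################################
# Session (cookies + Redis)
#########################################################
session:
  name: authelia_session
  # Cookie scope: shared by every host under *.gate.3launchpad.com.
  domain: "gate.3launchpad.com"
  same_site: Lax
  expiration: 1h
  inactivity: 30m
  remember_me_duration: 1M
  # Override via env AUTHELIA_SESSION_SECRET
  secret: "changeme_session_secret"
  redis:
    host: redis
    port: 6379
    # No Redis auth or TLS is configured here: keep Redis on an internal
    # Docker network reachable only by Authelia, or set `password`
    # (env AUTHELIA_SESSION_REDIS_PASSWORD) and enable TLS.
    # tls: false

#########################################################
# Regulation (anti-bruteforce)
#########################################################
# 3 failed attempts within 2m bans for 10m. NOTE(review): Authelia applies
# the ban to the user account rather than the client IP, so anyone who
# knows a username can lock that user out for ban_time — tune accordingly.
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 10m

#########################################################
# Storage (SQLite on persistent volume)
#########################################################
storage:
  # Override via AUTHELIA_STORAGE_ENCRYPTION_KEY. Changing this key after
  # first start makes the existing database unreadable; back it up.
  encryption_key: "changeme_storage_key"
  local:
    path: /config/db.sqlite3

#########################################################
# Notifier (choose one)
#########################################################
# For testing/dev only: writes identity-verification / reset emails to a
# file. Anyone who can read /config sees those links, so never ship this.
notifier:
  filesystem:
    filename: /config/notification.txt

# For production, comment the block above and use SMTP:
# notifier:
#   smtp:
#     address: "smtp.gmail.com:587"
#     username: "no-reply@3launchpad.com"
#     # password via env: AUTHELIA_NOTIFIER_SMTP_PASSWORD
#     sender: "3Launchpad Auth <no-reply@3launchpad.com>"
#     subject: "[3Launchpad] {title}"
#     startup_check_address: "you@3launchpad.com"
#     disable_require_tls: false
#     tls:
#       server_name: "smtp.gmail.com"
#       skip_verify: false

#########################################################
# TOTP / Duo / WebAuthn (2FA)
#########################################################
totp:
  issuer: "3launchpad.com"
  period: 30
  skew: 1

webauthn:
  disable: false
  timeout: 60s
  display_name: "3Launchpad Gateway"
  # NOTE(review): confirm `relying_party_id` is a recognised key for the
  # Authelia release in use; unknown keys fail config validation at start.
  relying_party_id: "gate.3launchpad.com"

# If you plan to use Duo Push in the future:
# duo_api:
#   hostname: api-XXXXXXXX.duosecurity.com
#   integration_key: YOUR_IKEY
#   # secret_key via env: AUTHELIA_DUO_API_SECRET_KEY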