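---
# Minimal validated Authelia configuration
#
# NOTE(review): the '${...}' values below are placeholders, not YAML features.
# They must be substituted before or while Authelia loads this file (the
# mechanism is not shown here - confirm it is enabled). If a placeholder is
# left unexpanded, the literal text becomes the secret or domain in use.

server:
  # Listens on every interface; presumably only the reverse proxy should be
  # able to reach this port - confirm at the network or container level.
  address: 'tcp://:9091'
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'

log:
  level: 'info'
  format: 'text'

theme: 'light'

identity_validation:
  reset_password:
    # Signs the password-reset identity verification tokens.
    jwt_secret: '${AUTHELIA_JWT_SECRET}'

totp:
  disable_reuse_security_policy: false
  issuer: 'Authelia'
  # SHA-1 is kept for authenticator app compatibility; check app support
  # before switching to 'sha256' or 'sha512'.
  algorithm: 'sha1'
  digits: 6
  period: 30
  skew: 1
  secret_size: 32

webauthn:
  disable: false
  display_name: 'Authelia'
  attestation_conveyance_preference: 'indirect'
  selection_criteria:
    user_verification: 'preferred'
  timeout: '60s'

authentication_backend:
  password_reset:
    disable: false
    custom_url: ''
  refresh_interval: '5m'
  file:
    # Holds the password hashes; keep it readable by the Authelia user only.
    path: '/config/users_database.yml'
    watch: false
    search:
      email: false
      case_insensitive: false
    password:
      algorithm: 'argon2'
      argon2:
        variant: 'argon2id'
        iterations: 3
        memory: 65536
        parallelism: 4
        key_length: 32
        salt_length: 16

access_control:
  # Applied when no rule below matches the request.
  default_policy: 'two_factor'
  networks:
    # Defined but not referenced by any rule in this file.
    - name: 'internal'
      networks:
        - '10.0.0.0/8'
        - '172.16.0.0/12'
        - '192.168.0.0/16'
  # Rules are evaluated top to bottom and the first match wins.
  rules:
    # The login portal itself must be reachable without authentication.
    - domain: 'auth.gate.${DOMAIN}'
      policy: 'bypass'
    # Admin tooling: members of 'admins' must pass two factors.
    - domain:
        - 'traefik.gate.${DOMAIN}'
        - 'portainer.gate.${DOMAIN}'
      policy: 'two_factor'
      subject:
        - 'group:admins'
    # A rule with a subject is skipped for users it does not name. Without
    # this explicit deny, a non-admin would fall through to the wildcard
    # rule below and reach the admin tooling with a single factor.
    - domain:
        - 'traefik.gate.${DOMAIN}'
        - 'portainer.gate.${DOMAIN}'
      policy: 'deny'
    - domain: '*.gate.${DOMAIN}'
      policy: 'one_factor'

session:
  name: 'authelia_session'
  secret: '${AUTHELIA_SESSION_SECRET}'
  # Durations quoted for consistency with the rest of the file; the parsed
  # values are unchanged.
  expiration: '1h'
  inactivity: '5m'
  remember_me: '1M'
  cookies:
    - domain: 'gate.${DOMAIN}'
      authelia_url: 'https://auth.gate.${DOMAIN}'
      default_redirection_url: 'https://gate.${DOMAIN}'

regulation:
  # Three failed attempts within two minutes trigger a five minute ban.
  max_retries: 3
  find_time: '2m'
  ban_time: '5m'

storage:
  # Encrypts sensitive values stored in the database; changing or losing it
  # makes the existing encrypted data unreadable.
  encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
  local:
    path: '/config/db.sqlite3'

notifier:
  disable_startup_check: false
  # The filesystem notifier writes notifications to a local file instead of
  # sending them, so anything that can read this file can read password-reset
  # and identity verification messages. Suitable for testing; restrict read
  # access and use the SMTP notifier for real deployments.
  filesystem:
    filename: '/config/notification.txt'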