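##############################################################################
#                          Authelia configuration                            #
##############################################################################
# Every value marked "insert secret" / "insert password" must be supplied
# before Authelia is started. Use long random values and keep them out of
# version control. Authelia can also read secrets from files referenced by
# environment variables (for example AUTHELIA_JWT_SECRET_FILE); when doing
# so, leave the matching key out of this file (confirm for your version).
---
server:
  # Listens on all interfaces; exposure is decided by the container/proxy
  # setup in front of it.
  host: 0.0.0.0
  port: 8080  # if you need this changed make sure it reflects also in the docker-compose.yml

log:
  level: info

# Signs the identity-verification tokens used by e-mail links
# (password reset, 2FA device registration).
jwt_secret:  # insert secret
default_redirection_url: https://auth.jaredtsmith.com

totp:
  issuer: jaredtsmith.com
  period: 30
  # Accept codes from one period before/after the current one (clock drift).
  skew: 1

authentication_backend:
  password_reset:
    disable: false
  file:
    path: /config/users_database.yml  # Make sure this file exists
    # The users file holds password hashes: keep it readable only by the
    # Authelia process.
    password:
      algorithm: argon2id
      # NOTE(review): iterations 1 / memory 64 is a low work factor for
      # argon2id; raise iterations and memory as far as the host allows.
      # The memory unit is presumably megabytes in this schema version;
      # confirm against the docs for the deployed release.
      iterations: 1
      salt_length: 16
      parallelism: 8
      memory: 64

access_control:
  # Anything not matched by a rule below is refused.
  default_policy: deny
  rules:
    # Rules applied to everyone (no authentication at all)
    - domain:
        - "auth.jaredtsmith.com"
        - "wikidata.jaredtsmith.com"
      policy: bypass
    - domain:  # Proxies only requiring username and password
        - "wiki.jaredtsmith.com"
        # NOTE(review): an admin interface behind a single factor; consider
        # moving it to the two_factor rule.
        - "wikidata-admin.jaredtsmith.com"
      policy: one_factor
    - domain:  # Proxies needing 2 factor below
        - "budget.jaredtsmith.com"
        - "budget1.jaredtsmith.com"
      policy: two_factor

session:
  name: authelia_session
  secret:  # insert secret
  expiration: 3600  # 1 hour
  # NOTE(review): inactivity (2 hours) is longer than expiration (1 hour),
  # so the idle timeout can never trigger before the session expires anyway.
  # An idle timeout is normally the shorter of the two values.
  inactivity: 7200  # 2 hours
  domain: jaredtsmith.com  # Needs to be your root domain
  redis:
    host: authelia-redis-1
    port: 6379
    password:  # insert secret

# Brute-force protection: 5 failed logins within 2 minutes bans the account
# for 10 minutes.
regulation:
  max_retries: 5
  find_time: 2m
  ban_time: 10m

theme: dark  # options: dark, light

storage:
  # Encrypts sensitive columns (e.g. TOTP secrets) in the database. Losing or
  # changing it makes the stored data unreadable, so back it up separately.
  encryption_key:  # insert secret
  local:
    path: /config/db.sqlite3

notifier:
  smtp:
    username: admin@jaredtsmith.com
    password:  # insert password
    host: mail.jaredtsmith.com
    port: 465  # 465 implicit TLS (SMTPS), 587 STARTTLS, 25 plaintext relay
    sender: authelia@auth.jaredtsmith.com
    subject: "[Authelia] {title}"
    # Port 465 is already encrypted from the first byte, so the TLS
    # requirement is met and does not need to be switched off. Leaving the
    # check enabled prevents the SMTP credentials from being sent in
    # plaintext if the port is later changed. Set to true only for a server
    # that offers no TLS at all.
    disable_require_tls: false
    disable_html_emails: false  # set to true if you don't want html in your emails

identity_providers:
  oidc:
    hmac_secret:  # insert secret
    # RSA private key (PEM) used to sign ID tokens. Replace the placeholder
    # lines below; never commit the real key.
    issuer_private_key: |
      --- KEY START
      --- KEY END
    access_token_lifespan: 1h
    authorize_code_lifespan: 1m
    id_token_lifespan: 1h
    refresh_token_lifespan: 90m
    # Keep false in production: debug messages reveal error details to clients.
    enable_client_debug_messages: false
    clients:
      - id: outline
        description: Outline Wiki
        # Confidential client (public: false), so a secret is required.
        # Newer Authelia releases expect a hashed digest here rather than the
        # plaintext value; check the docs for the deployed version.
        secret:  # insert secret
        public: false
        authorization_policy: one_factor
        audience: []
        scopes:
          - openid
          - groups
          - email
          - profile
        # Must match the callback registered in Outline exactly.
        redirect_uris:
          - https://wiki.jaredtsmith.com/auth/oidc.callback
        grant_types:
          - refresh_token
          - authorization_code
        response_types:
          - code
        response_modes:
          - form_post
          - query
          - fragment
        userinfo_signing_algorithm: none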