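---
# Authelia configuration.
# Values written as ${VAR} are expanded from the environment before the file is
# parsed. No secret is stored here: each one is read from the *_FILE environment
# variable named in the comment next to the section it belongs to.
#
# Templated scalars that are always strings (domains, URLs, DNs, policies) are
# single-quoted so that an empty or boolean/number-looking expansion cannot be
# retyped by the YAML parser. Templated integers and durations are left
# unquoted and must expand to a valid integer / duration.
theme: light

server:
  # 0.0.0.0 binds every interface of the container; reachability is therefore
  # decided by the container network / reverse proxy, not by this file.
  address: 'tcp://0.0.0.0:9091'
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'

log:
  level: info

totp:
  issuer: '${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}'

authentication_backend:
  ldap:
    # Plain ldap:// with start_tls disabled: the bind credentials travel
    # unencrypted, which is only acceptable while lldap is reachable solely
    # over the private container network.
    address: 'ldap://lldap:3890'
    implementation: lldap
    timeout: 5s
    start_tls: false
    base_dn: '${LDAP_BASE_DN}'
    user: 'uid=admin,ou=people,${LDAP_BASE_DN}'
    # Password read from AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE

access_control:
  # Any request not matched by a rule below is refused.
  default_policy: deny
  rules:
    - domain: '${WIKI_SUBDOMAIN}.${BASE_DOMAIN}'
      policy: '${AUTH_POLICY}'
    # LLDAP admin UI: only members of lldap_admin may pass.
    - domain: '${LLDAP_SUBDOMAIN}.${BASE_DOMAIN}'
      policy: '${AUTH_POLICY}'
      subject:
        - ['group:lldap_admin']
    # Only the /admin path of the registration site is matched here; other
    # paths on that domain match no rule and fall to default_policy (deny)
    # if the proxy forwards them to Authelia at all.
    - domain: '${REGISTRATION_SUBDOMAIN}.${BASE_DOMAIN}'
      resources:
        - '^/admin(/.*)?$'
      policy: '${AUTH_POLICY}'
      subject:
        - ['group:lldap_admin']
    # The portal itself must be reachable without a session, otherwise nobody
    # could log in.
    - domain: '${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}'
      policy: bypass

session:
  # Secret read from AUTHELIA_SESSION_SECRET_FILE
  expiration: ${SESSION_EXPIRATION}
  inactivity: ${SESSION_INACTIVITY}
  remember_me: ${SESSION_REMEMBER_ME}
  cookies:
    - domain: '${BASE_DOMAIN}'
      authelia_url: 'https://${AUTHELIA_SUBDOMAIN}.${BASE_DOMAIN}'
      default_redirection_url: 'https://${GITEA_SUBDOMAIN}.${BASE_DOMAIN}'

regulation:
  # Login throttling: max_retries failures within find_time trigger a ban
  # of ban_time. All three must expand to an integer / duration.
  max_retries: ${MAX_RETRIES}
  find_time: ${FIND_TIME}
  ban_time: ${BAN_TIME}

storage:
  # Encryption key read from AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
  local:
    path: /data/db.sqlite3

notifier:
  # Verification and password-reset links are written to this file instead of
  # being mailed; whoever can read /data can use them, so keep the volume
  # private.
  filesystem:
    filename: /data/notification.txt

identity_validation:
  # Intentionally has no child keys in this file; the only setting it needs is
  # the JWT secret, read from
  # AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE
  reset_password:

identity_providers:
  oidc:
    # HMAC secret read from AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE
    # Issuer private key read from AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE
    enable_client_debug_messages: false
    # PKCE is required only of public clients; the gitea client below is
    # confidential (public: false) and authenticates with its client secret.
    enforce_pkce: public_clients_only
    lifespans:
      access_token: ${ACCESS_TOKEN_LIFESPAN}
      authorize_code: ${AUTHORIZE_CODE_LIFESPAN}
      id_token: ${ID_TOKEN_LIFESPAN}
      refresh_token: ${REFRESH_TOKEN_LIFESPAN}
    cors:
      endpoints:
        - authorization
        - token
        - revocation
        - introspection
      allowed_origins_from_client_redirect_uris: true
    clients:
      - client_id: gitea
        client_name: Gitea
        # Expected to hold the hashed secret (per the variable name), never
        # the plaintext value.
        client_secret: '${GITEA_OIDC_CLIENT_SECRET_HASH}'
        public: false
        authorization_policy: '${AUTH_POLICY}'
        redirect_uris:
          - 'https://${GITEA_SUBDOMAIN}.${BASE_DOMAIN}/user/oauth2/authelia/callback'
        scopes:
          - openid
          - profile
          - email
          - groups
        userinfo_signed_response_alg: none
        token_endpoint_auth_method: client_secret_basic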