---
###############################################################
#                   Authelia Configuration                    #
###############################################################
# Authentication portal configuration for pivoine.art.
# No secret is stored in this file: the reset-password JWT secret, the
# session secret, the storage encryption key and the PostgreSQL password
# are supplied through the AUTHELIA_* environment variables named in the
# sections below.

theme: 'auto'

server:
  # The address has no host part.
  # NOTE(review): presumably only the reverse proxy reaches port 9091;
  # confirm the port is not published directly.
  address: 'tcp://:9091'

log:
  level: 'info'
  format: 'text'

# identity_validation jwt_secret set via environment variable:
# AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET

totp:
  issuer: 'pivoine.art'
  # 30-second codes; skew 1 also accepts the code of the period directly
  # before and directly after the current one.
  period: 30
  skew: 1

webauthn:
  disable: false
  display_name: 'Pivoine Auth'
  attestation_conveyance_preference: 'indirect'
  # 'preferred' asks the authenticator for user verification without
  # making it mandatory.
  user_verification: 'preferred'
  timeout: '60s'

ntp:
  # Both disable_* flags are false, so the startup clock check stays on
  # and a failed check is not ignored. TOTP validation depends on an
  # accurate clock.
  address: 'time.cloudflare.com:123'
  version: 4
  max_desync: '3s'
  disable_startup_check: false
  disable_failure: false

authentication_backend:
  password_reset:
    disable: false
  refresh_interval: '5m'
  file:
    # The user database holds the password hashes; keep the file readable
    # by the Authelia process only. watch: true picks up edits to it.
    path: '/etc/authelia/users_database.yml'
    watch: true
    password:
      algorithm: 'argon2'
      argon2:
        variant: 'argon2id'
        iterations: 3
        # presumably KiB, i.e. 64 MiB per hash - TODO confirm the unit
        memory: 65536
        parallelism: 4
        key_length: 32
        salt_length: 16

access_control:
  # Anything not matched by a rule below is denied.
  default_policy: 'deny'
  rules:
    # Authelia portal itself
    - domain: 'auth.pivoine.art'
      policy: 'bypass'

    # Services that should be publicly accessible
    - domain:
        - 'pivoine.art'
        - 'www.pivoine.art'
      policy: 'bypass'

    # Protected services - require authentication
    # NOTE(review): judging by the hostnames, several of these are
    # operational or admin front ends (netdata, restic, proxy, supervisor,
    # admin.asciinema). They are gated by a password only, although TOTP
    # and WebAuthn are configured above. Consider two_factor for them once
    # users have enrolled a second factor.
    # NOTE(review): the notifier at the end of this file delivers to
    # net_mailpit. If that is the instance served at mailpit.pivoine.art,
    # every account that passes this rule can read the password-reset and
    # identity-verification mail of all users. Consider a dedicated rule
    # for that host with a subject restriction.
    - domain:
        - 'netdata.pivoine.art'
        - 'mailpit.pivoine.art'
        - 'scrapy.pivoine.art'
        - 'restic.pivoine.art'
        - 'proxy.pivoine.art'
        - 'admin.asciinema.dev.pivoine.art'
        - 'facefusion.ai.pivoine.art'
        - 'pinchflat.media.pivoine.art'
        - 'comfy.ai.pivoine.art'
        - 'supervisor.ai.pivoine.art'
        - 'audiocraft.ai.pivoine.art'
        - 'upscale.ai.pivoine.art'
      policy: 'one_factor'

# session secret set via environment variable: AUTHELIA_SESSION_SECRET
session:
  name: 'authelia_session'
  same_site: 'lax'
  expiration: '1h'
  inactivity: '15m'
  remember_me: '1M'
  cookies:
    # The cookie entry repeats the session settings with its own values,
    # so the two inactivity timeouts disagree (15m above, 5m here).
    # NOTE(review): presumably the per-cookie 5m is the one in effect for
    # pivoine.art; confirm and drop the unused value.
    - domain: 'pivoine.art'
      authelia_url: 'https://auth.pivoine.art'
      same_site: 'lax'
      expiration: '1h'
      inactivity: '5m'
      remember_me: '1M'

regulation:
  # Three failed logins within two minutes ban the account for five
  # minutes.
  max_retries: 3
  find_time: '2m'
  ban_time: '5m'

# storage encryption_key and postgres password set via environment variables:
# AUTHELIA_STORAGE_ENCRYPTION_KEY, AUTHELIA_STORAGE_POSTGRES_PASSWORD
storage:
  postgres:
    # No tls section is configured for this connection.
    # NOTE(review): acceptable only if 'postgres' is reachable solely on a
    # private network. Also confirm 'valknar' is a role limited to the
    # authelia database and not a shared or superuser account.
    host: 'postgres'
    port: 5432
    database: 'authelia'
    username: 'valknar'
    schema: 'public'

notifier:
  disable_startup_check: false
  smtp:
    # disable_require_tls: true lets mail leave without TLS, and these
    # messages carry password-reset and identity-verification links.
    # NOTE(review): keep this only while net_mailpit is an internal hop.
    # If it is a catch-all test inbox, users never receive these messages
    # in their own mailbox.
    host: 'net_mailpit'
    port: 1025
    sender: 'auth@pivoine.art'
    identifier: 'auth.pivoine.art'
    disable_require_tls: true
    disable_html_emails: false