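---
# Authelia Configuration File v4.38+
# Documentation: https://www.authelia.com/configuration/
#
# Layout restored to one key per line: collapsed onto a single line, everything
# after the first '#' is a YAML comment and the document parses as empty.
#
# Secrets: the ${...} placeholders below are plain strings to a YAML parser.
# They are only replaced with environment values when an environment-expanding
# configuration filter is enabled (X_AUTHELIA_CONFIG_FILTERS) -- confirm this
# for your deployment. If no filter is active, the literal placeholder text is
# used as the secret, which is guessable. Authelia's *_FILE secret variables
# are an alternative that keeps secrets out of this file entirely.
# The placeholders are quoted so an expanded value containing '#' or ': '
# cannot change the document structure.

# Server settings
server:
  # Listens on every interface of the container; only publish this port to the
  # reverse proxy network, not to the host or the tailnet directly.
  address: 'tcp://0.0.0.0:9091'
  # NOTE(review): confirm this key is accepted by the Authelia version in use;
  # unknown keys are reported at startup validation. The range covers all of
  # 172.16.0.0/12, so narrow it to the actual proxy network if it is honoured.
  trusted_proxies:
    - '172.16.0.0/12'  # Docker networks

# Logging configuration
log:
  level: info
  format: text

# Session configuration for v4.38+
session:
  name: authelia_session
  secret: '${AUTHELIA_SESSION_SECRET}'
  expiration: 1h
  inactivity: 5m
  redis:
    host: redis
    port: 6379
    password: '${AUTHELIA_SESSION_REDIS_PASSWORD}'
    database_index: 0
  cookies:
    # Using your specific Tailscale domain (e.g. example.ts.net) not just ts.net.
    # The session cookie is scoped to this whole domain, so every host under it
    # that serves HTTPS receives the cookie; keep untrusted devices off the
    # tailnet or they can read sessions sent to them.
    - domain: 'your-tailnet.ts.net'
      authelia_url: 'https://tailscale-nas.your-tailnet.ts.net'
      default_redirection_url: 'https://tailscale-nas.your-tailnet.ts.net/home'
      same_site: lax

# Regulation (brute force protection): 3 failed attempts within 2 minutes
# bans the account for 5 minutes.
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

# Storage (for user preferences, etc. - encrypted using storage key)
storage:
  # Keep this key stable and backed up separately from the database file.
  encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
  local:
    path: /config/db.sqlite3

# Authentication backend (using file-based user database)
authentication_backend:
  file:
    # Holds the password hashes; restrict read access to the Authelia user.
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      # NOTE(review): these flat tuning keys follow the older layout; the 4.38
      # reference documents them under a nested 'argon2:' block, and the unit
      # of 'memory' is not the same in both layouts. Confirm the effective
      # parameters after startup: with iterations: 1, a memory value read in
      # KiB rather than MiB would give a very weak hash.
      iterations: 1
      memory: 1024
      parallelism: 8
      salt_length: 16
      key_length: 32

# Access control rules
access_control:
  # Anything not matched by a rule below is refused.
  default_policy: deny
  rules:
    # This will match any subdomain of your specific Tailscale domain.
    # one_factor means a password alone grants access to every service behind
    # the proxy; use two_factor for administrative or sensitive hosts.
    - domain: '*.your-tailnet.ts.net'
      policy: one_factor
    # Also match the main domain without subdomain
    - domain: 'your-tailnet.ts.net'
      policy: one_factor

# Notifier configuration
notifier:
  # Messages, including password reset links, are written to this file, so
  # anyone who can read it can complete a reset. Restrict its permissions, or
  # switch to a mail notifier outside of testing.
  filesystem:
    filename: /config/notification.txt

# Identity Validation (includes JWT secret for password reset)
identity_validation:
  reset_password:
    jwt_secret: '${AUTHELIA_JWT_SECRET}'

# Identity Providers
identity_providers:
  oidc: null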