# Authelia Configuration File
# Documentation: https://www.authelia.com/configuration/

# Default configuration options affecting multiple sections.
default_redirection_url: ${AUTHELIA_DEFAULT_REDIRECT_URL}

# Server settings (listening address, paths, etc.)
server:
  host: 0.0.0.0
  port: 9091

# Logging configuration
log:
  level: info
  format: text # or json

# Session configuration
session:
  name: authelia_session
  secret: ${AUTHELIA_SESSION_SECRET}
  expiration: 1h # Adjust as needed
  inactivity: 5m # Adjust as needed
  domain: ${AUTHELIA_SESSION_DOMAIN} # Set from .env
  redis:
    host: redis
    port: 6379
    password: ${AUTHELIA_REDIS_PASSWORD}
    database_index: 0

# Regulation (brute force protection)
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

# Storage (for user preferences, etc. - encrypted using storage key)
storage:
  encryption_key: ${AUTHELIA_STORAGE_ENCRYPTION_KEY}
  local:
    path: /config/db.sqlite3 # Example using SQLite for simple storage needs

# Authentication backend (using file-based user database)
authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id # Recommended hashing algorithm
      iterations: 1
      memory: 1024 # MiB
      parallelism: 8
      salt_length: 16
      key_length: 32

# Access control rules
access_control:
  default_policy: deny # Deny access by default
  rules:
    # Rule to allow authenticated users access to the domain
    - domain: ${AUTHELIA_SESSION_DOMAIN}
      policy: one_factor # Requires username/password

# Notifier (Optional, for password resets, etc. - configure if needed)
# notifier:
#   smtp:
#     address: smtp.example.com:587
#     username: user@example.com
#     password: password
#     sender: Authelia <authelia@example.com>
#     subject: "[Authelia] {title}"
#     startup_check_address: test@authelia.com

# JWT configuration (used for forwardAuth)
jwt_secret: ${AUTHELIA_JWT_SECRET}

# Identity Providers (None configured for this setup)
identity_providers:
  oidc: null # Explicitly disable OIDC

# Enable registration (requires manual approval by editing users_database.yml)
# Set 'enable: true' to allow users to register.
# They will be added to users_database.yml commented out or with disabled: true.
# registration:
#   enable: false # Set to true to enable registration form