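# Authelia Configuration File v4.38+
# Documentation: https://www.authelia.com/configuration/
#
# NOTE(review): every ${VAR} value below is a placeholder. Authelia only sees
# the real value if something expands it before the file is parsed (for
# example envsubst at deploy time, or Authelia's expand-env configuration
# filter). If nothing does, the literal text "${...}" becomes the secret,
# which is guessable. Confirm how this file is rendered, or supply secrets
# through the *_FILE environment variables (e.g. AUTHELIA_SESSION_SECRET_FILE).
# Placeholders are single-quoted so an expanded value containing '#', ': ' or
# a boolean/number look-alike is still read as a string.
---
# Server settings using the new 'address' format
server:
  # host: 0.0.0.0  # Deprecated
  # port: 9091     # Deprecated
  # Listens on all interfaces, port 9091. Only the reverse proxy should be
  # able to reach this port; avoid publishing it directly on the host.
  address: 'tcp://0.0.0.0:9091'

# Logging configuration
log:
  level: info
  format: text  # or json

# Session configuration using the per-domain cookie list
session:
  name: authelia_session
  # Protects session data held in Redis; use a long random value and rotate
  # it if the rendered file or the .env file is ever exposed.
  secret: '${AUTHELIA_SESSION_SECRET}'
  expiration: 1h  # Adjust as needed
  inactivity: 5m  # Adjust as needed
  # domain: ${AUTHELIA_SESSION_DOMAIN}  # Deprecated top-level domain
  redis:
    host: redis
    port: 6379
    # The password is templated into this file rather than read from an
    # Authelia environment variable, so the rendered file contains it in
    # plaintext: restrict read access to the config directory.
    password: '${AUTHELIA_REDIS_PASSWORD}'
    database_index: 0
  # Define session cookie domains explicitly. The 4.38 schema names this list
  # 'cookies'; the original 'domains' key is not part of that schema and
  # would fail configuration validation.
  cookies:
    - domain: '${APP_HOSTNAME}'  # Use the renamed variable from .env
      # Portal URL for this cookie domain. Shipped commented out as optional;
      # enabled here because each 'cookies' entry appears to require it in
      # 4.38 - confirm against the session configuration reference.
      authelia_url: 'https://${APP_HOSTNAME}/'
      # Default redirect after login
      default_redirection_url: 'https://${APP_HOSTNAME}/home'

# Regulation (brute force protection): 3 failed attempts within 2 minutes
# trigger a 5 minute ban.
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

# Storage (for user preferences, etc. - encrypted using storage key)
# Using SQLite as defined. Ensure Redis above is only for session state.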
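# NOTE(review): ${VAR} values in this section are placeholders that must be
# expanded before Authelia parses the file; an unexpanded placeholder would
# be used verbatim as the key or secret. They are single-quoted so the
# expanded value is always read as a string.
storage:
  # Encrypts sensitive data at rest in the database. Use a long random value
  # and back it up: data written under one key cannot be read with another.
  encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
  local:
    path: /config/db.sqlite3

# Authentication backend (using file-based user database)
authentication_backend:
  file:
    # Holds the password hashes; keep it readable only by the Authelia user.
    path: /config/users_database.yml
    password:
      # NOTE(review): these are the legacy flat key names. The 4.38 schema
      # nests the Argon2 parameters under 'password.argon2' and expresses
      # memory in KiB - confirm whether a deprecation warning is logged and
      # migrate if so.
      algorithm: argon2id  # Recommended hashing algorithm
      iterations: 1
      # MiB. Each password check allocates roughly this much memory, so
      # several concurrent logins can exhaust a small container; set the
      # container memory limit with that in mind.
      memory: 1024
      parallelism: 8
      salt_length: 16
      key_length: 32

# Access control rules
access_control:
  default_policy: deny  # Deny access by default
  rules:
    # Rule to allow authenticated users access to the domain
    # Use the renamed variable APP_HOSTNAME here as well
    - domain: '${APP_HOSTNAME}'
      # Requires username/password only. Use 'two_factor' for anything
      # sensitive so a single leaked password is not enough.
      policy: one_factor

# Notifier configuration (Required since v4.38+)
# Added basic filesystem notifier to satisfy the requirement.
# Configure SMTP if you need email notifications (e.g., password reset).
notifier:
  filesystem:
    # Password-reset and identity-verification messages are written here in
    # plaintext: anyone who can read this file can complete a reset for any
    # user. Restrict its permissions and prefer SMTP outside of testing.
    filename: /config/notification.txt
  # smtp:
  #   address: smtp.example.com:587
  #   username: user@example.com
  #   password: password  # Consider using secrets
  #   sender: Authelia
  #   subject: "[Authelia] {title}"
  #   startup_check_address: test@authelia.com

# Identity Validation (includes JWT secret for password reset, moved from
# top level)
identity_validation:
  reset_password:
    # Signs the password-reset tokens; must be a long random value that is
    # not shared with any other secret in this file.
    jwt_secret: '${AUTHELIA_JWT_SECRET}'  # Moved from top level

# Identity Providers (None configured for this setup)
identity_providers:
  oidc: null  # Explicitly disable OIDC

# Enable registration (requires manual approval by editing users_database.yml)
# Set 'enable: true' to allow users to register.
# They will be added to users_database.yml commented out or with disabled: true.
# NOTE(review): 'registration' does not appear to be a key in the Authelia
# configuration reference - verify before uncommenting, since unknown keys
# fail validation.
# registration:
#   enable: false  # Set to true to enable registration form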