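---
# Authelia Configuration File v4.38+
# Documentation: https://www.authelia.com/configuration/
#
# Every ${VAR} value below is a placeholder, not YAML syntax. It is only
# replaced if the file goes through an environment-expansion step (one of
# Authelia's configuration file filters, or an external envsubst) before
# it is parsed. Without that step the literal text becomes the value, which
# for the secrets means a publicly known string - check this at startup.
# Placeholders are single-quoted so that an expanded value containing ' #'
# or ': ', or made only of digits, is still read as one string instead of
# being truncated or retyped. A value containing a single quote will fail
# to parse rather than load silently.

# Server settings using the new 'address' format
server:
  # Listens on all interfaces, port 9091. Restrict which networks can reach
  # this port (container network, firewall) to the reverse proxy in front.
  address: 'tcp://0.0.0.0:9091'

# Logging configuration
log:
  level: info
  format: text  # or json

# Session configuration for v4.38+
session:
  name: authelia_session
  # Key material for session data; keep it long, random and out of VCS.
  secret: '${AUTHELIA_SESSION_SECRET}'
  expiration: 1h
  inactivity: 5m
  redis:
    host: redis
    port: 6379
    password: '${AUTHELIA_SESSION_REDIS_PASSWORD}'
    database_index: 0
  cookies:
    # The cookie domain is the parent domain itself (no '*.' prefix); the
    # session cookie then covers that domain and its subdomains.
    - domain: '${AUTHELIA_SESSION_DOMAIN}'
      # NOTE(review): authelia_url and default_redirection_url are fed from
      # the same variable. Authelia's validation is understood to reject a
      # default_redirection_url equal to authelia_url - confirm, and give
      # the portal URL its own variable if so.
      authelia_url: '${AUTHELIA_DEFAULT_REDIRECTION_URL}'
      default_redirection_url: '${AUTHELIA_DEFAULT_REDIRECTION_URL}'

# Regulation (brute force protection): 3 failed attempts within 2 minutes
# ban the account for 5 minutes.
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

# Storage (for user preferences, etc. - encrypted using storage key)
storage:
  # Losing or changing this key makes the encrypted values unreadable.
  encryption_key: '${AUTHELIA_STORAGE_ENCRYPTION_KEY}'
  local:
    path: /config/db.sqlite3

# Authentication backend (using file-based user database)
authentication_backend:
  file:
    # Holds the password hashes; keep it readable by the Authelia user only.
    path: /config/users_database.yml
    # NOTE(review): these flat keys look like the older password layout.
    # Recent releases are understood to nest them under an 'argon2' key and
    # to express memory in KiB - confirm against the docs for the deployed
    # version before relying on the unit stated below.
    password:
      algorithm: argon2id  # Recommended hashing algorithm
      iterations: 1
      # MiB. 1024 MiB per hash computation can exhaust a small container
      # when several logins run at once; size the memory limit to match.
      memory: 1024
      parallelism: 8
      salt_length: 16
      key_length: 32

# Access control rules
access_control:
  default_policy: deny  # Deny access by default
  rules:
    # NOTE(review): a bare domain matches that exact host only. Subdomains
    # fall through to default_policy (deny) unless a '*.' wildcard entry is
    # added for them - decide deliberately which hosts this rule opens up.
    - domain: '${AUTHELIA_SESSION_DOMAIN}'
      # Username/password only; no second factor is required by this rule.
      policy: one_factor

# Notifier configuration
notifier:
  # Identity-verification and password-reset messages are written to this
  # file instead of being sent, so anyone who can read it can use the links
  # they contain. Suitable for testing; restrict the file's permissions.
  filesystem:
    filename: /config/notification.txt

# Identity Validation (includes JWT secret for password reset)
identity_validation:
  reset_password:
    # Signs password-reset tokens; treat it like the session secret.
    jwt_secret: '${AUTHELIA_JWT_SECRET}'

# Identity Providers
identity_providers:
  oidc: null  # Explicitly disable OIDC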