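---
# ============================================================================
# Authelia config — non-secret structure only. Secrets + infra hosts (Postgres
# address, Redis host, SMTP) are injected via AUTHELIA_* env from the compose
# file, so this stays commit-safe. Authelia maps env vars by config path, e.g.
# session.secret -> AUTHELIA_SESSION_SECRET (or AUTHELIA_SESSION_SECRET_FILE
# for a mounted secret file, which keeps the value out of `docker inspect`).
# ============================================================================
# STRAWMAN. Authelia's schema moves between releases (this targets 4.38+: note
# session.cookies[], identity_validation, storage.postgres.address). Verify
# against the pinned image tag before trusting it, then pin the tag — the
# container will refuse to start on unknown keys, so a schema drift is loud,
# but a *renamed* default (e.g. a policy) could silently change meaning.

theme: dark

server:
  # Bind on all interfaces inside the container. Only the reverse proxy needs
  # to reach this; keep 9091 off the host (no `ports:` mapping in compose) so
  # the portal is never exposed without TLS.
  address: tcp://0.0.0.0:9091

log:
  # `debug`/`trace` log request details — leave at info outside of debugging.
  level: info

totp:
  issuer: infinidim.net

# File-based user database (simple, good for play). Swap to LDAP later if needed.
# The file must be writable by Authelia if password reset via the portal is
# wanted; hashes use argon2id by default with this algorithm setting.
authentication_backend:
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2

access_control:
  # Anything not matched below is denied. Rules are evaluated in order; the
  # first match wins, so keep the bypass rule first and narrow.
  default_policy: deny
  rules:
    # The portal itself must always be reachable (bypass is scoped to this
    # exact host only, never a wildcard).
    - domain: auth.infinidim.net
      policy: bypass
    # Everything else under the domain needs at least one factor. This is a
    # floor: add earlier, more specific rules with `two_factor` for anything
    # administrative. NOTE(review): a wildcard does not cover the apex
    # `infinidim.net` itself — if the apex is also behind forward-auth it falls
    # through to the deny default; add an explicit rule for it in that case.
    - domain: "*.infinidim.net"
      policy: one_factor

session:
  # secret + redis host/port/db come from env (AUTHELIA_SESSION_SECRET,
  # AUTHELIA_SESSION_REDIS_HOST, ...). Without redis configured the session
  # store is in-memory and does not survive a restart.
  cookies:
    - domain: infinidim.net
      authelia_url: https://auth.infinidim.net
      default_redirection_url: https://infinidim.net

regulation:
  # Brute-force throttle: 3 failures within find_time bans the account for
  # ban_time. NOTE(review): in 4.38 this is keyed on the username, not the
  # client IP, so it does not slow a spray across many accounts — verify what
  # the pinned release supports (later releases added IP-based modes) and
  # rate-limit /api/firstfactor at the reverse proxy as well.
  max_retries: 3
  find_time: 2m
  ban_time: 5m

# storage (postgres address + AUTHELIA_STORAGE_ENCRYPTION_KEY, which is
# required), notifier (smtp), session.secret/redis, and
# identity_validation.reset_password.jwt_secret all arrive via env — see
# docker-compose.yml. Kept out of this file to avoid duplicating infra
# hostnames and to keep secrets off disk in the repo.

# ----------------------------------------------------------------------------
# OIDC provider (optional) — uncomment to let apps log in via OpenID Connect.
# Needs the HMAC secret via env (AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET,
# or the _FILE variant) and a JWKS signing key. Generate the key pair into a
# mounted directory — a path inside a `--rm` container is gone before the
# host-side `cat` runs — and use the same pinned tag as the compose file:
#   mkdir -p keys && docker run --rm -v "$PWD/keys:/keys" \
#     authelia/authelia:<pinned-tag> \
#     authelia crypto pair rsa generate --directory /keys
# The private key is a secret: keep keys/ out of git and prefer loading it
# from the mounted file (4.38 supports config templating for this, e.g.
# X_AUTHELIA_CONFIG_FILTERS=template and a `{{ secret "/keys/private.pem" }}`
# expression — check the docs for the exact form) over pasting it inline.
# Client secrets must be stored *hashed* in 4.38 (plaintext is rejected):
#   docker run --rm authelia/authelia:<pinned-tag> \
#     authelia crypto hash generate pbkdf2 --random
# gives the plaintext for the app and the hash for this file.
# ----------------------------------------------------------------------------
# identity_providers:
#   oidc:
#     jwks:
#       - key: |
#           -----BEGIN PRIVATE KEY----- ...
#     clients:
#       - client_id: stalwart
#         client_name: Stalwart Mail
#         client_secret: '$pbkdf2-sha512$...'   # hash, never the plaintext
#         public: false
#         authorization_policy: one_factor    # raise to two_factor as needed
#         redirect_uris:
#           - https://mail.infinidim.net/...  # exact match; no wildcards
#         scopes: [openid, profile, email]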