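---
# Authelia configuration for pukeko.xyz (single sign-on portal and OIDC provider).
#
# NOTE(review): the published copy of this file carried live credentials inline:
# jwt_secret, session.secret, storage.encryption_key, the SMTP password and every
# OIDC client secret. jwt_secret and session.secret also shared one short value.
# Treat all of them as compromised and rotate them. The inline values are removed
# here; the four core secrets are expected from files via the environment:
#   AUTHELIA_JWT_SECRET_FILE
#   AUTHELIA_SESSION_SECRET_FILE
#   AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE
#   AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE
# Authelia refuses to start when a required secret is missing, so this fails closed.

# NOTE(review): the dotted top-level keys (server.host, server.port, log.level) are
# kept exactly as found. Whether the loader treats them as nested settings is not
# visible from this file; confirm, or nest them under `server:` / `log:`.
server.host: 0.0.0.0
server.port: 9091
server:
  read_buffer_size: 4096
  write_buffer_size: 4096
  path: "authelia"

# NOTE(review): debug logging is verbose and can record request details; consider a
# quieter level once the deployment is stable.
log.level: debug

# jwt_secret: supplied via AUTHELIA_JWT_SECRET_FILE (see header). Use a long random
# value that is not shared with any other secret.

totp:
  issuer: authelia.com
  period: 30
  skew: 1

default_redirection_url: https://pukeko.xyz/

authentication_backend:
  disable_reset_password: false
  file:
    path: /config/users_database.yml
    password:
      algorithm: argon2id
      iterations: 1
      key_length: 32
      salt_length: 16
      memory: 512
      parallelism: 8

access_control:
  # Anything not matched by a rule below is denied.
  default_policy: deny
  # Rules are evaluated top to bottom and the first match decides the policy, so the
  # order of this list is security-relevant.
  rules:
    # Dumb redirect to dash.pukeko.xyz - do not auth
    - domain: "pukeko.xyz"
      policy: bypass

    # Allow access from internal network
    # NOTE(review): this skips authentication for every subdomain based on source
    # address alone. It is only as trustworthy as the client IP Authelia sees, so
    # confirm the reverse proxy forwards the real client address and that proxied
    # traffic does not itself appear to come from a Docker subnet listed here.
    # The 150.200-150.202 ranges are not RFC 1918 private space, and the entries
    # have host bits set (x.x.0.1/24); verify these are the intended networks.
    - domain:
        - "*.pukeko.xyz"
      networks:
        # Docker main subnet
        - 150.200.0.1/24
        # Docker subnet A
        - 150.201.0.1/24
        # Docker subnet B
        - 150.202.0.1/24
        # Home
        - 192.168.0.0/24
        # Wireguard
        - 10.8.0.0/16
      policy: bypass

    # Allow access to container's /api address
    # NOTE(review): "^/api.*" matches any path that starts with /api on every
    # subdomain, so those requests never reach Authelia's login and depend entirely
    # on each application's own API authentication. Prefer listing only the hosts
    # that need it and anchoring the pattern (for example "^/api/.*").
    - domain:
        - "*.pukeko.xyz"
      resources:
        - "^/api.*"
      policy: bypass

    # Allow access to specific subdomains with family group
    - domain: "dash.pukeko.xyz"
      policy: one_factor
      subject: "group:family"
    - domain: "cloud.pukeko.xyz"
      policy: one_factor
      subject: "group:family"
    - domain: "photos.pukeko.xyz"
      policy: one_factor
      subject: "group:family"
    - domain: "tv.pukeko.xyz"
      policy: one_factor
      subject: "group:family"
    - domain: "movies.pukeko.xyz"
      policy: one_factor
      subject: "group:family"
    - domain: "subtitles.pukeko.xyz"
      policy: one_factor
      subject: "group:family"
    - domain: "torrent.pukeko.xyz"
      policy: one_factor
      subject: "group:family"
    - domain: "news.pukeko.xyz"
      policy: one_factor
      subject: "group:family"
    - domain: "tasks.pukeko.xyz"
      policy: one_factor
      subject: "group:family"

    # Allow access to shares within Filebrowser
    # NOTE(review): a rule for cloud.pukeko.xyz already appears above this one;
    # confirm this bypass is actually reached for unauthenticated share links.
    # The leading "^*" in the pattern also looks unintended ("^/share/.*" is
    # probably what was meant); verify before relying on it.
    - domain: "cloud.pukeko.xyz"
      policy: bypass
      resources:
        # Match only /share/ url's - Filebrowser's shares
        - "^*/share/.*"

    # Allow access to public Git repository
    - domain:
        - "git.pukeko.xyz"
      policy: bypass
      resources:
        - "^/public([/?].*)?$"

    # Catch-all: every other subdomain requires two-factor authentication.
    - domain:
        - "*.pukeko.xyz"
      policy: two_factor

session:
  name: authelia_session
  # secret: supplied via AUTHELIA_SESSION_SECRET_FILE (see header); must differ from
  # jwt_secret.
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M
  domain: "pukeko.xyz"

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

storage:
  # encryption_key: supplied via AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE (see header).
  # NOTE(review): data already in the database is encrypted under the old key, so
  # rotating it means re-encrypting the existing store, not just swapping the value.
  local:
    path: /config/db.sqlite3

notifier:
  disable_startup_check: false
  smtp:
    host: smtp.zoho.com
    port: 587
    timeout: 5s
    username: "matan@pukeko.xyz"
    # password: supplied via AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE (see header).
    # Change the mailbox password as well; the old one was published.
    sender: matan@pukeko.xyz
    identifier: localhost
    subject: "[Authelia] {authelia}"
    startup_check_address: test@authelia.com
    disable_require_tls: false
    disable_html_emails: false

identity_providers:
  oidc:
    # NOTE(review): each client secret below is a labelled placeholder. Generate a
    # fresh random secret per client, update the matching application, and keep the
    # real values out of version control. Where the deployed Authelia version
    # supports hashed client secrets, store the digest rather than the plaintext.
    # pre_configured_consent_duration of 100y means consent is effectively never
    # asked for again once granted.
    clients:
      - id: portainer
        description: Portainer CE
        secret: '<PLACEHOLDER_PORTAINER_CLIENT_SECRET>'
        pre_configured_consent_duration: 100y
        redirect_uris:
          - https://portain.pukeko.xyz/

      - id: gitea
        description: Gitea
        secret: '<PLACEHOLDER_GITEA_CLIENT_SECRET>'
        pre_configured_consent_duration: 100y
        redirect_uris:
          - https://git.pukeko.xyz/user/oauth2/Authelia/callback

      - id: wekan
        description: Wekan
        secret: '<PLACEHOLDER_WEKAN_CLIENT_SECRET>'
        pre_configured_consent_duration: 100y
        redirect_uris:
          - https://tasks.pukeko.xyz/_oauth/oidc

      - id: wikijs
        description: WikiJS
        secret: '<PLACEHOLDER_WIKIJS_CLIENT_SECRET>'
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 100y
        redirect_uris:
          - https://wiki.pukeko.xyz/login/a8755bfb-8a4e-49b7-b31b-43ac5638367a/callback
        userinfo_signing_algorithm: none
        scopes:
          - openid
          - email
          - profile
          - groups
        response_modes:
          - form_post

      - id: grafana
        description: Grafana
        secret: '<PLACEHOLDER_GRAFANA_CLIENT_SECRET>'
        pre_configured_consent_duration: 100y
        redirect_uris:
          - https://flight.pukeko.xyz/

      - id: vikunja
        description: Vikunja
        secret: '<PLACEHOLDER_VIKUNJA_CLIENT_SECRET>'
        pre_configured_consent_duration: 100y
        authorization_policy: one_factor
        redirect_uris:
          - https://tasks.pukeko.xyz/auth/openid/
          - https://tasks.pukeko.xyz/auth/openid/authelia
          - https://tasks.pukeko.xyz/api/oidc/authorization
        scopes:
          - openid
          - email
          - profile
          - groups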