############
# Authelia #
############

# ---------------------
# General Configuration
# ---------------------
container_authelia_version: latest  # Authelia container image tag/version
container_authelia_domain: authelia.example.com  # Fully Qualified Domain Name (FQDN) for Authelia
container_authelia_theme: "dark" # dark, light or grey theme

# ---------------------
# Server Settings
# ---------------------
container_authelia_server_port: 9091  # Port on which Authelia will listen

# ---------------------
# Logging
# ---------------------
container_authelia_log_level: debug  # Log level: trace, debug, info, warn, error
container_authelia_log_file_path: /var/log/authelia/authelia.log  # Path to log file
container_authelia_log_keep_stdout: true  # Also log to STDOUT (recommended for containers)

# ---------------------
# Identity Validation / Password Reset
# ---------------------
container_authelia_elevated_session_2fa: true  # Require 2FA for elevated sessions
container_authelia_jwt_lifespan: "5 minutes"  # Expiration time for password reset links
container_authelia_jwt_secret: "nyt4JDvuhU6SGp7H0vaEs0rfGETjI26fRQPJZzwdWPuXsmHdAun2hryiJDyDPRuC" # docker run --rm authelia/authelia:latest authelia crypto rand --length 64 --charset alphanumeric

# ---------------------
# TOTP (Two-Factor Authentication)
# ---------------------
container_authelia_totp_disable: false  # Disable TOTP (false = enabled)
container_authelia_totp_issuer: example.com  # Issuer name shown in authenticator apps
container_authelia_totp_period: 30  # Time interval in seconds
container_authelia_totp_skew: 1  # Allowed time drift (in periods)

# ---------------------
# Password Policy (Zxcvbn)
# ---------------------
container_authelia_zxcvbn_enabled: true  # Enable password strength validation
container_authelia_zxcvbn_min_score: 4  # Minimum strength score (0–4)

# ---------------------
# Authentication Backend (File-based)
# ---------------------
container_authelia_auth_file_path: /config/users.yml  # Path to user configuration file
container_authelia_auth_algorithm: argon2  # Password hashing algorithm
container_authelia_auth_argon2_variant: argon2id
container_authelia_auth_argon2_iterations: 3
container_authelia_auth_argon2_memory: 65535
container_authelia_auth_argon2_parallelism: 4
container_authelia_auth_argon2_key_length: 32
container_authelia_auth_argon2_salt_length: 16

# ---------------------
# Access Control
# ---------------------
container_authelia_access_default_policy: deny  # Default access policy (deny/one_factor/two_factor)
container_authelia_access_rules:
  - domain: "traefik.example.com"
    policy: "one_factor"
  - domain: "whoami-secure.example.com"
    policy: "two_factor"

# ---------------------
# Session Configuration
# ---------------------
container_authelia_session_name: authelia_session  # Name of the session cookie
container_authelia_session_key: "zB3d7gTWVbhB5jFQVkjtxfhVZ4aEaFwKHWNa81jjqSL7JgV5HmqOAULDhlJA0muI" # docker run --rm authelia/authelia:latest authelia crypto rand --length 64 --charset alphanumeric
container_authelia_session_cookies:
  - domain: "example.com"
    authelia_url: "https://auth.example.com"

# ---------------------
# Security Regulation (Brute Force Protection)
# ---------------------
container_authelia_regulation_max_retries: 4  # Max failed login attempts before ban
container_authelia_regulation_find_time: 120  # Time window to count failed attempts (in seconds)
container_authelia_regulation_ban_time: 300  # Ban duration after reaching retry limit (in seconds)

# ---------------------
# Storage
# ---------------------

container_authelia_storage_encryption_key: "B4g3XlMfiBJPUXqrZmxfE1CccUASi1r2Cxpr8q9QbmQ3Rvx1RDJvZ1J3DTqkR2a5" # docker run --rm authelia/authelia:latest authelia crypto rand --length 64 --charset alphanumeric
container_authelia_storage_path: /config/db.sqlite3  # Path to SQLite storage file

# ---------------------
# Notifications
# ---------------------
container_authelia_notifier_disable_startup_check: false  # Disable notifier startup check (recommended: false)
container_authelia_notifier_file: /config/notification.txt  # File path used for file-based notifications

# ---------------------
# User Configuration (for file-based backend)
# ---------------------
# !! SECURITY WARNING !!: 
# Passwords must always be hashed (argon2, bcrypt, sha512, etc.).
# Never store plain-text passwords in production.
# Use this guide to generate secure hashes:
# https://www.authelia.com/reference/guides/passwords/#passwords

container_authelia_users:
  - username: authelia
    displayname: 'Authelia User'
    # docker run --rm -it authelia/authelia:latest authelia crypto hash generate argon2
    # !! Replace the password with a secure hashed password
    password: '$6$rounds=50000$BpLnfgDsc2WD8F2q$Zis.ixdg9s/UOJYrs56b5QEZFiZECu0qZVNsIYxBaNJ7ucIL.nlxVCT5tqh8KHG8X4tlwCFm5r6NTOZZ5qRFN/'
    email: 'authelia@authelia.com'
    groups:
      - 'admin'
      - 'dev'