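## Authelia configuration rendered as a Nomad template: the {{ ... }} directives
## (nomadVar, nomadVarList, env) are expanded by Nomad's template stanza before
## Authelia reads the file, so this text is not valid YAML until rendered.
## Secret values are deliberately absent here; the comments below say session.secret
## and the LDAP password come from a secrets file, and the other commented-out
## secrets (jwt_secret, encryption_key, hmac_secret, ...) presumably do too --
## confirm against the job spec.
## Templated string values are quoted so an empty or number-looking variable
## cannot change the YAML type of the rendered value.
theme: auto
# jwt_secret:

{{ with nomadVar "nomad/jobs" }}
default_redirection_url: "https://authelia.{{ .base_hostname }}/"
{{ end }}

## Set the default 2FA method for new users and for when a user has a preferred method configured that has been
## disabled. This setting must be a method that is enabled.
## Options are totp, webauthn, mobile_push.
default_2fa_method: ""

server:
  ## Listens on every interface of the task's network namespace; the port is the
  ## Nomad-allocated "main" port. Presumably only reachable through the job's
  ## network/port mapping -- verify in the job spec.
  host: 0.0.0.0
  port: {{ env "NOMAD_PORT_main" }}
  disable_healthcheck: false

log:
  ## Level of verbosity for logs: info, debug, trace.
  ## NOTE(review): debug is very verbose for an authentication service that
  ## logs every request; consider info once initial setup is finished.
  level: debug
  format: json

telemetry:
  metrics:
    enabled: false
    # address: '0.0.0.0:{{ env "NOMAD_PORT_metrics" }}'

totp:
  disable: false
  issuer: "{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}"
  digits: 6
  ## The TOTP algorithm to use.
  ## It is CRITICAL you read the documentation before changing this option:
  ## https://www.authelia.com/c/totp#algorithm
  algorithm: sha1

webauthn:
  disable: false
  timeout: 60s
  display_name: "{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}"
  user_verification: preferred

duo_api:
  disable: true
  # hostname:
  # integration_key:
  # secret_key:
  # enable_self_enrollment: false

authentication_backend:
  disable_reset_password: false
  ## Password Reset Options.
  password_reset:
    ## External reset password url that redirects the user to an external reset portal. This disables the internal reset
    ## functionality.
    # TODO: not sure if this is needed, probably not?
    custom_url: ""
  refresh_interval: 5m
  ldap:
    implementation: custom
    # stunnel url
    ## Plain ldap:// to loopback without StartTLS: bind credentials and queries
    ## travel unencrypted on the local link only. The TODO below is the
    ## intended fix (stunnel or start_tls) if the directory ever moves off-host.
    url: ldap://127.0.0.1:389
    timeout: 5s
    # TODO: Maybe use stunnel for this
    start_tls: false
    base_dn: "{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"
    additional_users_dn: ou=people
    additional_groups_dn: ou=groups
    username_attribute: uid
    group_name_attribute: cn
    mail_attribute: mail
    display_name_attribute: displayName
    # To allow sign in both with username and email, one can use a filter like
    # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    users_filter: "(&({username_attribute}={input})(objectClass=person))"
    # Only supported filter by lldap right now
    groups_filter: "(member={dn})"
    ## The username and password of the admin user.
{{ with nomadVar "secrets/ldap" }}
    user: "uid={{ .admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}"
{{ end }}
    # password set using secrets file
    # password:

password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true
  zxcvbn:
    enabled: false
    min_score: 3

##
## Access Control Configuration
##
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
##
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
## to anyone. Otherwise restrictions follow the rules defined.
##
## Note: One can use the wildcard * to match any subdomain.
## It must stand at the beginning of the pattern. (example: *.mydomain.com)
##
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
##
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
##
## - 'domain' defines which domain or set of domains the rule applies to.
##
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
## provided. If provided, the parameter represents either a user or a group. It should be of the form
## 'user:' or 'group:'.
##
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
##
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
## is optional and matches any resource if not provided.
##
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
  ## resource if there is no policy to be applied to the user.
  default_policy: deny

  networks:
    - name: internal
      networks:
        - 192.168.1.0/24
        - 192.168.2.0/24
        - 192.168.10.0/24
    - name: VPN
      ## Written as a list like 'internal' above so both entries have the same shape.
      networks:
        - 192.168.5.0/24

  rules:
    ## Per-service rules come first so they take precedence over the catch-all
    ## rules below. Each Nomad variable under service_rules supplies a 'name'
    ## (the subdomain) and a 'rule' body; 'indent 6' lines the body up with the
    ## 'domain' key, so the directive itself must stay at column 0.
{{ range nomadVarList "authelia/access_control/service_rules" }}{{ with nomadVar .Path }}
    - domain: '{{ .name }}.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
{{ .rule.Value | indent 6 }}
{{ end }}{{ end }}

    ## Hosts that always require two factors, regardless of source network.
    ## This rule must precede the '*.' wildcard rules: the first matching rule
    ## wins, and the wildcard rules match every subdomain, so placed after them
    ## this rule would never be reached and internal clients would get
    ## one_factor on these hosts.
    # TODO: Drive these from Nomad variables
    - domain:
        - 'secure.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
      policy: two_factor

    ## Rules applied to everyone
    - domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
      networks:
        - internal
      policy: one_factor

    - domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
      policy: two_factor

session:
  ## The name of the session cookie.
  name: authelia_session
  domain: "{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}"
  # Stored in a secrets file
  # secret:
  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M

  redis:
    ## Loopback Redis with no credentials configured (commented out below);
    ## presumably the instance is only reachable inside the allocation -- confirm.
    host: 127.0.0.1
    port: 6379
    # username: authelia
    # password: authelia
    # database_index: 0
    maximum_active_connections: 8
    minimum_idle_connections: 0

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

##
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
  # encryption_key:
  ##
  ## MySQL / MariaDB (Storage Provider)
  ##
  mysql:
    host: 127.0.0.1
    port: 3306
{{ with nomadVar "nomad/jobs/authelia" }}
    database: "{{ .db_name }}"
    username: "{{ .db_user }}"
    # password:
{{- end }}
    timeout: 5s

##
## Notification Provider
##
## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use only one of these providers.
notifier:
  ## You can disable the notifier startup check by setting this to true.
  disable_startup_check: false
  ## The 'sender' block below is nested under 'smtp' but lives in a separate
  ## 'with' block; if secrets/smtp is missing, the smtp key is not rendered and
  ## the remaining keys end up orphaned. Keep both variables present together.
{{ with nomadVar "secrets/smtp" }}
  smtp:
    host: "{{ .server }}"
    port: {{ .port }}
    username: "{{ .user }}"
    # password:
{{- end }}
{{ with nomadVar "nomad/jobs/authelia" }}
    sender: "{{ .email_sender }}"
    ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
    subject: "[Authelia] {title}"
    ## This address is used during the startup check to verify the email configuration is correct.
    ## It's not important what it is except if your email server only allows local delivery.
    startup_check_address: test@iamthefij.com
{{- end }}

identity_providers:
  oidc:
    # hmac_secret:
    # issuer_private_key:
    ## The client list is taken verbatim from the Nomad variable; the stored
    ## value must already be indented to sit under 'clients' (no indent filter
    ## is applied here, unlike the access-control rules above).
    clients:
{{ with nomadVar "nomad/jobs/authelia" }}{{ .oidc_clients.Value }}{{ end }}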