theme: auto

# jwt_secret: < in file >

{{ with nomadVar "nomad/jobs" }}
default_redirection_url: https://authelia.{{ .base_hostname }}/
{{ end }}

## Set the default 2FA method for new users and for when a user has a preferred method configured that has been
## disabled. This setting must be a method that is enabled.
## Options are totp, webauthn, mobile_push.
default_2fa_method: ""

server:
  host: 0.0.0.0
  port: 9091
  disable_healthcheck: false

log:
  ## Level of verbosity for logs: info, debug, trace.
  level: debug

  ## Format the logs are written as: json, text.
  format: json

telemetry:
  metrics:
    enabled: false
    # address: '0.0.0.0:{{ env "NOMAD_PORT_metrics" }}'

totp:
  disable: false
  issuer: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
  digits: 6

  ## The TOTP algorithm to use.
  ## It is CRITICAL you read the documentation before changing this option:
  ## https://www.authelia.com/c/totp#algorithm
  algorithm: sha1

webauthn:
  disable: false
  timeout: 60s
  display_name: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}
  user_verification: preferred

duo_api:
  disable: true
  # hostname:
  # integration_key:
  # secret_key:
  # enable_self_enrollment: false

authentication_backend:
  disable_reset_password: false

  ## Password Reset Options.
  password_reset:

    ## External reset password url that redirects the user to an external reset portal. This disables the internal reset
    ## functionality.
    # TODO: not sure if this is needed, probably not?
    custom_url: ""

  refresh_interval: 5m

  ldap:
    implementation: custom

    # stunnel url
    url: ldap://127.0.0.1:389
    timeout: 5s

    # TODO: Maybe use stunnel for this
    start_tls: false

    base_dn: {{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
    additional_users_dn: ou=people
    additional_groups_dn: ou=groups

    username_attribute: uid
    group_name_attribute: cn
    mail_attribute: mail
    display_name_attribute: displayName

    # To allow sign in both with username and email, one can use a filter like
    # (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
    users_filter: "(&({username_attribute}={input})(objectClass=person))"
    # Only supported filter by lldap right now
    groups_filter: (member={dn})

    ## The username and password of the admin user.
    {{ with nomadVar "nomad/jobs/authelia" }}
    user: uid={{ .lldap_admin_user }},ou=people,{{ with nomadVar "nomad/jobs" }}{{ .ldap_base_dn }}{{ end }}
    {{ end }}
    # password set using secrets file
    # password: <secret>

password_policy:
  standard:
    enabled: false
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true

  zxcvbn:
    enabled: false
    min_score: 3

##
## Access Control Configuration
##
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
##
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
## to anyone. Otherwise restrictions follow the rules defined.
##
## Note: One can use the wildcard * to match any subdomain.
## It must stand at the beginning of the pattern. (example: *.mydomain.com)
##
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
##
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
##
## - 'domain' defines which domain or set of domains the rule applies to.
##
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
##    provided. If provided, the parameter represents either a user or a group. It should be of the form
##    'user:<username>' or 'group:<groupname>'.
##
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
##
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
##   is optional and matches any resource if not provided.
##
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
  ## resource if there is no policy to be applied to the user.
  default_policy: deny

  networks:
    - name: internal
      networks:
        - 192.168.1.0/24
        - 192.168.2.0/24
        - 192.168.10.0/24
    - name: VPN
      networks: 192.168.5.0/24

  rules:
    ## Rules applied to everyone
    - domain: '*.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
      policy: one_factor

    - domain:
        # TODO: Drive these from Nomad variables
        - 'secure.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}'
      policy: two_factor

session:
  ## The name of the session cookie.
  name: authelia_session
  domain: {{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}

  # Stored in a secrets file
  # secret: <in file>

  expiration: 1h
  inactivity: 5m
  remember_me_duration: 1M

  # TODO: use redis when I figure out authentication and database indexes
  # redis:
  #   host:
  #   port:
  #
  #   # username: authelia
  #   # password: authelia
  #   database_index: 0
  #   maximum_active_connections: 8
  #   minimum_idle_connections: 0

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m

##
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
  # encryption_key: <in file>

  ##
  ## MySQL / MariaDB (Storage Provider)
  ##
  mysql:
    host: 127.0.0.1
    port: 3306
    {{ with nomadVar "nomad/jobs/authelia" }}
    database: {{ .db_name }}
    username: {{ .db_user }}
    # password: <in_file>
    {{- end }}
    timeout: 5s

##
## Notification Provider
##
## Notifications are sent to users when they require a password reset, a Webauthn registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use only one of these providers.
notifier:
  ## You can disable the notifier startup check by setting this to true.
  disable_startup_check: false

{{ with nomadVar "nomad/jobs" }}
  smtp:
    host: {{ .smtp_server }}
    port: {{ .smtp_port }}
    username: {{ .smtp_user }}
    # password: <in file>

{{- end }}
{{ with nomadVar "nomad/jobs/authelia" }}
    sender: "{{ .email_sender }}"

    ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
    subject: "[Authelia] {title}"

    ## This address is used during the startup check to verify the email configuration is correct.
    ## It's not important what it is except if your email server only allows local delivery.
    startup_check_address: test@iamthefij.com
{{- end }}

# identity_providers:
  ##
  ## OpenID Connect (Identity Provider)
  ##
  ## It's recommended you read the documentation before configuration of this section:
  ## https://www.authelia.com/c/oidc
  # oidc:
    ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
    ## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
    # hmac_secret: this_is_a_secret_abc123abc123abc

    ## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
    ## Issuer Private Key can also be set using a secret: https://www.authelia.com/c/secrets
    # issuer_private_key: |
    #   --- KEY START
    #   --- KEY END

    ## The lifespans configure the expiration for these token types.
    # access_token_lifespan: 1h
    # authorize_code_lifespan: 1m
    # id_token_lifespan: 1h
    # refresh_token_lifespan: 90m

    ## Enables additional debug messages.
    # enable_client_debug_messages: false

    ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
    ## security reasons.
    # minimum_parameter_entropy: 8

    ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
    ## for security reasons.
    # enforce_pkce: public_clients_only

    ## Cross-Origin Resource Sharing (CORS) settings.
    # cors:
      ## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
      # endpoints:
      #    - authorization
      #    - token
      #    - revocation
      #    - introspection
      #    - userinfo

      ## List of allowed origins.
      ## Any origin with https is permitted unless this option is configured or the
      ## allowed_origins_from_client_redirect_uris option is enabled.
      # allowed_origins:
      #   - https://example.com

      ## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
      ## provided they have the scheme http or https and do not have the hostname of localhost.
      # allowed_origins_from_client_redirect_uris: false

    ## Clients is a list of known clients and their configuration.
    # clients:
      # -
        ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
        # id: myapp

        ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
        # description: My Application

        ## The client secret is a shared secret between Authelia and the consumer of this client.
        # secret: this_is_a_secret

        ## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
        ## necessary. Read the documentation for more information.
        ## The subject identifier must be the host component of a URL, which is a domain name with an optional port.
        # sector_identifier: example.com

        ## Sets the client to public. This should typically not be set, please see the documentation for usage.
        # public: false

        ## The policy to require for this client; one_factor or two_factor.
        # authorization_policy: two_factor

        ## By default users cannot remember pre-configured consents. Setting this value to a period of time using a
        ## duration notation will enable users to remember consent for this client. The time configured is the amount
        ## of time the pre-configured consent is valid for granting new authorizations to the user.
        # pre_configured_consent_duration:

        ## Audience this client is allowed to request.
        # audience: []

        ## Scopes this client is allowed to request.
        # scopes:
          # - openid
          # - groups
          # - email
          # - profile

        ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
        # redirect_uris:
        # - https://oidc.example.com:8080/oauth2/callback

        ## Grant Types configures which grants this client can obtain.
        ## It's not recommended to define this unless you know what you're doing.
        # grant_types:
          # - refresh_token
          # - authorization_code

        ## Response Types configures which responses this client can be sent.
        ## It's not recommended to define this unless you know what you're doing.
        # response_types:
          # - code

        ## Response Modes configures which response modes this client supports.
        # response_modes:
          # - form_post
          # - query
          # - fragment

        ## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
        # userinfo_signing_algorithm: none