theme: 'auto'

access_control:
  default_policy: deny
  rules:
    - domain: '*.gasdev.fr'
      policy: one_factor

server:
  address: 'tcp://:9091/'
  endpoints:
    authz:
      forward-auth:
        implementation: 'ForwardAuth'

session:
  cookies:
    - domain: 'gasdev.fr'
      authelia_url: 'https://auth.gasdev.fr'
      default_redirection_url: 'https://auth.gasdev.fr/authenticated'

identity_providers:
  oidc:
    jwks:
      - key: {{ secret "/secrets/OIDC_JWKS_PRIVATE_KEY" | mindent 10 "|" | msquote }}
    clients:
      - client_id: 'penpot'
        client_name: 'Penpot'
        client_secret: $pbkdf2-sha512$310000$WuYHbHrVI3wMn/tZXwDTMA$WnS0VoR4jLNQnXjJUN46EfnC4QMdpdnNcYsGvSCpkbzguO4of.tCgAeLsfzLgWn9CSGMt20TZOQfc/7IbfwBHg
        redirect_uris: 'https://penpot.gasdev.fr/api/auth/oauth/oidc/callback'
        token_endpoint_auth_method: 'client_secret_post'
        authorization_policy: 'one_factor'
        scopes:
          - 'email'
          - 'openid'
          - 'profile'
      

authentication_backend:
  password_reset:
    disable: false

  file:
    path: '/data/users_database.yml'
    password:
      algorithm: 'argon2'

password_policy:
  standard:
    enabled: true
    min_length: 10
    max_length: 128
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true

storage:
  local:
    path: /data/db.sqlite3

notifier:
  smtp:
    address: 'smtp.mail.ovh.net'
    username: 'postmaster@gasdev.fr'
    sender: 'Authelia <authelia@gasdev.fr>'

log:
  level: 'info'
  format: 'json'

totp:
  issuer: 'gasdev.fr'
  ## https://www.authelia.com/c/totp#algorithm
  algorithm: 'SHA1'

  ## https://www.authelia.com/c/totp#digits
  digits: 6
  period: 30
  ## See: https://www.authelia.com/c/totp#input-validation to read
  skew: 1

webauthn:
  disable: true

duo_api:
  disable: true
  
ntp:
  address: 'udp://time.cloudflare.com:123'