# Authelia configuration template (Jinja2).
# {{ ... }} placeholders are substituted as plain text before the result is
# parsed as YAML, so a rendered value that contains a single quote would break
# the quoting around it.
# The rendered file carries every secret below in clear text; restrict its
# permissions to the account Authelia runs as.

theme: 'auto'

totp:
  issuer: '{{ domain }}'

identity_validation:
  reset_password:
    # Key for the JWTs used in the password-reset identity check.
    jwt_secret: '{{ authelia_secrets["jwt_secret"] }}'

authentication_backend:
  refresh_interval: '1m'
  ldap:
    implementation: 'custom'
    # NOTE(review): ldap:// is unencrypted, so the bind password and each
    # user password Authelia verifies cross this link in clear text. That is
    # acceptable only if 'lldap' resolves on a private container network;
    # otherwise prefer an ldaps:// address. TODO confirm the network layout.
    address: 'ldap://lldap:3890'
    base_dn: '{{ ldap_base_dn }}'
    # {username_attribute}, {input} and {dn} use single braces: they are left
    # untouched by Jinja and filled in by Authelia at query time.
    users_filter: '(&({username_attribute}={input})(objectClass=person))'
    groups_filter: '(member={dn})'
    # Bind account used for directory lookups.
    user: '{{ authelia_secrets["ldap_user"] }}'
    password: '{{ authelia_secrets["ldap_password"] }}'
    attributes:
      distinguished_name: 'distinguishedName'
      username: 'uid'
      mail: 'mail'
      member_of: 'memberOf'
      group_name: 'cn'

password_policy:
  standard:
    enabled: true
    min_length: 12
    max_length: 128
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: true

access_control:
  # Requests that match none of the rules below are refused.
  default_policy: 'deny'
  rules:
    # The portal's own hostname is served without an authentication check.
    - domain: 'auth.{{ domain }}'
      policy: 'bypass'
    # Directory admin UI: second factor required, lldap_admin group only.
    - domain: 'ldap.{{ domain }}'
      policy: 'two_factor'
      subject: 'group:lldap_admin'
    # Syncthing UI: second factor required, one named user only.
    - domain: 'syncthing.{{ domain }}'
      policy: 'two_factor'
      subject: 'user:viyurz'

session:
  cookies:
    - name: 'authelia_session'
      # The cookie is scoped to the parent domain, so browsers send it to
      # every subdomain of it.
      domain: '{{ domain }}'
      authelia_url: 'https://auth.{{ domain }}'

storage:
  # Key Authelia uses to encrypt sensitive values kept in the database.
  encryption_key: '{{ authelia_secrets["encryption_key"] }}'
  postgres:
    # NOTE(review): no tls block is set for this connection. If this hostname
    # is reached over anything other than a private network, add
    # storage.postgres.tls. TODO confirm how the database is exposed.
    address: 'postgres.{{ domain }}'
    database: 'authelia'
    username: '{{ authelia_secrets["postgres_user"] }}'
    password: '{{ authelia_secrets["postgres_password"] }}'

notifier:
  smtp:
    # submissions:// selects SMTP over implicit TLS.
    address: 'submissions://mail.{{ domain }}:{{ ports["mailserver_smtps"] }}'
    username: '{{ authelia_secrets["smtp_user"] }}'
    password: '{{ authelia_secrets["smtp_password"] }}'
    # NOTE(review): this value looks truncated; an address in angle brackets
    # was probably lost when the page was extracted. Authelia needs a
    # parseable mail address here, of the form 'Authelia <MAILBOX@DOMAIN>'
    # (placeholder). The value is kept exactly as found.
    sender: 'Authelia '

identity_providers:
  oidc:
    hmac_secret: '{{ authelia_secrets["hmac_secret"] }}'
    jwks:
      # Private key material for signing tokens. The block scalar body starts
      # at column 10; indent(width=10) pads the remaining lines of the key to
      # the same column, so do not change this nesting depth without also
      # changing the width.
      - key: |
          {{ authelia_secrets["jwks_key"] | indent(width=10) }}
    # NOTE(review): neither client sets authorization_policy, so Authelia's
    # built-in default applies; confirm that is the level wanted for these
    # two services.
    clients:
      - client_id: '{{ authelia_secrets["hedgedoc_client_id"] }}'
        client_name: 'HedgeDoc'
        # Per the variable name this is the hashed form of the secret, not
        # the plaintext the client itself is configured with.
        client_secret: '{{ authelia_secrets["hedgedoc_client_secret_hash"] }}'
        # NOTE(review): the Authelia reference shows redirect_uris as a list;
        # the single string is kept as written. Confirm your version
        # accepts it.
        redirect_uris: 'https://hedgedoc.{{ domain }}/auth/oauth2/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'
        token_endpoint_auth_method: 'client_secret_post'
      - client_id: '{{ authelia_secrets["synapse_client_id"] }}'
        client_name: 'Synapse'
        # Hashed form of the secret, per the variable name.
        client_secret: '{{ authelia_secrets["synapse_client_secret_hash"] }}'
        redirect_uris: 'https://matrix.{{ domain }}/_synapse/client/oidc/callback'
        scopes:
          - 'openid'
          - 'profile'
          - 'email'