diff --git a/security/authelia/configuration.yml b/security/authelia/configuration.yml
new file mode 100644
index 0000000..4df11d9
--- /dev/null
+++ b/security/authelia/configuration.yml
@@ -0,0 +1,95 @@
+---
+# Authelia configuration — Template
+# Deploy to: /mnt/user/appdata/authelia/config/configuration.yml
+# Docs: https://www.authelia.com/configuration/
+# WICHTIG: Diese Datei NICHT in Git committen wenn user-spezifische Daten enthalten!
+
+theme: dark
+
+server:
+ address: tcp://0.0.0.0:9091
+
+log:
+ level: info
+
+authentication_backend:
+ file:
+ path: /config/users_database.yml
+ password:
+ algorithm: argon2id
+ iterations: 1
+ key_length: 32
+ salt_length: 16
+ memory: 1024
+ parallelism: 8
+
+access_control:
+ default_policy: deny
+ rules:
+ # Authelia selbst ist immer erreichbar (bypass)
+ - domain: auth.kaleschke.info
+ policy: bypass
+
+ # Oeffentliche Apps — kein Login noetig
+ - domain:
+ - immich.kaleschke.info
+ - paperless.kaleschke.info
+ - mealie.kaleschke.info
+ - vault.kaleschke.info
+ - ntfy.kaleschke.info
+ - git.kaleschke.info
+ - homepage.kaleschke.info
+ policy: bypass
+
+ # Admin-Dienste — 2FA erforderlich
+ - domain:
+ - komodo.kaleschke.info
+ - uptime.kaleschke.info
+ - files.kaleschke.info
+ - scrutiny.kaleschke.info
+ - beszel.kaleschke.info
+ policy: two_factor
+
+ # Alles andere — 1FA
+ - domain: "*.kaleschke.info"
+ policy: one_factor
+
+session:
+ name: authelia_session
+ same_site: lax
+ expiration: 12h
+ inactivity: 45m
+ remember_me: 1M
+ cookies:
+ - domain: kaleschke.info
+ authelia_url: https://auth.kaleschke.info
+ default_redirection_url: https://homepage.kaleschke.info
+
+regulation:
+ max_retries: 3
+ find_time: 2m
+ ban_time: 5m
+
+storage:
+ postgres:
+ address: tcp://postgresql17:5432
+ database: authelia
+ username: authelia
+ password_file: /secrets/postgres_password.txt
+
+notifier:
+ disable_startup_check: false
+ filesystem:
+ filename: /config/notifications.log
+ # SMTP (fuer 2FA-Codes per Mail — optional, empfohlen fuer Produktion):
+ # smtp:
+ # address: smtp://smtp.example.com:587
+ # username: user@example.com
+ # password: your_password
+ # sender: Authelia
+ # subject: "[Authelia] 
{title}"
+
+totp:
+ issuer: kaleschke.info
+ period: 30
+ skew: 1
\ No newline at end of file
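Review bot: The `storage.postgres` block passes the database password through a `password_file` key, which I do not believe Authelia reads from YAML — file-based secrets are normally injected with the `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE` environment variable or the `{{ secret "/secrets/postgres_password.txt" }}` template filter, so this key should be verified against the deployed version rather than assumed to work. The file also never mentions the secrets Authelia requires and this template omits (`session.secret`, `storage.encryption_key` and the password-reset `jwt_secret`); a header comment such as `# session.secret, storage.encryption_key and the reset-password jwt_secret are supplied via AUTHELIA_*_FILE env vars, never in this file` would stop the next deployer from pasting them into a committed file. The `notifier.filesystem` backend writes identity-verification and password-reset links to `/config/notifications.log`, so anyone who can read that file can complete those flows; the SMTP comment should state that the filesystem notifier is for testing only, not merely that SMTP is recommended. Finally, the flat `algorithm`/`iterations`/`memory` keys are the legacy argon2 form; confirm the unit `memory: 1024` is interpreted in by the version in use, since `iterations: 1` is already at the low end of current argon2id guidance.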