---
# Authelia configuration — Template
# Deploy to: /mnt/user/appdata/authelia/config/configuration.yml
# Docs: https://www.authelia.com/configuration/
# IMPORTANT: do NOT commit this file to Git if it contains user-specific data!
# NOTE(review): this template already carries deployment-specific values (real
# host names and an OIDC client-secret digest) — confirm that is intended before
# it is published.
# NOTE(review): no session secret, storage encryption key, database password or
# OIDC HMAC/signing key is set in this file; presumably they are injected through
# environment variables or secret files — verify against the container setup.

theme: dark

server:
  # Listens on every interface on port 9091.
  # NOTE(review): assumes only the reverse proxy can reach this port — confirm.
  address: tcp://0.0.0.0:9091

log:
  level: info

authentication_backend:
  file:
    # User database (names, password digests, groups) lives in this file.
    path: /config/users_database.yml
    password:
      # Hashing parameters applied when Authelia writes a password digest.
      # NOTE(review): these flat keys look like the older Authelia password
      # schema, while server.address and session.cookies follow the newer layout.
      # Confirm the running version still accepts them and which unit it applies
      # to `memory`, because that decides the real Argon2id cost.
      algorithm: argon2id
      iterations: 1
      key_length: 32
      salt_length: 16
      memory: 1024
      parallelism: 8

access_control:
  # Requests that match none of the rules below are denied.
  default_policy: deny
  # Rules are evaluated top to bottom and the first match wins, so the order of
  # the entries below is part of the policy.
  rules:
    # Authelia itself is always reachable (bypass)
    - domain: auth.kaleschke.info
      policy: bypass

    # Public apps — no login required
    # `bypass` means Authelia performs no authentication for these hosts; each
    # application's own login is then the only gate.
    # NOTE(review): confirm that is intended for every host listed here.
    - domain:
        - immich.kaleschke.info
        - paperless.kaleschke.info
        - mealie.kaleschke.info
        - vault.kaleschke.info
        - ntfy.kaleschke.info
        - git.kaleschke.info
        - homepage.kaleschke.info
      policy: bypass

    # Admin services — 2FA required
    - domain:
        - komodo.kaleschke.info
        - uptime.kaleschke.info
        - files.kaleschke.info
        - scrutiny.kaleschke.info
      policy: two_factor

    # Beszel → OIDC login (no ForwardAuth)
    # The OIDC client defined at the bottom of this file requires two_factor.
    - domain: beszel.kaleschke.info
      policy: bypass

    # Everything else — 1FA
    # Catch-all for the remaining subdomains; it must stay last, otherwise it
    # would shadow the more specific rules above.
    - domain: "*.kaleschke.info"
      policy: one_factor

session:
  name: authelia_session
  same_site: lax
  # Session lifetime: 12h absolute, 45m idle; 1M (one month) when the user
  # selects "remember me".
  expiration: 12h
  inactivity: 45m
  remember_me: 1M
  cookies:
    # One session cookie scoped to the parent domain.
    - domain: kaleschke.info
      authelia_url: https://auth.kaleschke.info
      default_redirection_url: https://homepage.kaleschke.info

regulation:
  # Login throttling: 3 failed attempts within 2m lead to a 5m ban.
  max_retries: 3
  find_time: 2m
  ban_time: 5m

storage:
  postgres:
    # NOTE(review): no password and no TLS settings appear here — presumably the
    # password comes from a secret and the database is only reachable on an
    # internal network; TODO confirm.
    address: tcp://postgresql17:5432
    database: authelia
    username: authelia

notifier:
  disable_startup_check: false
  # Notifications are written to this file instead of being sent by mail.
  # NOTE(review): anyone who can read the file can read the verification
  # messages in it — restrict access to /config or switch to SMTP below.
  filesystem:
    filename: /config/notifications.log
  # SMTP (for 2FA codes by mail — optional, recommended for production):
  # smtp:
  #   address: smtp://smtp.example.com:587
  #   username: user@example.com
  #   password: your_password
  #   sender: Authelia
  #   subject: "[Authelia] {title}"

totp:
  issuer: kaleschke.info
  # 30-second codes; skew 1 also accepts the code from one period either side.
  period: 30
  skew: 1

identity_providers:
  oidc:
    clients:
      # Confidential client (public: false) for Beszel, authorization-code flow
      # with mandatory PKCE (S256) and two-factor authorization.
      - client_id: 'beszel'
        client_name: 'Beszel'
        # Stored as an Argon2id digest, not as plaintext.
        # NOTE(review): the digest is still deployment-specific — replace it
        # with a placeholder if this file is shared as a template.
        client_secret: '$argon2id$v=19$m=65536,t=3,p=4$bXTt49iW61s0c8/ZiBlguw$VquorRqL134mjQ6Qa13JY6AI/QCwdk7g1jpc/UtRZPQ'
        public: false
        authorization_policy: 'two_factor'
        require_pkce: true
        pkce_challenge_method: 'S256'
        # Only this exact redirect URI is listed for the client.
        redirect_uris:
          - 'https://beszel.kaleschke.info/api/oauth2-redirect'
        scopes:
          - 'openid'
          - 'email'
          - 'profile'
        response_types:
          - 'code'
        grant_types:
          - 'authorization_code'
        token_endpoint_auth_method: 'client_secret_basic'