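---
###############################################################
# Authelia minimal configuration
###############################################################
# This file is a Go/Helm template: values under .Values.homey.* and the
# top-level secret values (.homey_*) are substituted before Authelia parses
# the result. The rendered file holds the JWT secret, the session secret,
# the storage encryption key and the LDAP bind password, so it must be
# written with a restrictive mode and must never be committed or logged.

{{- /* LDAP base DN derived from the root domain: example.org -> dc=example,dc=org */ -}}
{{- $baseDN := .Values.homey.url | replace "." ",dc=" | printf "dc=%s" }}

theme: "light"

log:
  # "debug" records request details; lower to "info" outside of development.
  level: "debug"

jwt_secret: {{ .homey_authelia_jwt | quote }}

authentication_backend:
  ldap:
    implementation: "custom"
    # NOTE(review): plain ldap:// with start_tls disabled sends the bind
    # password and every user's password in clear text to openldap:389.
    # Acceptable only on a trusted/encrypted cluster network; otherwise use
    # ldaps:// or start_tls: true with a trusted CA.
    url: "ldap://openldap:389"
    timeout: "5s"
    start_tls: false
    base_dn: "{{ $baseDN }}"
    # {input} is escaped by Authelia before substitution. Consider adding an
    # objectClass constraint so that only user entries can match.
    users_filter: "({username_attribute}={input})"
    username_attribute: "uid"
    additional_users_dn: "ou=users"
    # Builds the member DN by hand from the raw login input; Authelia's {dn}
    # placeholder (the DN returned by the user lookup) would be more robust
    # if users_filter is ever widened to match attributes other than uid.
    groups_filter: "(&(uniquemember=uid={input},ou=users,{{ $baseDN }})(objectclass=groupOfUniqueNames))"
    group_name_attribute: "cn"
    additional_groups_dn: "ou=groups"
    mail_attribute: "mail"
    display_name_attribute: "uid"
    permit_referrals: false
    # Keep false: an empty-password (unauthenticated) bind must never count
    # as a successful login.
    permit_unauthenticated_bind: false
    # Read-only service account used for user and group lookups.
    user: "cn=readonly,{{ $baseDN }}"
    password: {{ .homey_openldap_ro | quote }}

totp:
  issuer: "{{ .Values.homey.url }}"
  disable: false

session:
  name: authelia_session
  secret: {{ .homey_authelia_session | quote }}
  # inactivity must not exceed expiration: the session is destroyed at the
  # absolute expiration regardless, so an inactivity timeout longer than it
  # never fires. The original values were the other way round (3600/7200),
  # which silently disabled the idle timeout.
  expiration: 7200  # 2 hours, absolute lifetime of the session
  inactivity: 3600  # 1 hour idle before the session is destroyed
  domain: "{{ .Values.homey.url }}"  # needs to be your root domain

storage:
  local:
    path: "/config/db.sqlite3"
  encryption_key: {{ .homey_authelia_encryption_key | quote }}

access_control:
  default_policy: "deny"
  rules:
    # The portal itself must be reachable without a session. Derived from the
    # root domain like every other rule (previously hard-coded to one domain,
    # which would have left the portal under default_policy deny for any
    # other value of homey.url).
    - domain:
        - "auth.{{ .Values.homey.url }}"
      policy: "bypass"
    - domain:
        - "dav.{{ .Values.homey.url }}"
      policy: "one_factor"
    - domain:
        - "ldapadmin.{{ .Values.homey.url }}"
      subject:
        - 'group:admins'
      policy: "two_factor"
    # Admin surfaces: 2FA for the admins group, explicit deny for everyone else.
    # The deny rules duplicate default_policy but make the intent visible.
    - domain:
        - "*.admin.{{ .Values.homey.url }}"
      subject:
        - 'group:admins'
      policy: "two_factor"
    - domain:
        - "*.admin.{{ .Values.homey.url }}"
      policy: "deny"
    - domain:
        - "torrent.{{ .Values.homey.url }}"
      subject:
        - 'group:admins'
      policy: "two_factor"
    - domain:
        - "torrent.{{ .Values.homey.url }}"
      policy: "deny"
    - domain:
        - "stash-dl.{{ .Values.homey.url }}"
      policy: "one_factor"
    - domain:
        - "stash.{{ .Values.homey.url }}"
      policy: "one_factor"
    - domain:
        - "paperless.{{ .Values.homey.url }}"
      policy: "one_factor"

notifier:
  # NOTE(review): the filesystem notifier writes identity-verification and
  # device-registration links to this file instead of e-mailing them. Anyone
  # who can read it can complete those flows; use an SMTP notifier in
  # production and restrict the file's permissions meanwhile.
  filesystem:
    filename: "/var/lib/authelia/emails.txt"

ntp:
  address: 'udp://time.cloudflare.com:123'
  version: 3
  max_desync: '3s'
  disable_startup_check: false
  # disable_failure lets Authelia start even when the clock check fails;
  # TOTP validation depends on accurate time, so monitor clock drift if the
  # NTP check cannot be made fatal.
  disable_failure: true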