{% set vault_addr = 'https://vault.trez.wtf' %}
{% set secrets_path = 'rinoa-docker/env' %}

# yaml-language-server: $schema=https://www.authelia.com/schemas/latest/json-schema/configuration.json
---
theme: auto
default_2fa_method: "totp"
server:
  address: '0.0.0.0:9091'
  endpoints:
    enable_pprof: false
    enable_expvars: false
  disable_healthcheck: false
  tls:
    key: ""
    certificate: ""
    client_certificates: []
  headers:
    csp_template: ""
log:
  level: debug
telemetry:
  metrics:
    enabled: true
    address: tcp://0.0.0.0:9959
totp:
  disable: false
  issuer: authelia.com
  algorithm: sha256
  digits: 6
  period: 30
  skew: 1
  secret_size: 32
webauthn:
  disable: false
  timeout: 60s
  display_name: Authelia
  attestation_conveyance_preference: indirect
  selection_criteria:
    user_verification: preferred
ntp:
  address: "time.cloudflare.com:123"
  version: 4
  max_desync: 3s
  disable_startup_check: false
  disable_failure: false
authentication_backend:
  password_reset:
    disable: false
    custom_url: ""
  ldap:
    implementation: custom
    address: ldap://lldap:3890
    timeout: 5s
    start_tls: false
    base_dn: dc=trez,dc=wtf
    additional_users_dn: ou=people
    users_filter: "(&({username_attribute}={input})(objectClass=person))"
    additional_groups_dn: ou=groups
    groups_filter: "(member={dn})"
    attributes:
      username: uid
      group_name: cn
      mail: mail
      display_name: displayName
    user: uid=authelia,ou=people,dc=trez,dc=wtf
    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_AUTH_BIND_LDAP_PASSWORD'] }}'
  refresh_interval: 5m
identity_validation:
  reset_password:
    jwt_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_JWT_SECRET'] }}'
password_policy:
  standard:
    enabled: true
    min_length: 8
    max_length: 0
    require_uppercase: true
    require_lowercase: true
    require_number: true
    require_special: false
  zxcvbn:
    enabled: false
    min_score: 3
access_control:
  default_policy: deny
  networks:
    - name: 'internal'
      networks:
        - '172.17.0.0/16'
        - '172.18.0.0/16'
        - '192.168.1.0/24'
  rules:
    - domain_regex:
      - '^trez.wtf$'
      - ^www.trez.wtf$''
      policy: bypass
    - domain: '*.trez.wtf'
      policy: bypass
      networks:
        - 'internal'
    - domain: '*.trez.wtf'
      policy: one_factor
      subject:
      - ['user:the.trezured.one']
session:
  name: authelia_session
  secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_SESSION_SECRET'] }}'
  expiration: 1h
  inactivity: 5m
  remember_me: 1M
  cookies:
    - domain: 'trez.wtf'
      authelia_url: 'https://auth.trez.wtf'
  redis:
    host: redis
    port: 6379
storage:
  encryption_key: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_ENCRYPTION_KEY'] }}'
  postgres:
    address: 'tcp://authelia-pg:5432'
    database: authelia
    username: authelia
    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_STORAGE_POSTGRES_PASSWORD'] }}'
    timeout: '5s'
regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 5m
notifier:
  disable_startup_check: true
  smtp:
    address: 'smtp://postal-smtp:25'
    timeout: '5s'
    username: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_USER'] }}'
    password: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['POSTAL_SMTP_AUTH_PASSWORD'] }}'
    sender: "Authelia <noreply@trez.wtf>"
    identifier: 'localhost'
    subject: "[Authelia] {title}"
    startup_check_address: 'test@authelia.com'
    disable_require_tls: true
    disable_starttls: true
    disable_html_emails: false
identity_providers:
  oidc:
    hmac_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_OIDC_HMAC_SECRET'] }}'
    jwks:
      - key: |
          {{ lookup("community.hashi_vault.vault_kv2_get", "env", engine_mount_point="rinoa-docker", url=vault_addr, token=vault_token_cleaned)["secret"]["AUTHELIA_OIDC_JWKS_KEY"] | replace("\\n", "\n") | indent(10) }}
    cors:
      allowed_origins_from_client_redirect_uris: true
      endpoints:
        - 'userinfo'
        - 'authorization'
        - 'token'
        - 'revocation'
        - 'introspection'
    clients:
      - client_id: 'netbird'
        client_name: 'NetBird'
        client_secret: '{{ lookup('community.hashi_vault.vault_kv2_get', 'env', engine_mount_point='rinoa-docker', url=vault_addr, token=vault_token_cleaned)['secret']['AUTHELIA_NETBIRD_CLIENT_SECRET'] }}'
        public: false
        authorization_policy: 'two_factor'
        redirect_uris:
          - 'https://vpn.trez.wtf/peers'
          - 'https://vpn.trez.wtf/add-peers'
          - 'http://localhost'
        scopes:
          - 'openid'
          - 'email'
          - 'profile'
        userinfo_signed_response_alg: 'none'
        token_endpoint_auth_method: 'client_secret_post'