# Authelia configuration template. The {{ ... }} placeholders are filled in
# by the template engine before the result is parsed as YAML.
# NOTE(review): the templated secrets below are emitted as plain (unquoted)
# scalars. A rendered value that is empty, looks like a number/boolean, or
# starts with a YAML indicator would be re-typed or break parsing; consider
# quoting them once the secrets' character set is confirmed.
theme: auto
jwt_secret: {{ authelia.jwt_secret }}
default_redirection_url: https://auth.{{ domain }}/

log:
  # NOTE(review): debug is the verbose setting; confirm it is intended
  # outside troubleshooting and review what ends up in log storage.
  level: debug
  format: json

telemetry:
  metrics:
    # No listen address is set here, so the metrics listener uses the
    # application default; verify it is not reachable from untrusted networks.
    enabled: true

authentication_backend:
  file:
    path: /config/users_database.yml

access_control:
  # Anything not matched by a rule is refused.
  default_policy: deny
  rules:
    # Every host under the templated domain requires a second factor.
    - domain: "*.{{ domain }}"
      policy: two_factor

session:
  secret: {{ authelia.session_secret }}
  domain: {{ domain }}

storage:
  encryption_key: {{ authelia.storage_encryption_key }}
  local:
    path: /config/db.sqlite3

notifier:
  smtp:
    username: apikey
    password: {{ authelia.smtp_password }}
    host: smtp.sendgrid.net
    # NOTE(review): credentials are sent to port 25; confirm the session is
    # upgraded to TLS before authentication. No TLS options are set here.
    port: 25
    sender: authelia@kejadlen.dev

identity_providers:
  oidc:
    # The key is inserted into a literal block scalar; indent(6) is meant to
    # keep the continuation lines of a multi-line key at the scalar's
    # indentation so they stay inside it.
    issuer_private_key: |
      {{ authelia.oidc_private_key | indent(6) }}
    # Client secrets are stored as argon2id digests rather than plaintext.
    # The digests are kept in this template, so their resistance to offline
    # guessing depends on the entropy of the underlying secrets.
    clients:
      - id: grafana
        description: Grafana
        secret: $argon2id$v=19$m=65536,t=3,p=4$bHcAAorVdHuZzuz53WfAQA$x+pIDTo6SsGyY9JD4OZ7dT6pkEcPf8Yh6Yb7DXco8aQ
        public: false
        # The explicit policy is commented out, so this client falls back to
        # the application default; confirm that default for the deployed
        # version.
        # authorization_policy: two_factor
        redirect_uris:
          - https://grafana.{{ domain }}/login/generic_oauth
        scopes:
          - openid
          - profile
          - groups
          - email
        # Userinfo responses for this client are not signed.
        userinfo_signing_algorithm: none
      # This client sets neither `public` nor `userinfo_signing_algorithm`,
      # so both come from the application defaults.
      - id: tailscale
        description: Tailscale
        secret: $argon2id$v=19$m=65536,t=3,p=4$RivlSdV1WE/NLfd3Pzrubw$ljSvHj9sb0byolv7fk5G3nL415nS7Ze2RMASwPgfBX0
        redirect_uris:
          - https://login.tailscale.com/a/oauth_response
        scopes:
          - openid
          - email
          - profile
      - id: gitea
        description: Gitea
        secret: $argon2id$v=19$m=65536,t=3,p=4$bMcI49gLNfk6ovxXbg9jFQ$qE/G5lDzkFebKopyGv1FOqkiA64HhRJ9kq+TJCR0HM0
        public: false
        # The explicit policy is commented out here as well; the client uses
        # the application default.
        # authorization_policy: two_factor
        redirect_uris:
          - https://git.{{ domain }}/user/oauth2/authelia/callback
        scopes:
          - openid
          - email
          - profile
        # Userinfo responses for this client are not signed.
        userinfo_signing_algorithm: none