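# Authelia configuration, rendered from a Jinja template before Authelia reads it.
#
# Templated scalars are single-quoted so that a rendered value which contains " #"
# or ": ", starts with a YAML indicator, is empty, or looks like a number, boolean
# or null is still loaded as the literal string. A rendered value that itself
# contains a single quote would have to double it to remain valid YAML.
#
# How the OIDC client_secret digests further down are generated:
# https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-client-secrets
theme: auto

log:
  # NOTE(review): debug is more verbose than steady-state operation usually needs;
  # confirm it is intentional and check who can read the JSON log stream.
  level: debug
  format: json

telemetry:
  metrics:
    # NOTE(review): confirm the metrics listener is only reachable by the scraper.
    enabled: true

authentication_backend:
  file:
    path: /config/users_database.yml

access_control:
  # Requests that match no rule below are rejected.
  default_policy: deny
  rules:
    # Every rule requires two-factor authentication and names its subjects
    # explicitly: the family group for the first two, the single user alpha
    # for the kejadlen.dev wildcard.
    - domain: docs.kejadlen.dev
      policy: two_factor
      subject:
        - 'group:family'
    - domain: "*.chislan.family"
      policy: two_factor
      subject:
        - 'group:family'
    - domain: "*.kejadlen.dev"
      policy: two_factor
      subject:
        - 'user:alpha'

identity_validation:
  reset_password:
    jwt_secret: '{{ authelia.jwt_secret }}'

session:
  secret: '{{ authelia.session_secret }}'
  cookies:
    - domain: '{{ domain }}'
      authelia_url: 'https://auth.{{ domain }}'
      # default_redirection_url: https://www.{{ domain }}
    - domain: chislan.family
      authelia_url: https://auth.chislan.family

storage:
  # Key used to encrypt data held in the SQLite file below; it is injected at
  # render time rather than stored in this template.
  encryption_key: '{{ authelia.storage_encryption_key }}'
  local:
    path: /config/db.sqlite3

notifier:
  smtp:
    username: apikey
    password: '{{ authelia.smtp_password }}'
    # NOTE(review): smtp:// on port 25 depends on STARTTLS being negotiated before
    # the credentials are sent; leave disable_require_tls and disable_starttls
    # unset so a plaintext session is refused.
    address: smtp://smtp.sendgrid.net:25
    sender: authelia@kejadlen.dev

identity_providers:
  oidc:
    jwks:
      # The signing key is emitted as a literal block scalar. indent(10) pads every
      # line after the first, so the expression itself must stay at column 10.
      - key: |
          {{ authelia.oidc_private_key | indent(10) }}
    clients:
      # Each client_secret is an argon2id digest (parameters are visible in the
      # $argon2id$ prefix), not the plaintext secret configured on the client side.
      # Quoted so the digest is always read as one literal string.
      - client_id: grafana
        client_name: Grafana
        client_secret: '$argon2id$v=19$m=65536,t=3,p=4$bHcAAorVdHuZzuz53WfAQA$x+pIDTo6SsGyY9JD4OZ7dT6pkEcPf8Yh6Yb7DXco8aQ'
        public: false
        redirect_uris:
          - 'https://grafana.{{ domain }}/login/generic_oauth'
        scopes:
          - openid
          - profile
          - groups
          - email
      - client_id: tailscale
        client_name: Tailscale
        client_secret: '$argon2id$v=19$m=65536,t=3,p=4$RivlSdV1WE/NLfd3Pzrubw$ljSvHj9sb0byolv7fk5G3nL415nS7Ze2RMASwPgfBX0'
        # Stated explicitly to match the other clients; false is already the default.
        public: false
        redirect_uris:
          - https://login.tailscale.com/a/oauth_response
        scopes:
          - openid
          - email
          - profile
      - client_id: gitea
        client_name: Gitea
        client_secret: '$argon2id$v=19$m=65536,t=3,p=4$bMcI49gLNfk6ovxXbg9jFQ$qE/G5lDzkFebKopyGv1FOqkiA64HhRJ9kq+TJCR0HM0'
        public: false
        redirect_uris:
          - 'https://git.{{ domain }}/user/oauth2/authelia/callback'
        scopes:
          - openid
          - email
          - profile
      - client_id: miniflux
        client_name: Miniflux
        client_secret: '$argon2id$v=19$m=65536,t=3,p=4$tK5aBDAHOmNsEZzSYS88eg$z6tkZVIzB0x6RQjCM0v34lguS454lcQd/Sm0+xRfg7w'
        public: false
        redirect_uris:
          - 'https://rss.{{ domain }}/oauth2/oidc/callback'
        scopes:
          - openid
          - email
          - profile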