---
# Authelia configuration, laid out in block style. Every value below is the
# one from the original document; only layout and comments are new.

# Access control. Authelia applies the first rule whose domain / subject /
# network / resource / method all match, so the order of `rules` is
# significant: allow-rules for a domain come before its closing `deny`.
access_control:
  default_policy: one_factor

  # Named networks referenced by rules below (trusted LAN and the cluster CIDR).
  networks:
    - name: internal
      networks:
        - 172.30.0.0/26
        - 172.31.1.0/24
    - name: cluster
      networks:
        - 10.149.0.0/16

  rules:
    # Paperless-ngx: group members need 2FA; everyone else is denied.
    - domain: paperless.pyrocufflink.blue
      policy: two_factor
      subject:
        - 'group:Paperless-ngx Users'
    - domain: paperless.pyrocufflink.blue
      policy: deny

    # Firefly III. The `^/api/` bypass is not restricted to a network, so
    # API requests from anywhere reach the upstream without an Authelia
    # session. NOTE(review): confirm the upstream enforces its own token
    # authentication on that path.
    - domain: firefly.pyrocufflink.blue
      resources:
        - '^/api/'
      policy: bypass
    - domain: firefly.pyrocufflink.blue
      policy: two_factor
      subject:
        - 'group:Firefly III Users'
    - domain: firefly-importer.pyrocufflink.blue
      policy: two_factor
      subject:
        - 'group:Firefly III Users'
    # Service account for the importer only needs a single factor. Because
    # the group rule above matches first, this only takes effect for the
    # user when it is not in 'Firefly III Users' — presumably intended.
    - domain: firefly-importer.pyrocufflink.blue
      policy: one_factor
      subject:
        - 'user:svc.xactfetch'
    - domain: firefly.pyrocufflink.blue
      policy: deny
    - domain: firefly-importer.pyrocufflink.blue
      policy: deny

    # Scanner UI: unauthenticated only from the internal network.
    - domain: scan.pyrocufflink.blue
      networks:
        - internal
      policy: bypass

    # Metrics ingestion path is open from any network.
    # NOTE(review): this bypass has no `networks` limit; confirm that the
    # upstream authenticates writes itself or that the proxy restricts it.
    - domain: metrics.pyrocufflink.blue
      resources:
        - '^/insert/.*'
      policy: bypass
    # Read-only Alertmanager access from the internal network only.
    - domain: metrics.pyrocufflink.blue
      networks:
        - internal
      resources:
        - '^/alertmanager([/?].*)?$'
      methods:
        - GET
        - HEAD
        - OPTIONS
      policy: bypass

    # Public form-submission endpoint (no network restriction).
    - domain: hlcforms.pyrocufflink.blue
      resources:
        - '^/submit/.*'
      policy: bypass

    # ARA API writes are allowed without a session only from the internal
    # and cluster networks, and only for POST/PATCH.
    - domain: ara.ansible.pyrocufflink.blue
      networks:
        - internal
        - cluster
      resources:
        - '^/api/.*'
      methods:
        - POST
        - PATCH
      policy: bypass

# Users and groups come from Active Directory over LDAPS with TLS 1.2 as the
# floor. The bind password for the service account is not in this file;
# presumably it is supplied out of band (environment or secrets file) — verify.
authentication_backend:
  ldap:
    base_dn: DC=pyrocufflink,DC=blue
    implementation: activedirectory
    tls:
      minimum_version: TLS1.2
    address: ldaps://pyrocufflink.blue
    user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue

# Extra CA certificates trusted by Authelia for outbound TLS (LDAP, SMTP, DB).
certificates_directory: /run/authelia/certs

identity_providers:
  oidc:
    # Claims included directly in the ID token for clients using this policy.
    claims_policies:
      default:
        id_token:
          - groups
          - email
          - email_verified
          - preferred_username
          - name

    # Confidential clients carry a *hashed* secret (argon2id / pbkdf2-sha512
    # PHC strings); the plaintext exists only on the relying-party side.
    # Clients marked `public: true` have no secret and use loopback or
    # localhost redirect URIs, i.e. CLI / native-app flows.
    clients:
      - client_id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
        client_name: Jenkins
        client_secret: >-
          $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
        redirect_uris:
          - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
        response_types:
          - code
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
          - address
          - phone
        authorization_policy: one_factor
        pre_configured_consent_duration: 8h
        token_endpoint_auth_method: client_secret_post

      - client_id: kubernetes
        client_name: Kubernetes
        public: true
        claims_policy: default
        redirect_uris:
          - http://localhost:8000
          - http://localhost:18000
        authorization_policy: one_factor
        pre_configured_consent_duration: 8h

      - client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
        client_name: MinIO
        client_secret: >-
          $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
        redirect_uris:
          - https://burp.pyrocufflink.blue:9090/oauth_callback
          - https://minio.backups.pyrocufflink.blue/oauth_callback
        claims_policy: default

      - client_id: step-ca
        client_name: step-ca
        public: true
        claims_policy: default
        redirect_uris:
          - http://127.0.0.1
        pre_configured_consent_duration: 8h

      - client_id: argocd
        client_name: Argo CD
        claims_policy: default
        pre_configured_consent_duration: 8h
        redirect_uris:
          - https://argocd.pyrocufflink.blue/auth/callback
        client_secret: >-
          $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw

      - client_id: argocd-cli
        client_name: argocd CLI
        public: true
        claims_policy: default
        pre_configured_consent_duration: 8h
        audience:
          - argocd-cli
        redirect_uris:
          - http://localhost:8085/auth/callback
        response_types:
          - code
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access

      - client_id: sshca
        client_name: SSHCA
        public: true
        claims_policy: default
        pre_configured_consent_duration: 4h
        redirect_uris:
          - http://127.0.0.1
        scopes:
          - openid
          - profile
          - email
          - groups

log:
  level: info

# Outbound mail on port 25 with the TLS requirement disabled.
# NOTE(review): notification mail (identity-verification links/codes) may
# cross the network in plaintext unless the relay negotiates STARTTLS — confirm
# the relay is on a trusted segment.
notifier:
  smtp:
    disable_require_tls: true
    address: 'mail.pyrocufflink.blue:25'
    sender: auth@pyrocufflink.net

# Sessions live at most one day and time out after four idle hours; state is
# kept in Redis. One cookie domain per served apex, each with its own portal.
session:
  expiration: 1d
  inactivity: 4h
  redis:
    host: redis
    port: 6379
  cookies:
    - domain: pyrocufflink.blue
      authelia_url: 'https://auth.pyrocufflink.blue'
    - domain: pyrocufflink.net
      authelia_url: 'https://auth.pyrocufflink.net'

server:
  buffers:
    read: 16384

# The literal `unused` is a placeholder, not a credential; the real password
# is presumably injected out of band (environment / secrets file) or the DB
# uses certificate auth — verify. Server certificate verification stays on.
storage:
  postgres:
    address: postgresql.pyrocufflink.blue
    database: authelia
    username: authelia
    password: unused
    tls:
      skip_verify: false

telemetry:
  metrics:
    enabled: true

theme: auto