# Authelia configuration: access-control rules, LDAP authentication backend,
# OpenID Connect clients, logging, notification, session and storage.
# No bind password, session secret, OIDC signing key or database password
# appears in this file; presumably they are supplied out-of-band (secret
# files or environment) -- confirm in the deployment manifests.

access_control:
  # Policy applied to any request that matches none of the rules below.
  default_policy: one_factor
  networks:
    # Named network group referenced by the scan.pyrocufflink.blue rule.
    - name: internal
      networks:
        - 172.30.0.0/26
        - 172.31.1.0/24
  # Rules are order-sensitive: the first rule that matches a request decides
  # its policy, so narrow rules must stay above broader ones for one domain.
  rules:
    - domain: paperless.pyrocufflink.blue
      policy: two_factor
    # Must precede the two_factor rule for the same domain. "bypass" means
    # Authelia performs no authentication for paths matching ^/api/, so the
    # application has to authenticate API requests itself
    # -- NOTE(review): confirm no unauthenticated endpoint lives under /api/.
    - domain: firefly.pyrocufflink.blue
      resources:
        - '^/api/'
      policy: bypass
    - domain: firefly.pyrocufflink.blue
      policy: two_factor
    # Bypass applies only to clients in the "internal" group; requests from
    # other addresses match no rule and fall to default_policy (one_factor).
    # NOTE(review): this decision depends on the client address Authelia sees;
    # confirm the reverse proxy overwrites forwarded-for headers rather than
    # passing client-supplied values through.
    - domain: scan.pyrocufflink.blue
      networks:
        - internal
      policy: bypass

authentication_backend:
  ldap:
    base_dn: DC=pyrocufflink,DC=blue
    implementation: activedirectory
    tls:
      # Refuse LDAPS handshakes that negotiate below TLS 1.2.
      minimum_version: TLS1.2
    # ldaps:// keeps the service-account bind and user credentials encrypted
    # on the wire.
    url: ldaps://pyrocufflink.blue
    # Dedicated service account for directory access.
    # NOTE(review): keep its directory rights limited to what Authelia needs.
    user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue

# Directory holding additional certificates to trust for outbound TLS
# connections (presumably the internal CA -- confirm).
certificates_directory: /run/authelia/certs

identity_providers:
  oidc:
    clients:
      # Confidential client. The secret is stored as an argon2id digest, not
      # plaintext; the plaintext exists only on the Jenkins side.
      - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
        description: Jenkins
        secret: >-
          $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
        redirect_uris:
          - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
        # offline_access lets the client obtain refresh tokens, extending
        # access beyond the interactive login.
        scopes:
          - openid
          - groups
          - profile
          - email
          - offline_access
        authorization_policy: one_factor
        # A remembered consent is reused for 7 days before prompting again.
        pre_configured_consent_duration: 7d
      # Public client (no secret) with loopback redirect URIs, as used by
      # locally run CLI helpers. Over plain-HTTP loopback the authorization
      # code is protected by PKCE rather than by a client secret
      # -- NOTE(review): confirm PKCE is enforced for public clients.
      - id: kubernetes
        description: Kubernetes
        public: true
        redirect_uris:
          - http://localhost:8000
          - http://localhost:18000
        authorization_policy: one_factor
        pre_configured_consent_duration: 7d
      # Confidential client; secret stored as a PBKDF2-SHA512 digest
      # (310000 iterations). No authorization_policy is set, so the provider
      # default applies (two_factor per Authelia's documented defaults --
      # confirm for the deployed version).
      - id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
        description: MinIO
        secret: >-
          $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
        redirect_uris:
          - https://burp.pyrocufflink.blue:9090/oauth_callback
      # Public client with a loopback redirect and no explicit
      # authorization_policy (provider default applies -- confirm).
      - id: step-ca
        description: step-ca
        public: true
        redirect_uris:
          - http://127.0.0.1
        pre_configured_consent_duration: 7d
      # Confidential client for the Argo CD web UI; secret stored as a
      # PBKDF2-SHA512 digest. No explicit authorization_policy.
      - id: argocd
        description: Argo CD
        pre_configured_consent_duration: 7d
        redirect_uris:
          - https://argocd.pyrocufflink.blue/auth/callback
        secret: >-
          $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
      # Public client for the argocd command-line login (loopback redirect).
      # It may request offline_access, so refresh tokens can end up stored on
      # workstations.
      - id: argocd-cli
        description: argocd CLI
        public: true
        pre_configured_consent_duration: 7d
        redirect_uris:
          - http://localhost:8085/auth/callback
        scopes:
          - openid
          - profile
          - email
          - groups
          - offline_access

log:
  # NOTE(review): trace is the most verbose level. On an authentication
  # service the resulting logs can carry request and session detail; prefer
  # a lower level outside active troubleshooting and restrict who can read
  # the log stream.
  level: trace

notifier:
  smtp:
    # NOTE(review): with this set, mail is still sent when the relay offers
    # no STARTTLS, so identity-verification and password-reset messages can
    # cross the network in cleartext. Acceptable only if the path to the
    # relay is trusted; otherwise require TLS.
    disable_require_tls: true
    host: mail.pyrocufflink.blue
    port: 25
    sender: auth@pyrocufflink.net

session:
  # The session cookie is scoped to the whole pyrocufflink.blue domain, so
  # every host under it receives it.
  domain: pyrocufflink.blue
  # Absolute session lifetime, and idle timeout after which
  # re-authentication is required.
  expiration: 1d
  inactivity: 4h
  # Sessions are stored in Redis. No password or TLS settings are visible
  # here -- NOTE(review): confirm network access to this Redis instance is
  # restricted to Authelia.
  redis:
    host: redis
    port: 6379

server:
  buffers:
    # Read buffer size in bytes (presumably raised to fit large request
    # headers -- confirm).
    read: 16384

storage:
  postgres:
    host: default.postgresql
    database: authelia
    username: authelia.authelia
    tls:
      # Server certificate verification stays enabled for the database
      # connection.
      skip_verify: false