infra/roles/services/templates/authelia/configuration.yml.j2

# Generated by Ansible — do not edit manually
# Authelia v4 configuration

theme: dark

server:
  host: 0.0.0.0
  port: 9091

log:
  level: warn

jwt_secret: "{{ authelia_jwt_secret }}"

default_redirection_url: "https://{{ domain_auth }}"

session:
  name: authelia_session
  secret: "{{ authelia_session_secret }}"
  expiration: 12h
  inactivity: 30m
  domain: "{{ domain_base }}"
  redis:
    host: authelia-redis
    port: 6379

regulation:
  max_retries: 3
  find_time: 2m
  ban_time: 10m

storage:
  encryption_key: "{{ authelia_storage_key }}"
  local:
    path: /config/db.sqlite3

notifier:
  disable_startup_check: true
  filesystem:
    filename: /config/notifications.txt

authentication_backend:
  password_reset:
    disable: false
  file:
    path: /config/users.yml
    password:
      algorithm: argon2id
      iterations: 3
      memory: 65536
      parallelism: 4
      key_length: 32
      salt_length: 16

access_control:
  default_policy: deny
  rules:
    # Authelia portal itself — всегда доступен
    - domain: "{{ domain_auth }}"
      policy: bypass

    # Traefik dashboard — только admin, требует 2FA
    - domain: "{{ domain_traefik }}"
      policy: two_factor
      subject: "group:admins"

    # Syncthing — только admin, требует 2FA
    - domain: "{{ domain_sync }}"
      policy: two_factor
      subject: "group:admins"

    # Plane god-mode — только admin, требует 2FA
    - domain: "{{ domain_plane }}"
      resources:
        - "^/god-mode/.*$"
      policy: two_factor
      subject: "group:admins"