---
port: 9091
tls_cert: /config/ssl/cert.pem
tls_key: /config/ssl/key.pem

logging:
  level: debug

jwt_secret: unsecure_secret

authentication_backend:
  file:
    path: /config/users.yml

session:
  secret: unsecure_session_secret
  domain: example.com
  expiration: 3600  # 1 hour
  inactivity: 300  # 5 minutes
  remember_me_duration: 1y
  # We use redis here to keep the users authenticated when Authelia restarts
  # It eases development.
  redis:
    host: redis
    port: 6379

storage:
  local:
    path: /config/db.sqlite

access_control:
  default_policy: deny
  rules:
    - domain: "home.example.com"
      policy: bypass
    - domain: "public.example.com"
      policy: bypass
    - domain: "admin.example.com"
      policy: two_factor
    - domain: "secure.example.com"
      policy: two_factor
    - domain: "singlefactor.example.com"
      policy: one_factor
    - domain: "oidc.example.com"
      policy: two_factor
    - domain: "oidc-public.example.com"
      policy: bypass

notifier:
  smtp:
    host: smtp
    port: 1025
    sender: admin@example.com
    disable_require_tls: true

identity_providers:
  oidc:
    hmac_secret: IVPWBkAdJHje3uz7LtFTDU2pFUfh39Xm
    issuer_private_key: |
      -----BEGIN RSA PRIVATE KEY-----
      MIIEogIBAAKCAQEAvOFmoEJFt1JkfdlwM3vJFg5rrY9d6LyyqezjZkBZDQ4qdEEU
      dCrbW8ISFTtg9sfbrS3qingUzVP9VOfYPMC3r0ugjJXjhvJdBSaoLlzL3saeyrXk
      frOOvkcWKzeOynqUNPhKy9dchmuLALFfd/Jy7Wzq0y7XxGeNidEmFjMAf9dwf6/+
      PjQjbG7zBFu/XSajITPHlDXPVDd0j2qw2wu5Z9iqn4LRXnAFnC438hZZKZU/+JxU
      2ezr6Sefiy8XTC2kDiq3cgLeEjSywlJOs+4TLjVS/3h75sh2Wk0xVaSwjPEjCOgm
      a+2E3GJrGdQBiAjMSu101VBVwHUHaLDCn1T4NwIDAQABAoIBADWkupXnXI99Ogc4
      GxK0JF88Rz6qyhwQg5mZKthejCwWCt6roRiBF33O933KOHa+OljMAqHDCv1pzjgw
      BIz0mvaRPw7OfylTajHNUdShDFHADVc7I6MMcgz+eYBarhY5jCAjKHMOPjv7DSZs
      OdYCKLvfxC2oTyV714n9uZhyccDcvQpkgZuBDL0oxPom1GOI8TGhPjxvFOovEHWA
      Q8q9XY4cUVNDikZmvpgeUkJHWYHYb+11vKeSupnYD03yJ3sDy+F6+m+3/XmzFbXb
      1p43ermHQsMfDlxPyulUUI0viSo2UhlMC/moAb9FusOv+dTl2lt0gGqzDJ9gg1z1
      XpHRnwkCgYEA5x48dyxd4lydtVYef9sBmbLJEYozsYyOwLcnrLSNaZxeCza1exyR
      QIRogswoLDacxrYvO8FY6LtAEMkisv732M29zthBPm5wyoSZiM1X2YfQXKsmyh2h
      x1/yCWv/BQjj68A8IAxToaXxSG4WAr/X00RGUkXgkgw122FxcmGuFyUCgYEA0TcR
      dnt/oRMK4aCZHcBgTknzDfxKlJh4S0C9WjxKgr8IlW4LTeVSBuuqOObOQYImEhtw
      TRTKZIViL0roDF79cioQSp1Tk5h6uy8wr6VyhWRnWfTz2/azoTHnmQ780rtAuEI/
      NvE6FiqwikJLjma1YJoRfr/bfmgMdxcYbJI1MSsCgYAEZ5Yda1IKu1siFpcUNrdM
      F5UvaWPc0WHzGEqARxye06UTL6K7yuqVwTBAteVaGlxYiSZTTDcGkHMDHuIzaRqO
      HjWs2IA90VsC8Q4ABnHTKnx1F6nwlin8I774IP/GN8ooNwyuS63YWdJEYBy5RrC1
      TQrODJjgD62DFdNUq7nmpQKBgFMJEzI+Q+KPJ0NztTG8t7x61y/W0Vb2yM+9Syn0
      QfJwlZyRR4VMHelHQZFB8dzIJgoLv9+n/8gztEtm5IB8dwUHst2aYaBz5UpDqYQd
      Gz3cIrTuZpcH7DVvFCeIbknJLh+zk1lgFpjTqqvFMi27kANeQtFWnmwmKcRec0As
      K1ZvAoGAV/3YB44/zIoB590+yhpx2HTmDPVHH+J+5O71Pi1D9W13ClBFLrE69wo+
      IQLIstBI5tGOGeuQNjXhDKJ1U30xppZXcnebrkA+oOo+6dy20zghFR2maAGXfWFU
      pM4GsSnSTm0bXPebVouQFqhj7LqcQQzCqRDThmw/Lp1tJUmu40g=
      -----END RSA PRIVATE KEY-----
    clients:
      - id: oidc-tester-app
        secret: foobar
        policy: two_factor
        redirect_uris:
          - https://oidc.example.com:8080/oauth2/callback
      # This client is used for testing purpose. As of now, the app must be protected by ACLs
      # otherwise it won't work properly.
      - id: oidc-tester-app-public
        secret: foobar
        authorization_policy: one_factor
        redirect_uris:
          - https://oidc-public.example.com:8080/oauth2/callback
...