---
default_redirection_url: 'https://home.example.com:8080/'

server:
  address: 'tcp://127.0.0.1:9091'

log:
  level: 'debug'

totp:
  issuer: 'authelia.com'

duo_api:
  hostname: 'api-123456789.example.com'
  integration_key: 'ABCDEF'

authentication_backend:
  ldap:
    address: 'ldap://127.0.0.1'
    base_dn: 'dc=example,dc=com'
    username_attribute: 'uid'
    additional_users_dn: 'ou=users'
    users_filter: '(&({username_attribute}={input})(objectCategory=person)(objectClass=user))'
    additional_groups_dn: 'ou=groups'
    groups_filter: '(&(member={dn})(objectClass=groupOfNames))'
    group_name_attribute: 'cn'
    mail_attribute: 'mail'
    user: 'cn=admin,dc=example,dc=com'

access_control:
  default_policy: 'deny'

  rules:
    # Rules applied to everyone
    - domain: 'public.example.com'
      policy: 'bypass'

    - domain: 'secure.example.com'
      policy: 'one_factor'
      # Network based rule, if not provided any network matches.
      networks:
        - '192.168.1.0/24'
    - domain: 'secure.example.com'
      policy: 'two_factor'

    - domain: ['singlefactor.example.com', 'onefactor.example.com']
      policy: 'one_factor'

    # Rules applied to 'admins' group
    - domain: 'mx2.mail.example.com'
      subject: 'group:admins'
      policy: 'deny'
    - domain: '*.example.com'
      subject: 'group:admins'
      policy: 'two_factor'

    # Rules applied to 'dev' group
    - domain: 'dev.example.com'
      resources:
        - '^/groups/dev/.*$'
      subject: 'group:dev'
      policy: 'two_factor'

    # Rules applied to user 'john'
    - domain: 'dev.example.com'
      resources:
        - '^/users/john/.*$'
      subject: 'user:john'
      policy: 'two_factor'

    # Rules applied to 'dev' group and user 'john'
    - domain: 'dev.example.com'
      resources:
        - '^/deny-all.*$'
      subject: ['group:dev', 'user:john']
      policy: 'deny'

    # Rules applied to user 'harry'
    - domain: 'dev.example.com'
      resources:
        - '^/users/harry/.*$'
      subject: 'user:harry'
      policy: 'two_factor'

    # Rules applied to user 'bob'
    - domain: '*.mail.example.com'
      subject: 'user:bob'
      policy: 'two_factor'
    - domain: 'dev.example.com'
      resources:
        - '^/users/bob/.*$'
      subject: 'user:bob'
      policy: 'two_factor'

session:
  name: 'authelia_session'
  expiration: '1h'  # 1 hour
  inactivity: '5m'  # 5 minutes
  domain: 'example.com'
  redis:
    host: '127.0.0.1'
    port: 6379
    high_availability:
      sentinel_name: 'test'

regulation:
  max_retries: 3
  find_time: '2m'
  ban_time: '5m'

storage:
  mysql:
    address: 'tcp://127.0.0.1:3306'
    database: 'authelia'
    username: 'authelia'

notifier:
  smtp:
    address: 'smtp://127.0.0.1:1025'
    username: 'test'
    sender: 'admin@example.com'
    disable_require_tls: true

identity_providers:
  oidc:
    cors:
      allowed_origins:
        - 'https://google.com'
        - 'https://example.com'
    clients:
      - id: 'abc'
        secret: '123'
        consent_mode: 'explicit'
...