---
session:
  # redis:
  #   high_availability:
  #     sentinel_name: redis-master
  #     nodes:
  #       - host: redis-node-0.redis-headless.default.svc.cluster.local.
  #         port: 26379
  #       - host: redis-node-1.redis-headless.default.svc.cluster.local.
  #         port: 26379
  #       - host: redis-node-2.redis-headless.default.svc.cluster.local.
  #         port: 26379

access_control:
  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
  ## resource if there is no policy to be applied to the user.
  default_policy: two_factor
  networks:
    - name: private
      networks: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
    - name: vpn
      networks: ["10.10.0.0/16"]
  rules:
    # bypass Authelia WAN + LAN
    - domain:
        - auth.${SECRET_CLUSTER_DOMAIN}
      policy: bypass
    # One factor auth for LAN
    - domain:
        - "*.${SECRET_CLUSTER_DOMAIN}"
      policy: one_factor
      subject: ["group:homelab_admins", "group:homelab_users"]
      networks:
        - private
    # Deny public resources
    - domain: ["navidrome.${SECRET_CLUSTER_DOMAIN}"]
      resources: ["^/metrics.*$"]
      policy: deny
identity_providers:
  oidc:
    cors:
      endpoints: ["authorization", "token", "revocation", "introspection"]
      allowed_origins_from_client_redirect_uris: true
    clients:
      - id: gitea
        secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
        public: false
        authorization_policy: two_factor
        scopes: ["openid", "profile", "groups", "email"]
        redirect_uris:
          [
            "https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback",
          ]
        userinfo_signing_algorithm: none
      - id: grafana
        description: Grafana
        secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: ["openid", "profile", "groups", "email"]
        redirect_uris:
          ["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
        userinfo_signing_algorithm: none
      - id: outline
        description: Outline
        secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: ["openid", "profile", "email", "offline_access"]
        redirect_uris:
          ["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
        userinfo_signing_algorithm: none
      - id: immich
        description: Immich
        secret: "${SECRET_IMMICH_OAUTH_CLIENT_SECRET}"
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: ["openid", "profile", "email"]
        redirect_uris: ["https://photos.${SECRET_CLUSTER_DOMAIN}/auth/login", "app.immich:/"]
        userinfo_signing_algorithm: none
      - id: headlamp
        description: Immich
        secret: "${SECRET_HEADLAMP_OAUTH_CLIENT_SECRET}"
        public: false
        authorization_policy: two_factor
        pre_configured_consent_duration: 1y
        scopes: ["openid", "profile", "email"]
        redirect_uris: ["https://headlamp.${SECRET_CLUSTER_DOMAIN}/oidc-callback"]
        userinfo_signing_algorithm: none