diff --git a/authelia/configuration.yml b/authelia/configuration.yml
new file mode 100644
index 0000000..b67a666
--- /dev/null
+++ b/authelia/configuration.yml
@@ -0,0 +1,57 @@
+server:
+ address: 'tcp://:9091/'
+
+log:
+ level: 'debug'
+
+identity_validation:
+ reset_password:
+ jwt_secret: '0fff6f12d0d727a74ca813e107ee873d82bef7b8450d55a03158006a6fbbe78f58e8db90c9f41dfc38d53debddba132f53185d6'
+
+authentication_backend:
+ file:
+ path: '/config/users_database.yml'
+
+session:
+ name: 'authelia_session'
+ same_site: 'lax'
+ secret: 'd2577b2d4b5f7b6320c1ca5a77dfa53a78b870c1b8bb6f3929216c527b0a8f59033499c3ac0fcdfc6f4547c96fe731b8f954441f5'
+ expiration: '1h'
+ inactivity: '5m'
+ cookies:
+ - domain: 'goattw.net'
+ authelia_url: 'https://auth.goattw.net'
+ default_redirection_url: 'https://traefik.goattw.net'
+
+storage:
+ encryption_key: '683456fac1b8a8c71f075b0211307f010e24dece4f2c180ed940ef38d6ac32e866e26f72fb9e9f77e34a5bb7647f40b13'
+ local:
+ path: '/config/db.sqlite3'
+
+totp:
+ issuer: 'Authelia'
+ period: 30
+ skew: 1
+
+notifier:
+ filesystem:
+ filename: '/config/notification.txt'
+
+access_control:
+ default_policy: deny
+ rules:
+ # Rule 1: Allow Immich API (Bypass)
+ - domain: "immich.goattw.net"
+ policy: bypass
+ resources:
+ - "^/api/.*"
+
+ # --- HOME BYPASS (ENABLED) ---
+ - domain: "*.goattw.net"
+ policy: bypass
+ networks:
+ - 192.168.99.0/24
+
+ # Rule 2: Require Login for Everyone Else
+ - domain: "*.goattw.net"
+ policy: two_factor
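Review bot: The new file commits three live secrets in clear text — `identity_validation.reset_password.jwt_secret`, `session.secret` and `storage.encryption_key` — so they are now part of git history and should be treated as exposed: rotate all three (the storage key via Authelia's `storage encryption change-key` command, since it encrypts the SQLite contents) and drop the keys from this file in favour of Authelia's `_FILE`-suffixed environment variables or a mounted secrets file, with a comment such as `# secrets are supplied via AUTHELIA_*_FILE environment variables, never in this file`. `log.level: 'debug'` is also committed as the default and will write request-level detail to the log stream in production; `'info'` is the safer committed default with debug enabled per-deployment. The `networks: 192.168.99.0/24` bypass for `*.goattw.net` is only as strong as the client IP Authelia derives from the proxy's forwarded headers, so a comment should record which proxy is trusted to set them and that Authelia must not be reachable except through it. Mixed quoting (single quotes in the upper sections, double quotes in `access_control`) is harmless but worth normalising to one style before the file grows.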