server:
  address: 'tcp://:9091/'

log:
  level: 'debug'

identity_validation:
  reset_password:
    jwt_secret: '0fff6f12d0d727a74ca813e107ee873d82bef7b8450d55a03158006a6fbbe78f58e8db90c9f41dfc38d53debddba132f53185d6'

authentication_backend:
  file:
    path: '/config/users_database.yml'

session:
  name: 'authelia_session'
  same_site: 'lax'
  secret: 'd2577b2d4b5f7b6320c1ca5a77dfa53a78b870c1b8bb6f3929216c527b0a8f59033499c3ac0fcdfc6f4547c96fe731b8f954441f5'
  expiration: '1h'
  inactivity: '5m'
  cookies:
    - domain: 'goattw.net'
      authelia_url: 'https://auth.goattw.net'
      default_redirection_url: 'https://traefik.goattw.net'

storage:
  encryption_key: '683456fac1b8a8c71f075b0211307f010e24dece4f2c180ed940ef38d6ac32e866e26f72fb9e9f77e34a5bb7647f40b13'
  local:
    path: '/config/db.sqlite3'

totp:
  issuer: 'Authelia'
  period: 30
  skew: 1

notifier:
  filesystem:
    filename: '/config/notification.txt'

access_control:
  default_policy: deny
  rules:
    # Rule 1: Allow Immich API (Bypass)
    - domain: "immich.goattw.net"
      policy: bypass
      resources:
        - "^/api/.*"

    # --- HOME BYPASS (ENABLED) ---
    - domain: "*.goattw.net"
      policy: bypass
      networks:
        - 192.168.99.0/24

    # Rule 2: Require Login for Everyone Else
    - domain: "*.goattw.net"
      policy: two_factor