# Global options: ACME settings, handler ordering, proxy trust and the
# caddy-security (authp) identity / authentication / authorization setup.
{
  # ACME contact and DNS-01 challenge provider. The Cloudflare token is read
  # from the environment, never stored in this file. DNS-01 is what allows the
  # wildcard site at the bottom of the file to obtain its certificate.
  email dead@cxap.space
  acme_dns cloudflare {$CF_API_TOKEN}

  # The caddy-security handlers are not part of Caddy's built-in directive
  # order, so they are positioned explicitly: the portal runs before
  # `respond`, and the policy check runs before `basicauth`.
  order authenticate before respond
	order authorize before basicauth
  
  servers {
    # Client-IP / X-Forwarded-* headers are trusted only from private-range
    # sources. Any host in those ranges with direct access to this listener
    # can therefore set the client IP seen by logs and ACLs — keep that set
    # of hosts small and known.
    trusted_proxies static private_ranges
  }

  security {
    # File-backed user store; user records live in /data/users.json, so that
    # file needs the same access protection as a secret.
    local identity store localdb {
      realm local
      path /data/users.json
    }

    # Login portal. Token and cookie lifetimes both default to 43200
    # (12h if the unit is seconds — confirm against the plugin docs) and can
    # be overridden through the environment.
    authentication portal authportal {
      crypto default token lifetime {$AUTH_TOKEN_LIFETIME:43200}
      # Symmetric key: the same {$JWT} value signs tokens here and verifies
      # them in the apikey_or_admin policy below. Both must see the same
      # secret, and rotating it invalidates every issued token.
      crypto key sign-verify {$JWT}
      enable identity store localdb

      # The cookie is scoped to the parent domain, so it is sent to every
      # *.realy.nothing.help host, including hosts that do no authorization.
      cookie domain realy.nothing.help
      cookie lifetime {$AUTH_COOKIE_LIFETIME:43200}
      cookie samesite lax

      ui {
        # Landing-page links only; they are display-only and grant nothing.
        links {
          "Portainer"   "https://port.realy.nothing.help" icon "las la-tachometer-alt"
          "My Identity" "/auth/whoami" icon "las la-id-badge"
          "My Profile"  "/auth/profile/" icon "las la-user"
        }
      }

      # Every user from the local store is granted authp/admin, so for local
      # accounts the admin/user distinction in apikey_or_admin collapses to
      # "any local login". The `require mfa` line is commented out, so no
      # second factor is enforced for these accounts.
      transform user {
        match origin local
        action add role authp/admin
        # require mfa
      }
    }

    # Policy used by `authorize with apikey_or_admin`. Besides portal tokens
    # it accepts HTTP Basic and API-key credentials checked against the local
    # realm of authportal, so those credentials are as powerful as a login
    # session wherever this policy is applied.
    authorization policy apikey_or_admin {
      set auth url https://auth.realy.nothing.help
      allow roles authp/admin authp/user
      crypto key verify {$JWT}

      with basic auth portal authportal realm local
      with api key auth portal authportal realm local

      # Explicit ACL: authp/user is allowed (logged at info); everything else
      # reaches the default-deny rule (logged at warn). Note the explicit rule
      # matches only authp/user; whether the `allow roles` line above also
      # admits a subject holding only authp/admin depends on how the plugin
      # merges the two — confirm before relying on it.
      acl rule {
			comment allow users
			match role authp/user
			allow stop log info
      }
      acl rule {
        comment default deny
        match any
        deny log warn
      }
    }
  }
}

# Reusable snippet for protected sites: enforce apikey_or_admin and forward
# the token claims to the upstream as request headers. No site in this file as
# shown imports it; a site block gains the check with `import auth_forward`.
(auth_forward) {
  authorize with apikey_or_admin {
    set auth url https://auth.realy.nothing.help
    # Upstreams receive claim headers from this proxy; they should trust those
    # headers only when the request arrives through it.
    inject headers with claims
  }
}

# The portal host itself: serves the login UI and the token endpoints.
auth.realy.nothing.help {
  route {
    authenticate with authportal
  }

  # Browser hardening for the portal: one-year HSTS with preload, no MIME
  # sniffing, no framing (clickjacking), and no referrer leakage.
  header {
    Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
    X-Content-Type-Options "nosniff"
    X-Frame-Options "DENY"
    Referrer-Policy "no-referrer"
  }
}

# Catch-all for every other subdomain, served from the wildcard certificate
# obtained via the DNS challenge. It answers "/" with "ok" without any
# authorization and without the security headers set on the portal host;
# the portal cookie (scoped to realy.nothing.help) is also sent to these hosts.
*.realy.nothing.help {
    respond / "ok"
}