os/hosts/pie/authelia.nix

{
  flake,
  lib,
  config,
  pkgs,
  ...
}:
with lib; let
  psCfg = config.pub-solar;
  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
  age.secrets."authelia-storage-encryption-key" = {
    file = "${flake.self}/secrets/authelia-storage-encryption-key.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  age.secrets."authelia-session-secret" = {
    file = "${flake.self}/secrets/authelia-session-secret.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  age.secrets."authelia-oidc-issuer-private-key" = {
    file = "${flake.self}/secrets/authelia-oidc-issuer-private-key.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  age.secrets."authelia-oidc-hmac-secret" = {
    file = "${flake.self}/secrets/authelia-oidc-hmac-secret.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  age.secrets."authelia-jwt-secret" = {
    file = "${flake.self}/secrets/authelia-jwt-secret.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  age.secrets."authelia-users-file" = {
    file = "${flake.self}/secrets/authelia-users-file.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  security.acme.certs = {
    "auth.b12f.io" = {};
  };

  services.nginx.virtualHosts = {
    "auth.b12f.io" = {
      forceSSL = true;
      useACMEHost = "auth.b12f.io";
      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.authelia.instances.b12f.settings.server.port}";
      listenAdresses = [
        "127.0.0.1"
        "::1"
        "10.13.12.2"
        "fd00:b12f:acab:1312:acab:2::"
      ];
    };
  };

  services.authelia.instances.b12f = {
    enable = true;

    secrets = {
      storageEncryptionKeyFile = config.age.secrets."authelia-storage-encryption-key".path;
      sessionSecretFile = config.age.secrets."authelia-session-secret".path;
      oidcIssuerPrivateKeyFile = config.age.secrets."authelia-oidc-issuer-private-key".path;
      oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;
      jwtSecretFile = config.age.secrets."authelia-jwt-secret".path;
    };

    settings = {
      theme = "light";
      default_2fa_method = "totp";
      log.level = "debug";
      server.disable_healthcheck = true;
      authentication_backend = {
        refresh_interval = "disable";
        password_reset = { disable = true; };
        file = {
          path = config.age.secrets."authelia-users-file".path;
          watch = false;
        };
      };
      duo_api.disable = true;
      webauthn.user_verification = "required";
      totp.issuer: "auth.b12f.io";
      storage.local.path = "/var/lib/authelia/db.sqlite3";
      identity_providers.oidc = {
        authorization_policies.policy_name = {
          default_policy = "two_factor";
          rules = [
            {
              policy = "deny";
              subject = "group:services";
            }
          ];
        };
      };
    };
  };

  services.restic.backups = {
    authelia = {
      paths = [ "/var/lib/authelia" ];
      initialize = true;
      passwordFile = config.age.secrets."restic-password".path;
      # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
      repository = "rclone:cloud.pub.solar:/backups/Authelia";
      rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
    };
  };
}
authelia: init 2024-03-25 20:06:08 +00:00			`{`
			`flake,`
			`lib,`
			`config,`
			`pkgs,`
			`...`
			`}:`
			`with lib; let`
			`psCfg = config.pub-solar;`
			`xdg = config.home-manager.users."${psCfg.user.name}".xdg;`
			`in {`
			`age.secrets."authelia-storage-encryption-key" = {`
			`file = "${flake.self}/secrets/authelia-storage-encryption-key.age";`
			`mode = "400";`
			`owner = "authelia-b12f";`
			`};`

			`age.secrets."authelia-session-secret" = {`
			`file = "${flake.self}/secrets/authelia-session-secret.age";`
			`mode = "400";`
			`owner = "authelia-b12f";`
			`};`

			`age.secrets."authelia-oidc-issuer-private-key" = {`
			`file = "${flake.self}/secrets/authelia-oidc-issuer-private-key.age";`
			`mode = "400";`
			`owner = "authelia-b12f";`
			`};`

			`age.secrets."authelia-oidc-hmac-secret" = {`
			`file = "${flake.self}/secrets/authelia-oidc-hmac-secret.age";`
			`mode = "400";`
			`owner = "authelia-b12f";`
			`};`

			`age.secrets."authelia-jwt-secret" = {`
			`file = "${flake.self}/secrets/authelia-jwt-secret.age";`
			`mode = "400";`
			`owner = "authelia-b12f";`
			`};`

			`age.secrets."authelia-users-file" = {`
			`file = "${flake.self}/secrets/authelia-users-file.age";`
			`mode = "400";`
			`owner = "authelia-b12f";`
			`};`

			`security.acme.certs = {`
			`"auth.b12f.io" = {};`
			`};`

			`services.nginx.virtualHosts = {`
			`"auth.b12f.io" = {`
			`forceSSL = true;`
			`useACMEHost = "auth.b12f.io";`
			`locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.authelia.instances.b12f.settings.server.port}";`
			`listenAdresses = [`
			`"127.0.0.1"`
			`"::1"`
			`"10.13.12.2"`
			`"fd00:b12f:acab:1312:acab:2::"`
			`];`
			`};`
			`};`

			`services.authelia.instances.b12f = {`
			`enable = true;`

			`secrets = {`
			`storageEncryptionKeyFile = config.age.secrets."authelia-storage-encryption-key".path;`
			`sessionSecretFile = config.age.secrets."authelia-session-secret".path;`
			`oidcIssuerPrivateKeyFile = config.age.secrets."authelia-oidc-issuer-private-key".path;`
			`oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;`
			`jwtSecretFile = config.age.secrets."authelia-jwt-secret".path;`
			`};`

			`settings = {`
			`theme = "light";`
			`default_2fa_method = "totp";`
			`log.level = "debug";`
			`server.disable_healthcheck = true;`
			`authentication_backend = {`
			`refresh_interval = "disable";`
			`password_reset = { disable = true; };`
			`file = {`
			`path = config.age.secrets."authelia-users-file".path;`
			`watch = false;`
			`};`
			`};`
			`duo_api.disable = true;`
			`webauthn.user_verification = "required";`
			`totp.issuer: "auth.b12f.io";`
			`storage.local.path = "/var/lib/authelia/db.sqlite3";`
			`identity_providers.oidc = {`
			`authorization_policies.policy_name = {`
			`default_policy = "two_factor";`
			`rules = [`
			`{`
			`policy = "deny";`
			`subject = "group:services";`
			`}`
			`];`
			`};`
			`};`
			`};`
			`};`

			`services.restic.backups = {`
			`authelia = {`
			`paths = [ "/var/lib/authelia" ];`
			`initialize = true;`
			`passwordFile = config.age.secrets."restic-password".path;`
			`# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/`
			`repository = "rclone:cloud.pub.solar:/backups/Authelia";`
			`rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;`
			`};`
			`};`
			`}`