os/hosts/pie/authelia.nix



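{
  lib,
  config,
  pkgs,
  flake,
  ...
}:
let
  # Listen address of the Authelia instance ("127.0.0.1:9092" below). Every
  # nginx location that fronts Authelia proxies to this one value, so it is
  # bound once here instead of being repeated per location.
  autheliaAddress = config.services.authelia.instances.b12f.settings.server.address;

  # All secrets consumed by this instance share the same shape: decrypted by
  # agenix to a runtime path, owned by the service user and readable only by
  # it (mode 400). Options below reference the decrypted *path*, so no secret
  # material ends up in the Nix store.
  instanceSecret = name: {
    file = "${flake.self}/secrets/${name}.age";
    mode = "400";
    owner = "authelia-b12f";
  };
in {
  # Replace the Authelia module bundled with the nixpkgs revision in use by the
  # one shipped in the `authelia-438` flake input (presumably a pinned, newer
  # module — confirm against the flake's inputs).
  disabledModules = [
    "services/security/authelia.nix"
  ];
  imports = [
    "${flake.inputs.authelia-438}/nixos/modules/services/security/authelia.nix"
  ];

  age.secrets = lib.genAttrs [
    "authelia-storage-encryption-key"
    "authelia-session-secret"
    "authelia-jwt-secret"
    "authelia-users-file"
    "mail@b12f.io-password"
  ] instanceSecret;

  security.acme.certs = {
    "auth.b12f.io" = {};
  };

  # TLS-only vhost in front of the loopback-bound Authelia listener.
  services.nginx.virtualHosts."auth.b12f.io" = {
    forceSSL = true;
    useACMEHost = "auth.b12f.io";
    locations = {
      "/" = {
        proxyPass = "http://${autheliaAddress}";
        extraConfig = "include /etc/nginx/conf-available/proxy.conf;";
      };
      # Forward-auth endpoints. NOTE(review): unlike "/", these two locations
      # do not include proxy.conf, so whatever headers it sets are not applied
      # on these paths — confirm that is intended.
      "/api/verify".proxyPass = "http://${autheliaAddress}";
      "/api/authz".proxyPass = "http://${autheliaAddress}";
    };
  };

  services.authelia.instances.b12f = {
    enable = true;
    # Key material is passed as paths to the decrypted agenix secrets declared
    # above, never as literal values.
    secrets = {
      storageEncryptionKeyFile = config.age.secrets."authelia-storage-encryption-key".path;
      sessionSecretFile = config.age.secrets."authelia-session-secret".path;
      jwtSecretFile = config.age.secrets."authelia-jwt-secret".path;
    };
    settings = {
      theme = "light";
      default_2fa_method = "webauthn";
      # NOTE(review): debug logging is verbose and may record request details;
      # confirm it is wanted on a production instance.
      log.level = "debug";
      server = {
        # Loopback only; the nginx vhost above is the intended entry point.
        address = "127.0.0.1:9092";
        endpoints.authz.auth-request.implementation = "AuthRequest";
      };
      authentication_backend = {
        # The users file is read with no periodic refresh and no file watch,
        # so presumably user changes only take effect after a service restart.
        refresh_interval = "disable";
        password_reset = {disable = true;};
        file = {
          path = config.age.secrets."authelia-users-file".path;
          watch = false;
        };
      };
      duo_api.disable = true;
      # Require user verification on the authenticator itself.
      webauthn.user_verification = "required";
      totp.issuer = "auth.b12f.io";
      storage.local.path = "/var/lib/authelia-b12f/db.sqlite3";
      # No per-resource rules are defined in this file, so every request falls
      # under the default policy and must complete second-factor auth.
      access_control.default_policy = "two_factor";
      session.cookies = [
        {
          domain = "b12f.io";
          authelia_url = "https://auth.b12f.io";
        }
      ];
      notifier.smtp = {
        host = "mail.b12f.io";
        port = 587;
        username = "mail@b12f.io";
        sender = "auth.b12f.io <mail@b12f.io>";
        identifier = "auth@b12f.io";
        subject = "[auth.b12f.io] {title}";
      };
    };
  };
  # The SMTP password reaches Authelia through its *_FILE environment variable
  # rather than being inlined into the generated configuration file.
  systemd.services.authelia-b12f.environment.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path;

  # Off-site backup of the instance state directory (which holds the SQLite
  # database configured above). The `restic-password` and `rclone-pie.conf`
  # secrets are not declared in this file.
  services.restic.backups.authelia = {
    paths = ["/var/lib/authelia-b12f"];
    initialize = true;
    passwordFile = config.age.secrets."restic-password".path;
    # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
    repository = "rclone:cloud.pub.solar:/backups/Authelia";
    rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
  };
}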