2024-03-25 20:06:08 +00:00
|
|
|
{
|
|
|
|
lib,
|
|
|
|
config,
|
|
|
|
pkgs,
|
2024-04-06 00:36:58 +00:00
|
|
|
flake,
|
2024-03-25 20:06:08 +00:00
|
|
|
...
|
|
|
|
}:
|
|
|
|
with lib; let
|
|
|
|
psCfg = config.pub-solar;
|
|
|
|
xdg = config.home-manager.users."${psCfg.user.name}".xdg;
|
|
|
|
in {
|
2024-09-12 11:58:32 +00:00
|
|
|
disabledModules = [
|
|
|
|
"services/security/authelia.nix"
|
|
|
|
];
|
|
|
|
|
|
|
|
imports = [
|
|
|
|
"${flake.inputs.nixpkgs-master}/nixos/modules/services/security/authelia.nix"
|
|
|
|
];
|
|
|
|
|
2024-03-25 20:06:08 +00:00
|
|
|
age.secrets."authelia-storage-encryption-key" = {
|
|
|
|
file = "${flake.self}/secrets/authelia-storage-encryption-key.age";
|
|
|
|
mode = "400";
|
|
|
|
owner = "authelia-b12f";
|
|
|
|
};
|
|
|
|
|
|
|
|
age.secrets."authelia-session-secret" = {
|
|
|
|
file = "${flake.self}/secrets/authelia-session-secret.age";
|
|
|
|
mode = "400";
|
|
|
|
owner = "authelia-b12f";
|
|
|
|
};
|
|
|
|
|
|
|
|
age.secrets."authelia-jwt-secret" = {
|
|
|
|
file = "${flake.self}/secrets/authelia-jwt-secret.age";
|
|
|
|
mode = "400";
|
|
|
|
owner = "authelia-b12f";
|
|
|
|
};
|
|
|
|
|
2024-09-06 17:29:08 +00:00
|
|
|
age.secrets."authelia-oidc-issuer-private-key" = {
|
|
|
|
file = "${flake.self}/secrets/authelia-oidc-issuer-private-key.age";
|
|
|
|
mode = "400";
|
|
|
|
owner = "authelia-b12f";
|
|
|
|
};
|
|
|
|
|
|
|
|
age.secrets."authelia-oidc-hmac-secret" = {
|
|
|
|
file = "${flake.self}/secrets/authelia-oidc-hmac-secret.age";
|
|
|
|
mode = "400";
|
|
|
|
owner = "authelia-b12f";
|
|
|
|
};
|
|
|
|
|
|
|
|
age.secrets."authelia-jwks-private-key" = {
|
|
|
|
file = "${flake.self}/secrets/authelia-jwks-private-key.age";
|
|
|
|
mode = "400";
|
|
|
|
owner = "authelia-b12f";
|
|
|
|
};
|
|
|
|
|
2024-03-25 20:06:08 +00:00
|
|
|
age.secrets."authelia-users-file" = {
|
|
|
|
file = "${flake.self}/secrets/authelia-users-file.age";
|
|
|
|
mode = "400";
|
|
|
|
owner = "authelia-b12f";
|
|
|
|
};
|
|
|
|
|
2024-04-03 19:02:21 +00:00
|
|
|
age.secrets."mail@b12f.io-password" = {
|
|
|
|
file = "${flake.self}/secrets/mail@b12f.io-password.age";
|
|
|
|
mode = "400";
|
|
|
|
owner = "authelia-b12f";
|
|
|
|
};
|
|
|
|
|
2024-03-25 20:06:08 +00:00
|
|
|
security.acme.certs = {
|
|
|
|
"auth.b12f.io" = {};
|
|
|
|
};
|
|
|
|
|
|
|
|
services.nginx.virtualHosts = {
|
|
|
|
"auth.b12f.io" = {
|
|
|
|
forceSSL = true;
|
|
|
|
useACMEHost = "auth.b12f.io";
|
2024-06-03 10:30:14 +00:00
|
|
|
locations."/".proxyPass = "http://${config.services.authelia.instances.b12f.settings.server.address}";
|
2024-04-03 19:02:21 +00:00
|
|
|
locations."/".extraConfig = "include /etc/nginx/conf-available/proxy.conf;";
|
2024-06-03 10:30:14 +00:00
|
|
|
locations."/api/verify".proxyPass = "http://${config.services.authelia.instances.b12f.settings.server.address}";
|
|
|
|
locations."/api/authz".proxyPass = "http://${config.services.authelia.instances.b12f.settings.server.address}";
|
2024-03-25 20:06:08 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
services.authelia.instances.b12f = {
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
secrets = {
|
|
|
|
storageEncryptionKeyFile = config.age.secrets."authelia-storage-encryption-key".path;
|
|
|
|
sessionSecretFile = config.age.secrets."authelia-session-secret".path;
|
|
|
|
jwtSecretFile = config.age.secrets."authelia-jwt-secret".path;
|
2024-09-06 17:29:08 +00:00
|
|
|
oidcIssuerPrivateKeyFile = config.age.secrets."authelia-oidc-issuer-private-key".path;
|
|
|
|
oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;
|
2024-03-25 20:06:08 +00:00
|
|
|
};
|
|
|
|
|
2024-09-12 11:58:32 +00:00
|
|
|
environmentVariables = {
|
|
|
|
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path;
|
|
|
|
};
|
|
|
|
|
2024-03-25 20:06:08 +00:00
|
|
|
settings = {
|
|
|
|
theme = "light";
|
2024-04-03 19:02:21 +00:00
|
|
|
default_2fa_method = "webauthn";
|
2024-03-25 20:06:08 +00:00
|
|
|
log.level = "debug";
|
2024-04-03 19:02:21 +00:00
|
|
|
server = {
|
2024-06-03 10:30:14 +00:00
|
|
|
address = "127.0.0.1:9092";
|
2024-04-06 00:36:58 +00:00
|
|
|
endpoints.authz.auth-request.implementation = "AuthRequest";
|
2024-04-03 19:02:21 +00:00
|
|
|
};
|
2024-03-25 20:06:08 +00:00
|
|
|
authentication_backend = {
|
|
|
|
refresh_interval = "disable";
|
2024-09-06 17:29:08 +00:00
|
|
|
password_reset.disable = true;
|
2024-03-25 20:06:08 +00:00
|
|
|
file = {
|
|
|
|
path = config.age.secrets."authelia-users-file".path;
|
|
|
|
watch = false;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
duo_api.disable = true;
|
|
|
|
webauthn.user_verification = "required";
|
2024-04-03 19:02:21 +00:00
|
|
|
totp.issuer = "auth.b12f.io";
|
|
|
|
storage.local.path = "/var/lib/authelia-b12f/db.sqlite3";
|
|
|
|
access_control.default_policy = "two_factor";
|
2024-04-06 00:36:58 +00:00
|
|
|
session.cookies = [
|
2024-08-18 22:22:59 +00:00
|
|
|
{
|
|
|
|
domain = "b12f.io";
|
|
|
|
authelia_url = "https://auth.b12f.io";
|
|
|
|
}
|
2024-04-06 00:36:58 +00:00
|
|
|
];
|
2024-04-03 19:02:21 +00:00
|
|
|
notifier.smtp = {
|
2024-09-12 11:58:32 +00:00
|
|
|
address = "submission://mail.b12f.io:587";
|
2024-04-03 19:02:21 +00:00
|
|
|
username = "mail@b12f.io";
|
|
|
|
sender = "auth.b12f.io <mail@b12f.io>";
|
|
|
|
identifier = "auth@b12f.io";
|
|
|
|
subject = "[auth.b12f.io] {title}";
|
2024-03-25 20:06:08 +00:00
|
|
|
};
|
2024-09-06 17:29:08 +00:00
|
|
|
identity_providers.oidc = {
|
|
|
|
authorization_policies = {
|
|
|
|
admins = {
|
|
|
|
default_policy = "deny";
|
|
|
|
rules = [{
|
|
|
|
policy = "two_factor";
|
|
|
|
subject = "group:admins";
|
|
|
|
}];
|
|
|
|
};
|
|
|
|
};
|
|
|
|
clients = [
|
|
|
|
{
|
|
|
|
client_id = "jellyfin";
|
|
|
|
client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ";
|
|
|
|
public = false;
|
2024-09-12 11:58:32 +00:00
|
|
|
authorization_policy = "admins";
|
2024-09-06 17:29:08 +00:00
|
|
|
require_pkce = true;
|
|
|
|
pkce_challenge_method = "S256";
|
|
|
|
redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ];
|
|
|
|
scopes = [
|
|
|
|
"openid"
|
|
|
|
"profile"
|
|
|
|
"groups"
|
|
|
|
];
|
|
|
|
userinfo_signed_response_alg = "none";
|
|
|
|
token_endpoint_auth_method = "client_secret_post";
|
|
|
|
}
|
|
|
|
];
|
|
|
|
};
|
2024-03-25 20:06:08 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
|
2024-09-12 11:58:32 +00:00
|
|
|
systemd.services.authelia-b12f.preStart = "env";
|
2024-04-03 19:02:21 +00:00
|
|
|
|
2024-03-25 20:06:08 +00:00
|
|
|
services.restic.backups = {
|
|
|
|
authelia = {
|
2024-08-18 22:22:59 +00:00
|
|
|
paths = ["/var/lib/authelia-b12f"];
|
2024-03-25 20:06:08 +00:00
|
|
|
initialize = true;
|
|
|
|
passwordFile = config.age.secrets."restic-password".path;
|
|
|
|
# See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
|
|
|
|
repository = "rclone:cloud.pub.solar:/backups/Authelia";
|
2024-09-12 11:58:32 +00:00
|
|
|
rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
|
2024-03-25 20:06:08 +00:00
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|