{ lib, config, pkgs, flake, ... }:
# NixOS module: Authelia instance "b12f" behind nginx on auth.b12f.io, with
# agenix-managed secrets and a restic backup of the instance state directory.
with lib;
let
  psCfg = config.pub-solar;
  # Bound for parity with sibling modules; nothing in this file reads `xdg`.
  xdg = config.home-manager.users."${psCfg.user.name}".xdg;

  # All Authelia secrets are decrypted with the same ownership (the service
  # user) and owner-read-only mode; only the base name of the .age file varies.
  mkAutheliaSecret = name: {
    file = "${flake.self}/secrets/${name}.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  autheliaSecretNames = [
    "authelia-storage-encryption-key"
    "authelia-session-secret"
    "authelia-jwt-secret"
    "authelia-oidc-issuer-private-key"
    "authelia-oidc-hmac-secret"
    # NOTE(review): declared and decrypted, but not referenced by the instance
    # below (neither in `secrets` nor in `settings`) — confirm whether it is
    # meant to replace oidcIssuerPrivateKeyFile or can be dropped.
    "authelia-jwks-private-key"
    "authelia-users-file"
    "mail@b12f.io-password"
  ];

  secretPath = name: config.age.secrets."${name}".path;

  # nginx talks to Authelia over loopback; the port is taken from the instance
  # settings so the two never drift apart.
  autheliaUpstream = "http://${config.services.authelia.instances.b12f.settings.server.address}";
in
{
  # Use the Authelia module from nixpkgs-master instead of the pinned nixpkgs.
  disabledModules = [ "services/security/authelia.nix" ];
  imports = [
    "${flake.inputs.nixpkgs-master}/nixos/modules/services/security/authelia.nix"
  ];

  age.secrets = lib.genAttrs autheliaSecretNames mkAutheliaSecret;

  security.acme.certs."auth.b12f.io" = { };

  services.nginx.virtualHosts."auth.b12f.io" = {
    forceSSL = true;
    useACMEHost = "auth.b12f.io";
    locations = {
      "/" = {
        proxyPass = autheliaUpstream;
        extraConfig = "include /etc/nginx/conf-available/proxy.conf;";
      };
      # NOTE(review): these two locations do not include proxy.conf, so any
      # forwarding headers it sets only apply to "/"; confirm the authz
      # endpoints receive the headers they need from the calling vhosts.
      "/api/verify".proxyPass = autheliaUpstream;
      "/api/authz".proxyPass = autheliaUpstream;
    };
  };

  services.authelia.instances.b12f = {
    enable = true;

    # Secrets are handed to Authelia as file paths, never inline.
    secrets = {
      storageEncryptionKeyFile = secretPath "authelia-storage-encryption-key";
      sessionSecretFile = secretPath "authelia-session-secret";
      jwtSecretFile = secretPath "authelia-jwt-secret";
      oidcIssuerPrivateKeyFile = secretPath "authelia-oidc-issuer-private-key";
      oidcHmacSecretFile = secretPath "authelia-oidc-hmac-secret";
    };

    environmentVariables.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = secretPath "mail@b12f.io-password";

    settings = {
      theme = "light";
      default_2fa_method = "webauthn";
      # NOTE(review): debug-level logging on an authentication service is
      # verbose; consider "info" once the setup is stable.
      log.level = "debug";

      server = {
        address = "127.0.0.1:9092";
        endpoints.authz.auth-request.implementation = "AuthRequest";
      };

      authentication_backend = {
        refresh_interval = "disable";
        password_reset.disable = true;
        file = {
          path = secretPath "authelia-users-file";
          # The users file is an agenix secret; it is not reloaded on change.
          watch = false;
        };
      };

      duo_api.disable = true;
      webauthn.user_verification = "required";
      totp.issuer = "auth.b12f.io";
      storage.local.path = "/var/lib/authelia-b12f/db.sqlite3";

      # Every protected resource requires 2FA unless a rule says otherwise.
      access_control.default_policy = "two_factor";

      session.cookies = [
        {
          domain = "b12f.io";
          authelia_url = "https://auth.b12f.io";
        }
      ];

      notifier.smtp = {
        address = "submission://mail.b12f.io:587";
        username = "mail@b12f.io";
        # NOTE(review): trailing space kept as-is; verify this is the intended
        # sender value.
        sender = "auth.b12f.io ";
        identifier = "auth@b12f.io";
        subject = "[auth.b12f.io] {title}";
      };

      identity_providers.oidc = {
        # "admins" denies by default and only admits members of group:admins
        # who have completed 2FA.
        authorization_policies.admins = {
          default_policy = "deny";
          rules = [
            {
              policy = "two_factor";
              subject = "group:admins";
            }
          ];
        };

        clients = [
          {
            client_id = "jellyfin";
            # Hashed (pbkdf2-sha512) client secret; the plaintext lives only on
            # the client side.
            client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ";
            public = false;
            authorization_policy = "admins";
            require_pkce = true;
            pkce_challenge_method = "S256";
            redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ];
            scopes = [ "openid" "profile" "groups" ];
            userinfo_signed_response_alg = "none";
            token_endpoint_auth_method = "client_secret_post";
          }
        ];
      };
    };
  };

  # NOTE(review): `env` prints the whole service environment into the journal
  # on every start. This module passes secrets as *_FILE paths rather than
  # values, so it should only expose paths, but it reads like a debugging aid
  # — confirm it is still wanted.
  systemd.services.authelia-b12f.preStart = "env";

  services.restic.backups.authelia = {
    paths = [ "/var/lib/authelia-b12f" ];
    initialize = true;
    passwordFile = config.age.secrets."restic-password".path;
    # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
    repository = "rclone:cloud.pub.solar:/backups/Authelia";
    rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
  };
}