os/hosts/pie/authelia.nix

{
  lib,
  config,
  pkgs,
  flake,
  ...
}:
with lib; let
  psCfg = config.pub-solar;
  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in {
  disabledModules = [
    "services/security/authelia.nix"
  ];

  imports = [
    "${flake.inputs.nixpkgs-master}/nixos/modules/services/security/authelia.nix"
  ];

  age.secrets."authelia-storage-encryption-key" = {
    file = "${flake.self}/secrets/authelia-storage-encryption-key.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  age.secrets."authelia-session-secret" = {
    file = "${flake.self}/secrets/authelia-session-secret.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  age.secrets."authelia-jwt-secret" = {
    file = "${flake.self}/secrets/authelia-jwt-secret.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  age.secrets."authelia-oidc-issuer-private-key" = {
    file = "${flake.self}/secrets/authelia-oidc-issuer-private-key.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  age.secrets."authelia-oidc-hmac-secret" = {
    file = "${flake.self}/secrets/authelia-oidc-hmac-secret.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  age.secrets."authelia-jwks-private-key" = {
    file = "${flake.self}/secrets/authelia-jwks-private-key.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  age.secrets."authelia-users-file" = {
    file = "${flake.self}/secrets/authelia-users-file.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  age.secrets."mail@b12f.io-password" = {
    file = "${flake.self}/secrets/mail@b12f.io-password.age";
    mode = "400";
    owner = "authelia-b12f";
  };

  security.acme.certs = {
    "auth.b12f.io" = {};
  };

  services.nginx.virtualHosts = {
    "auth.b12f.io" = {
      forceSSL = true;
      useACMEHost = "auth.b12f.io";
      locations."/".proxyPass = "http://${config.services.authelia.instances.b12f.settings.server.address}";
      locations."/".extraConfig = "include /etc/nginx/conf-available/proxy.conf;";
      locations."/api/verify".proxyPass = "http://${config.services.authelia.instances.b12f.settings.server.address}";
      locations."/api/authz".proxyPass = "http://${config.services.authelia.instances.b12f.settings.server.address}";
    };
  };

  services.authelia.instances.b12f = {
    enable = true;

    secrets = {
      storageEncryptionKeyFile = config.age.secrets."authelia-storage-encryption-key".path;
      sessionSecretFile = config.age.secrets."authelia-session-secret".path;
      jwtSecretFile = config.age.secrets."authelia-jwt-secret".path;
      oidcIssuerPrivateKeyFile = config.age.secrets."authelia-oidc-issuer-private-key".path;
      oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;
    };

    environmentVariables = {
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path;
    };

    settings = {
      theme = "light";
      default_2fa_method = "webauthn";
      log.level = "debug";
      server = {
        address = "127.0.0.1:9092";
        endpoints.authz.auth-request.implementation = "AuthRequest";
      };
      authentication_backend = {
        refresh_interval = "disable";
        password_reset.disable = true;
        file = {
          path = config.age.secrets."authelia-users-file".path;
          watch = false;
        };
      };
      duo_api.disable = true;
      webauthn.user_verification = "required";
      totp.issuer = "auth.b12f.io";
      storage.local.path = "/var/lib/authelia-b12f/db.sqlite3";
      access_control.default_policy = "two_factor";
      session.cookies = [
        {
          domain = "b12f.io";
          authelia_url = "https://auth.b12f.io";
        }
      ];
      notifier.smtp = {
        address = "submission://mail.b12f.io:587";
        username = "mail@b12f.io";
        sender = "auth.b12f.io <mail@b12f.io>";
        identifier = "auth@b12f.io";
        subject = "[auth.b12f.io] {title}";
      };
      identity_providers.oidc = {
        authorization_policies = {
          admins = {
            default_policy = "deny";
            rules = [{
              policy = "two_factor";
              subject = "group:admins";
            }];
          };
        };
        clients = [
          {
            client_id = "jellyfin";
            client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ";
            public = false;
            authorization_policy = "admins";
            require_pkce = true;
            pkce_challenge_method = "S256";
            redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ];
            scopes = [
              "openid"
              "profile"
              "groups"
            ];
            userinfo_signed_response_alg = "none";
            token_endpoint_auth_method = "client_secret_post";
          }
        ];
      };
    };
  };

  systemd.services.authelia-b12f.preStart = "env";

  services.restic.backups = {
    authelia = {
      paths = ["/var/lib/authelia-b12f"];
      initialize = true;
      passwordFile = config.age.secrets."restic-password".path;
      # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
      repository = "rclone:cloud.pub.solar:/backups/Authelia";
      rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
    };
  };
}