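# Host-side NixOS module: runs Authelia for auth.gssws.de inside a NixOS
# container, fronted by nginx (TLS/ACME) on the host. Secrets are decrypted
# by agenix on the host and bind-mounted into the container; persistent
# state (the SQLite database) lives on the host so the container rootfs can
# be ephemeral.
{
  pkgs,
  config,
  self,
  ...
}: let
  # Path of Authelia's state directory inside the container.
  containerStateDir = "/var/lib/authelia-gssws";
  # Host directory backing containerStateDir across container restarts.
  hostStateDir = "/opt/authelia";
  domain = "auth.gssws.de";
  # Port Authelia listens on; nginx on the host proxies to it over loopback.
  servicePort = 9091;

  # uid/gid the decrypted secrets are chowned to on the host.
  # NOTE(review): 999 is presumably the uid NixOS hands to authelia-gssws
  # inside the container (system users are allocated downwards from 999, so
  # the first one in a fresh container usually lands there). Nothing pins
  # it; if another system user is allocated first the secrets become
  # unreadable. Confirm with `id authelia-gssws` in the container, or give the
  # container user a fixed uid.
  secretUid = "999";

  # All three Authelia secrets are read-only inputs of the same shape:
  # encrypted under secrets/chonk_<name>.age in this flake, decrypted to
  # /run/agenix/<name> and owned by the container's Authelia user.
  mkAutheliaSecret = name: {
    file = "${self}/secrets/chonk_${name}.age";
    owner = secretUid;
    group = secretUid;
  };
in {
  age.secrets.authelia_users = mkAutheliaSecret "authelia_users";
  age.secrets.authelia_storage_encryption_key =
    mkAutheliaSecret "authelia_storage_encryption_key";
  age.secrets.authelia_jwt_secret = mkAutheliaSecret "authelia_jwt_secret";

  # TLS terminator on the host. Authelia itself only listens on loopback
  # (see server.host below), so this vhost is the only public entry point.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString servicePort}";
      # Authelia needs X-Forwarded-Proto/Host/For (and the real client IP for
      # its logs and regulation) to behave correctly behind a proxy; enable the
      # standard proxy headers for this location regardless of the global
      # nginx setting, which is not visible in this file.
      recommendedProxySettings = true;
    };
  };

  containers.authelia = {
    autoStart = true;
    # The root filesystem is discarded on every start; only the bind mounts
    # below persist. privateNetwork is left at its default (false), so the
    # container shares the host's network namespace: that is what makes the
    # 127.0.0.1 proxyPass above reach it, but it also means anything bound on
    # 0.0.0.0 in here is reachable on every host interface.
    ephemeral = true;

    bindMounts = {
      # SQLite database and other runtime state; must be writable.
      "${containerStateDir}" = {
        hostPath = hostStateDir;
        isReadOnly = false;
      };

      # Decrypted agenix secrets. Authelia only reads them, so mount them
      # read-only: the container must not be able to alter or replace host
      # secret files. Both the /run/agenix symlink and its /run/agenix.d
      # target are mounted so the path resolves inside the container.
      # NOTE(review): this still exposes every secret decrypted on the host,
      # not just the three Authelia ones; per-file bind mounts of
      # config.age.secrets.<name>.path would be tighter.
      "/run/agenix" = {
        hostPath = "/run/agenix";
        isReadOnly = true;
      };
      "/run/agenix.d" = {
        hostPath = "/run/agenix.d";
        isReadOnly = true;
      };
    };

    config = {...}: {
      # The container has no network namespace of its own (see ephemeral
      # above), so reachability is governed by the host firewall; a second
      # firewall service in here would act on the very same rule set.
      networking.firewall.enable = false;

      services.authelia.instances.gssws = {
        enable = true;

        secrets = {
          jwtSecretFile = "/run/agenix/authelia_jwt_secret";
          storageEncryptionKeyFile = "/run/agenix/authelia_storage_encryption_key";
        };

        settings = {
          theme = "auto";
          # Bind on loopback only: nginx on the host is the sole public entry
          # point, and because the network namespace is shared with the host a
          # wildcard bind would expose Authelia directly on every interface.
          server.host = "127.0.0.1";
          server.port = servicePort;

          # NOTE(review): the session cookie is scoped to the auth host itself,
          # so it is not sent to sibling subdomains (e.g. home.gssws.de). If
          # forward-auth for other *.gssws.de services is intended, this must
          # be the parent domain "gssws.de".
          session.domain = domain;
          default_redirection_url = "https://home.gssws.de/";

          # Everything is 2FA unless an explicit access_control rule relaxes it.
          access_control.default_policy = "two_factor";

          authentication_backend = {
            # Password reset with the file backend rewrites the users file.
            # That file is an agenix secret: regenerated from the encrypted
            # source on every activation and mounted read-only into the
            # container, so a reset could never persist (or even be written).
            # Disable the flow rather than offer one that fails or silently
            # reverts on the next deploy; change users in the .age file.
            password_reset.disable = true;
            file.path = "/run/agenix/authelia_users";
          };

          # Encrypted-at-rest with storageEncryptionKeyFile; on the host this
          # is ${hostStateDir}/db.sqlite3.
          storage.local.path = "${containerStateDir}/db.sqlite3";

          totp = {
            issuer = domain;
            # Stricter than the RFC 6238 defaults (SHA1 / 6 digits). Caveat:
            # several common authenticator apps only implement the defaults
            # and will produce codes that never validate.
            algorithm = "SHA512";
            digits = 8;
          };

          webauthn.display_name = domain;

          notifier.smtp = {
            # Plain port 25 rather than smtps; Authelia's default is to require
            # STARTTLS, so it should refuse to talk in the clear.
            # NOTE(review): confirm disable_require_tls / disable_starttls are
            # not set anywhere else for this instance.
            address = "smtp://mail.gssws.de:25";
            sender = "Authelia <authelia@gssws.de>";
            identifier = domain;
          };
        };
      };

      system.stateVersion = "23.05";
    };
  };
}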