os/hosts/chonk/authelia.nix

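# NixOS module: runs Authelia (instance "gssws") in a declarative NixOS
# container and publishes it through an nginx virtual host with ACME/TLS.
# Secrets are decrypted on the host by agenix and handed to the container
# through bind mounts.
{
  pkgs,
  config,
  self,
  ...
}: let
  # Authelia state directory as seen from inside the container.
  containerStateDir = "/var/lib/authelia-gssws";
  # Host directory backing the state above; it has to live on the host
  # because the container is ephemeral.
  hostStateDir = "/opt/authelia";
  domain = "auth.gssws.de";
  redirectDomain = "home.gssws.de";
  servicePort = 9091;
in {
  # NOTE(review): owner/group are numeric because the Authelia account only
  # exists inside the container. Presumably 999 is the UID/GID that account
  # is allocated there; nothing in this file pins it, so verify it after
  # changes to the container's users.
  age.secrets.authelia_users = {
    file = "${self}/secrets/chonk_authelia_users.age";
    owner = "999";
    group = "999";
  };
  age.secrets.authelia_storage_encryption_key = {
    file = "${self}/secrets/chonk_authelia_storage_encryption_key.age";
    owner = "999";
    group = "999";
  };
  age.secrets.authelia_jwt_secret = {
    file = "${self}/secrets/chonk_authelia_jwt_secret.age";
    owner = "999";
    group = "999";
  };

  # TLS terminates at nginx; the hop to Authelia is plain HTTP over loopback.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString servicePort}";
    };
  };

  containers."authelia" = {
    autoStart = true;
    # The container root is discarded on every restart; only the bind mounts
    # below persist.
    ephemeral = true;
    bindMounts = {
      # Writable: holds the SQLite database.
      "${containerStateDir}" = {
        hostPath = hostStateDir;
        isReadOnly = false;
      };
      # Read-only: the container only consumes secrets. A writable mount
      # would let a compromised Authelia process alter or delete secret
      # files it owns and would leave the host's secret directory writable
      # from inside the container.
      # NOTE(review): this still exposes the whole host secrets directory,
      # so secrets of other services stay protected only by their file
      # ownership and mode.
      "/run/agenix" = {
        hostPath = "/run/agenix";
        isReadOnly = true;
      };
      "/run/agenix.d" = {
        hostPath = "/run/agenix.d";
        isReadOnly = true;
      };
    };
    # Inside this function `config` and `pkgs` are the container's own and
    # shadow the host module arguments of the same name.
    config = {
      config,
      pkgs,
      ...
    }: {
      # NOTE(review): `privateNetwork` is not set in this file, and NixOS
      # containers share the host network namespace by default. With the
      # container firewall off, reachability of the service port is decided
      # by the host firewall and Authelia's listen address; confirm that it
      # listens on loopback only, since nginx proxies to 127.0.0.1.
      networking.firewall.enable = false;
      services.authelia.instances."gssws" = {
        enable = true;
        secrets = {
          jwtSecretFile = "/run/agenix/authelia_jwt_secret";
          storageEncryptionKeyFile = "/run/agenix/authelia_storage_encryption_key";
        };
        settings = {
          theme = "dark";
          server.port = servicePort;
          session.domain = domain;
          default_redirection_url = "https://${redirectDomain}/";
          # Requests that match no access-control rule require a second factor.
          access_control.default_policy = "two_factor";
          authentication_backend = {
            # NOTE(review): with password reset disabled the file backend
            # should have no reason to write to the users file, which is
            # what lets the secrets mount be read-only; confirm on the
            # deployed Authelia version.
            password_reset.disable = true;
            file = {
              path = "/run/agenix/authelia_users";
            };
          };
          storage.local.path = "${containerStateDir}/db.sqlite3";
          totp = {
            issuer = domain;
            # Non-default TOTP parameters; check that the authenticator apps
            # in use support SHA512 with 8 digits.
            algorithm = "SHA512";
            digits = 8;
          };
          webauthn = {
            display_name = domain;
          };
          # No SMTP credentials are configured here.
          # NOTE(review): presumably the relay accepts mail from this host
          # without authentication; confirm.
          notifier.smtp = {
            host = "mail.gssws.de";
            port = 25;
            sender = "Authelia <authelia@gssws.de>";
            identifier = domain;
          };
        };
      };
      system.stateVersion = "23.05";
    };
  };
}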