2023-10-05 22:14:14 +00:00
|
|
|
{
|
|
|
|
pkgs,
|
|
|
|
config,
|
|
|
|
self,
|
|
|
|
...
|
|
|
|
}: let
|
|
|
|
containerStateDir = "/var/lib/authelia-gssws";
|
|
|
|
hostStateDir = "/opt/authelia";
|
|
|
|
domain = "auth.gssws.de";
|
2023-10-28 22:31:33 +00:00
|
|
|
redirectDomain = "home.gssws.de";
|
2023-10-05 22:14:14 +00:00
|
|
|
servicePort = 9091;
|
|
|
|
in {
|
|
|
|
age.secrets.authelia_users = {
|
|
|
|
file = "${self}/secrets/chonk_authelia_users.age";
|
|
|
|
owner = "999";
|
|
|
|
group = "999";
|
|
|
|
};
|
|
|
|
|
|
|
|
age.secrets.authelia_storage_encryption_key = {
|
|
|
|
file = "${self}/secrets/chonk_authelia_storage_encryption_key.age";
|
|
|
|
owner = "999";
|
|
|
|
group = "999";
|
|
|
|
};
|
|
|
|
|
|
|
|
age.secrets.authelia_jwt_secret = {
|
|
|
|
file = "${self}/secrets/chonk_authelia_jwt_secret.age";
|
|
|
|
owner = "999";
|
|
|
|
group = "999";
|
|
|
|
};
|
|
|
|
|
|
|
|
services.nginx.virtualHosts."${domain}" = {
|
|
|
|
forceSSL = true;
|
|
|
|
enableACME = true;
|
|
|
|
locations."/" = {
|
|
|
|
proxyPass = "http://127.0.0.1:${toString servicePort}";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
containers."authelia" = {
|
|
|
|
autoStart = true;
|
|
|
|
ephemeral = true;
|
|
|
|
bindMounts = {
|
|
|
|
"${containerStateDir}" = {
|
|
|
|
hostPath = hostStateDir;
|
|
|
|
isReadOnly = false;
|
|
|
|
};
|
|
|
|
|
|
|
|
"/run/agenix" = {
|
|
|
|
hostPath = "/run/agenix";
|
|
|
|
isReadOnly = false;
|
|
|
|
};
|
|
|
|
|
|
|
|
"/run/agenix.d" = {
|
|
|
|
hostPath = "/run/agenix.d";
|
|
|
|
isReadOnly = false;
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
config = {
|
|
|
|
config,
|
|
|
|
pkgs,
|
|
|
|
...
|
|
|
|
}: {
|
|
|
|
networking.firewall.enable = false;
|
|
|
|
|
|
|
|
services.authelia.instances."gssws" = {
|
|
|
|
enable = true;
|
|
|
|
|
|
|
|
secrets = {
|
|
|
|
jwtSecretFile = "/run/agenix/authelia_jwt_secret";
|
|
|
|
storageEncryptionKeyFile = "/run/agenix/authelia_storage_encryption_key";
|
|
|
|
};
|
|
|
|
|
|
|
|
settings = {
|
2023-10-28 22:31:33 +00:00
|
|
|
theme = "dark";
|
2023-10-05 22:14:14 +00:00
|
|
|
server.port = servicePort;
|
|
|
|
|
|
|
|
session.domain = domain;
|
2023-10-28 22:31:33 +00:00
|
|
|
default_redirection_url = "https://${redirectDomain}/";
|
2023-10-05 22:14:14 +00:00
|
|
|
|
|
|
|
access_control.default_policy = "two_factor";
|
|
|
|
|
|
|
|
authentication_backend = {
|
2023-10-28 22:31:33 +00:00
|
|
|
password_reset.disable = true;
|
2023-10-05 22:14:14 +00:00
|
|
|
file = {
|
|
|
|
path = "/run/agenix/authelia_users";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
storage.local.path = "/var/lib/authelia-gssws/db.sqlite3";
|
|
|
|
|
|
|
|
totp = {
|
|
|
|
issuer = "auth.gssws.de";
|
|
|
|
algorithm = "SHA512";
|
|
|
|
digits = 8;
|
|
|
|
};
|
|
|
|
|
|
|
|
webauthn = {
|
|
|
|
display_name = "auth.gssws.de";
|
|
|
|
};
|
|
|
|
|
|
|
|
notifier.smtp = {
|
2023-10-28 22:31:33 +00:00
|
|
|
host = "mail.gssws.de";
|
|
|
|
port = 25;
|
2023-10-05 22:14:14 +00:00
|
|
|
sender = "Authelia <authelia@gssws.de>";
|
|
|
|
identifier = "auth.gssws.de";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
};
|
|
|
|
|
|
|
|
system.stateVersion = "23.05";
|
|
|
|
};
|
|
|
|
};
|
|
|
|
}
|