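# NixOS module: runs Authelia (instance "gssws") inside a NixOS container
# behind the host's nginx, with secrets supplied by agenix.
{ pkgs, config, self, ... }:
let
  # State directory as seen from inside the container; the sqlite DB lives here.
  containerStateDir = "/var/lib/authelia-gssws";
  # Host directory bind-mounted onto containerStateDir so state survives
  # re-creation of the ephemeral container.
  hostStateDir = "/opt/authelia";
  domain = "auth.gssws.de";
  servicePort = 9091;

  # All three agenix secrets share the same shape; build them from one helper.
  # Numeric owner/group avoid needing an authelia user on the host.
  # NOTE(review): "999" must equal the uid/gid the authelia service runs as
  # inside the container, otherwise the decrypted files are unreadable — confirm.
  mkSecret = name: {
    file = "${self}/secrets/chonk_${name}.age";
    owner = "999";
    group = "999";
  };
in
{
  age.secrets = {
    authelia_users = mkSecret "authelia_users";
    authelia_storage_encryption_key = mkSecret "authelia_storage_encryption_key";
    authelia_jwt_secret = mkSecret "authelia_jwt_secret";
  };

  # TLS-terminating reverse proxy on the host.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # The container does not set privateNetwork, so it shares the host's
      # network namespace and Authelia is reachable on the host loopback.
      proxyPass = "http://127.0.0.1:${toString servicePort}";
      # Authelia derives its redirect URLs from X-Forwarded-Proto/Host; make the
      # proxy headers explicit instead of depending on the global nginx default.
      recommendedProxySettings = true;
    };
  };

  containers.authelia = {
    autoStart = true;
    ephemeral = true;
    bindMounts = {
      # Persistent state (sqlite DB) — the only writable mount the service needs.
      "${containerStateDir}" = {
        hostPath = hostStateDir;
        isReadOnly = false;
      };
      # Secrets are mounted read-only: agenix re-decrypts them on every
      # activation, so nothing written here would persist anyway.
      # NOTE(review): this exposes every agenix secret on the host to the
      # container, not just the three Authelia ones; a dedicated secrets
      # directory would narrow that.
      "/run/agenix" = {
        hostPath = "/run/agenix";
        isReadOnly = true;
      };
      "/run/agenix.d" = {
        hostPath = "/run/agenix.d";
        isReadOnly = true;
      };
    };

    config = { config, pkgs, ... }: {
      # Without privateNetwork the container has no network namespace of its
      # own; the host firewall still applies to the shared interfaces.
      networking.firewall.enable = false;

      services.authelia.instances."gssws" = {
        enable = true;
        secrets = {
          jwtSecretFile = "/run/agenix/authelia_jwt_secret";
          storageEncryptionKeyFile = "/run/agenix/authelia_storage_encryption_key";
        };
        settings = {
          theme = "auto";
          server.port = servicePort;
          # NOTE(review): the session cookie is scoped to auth.gssws.de only;
          # if other subdomains (e.g. home.gssws.de) are meant to share the
          # SSO session this usually has to be the parent domain — confirm.
          session.domain = domain;
          default_redirection_url = "https://home.gssws.de/";
          # Deny by default; every protected resource requires a second factor.
          access_control.default_policy = "two_factor";
          authentication_backend = {
            # NOTE(review): password reset on the file backend rewrites the
            # users file, but this one is an agenix output (read-only, regenerated
            # on activation), so a reset cannot persist — confirm that is intended.
            password_reset.disable = false;
            file = {
              path = "/run/agenix/authelia_users";
            };
          };
          # Same location as the writable bind mount above.
          storage.local.path = "${containerStateDir}/db.sqlite3";
          totp = {
            issuer = "auth.gssws.de";
            # Non-default TOTP parameters: some authenticator apps only support
            # 6-digit SHA1 codes and will silently generate wrong values.
            algorithm = "SHA512";
            digits = 8;
          };
          webauthn = {
            display_name = "auth.gssws.de";
          };
          notifier.smtp = {
            # Port 25 without smtps: Authelia expects STARTTLS unless
            # disable_require_tls is set — the relay must offer it.
            address = "smtp://mail.gssws.de:25";
            # NOTE(review): a display name with no <address>; this looks
            # truncated and may be rejected by the relay — verify.
            sender = "Authelia ";
            identifier = "auth.gssws.de";
          };
        };
      };

      system.stateVersion = "23.05";
    };
  };
}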