
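# Authelia (SSO / 2FA portal) for the "gssws" instance, run inside an ephemeral
# NixOS container on this host. nginx on the host terminates TLS for `domain`
# and proxies to Authelia on loopback; persistent state (the sqlite database)
# and the agenix-managed secrets are bind-mounted into the container.
{
  pkgs,
  config,
  self,
  ...
}: let
  # Where Authelia keeps its database inside the container, and the host
  # directory backing it (the container is ephemeral, so this mount is the
  # only thing that survives a restart).
  containerStateDir = "/var/lib/authelia-gssws";
  hostStateDir = "/opt/authelia";

  # agenix decrypts secrets here on the host; the same path is mounted into
  # the container so the instance can read them unchanged.
  secretsDir = "/run/agenix";

  domain = "auth.gssws.de";
  redirectDomain = "home.gssws.de";
  servicePort = 9091;

  # Numeric owner for the decrypted secret files. Presumably the uid/gid the
  # authelia service runs as inside the container -- TODO confirm against
  # the container's user database, since a mismatch silently breaks startup.
  containerUid = "999";

  # All three secrets live in the flake under secrets/chonk_<name>.age and
  # are readable only by the container's service user.
  mkSecret = name: {
    file = "${self}/secrets/chonk_${name}.age";
    owner = containerUid;
    group = containerUid;
  };
in {
  age.secrets = {
    authelia_users = mkSecret "authelia_users";
    authelia_storage_encryption_key = mkSecret "authelia_storage_encryption_key";
    authelia_jwt_secret = mkSecret "authelia_jwt_secret";
  };

  # Public entry point: TLS is mandatory (HTTP is redirected) and the
  # certificate comes from ACME. Authelia itself only speaks plain HTTP on
  # loopback behind this proxy.
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString servicePort}";
    };
  };

  containers."authelia" = {
    autoStart = true;
    # Root filesystem is discarded on every restart; only the bind mounts
    # below persist.
    ephemeral = true;

    bindMounts = {
      # Database / persistent state: the one writable mount.
      "${containerStateDir}" = {
        hostPath = hostStateDir;
        isReadOnly = false;
      };
      # Secrets are only ever read by Authelia; mounting them read-only keeps
      # a compromised container from altering the decrypted material. agenix
      # keeps `/run/agenix` as a symlink into a generation under
      # `/run/agenix.d`, so both need to be visible.
      "${secretsDir}" = {
        hostPath = secretsDir;
        isReadOnly = true;
      };
      "${secretsDir}.d" = {
        hostPath = "${secretsDir}.d";
        isReadOnly = true;
      };
    };

    config = {
      config,
      pkgs,
      ...
    }: {
      # No `privateNetwork` is set, so the container shares the host's network
      # namespace (the nginx proxyPass to 127.0.0.1 above relies on that).
      # Disabling the container-side firewall stops it from installing a
      # second rule set into the shared namespace; reachability of
      # `servicePort` from outside is therefore decided by the host firewall.
      networking.firewall.enable = false;

      services.authelia.instances."gssws" = {
        enable = true;

        # Paths as seen from inside the container (same as on the host).
        secrets = {
          jwtSecretFile = "${secretsDir}/authelia_jwt_secret";
          storageEncryptionKeyFile = "${secretsDir}/authelia_storage_encryption_key";
        };

        settings = {
          theme = "dark";
          # `server.host` is left at the NixOS module default; nginx on
          # loopback is the only intended client, so confirm that default is
          # loopback-only rather than all interfaces.
          server.port = servicePort;
          session.domain = domain;
          default_redirection_url = "https://${redirectDomain}/";
          # Deny-by-default: every protected resource needs a second factor.
          access_control.default_policy = "two_factor";

          authentication_backend = {
            # Users are managed in the encrypted file; no self-service reset.
            password_reset.disable = true;
            file = {
              path = "${secretsDir}/authelia_users";
            };
          };

          # Must stay under the persistent mount, otherwise the database is
          # lost with the ephemeral root on every restart.
          storage.local.path = "${containerStateDir}/db.sqlite3";

          totp = {
            issuer = domain;
            algorithm = "SHA512";
            digits = 8;
          };
          webauthn = {
            display_name = domain;
          };

          # Transport security for notifications is left to Authelia's SMTP
          # defaults; confirm that STARTTLS is negotiated with this relay on
          # port 25 before relying on it for 2FA enrollment mails.
          notifier.smtp = {
            host = "mail.gssws.de";
            port = 25;
            sender = "Authelia <authelia@gssws.de>";
            identifier = domain;
          };
        };
      };

      system.stateVersion = "23.05";
    };
  };
}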