server-configs/machines/gerd/services/authelia/authelia.nix

{ config, ... }:

let
  svc_domain = "auth.${config.mine.shared.settings.domain}";

  autheliaStateDir = "/var/lib/authelia-main";
  port = 9091;
in {
  services.authelia.instances.main = {
    enable = true;

    environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.lldap-bind-user-pass.path;
    secrets = {
      jwtSecretFile = config.age.secrets.authelia-jwt.path;
      storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
      sessionSecretFile = config.age.secrets.authelia-session.path;
      oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-privatekey-pem.path;
    };

    settings = {
      session.domain = config.mine.shared.settings.domain;

      server.address = "tcp://127.0.0.1:${builtins.toString port}";

      # totp - disable for now, as it requires email server
      access_control.default_policy = "one_factor";
      # totp.disable = true;
      # webauthn.disable = true;
      # default_2fa_method = "totp";
      # totp.issuer = "auth.fricloud.dk";

      storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
      notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";

      authentication_backend = {
        password_reset.disable = false;
        refresh_interval = "1m";

        ldap = {
          implementation = "custom";

          # address in the future
          url = "ldap://localhost:${builtins.toString config.services.lldap.settings.ldap_port}";
          timeout = "5s";
          start_tls = false;

          base_dn = config.mine.shared.settings.ldap.dc;
          additional_users_dn = "ou=${config.mine.shared.settings.ldap.ou.users}";
          additional_groups_dn = "ou=${config.mine.shared.settings.ldap.ou.groups}";
          users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
          groups_filter = "(member={dn})";


          display_name_attribute = config.mine.shared.settings.ldap.attr.firstname;
          username_attribute = config.mine.shared.settings.ldap.attr.uid;
          group_name_attribute = config.mine.shared.settings.ldap.attr.groupname;
          mail_attribute = config.mine.shared.settings.ldap.attr.email;

          user = config.mine.shared.settings.ldap.bind_dn;
        };
      };
    };
  };

  services.nginx.virtualHosts."${svc_domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://localhost:${builtins.toString port}";
  };

  # persistent files
  environment.persistence.root.directories = [
    autheliaStateDir
  ];

  # setup secrets for authelia
  age.secrets = {
    authelia-jwt.owner = "authelia-main";
    authelia-storage.owner = "authelia-main";
    authelia-session.owner = "authelia-main";
    authelia-oidc-issuer-privatekey-pem.owner = "authelia-main";
  };

  users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members = [ config.users.users.authelia-main.name ];

  # settings
  mine.shared.settings.authelia.domain = svc_domain;
}
gerd.authelia: add initial authelia configuration It is one big mess, and I'm unsure what is and what isn't needed. 2024-08-09 19:38:40 +00:00			`{ config, ... }:`

			`let`
modules.settings->shared: renamed mine.settings to mine.shared.settings Allows to use it with other things, such as ... mine.shared.lib mine.shared.meta mine.shared.settings 2024-08-12 18:51:38 +00:00			`svc_domain = "auth.${config.mine.shared.settings.domain}";`
configure domain in a central file 2024-08-11 12:50:32 +00:00
gerd.authelia: add initial authelia configuration It is one big mess, and I'm unsure what is and what isn't needed. 2024-08-09 19:38:40 +00:00			`autheliaStateDir = "/var/lib/authelia-main";`
bump from nixos-24.11 to nixos-unstable + bumped stateVersion 2024-08-16 12:19:37 +00:00			`port = 9091;`
gerd.authelia: add initial authelia configuration It is one big mess, and I'm unsure what is and what isn't needed. 2024-08-09 19:38:40 +00:00			`in {`
			`services.authelia.instances.main = {`
			`enable = true;`

gerd.forgejo: now uses authelia for authentication + patches for signin 2024-08-12 11:56:34 +00:00			`environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.lldap-bind-user-pass.path;`
gerd.authelia: add initial authelia configuration It is one big mess, and I'm unsure what is and what isn't needed. 2024-08-09 19:38:40 +00:00			`secrets = {`
			`jwtSecretFile = config.age.secrets.authelia-jwt.path;`
			`storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;`
			`sessionSecretFile = config.age.secrets.authelia-session.path;`
			`oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-privatekey-pem.path;`
			`};`

			`settings = {`
modules.settings->shared: renamed mine.settings to mine.shared.settings Allows to use it with other things, such as ... mine.shared.lib mine.shared.meta mine.shared.settings 2024-08-12 18:51:38 +00:00			`session.domain = config.mine.shared.settings.domain;`
gerd.authelia: add initial authelia configuration It is one big mess, and I'm unsure what is and what isn't needed. 2024-08-09 19:38:40 +00:00
bump from nixos-24.11 to nixos-unstable + bumped stateVersion 2024-08-16 12:19:37 +00:00			`server.address = "tcp://127.0.0.1:${builtins.toString port}";`

gerd.forgejo: now uses authelia for authentication + patches for signin 2024-08-12 11:56:34 +00:00			`# totp - disable for now, as it requires email server`
			`access_control.default_policy = "one_factor";`
gerd.authelia: moved to own directory + added nginx proxy example 2024-08-12 12:36:01 +00:00			`# totp.disable = true;`
			`# webauthn.disable = true;`
			`# default_2fa_method = "totp";`
			`# totp.issuer = "auth.fricloud.dk";`
gerd.forgejo: now uses authelia for authentication + patches for signin 2024-08-12 11:56:34 +00:00
gerd.authelia: add initial authelia configuration It is one big mess, and I'm unsure what is and what isn't needed. 2024-08-09 19:38:40 +00:00			`storage.local.path = "${autheliaStateDir}/authelia.sqlite3";`
			`notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";`

			`authentication_backend = {`
			`password_reset.disable = false;`
			`refresh_interval = "1m";`

			`ldap = {`
			`implementation = "custom";`

			`# address in the future`
			`url = "ldap://localhost:${builtins.toString config.services.lldap.settings.ldap_port}";`
			`timeout = "5s";`
			`start_tls = false;`

modules.settings->shared: renamed mine.settings to mine.shared.settings Allows to use it with other things, such as ... mine.shared.lib mine.shared.meta mine.shared.settings 2024-08-12 18:51:38 +00:00			`base_dn = config.mine.shared.settings.ldap.dc;`
			`additional_users_dn = "ou=${config.mine.shared.settings.ldap.ou.users}";`
			`additional_groups_dn = "ou=${config.mine.shared.settings.ldap.ou.groups}";`
gerd.authelia: add initial authelia configuration It is one big mess, and I'm unsure what is and what isn't needed. 2024-08-09 19:38:40 +00:00			`users_filter = "(&(\|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";`
			`groups_filter = "(member={dn})";`


modules.settings->shared: renamed mine.settings to mine.shared.settings Allows to use it with other things, such as ... mine.shared.lib mine.shared.meta mine.shared.settings 2024-08-12 18:51:38 +00:00			`display_name_attribute = config.mine.shared.settings.ldap.attr.firstname;`
			`username_attribute = config.mine.shared.settings.ldap.attr.uid;`
			`group_name_attribute = config.mine.shared.settings.ldap.attr.groupname;`
			`mail_attribute = config.mine.shared.settings.ldap.attr.email;`
gerd.authelia: add initial authelia configuration It is one big mess, and I'm unsure what is and what isn't needed. 2024-08-09 19:38:40 +00:00
modules.settings->shared: renamed mine.settings to mine.shared.settings Allows to use it with other things, such as ... mine.shared.lib mine.shared.meta mine.shared.settings 2024-08-12 18:51:38 +00:00			`user = config.mine.shared.settings.ldap.bind_dn;`
gerd.authelia: add initial authelia configuration It is one big mess, and I'm unsure what is and what isn't needed. 2024-08-09 19:38:40 +00:00			`};`
			`};`
			`};`
			`};`

configure domain in a central file 2024-08-11 12:50:32 +00:00			`services.nginx.virtualHosts."${svc_domain}" = {`
gerd.authelia: add initial authelia configuration It is one big mess, and I'm unsure what is and what isn't needed. 2024-08-09 19:38:40 +00:00			`forceSSL = true;`
			`enableACME = true;`
bump from nixos-24.11 to nixos-unstable + bumped stateVersion 2024-08-16 12:19:37 +00:00			`locations."/".proxyPass = "http://localhost:${builtins.toString port}";`
gerd.authelia: add initial authelia configuration It is one big mess, and I'm unsure what is and what isn't needed. 2024-08-09 19:38:40 +00:00			`};`

			`# persistent files`
			`environment.persistence.root.directories = [`
			`autheliaStateDir`
			`];`

			`# setup secrets for authelia`
			`age.secrets = {`
			`authelia-jwt.owner = "authelia-main";`
			`authelia-storage.owner = "authelia-main";`
			`authelia-session.owner = "authelia-main";`
			`authelia-oidc-issuer-privatekey-pem.owner = "authelia-main";`
			`};`
gerd.lldap: renamed user-pass to admin-user-pass and added bind-user-pass 2024-08-10 17:23:17 +00:00
			`users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members = [ config.users.users.authelia-main.name ];`
gerd.forgejo: now uses authelia for authentication + patches for signin 2024-08-12 11:56:34 +00:00
			`# settings`
modules.settings->shared: renamed mine.settings to mine.shared.settings Allows to use it with other things, such as ... mine.shared.lib mine.shared.meta mine.shared.settings 2024-08-12 18:51:38 +00:00			`mine.shared.settings.authelia.domain = svc_domain;`
gerd.authelia: add initial authelia configuration It is one big mess, and I'm unsure what is and what isn't needed. 2024-08-09 19:38:40 +00:00			`}`