{ config, ... }: let autheliaStateDir = "/var/lib/authelia-main"; in { services.authelia.instances.main = { enable = true; environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-lldap-bind-user-pass.path; secrets = { jwtSecretFile = config.age.secrets.authelia-jwt.path; storageEncryptionKeyFile = config.age.secrets.authelia-storage.path; sessionSecretFile = config.age.secrets.authelia-session.path; oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-privatekey-pem.path; }; settings = { access_control.default_policy = "one_factor"; session.domain = "fricloud.dk"; storage.local.path = "${autheliaStateDir}/authelia.sqlite3"; notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt"; authentication_backend = { password_reset.disable = false; refresh_interval = "1m"; ldap = { implementation = "custom"; # address in the future url = "ldap://localhost:${builtins.toString config.services.lldap.settings.ldap_port}"; timeout = "5s"; start_tls = false; base_dn = "dc=fricloud,dc=dk"; additional_users_dn = "ou=people"; users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))"; additional_groups_dn = "ou=groups"; groups_filter = "(member={dn})"; display_name_attribute = "displayName"; username_attribute = "uid"; group_name_attribute = "cn"; mail_attribute = "mail"; user = "uid=bind_user,ou=people,dc=fricloud,dc=dk"; }; }; }; }; services.nginx.virtualHosts."auth.fricloud.dk" = { forceSSL = true; enableACME = true; locations."/".proxyPass = "http://localhost:${builtins.toString config.services.authelia.instances.main.settings.server.port}"; }; # persistent files environment.persistence.root.directories = [ autheliaStateDir ]; # setup secrets for authelia age.secrets = { authelia-jwt.owner = "authelia-main"; authelia-storage.owner = "authelia-main"; authelia-session.owner = "authelia-main"; authelia-oidc-issuer-privatekey-pem.owner = "authelia-main"; authelia-lldap-bind-user-pass.owner = "authelia-main"; }; }