server-configs/machines/gerd/services/authelia/authelia.nix

{ config, ... }:
let
  shared = config.mine.shared.settings;
  ldapSettings = shared.ldap;
  svc_domain = "auth.${shared.domain}";
  autheliaStateDir = "/var/lib/authelia-main";
  port = 9091;
  portStr = toString port;
  # System user of the "main" instance; the age secrets Authelia opens by
  # itself are chowned to it further down.
  autheliaUser = "authelia-main";
in {
  services.authelia.instances.main = {
    enable = true;

    # The LDAP bind password travels through the environment rather than the
    # settings tree, so it is never written into the rendered config file.
    environmentVariables = {
      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
        config.age.secrets.lldap-bind-user-pass.path;
    };

    # Key material comes from agenix-managed files (owners are set below).
    secrets = {
      jwtSecretFile = config.age.secrets.authelia-jwt.path;
      storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
      sessionSecretFile = config.age.secrets.authelia-session.path;
      oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-privatekey-pem.path;
    };

    settings = {
      session = {
        domain = shared.domain;
      };

      server = {
        # Loopback only; TLS is terminated by the nginx vhost defined below.
        address = "tcp://127.0.0.1:${portStr}";
      };

      # Second factors stay off for now: TOTP enrolment needs a mail notifier,
      # which this host does not have yet.
      access_control = {
        default_policy = "one_factor";
      };
      # totp.disable = true;
      # webauthn.disable = true;
      # default_2fa_method = "totp";
      # totp.issuer = "auth.fricloud.dk";

      storage = {
        local.path = "${autheliaStateDir}/authelia.sqlite3";
      };

      # Notifications are appended to a plain file in the state dir. Because
      # password_reset is enabled below, reset links land in this file too, so
      # treat it as sensitive as a mailbox.
      notifier = {
        filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";
      };

      authentication_backend = {
        password_reset.disable = false;
        refresh_interval = "1m";

        ldap = {
          implementation = "custom";
          # `url` is slated to become `address` in a future Authelia release.
          url = "ldap://localhost:${toString config.services.lldap.settings.ldap_port}";
          timeout = "5s";
          # Plaintext LDAP is only acceptable because the target is localhost;
          # keep this off the network.
          start_tls = false;

          base_dn = ldapSettings.dc;
          additional_users_dn = "ou=${ldapSettings.ou.users}";
          additional_groups_dn = "ou=${ldapSettings.ou.groups}";

          # A person matching the login input on either the username or the
          # mail attribute.
          users_filter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
            llib.mkAnd [
              (llib.mkOC lconfig.oc.person)
              (llib.mkOr [
                (llib.mkSearch "{username_attribute}" "{input}")
                (llib.mkSearch "{mail_attribute}" "{input}")
              ])
            ]
          );
          groups_filter = "(member={dn})";

          display_name_attribute = ldapSettings.attr.firstname;
          username_attribute = ldapSettings.attr.uid;
          group_name_attribute = ldapSettings.attr.groupname;
          mail_attribute = ldapSettings.attr.email;
          user = ldapSettings.bind_dn;
        };
      };
    };
  };

  services.nginx.virtualHosts.${svc_domain} = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      # NOTE(review): Authelia expects the proxy to pass Host and the
      # X-Forwarded-* headers; this location sets none itself, so it relies on
      # services.nginx.recommendedProxySettings being enabled elsewhere — confirm.
      proxyPass = "http://localhost:${portStr}";
    };
  };

  # The SQLite store and notifier file must survive reboots.
  environment.persistence.root.directories = [ autheliaStateDir ];

  # Secrets the service opens by itself are owned by its user.
  age.secrets = {
    authelia-jwt.owner = autheliaUser;
    authelia-storage.owner = autheliaUser;
    authelia-session.owner = autheliaUser;
    authelia-oidc-issuer-privatekey-pem.owner = autheliaUser;
  };

  # The bind-password secret is presumably shared with lldap, so rather than
  # re-owning it the service user joins the secret's group for read access.
  users.groups.${config.age.secrets.lldap-bind-user-pass.group}.members =
    [ config.users.users.${autheliaUser}.name ];

  # Publish the public hostname so other modules can reference it.
  mine.shared.settings.authelia.domain = svc_domain;
}