{ config, ... }:

let
  # Authelia's writable state (SQLite store and the file notifier's output).
  # Listed under environment.persistence below so it survives an impermanent root.
  stateDir = "/var/lib/authelia-main";

  # Port Authelia's HTTP server listens on, read back from the module's own
  # settings so nginx and Authelia cannot drift apart.
  autheliaPort = toString config.services.authelia.instances.main.settings.server.port;

  # LLDAP's LDAP listener on this host; Authelia only ever talks to it over loopback.
  lldapPort = toString config.services.lldap.settings.ldap_port;
in
{
  services.authelia.instances.main = {
    enable = true;

    # The LDAP bind password is passed via Authelia's *_FILE environment variable
    # rather than through `settings`, so the password itself never has to appear
    # in the generated configuration file.
    # NOTE(review): this is the agenix secret `authelia-lldap-bind-user-pass`,
    # while the group membership granted at the bottom of this file is for a
    # differently named secret (`lldap-bind-user-pass`). Confirm the authelia-main
    # user can actually read this path, otherwise the LDAP bind fails at start-up.
    environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
      config.age.secrets.authelia-lldap-bind-user-pass.path;

    # All key material comes from agenix-decrypted files owned by the service
    # user (see `age.secrets` below).
    secrets = {
      jwtSecretFile = config.age.secrets.authelia-jwt.path;
      storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
      sessionSecretFile = config.age.secrets.authelia-session.path;
      oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-privatekey-pem.path;
    };

    settings = {
      # Any authenticated directory user may reach any protected host unless a
      # more specific access_control.rules entry says otherwise. A deny-by-default
      # policy with explicit per-domain rules is the tighter posture; revisit once
      # the set of protected applications is known.
      access_control.default_policy = "one_factor";

      session.domain = "fricloud.dk";

      storage.local.path = "${stateDir}/authelia.sqlite3";

      # Notifications -- including password-reset links -- are appended to a local
      # file instead of being e-mailed. Anyone who can read this file can complete
      # a password reset, so it must remain readable only by the service user.
      # Switch to an SMTP notifier before real users depend on password_reset.
      notifier.filesystem.filename = "${stateDir}/authelia_notifier.txt";

      authentication_backend = {
        password_reset.disable = false;
        refresh_interval = "1m";

        ldap = {
          implementation = "custom";

          # Plaintext LDAP without StartTLS is acceptable here only because the
          # target is localhost and the connection never leaves the host. Do not
          # point this at a remote server without ldaps:// or start_tls = true.
          # TODO: newer Authelia releases name this option `address` instead of
          # `url`; rename once the NixOS module/Authelia version in use expects it.
          url = "ldap://localhost:${lldapPort}";
          timeout = "5s";
          start_tls = false;

          base_dn = "dc=fricloud,dc=dk";
          additional_users_dn = "ou=people";
          # Users may log in with either their uid or their e-mail address.
          users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
          additional_groups_dn = "ou=groups";
          groups_filter = "(member={dn})";

          display_name_attribute = "displayName";
          username_attribute = "uid";
          group_name_attribute = "cn";
          mail_attribute = "mail";

          # Service account Authelia binds as to search the directory. It lives
          # under ou=people and so presumably matches users_filter as well; keep
          # it out of any group that grants access to protected applications.
          user = "uid=bind_user,ou=people,dc=fricloud,dc=dk";
        };
      };
    };
  };

  # Example OIDC client for Forgejo. Belongs in forgejo.nix if it is ever enabled.
  #
  # services.authelia.instances.main.settings.identity_providers.oidc.clients = [{
  #   id = "forgejo";
  #   description = "Forgejo";
  #
  #   # Only the hash is stored here; generate it (and the matching plaintext for
  #   # the client) with:
  #   #   authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
  #   secret = "$pbkdf2-sha512$310000$cOGtLwMHyfugAJCIiUUjfQ$ao7zC8QB1m8aTGNf1dxYbRAPivZ0G1eaJ4bNFVfJiTFZX06U5baBjT0emvoaeFHXMFbYHzorb2/8vxnY/D0b5Q";
  #
  #   public = false;
  #   authorization_policy = "one_factor";
  #   redirect_uris = [ "https://git.fricloud.dk/user/oauth2/authelia/callback" ];
  #   scopes = [
  #     "openid"
  #     "email"
  #     "profile"
  #   ];
  #
  #   userinfo_signing_algorithm = "none";
  #   # userinfo_signed_response_alg = "none";
  #   # token_endpoint_auth_method = "client_secret_basic";
  # }];

  # Public entry point: TLS terminates at nginx, Authelia is reached over loopback.
  services.nginx.virtualHosts."auth.fricloud.dk" = {
    forceSSL = true;
    enableACME = true;
    # NOTE(review): nothing here sets X-Forwarded-For / X-Forwarded-Proto, which
    # Authelia needs to log the real client address and to know the request came
    # in over HTTPS. This relies on services.nginx.recommendedProxySettings being
    # enabled elsewhere in the configuration -- confirm.
    locations."/".proxyPass = "http://localhost:${autheliaPort}";
  };

  # Keep the SQLite store (and notifier file) across reboots on an impermanent root.
  environment.persistence.root.directories = [ stateDir ];

  # agenix-decrypted key material, owned by the service user so no other account
  # on the host can read it.
  age.secrets = {
    authelia-jwt.owner = "authelia-main";
    authelia-storage.owner = "authelia-main";
    authelia-session.owner = "authelia-main";
    authelia-oidc-issuer-privatekey-pem.owner = "authelia-main";
  };

  # Grant the service user read access to the LDAP bind password through the
  # secret's group rather than by changing its owner.
  users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members = [ config.users.users.authelia-main.name ];
}