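{ config, ... }:

let
  # Public hostname the SSO portal is served on. It doubles as the TOTP
  # issuer label and as the session cookie's authelia_url.
  svc_domain = "auth.${config.mine.shared.settings.domain}";

  # System user the "main" Authelia instance runs as; every age secret
  # below is chowned to it so the daemon can read the *_FILE paths.
  authelia_user = "authelia-main";

  # State directory holding the SQLite storage backend (persisted below).
  autheliaStateDir = "/var/lib/authelia-main";

  smtp_username = "authelia";

  # Authelia only listens on loopback; nginx is the sole intended client.
  # The same literal is used for the bind address and for proxy_pass so
  # nginx cannot pick an address family (::1) the daemon is not bound to.
  listenAddr = "127.0.0.1";
  port = 9091;
in {
  services.authelia.instances.main = {
    enable = true;

    # Credentials are handed over as *_FILE environment variables rather
    # than inline values so they never land in the world-readable Nix store.
    environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.lldap-bind-user-pass.path;
    environmentVariables.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;

    secrets = {
      jwtSecretFile = config.age.secrets.authelia-jwt.path;
      # Keep this key and autheliaStateDir in sync across rebuilds: the
      # SQLite database is only usable with the key it was written under.
      storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
      sessionSecretFile = config.age.secrets.authelia-session.path;
      oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-privatekey-pem.path;
    };

    settings = {
      # One cookie scoped to the apex domain so every protected subdomain
      # shares the session.
      session.cookies = [ {
        domain = config.mine.shared.settings.domain;
        authelia_url = "https://${svc_domain}";
      } ];

      server.address = "tcp://${listenAddr}:${builtins.toString port}";

      # Every protected resource requires a second factor by default.
      # TOTP enrolment depends on the SMTP notifier configured below being
      # able to deliver mail, so the notifier is not optional here.
      access_control.default_policy = "two_factor";
      totp.issuer = svc_domain;

      storage.local.path = "${autheliaStateDir}/authelia.sqlite3";

      notifier.smtp = rec {
        # submissions:// selects TLS from the first byte (not STARTTLS);
        # tls.server_name must match the certificate the mail host presents.
        address = "submissions://${config.mine.shared.settings.mail.domain_smtp}:${builtins.toString config.mine.shared.settings.mail.ports.submissions}";
        username = smtp_username;
        sender = "Authelia <${username}@${config.mine.shared.settings.domain}>";
        identifier = config.networking.hostName;
        tls.server_name = config.mine.shared.settings.mail.domain_smtp;
      };

      authentication_backend = {
        # Self-service password reset is enabled; it is gated by the
        # notifier delivering the reset link to the user's mail attribute.
        password_reset.disable = false;
        refresh_interval = "1m";

        ldap = {
          # NOTE(review): "custom" with explicit attribute mappings is kept;
          # newer Authelia releases also ship an `lldap` preset — confirm
          # against the deployed version before switching.
          implementation = "custom";

          # Plain LDAP without STARTTLS is acceptable only because the bind
          # goes over loopback to the local lldap instance. If this address
          # ever points off-host, the bind password crosses the wire in
          # the clear — enable start_tls or use ldaps:// at that point.
          address = "ldap://localhost:${builtins.toString config.services.lldap.settings.ldap_port}";
          timeout = "5s";
          start_tls = false;

          base_dn = config.mine.shared.settings.ldap.dc;
          additional_users_dn = "ou=${config.mine.shared.settings.ldap.ou.users}";
          additional_groups_dn = "ou=${config.mine.shared.settings.ldap.ou.groups}";

          # Users may log in with either their username or their mail
          # address. The {input} / {username_attribute} / {mail_attribute}
          # placeholders are Authelia's and are substituted (and escaped)
          # by Authelia at query time — the project helper must emit them
          # verbatim rather than pre-expanding them.
          users_filter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
            llib.mkAnd [
              (llib.mkOC lconfig.oc.person)
              (llib.mkOr [
                (llib.mkSearch "{username_attribute}" "{input}")
                (llib.mkSearch "{mail_attribute}" "{input}")
              ])
            ]
          );
          groups_filter = "(member={dn})";

          attributes = {
            username = config.mine.shared.settings.ldap.attr.uid;
            display_name = config.mine.shared.settings.ldap.attr.firstname;
            group_name = config.mine.shared.settings.ldap.attr.groupname;
            mail = config.mine.shared.settings.ldap.attr.email;
          };

          # Bind DN; its password arrives via the *_LDAP_PASSWORD_FILE
          # variable above.
          user = config.mine.shared.settings.ldap.bind_dn;
        };
      };
    };
  };

  # TLS-terminating reverse proxy in front of the loopback listener.
  # NOTE(review): Authelia relies on X-Forwarded-Proto/Host to build
  # redirect URLs and validate the cookie domain; make sure
  # services.nginx.recommendedProxySettings (or equivalent headers) is set
  # elsewhere in this configuration.
  services.nginx.virtualHosts."${svc_domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://${listenAddr}:${builtins.toString port}";
  };

  # Persist the storage backend across reboots.
  # NOTE(review): the directory takes the persistence module's default
  # owner/mode — confirm it ends up owned by authelia_user and not
  # world-readable, since it holds the session/OIDC/TOTP database.
  environment.persistence.root.directories = [
    autheliaStateDir
  ];

  # Secrets exclusively used by this instance are owned by its user.
  age.secrets = {
    authelia-jwt.owner = authelia_user;
    authelia-storage.owner = authelia_user;
    authelia-session.owner = authelia_user;
    authelia-oidc-issuer-privatekey-pem.owner = authelia_user;
    authelia-smtp-password.owner = authelia_user;
  };

  # The LDAP bind password is not owned here (presumably shared with the
  # lldap module), so grant read access through the secret's group instead.
  # This only works if that secret's mode allows group read — confirm where
  # lldap-bind-user-pass is declared.
  users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members = [ config.users.users.authelia-main.name ];

  # Export the portal hostname for other modules (e.g. forward-auth snippets).
  mine.shared.settings.authelia.domain = svc_domain;
}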