fricloud/server-configs
2
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity Actions
server-configs/machines/gerd/services/authelia/authelia.nix

108 lines
3.7 KiB
Nix
Raw Blame History

{ config, ... }:
let
svc_domain = "auth.${config.mine.shared.settings.domain}";
authelia_user = "authelia-main";
autheliaStateDir = "/var/lib/authelia-main";
smtp_username = "authelia";
port = 9091;
in {
services.authelia.instances.main = {
enable = true;
environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.lldap-bind-user-pass.path;
environmentVariables.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;
secrets = {
jwtSecretFile = config.age.secrets.authelia-jwt.path;
storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
sessionSecretFile = config.age.secrets.authelia-session.path;
oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-privatekey-pem.path;
};
settings = {
session.cookies = [ {
domain = svc_domain;
authelia_url = "https://${svc_domain}";
} ];
server.address = "tcp://127.0.0.1:${builtins.toString port}";
# totp - disable for now, as it requires email server
access_control.default_policy = "two_factor";
totp.issuer = svc_domain;
storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
notifier.smtp = rec {
address = "submissions://${config.mine.shared.settings.mail.domain_smtp}:${builtins.toString config.mine.shared.settings.mail.ports.submissions}";
username = smtp_username;
sender = "Authelia <${username}@${config.mine.shared.settings.domain}>";
identifier = config.networking.hostName;
tls.server_name = config.mine.shared.settings.mail.domain_smtp;
};
authentication_backend = {
password_reset.disable = false;
refresh_interval = "1m";
ldap = {
implementation = "custom";
address = "ldap://localhost:${builtins.toString config.services.lldap.settings.ldap_port}";
timeout = "5s";
start_tls = false;
base_dn = config.mine.shared.settings.ldap.dc;
additional_users_dn = "ou=${config.mine.shared.settings.ldap.ou.users}";
additional_groups_dn = "ou=${config.mine.shared.settings.ldap.ou.groups}";
users_filter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
llib.mkAnd [
(llib.mkOC lconfig.oc.person)
(llib.mkOr [
(llib.mkSearch "{username_attribute}" "{input}")
(llib.mkSearch "{mail_attribute}" "{input}")
])
]
);
groups_filter = "(member={dn})";
attributes = {
username = config.mine.shared.settings.ldap.attr.uid;
display_name = config.mine.shared.settings.ldap.attr.firstname;
group_name = config.mine.shared.settings.ldap.attr.groupname;
mail = config.mine.shared.settings.ldap.attr.email;
};
user = config.mine.shared.settings.ldap.bind_dn;
};
};
};
};
services.nginx.virtualHosts."${svc_domain}" = {
forceSSL = true;
enableACME = true;
locations."/".proxyPass = "http://localhost:${builtins.toString port}";
};
# persistent files
environment.persistence.root.directories = [
autheliaStateDir
];
# setup secrets for authelia
age.secrets = {
authelia-jwt.owner = authelia_user;
authelia-storage.owner = authelia_user;
authelia-session.owner = authelia_user;
authelia-oidc-issuer-privatekey-pem.owner = authelia_user;
authelia-smtp-password.owner = authelia_user;
};
users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members = [ config.users.users.authelia-main.name ];
# settings
mine.shared.settings.authelia.domain = svc_domain;
}
Reference in a new issue View git blame Copy permalink