authelia: update stopped providing claims in response
This adds the default claims policy, which can be used to restore the
previous behaviour. The services that require it still need to be identified.

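{ pkgs, config, ... }:
# Authelia SSO portal (auth.<domain>): LDAP (lldap) as the user backend,
# redis-backed sessions, SMTP notifier, OIDC provider, fronted by nginx.
let
  svc_domain = "auth.${config.mine.shared.settings.domain}";
  authelia_user = "authelia-main";
  autheliaStateDir = "/var/lib/authelia-main";
  smtp_username = "authelia";
  # Loopback port authelia listens on; nginx proxies to it below.
  port = 9091;
in {
  services.authelia.instances.main = {
    enable = true;

    # Patch the login portal so the "Remember me" checkbox is ticked by default.
    # Security note: this opts every login into the longer remember-me session
    # lifetime unless the user unticks the box. That lifetime is not configured
    # in this file (Authelia's own default applies) -- review
    # session.remember_me if shorter sessions are wanted.
    package = pkgs.authelia.override {
      authelia-web = pkgs.authelia.passthru.web.overrideAttrs (old: {
        postPatch = old.postPatch + ''
          substituteInPlace src/views/LoginPortal/FirstFactor/FirstFactorForm.tsx \
          --replace-fail "const [rememberMe, setRememberMe] = useState(false)" "const [rememberMe, setRememberMe] = useState(true)"
        '';
      });
    };

    # The LDAP bind and SMTP passwords are handed over as *_FILE environment
    # variables; the remaining secrets go through the module's `secrets`
    # options. All of them are agenix-managed files owned by the service user
    # (see `age.secrets` at the bottom).
    environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.lldap-bind-user-pass.path;
    environmentVariables.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;
    secrets = {
      jwtSecretFile = config.age.secrets.authelia-jwt.path;
      storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
      sessionSecretFile = config.age.secrets.authelia-session.path;
      oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-privatekey-pem.path;
    };

    settings = {
      # One session cookie scoped to the parent domain, so every service under
      # *.<domain> shares the SSO session. A domain cookie is sent to all
      # subdomains, so anything served under that domain can read it -- keep
      # untrusted apps off this domain.
      session.cookies = [ {
        domain = config.mine.shared.settings.domain;
        authelia_url = "https://${svc_domain}";
      } ];

      # Sessions are kept in redis over a unix socket (instance defined below).
      # With the default in-memory store everyone is logged out whenever
      # authelia restarts.
      session.redis.host = "${config.services.redis.servers.authelia.unixSocket}";

      # Listen on loopback only; nginx terminates TLS and proxies here.
      server.address = "tcp://127.0.0.1:${builtins.toString port}";

      # Every protected resource without a more specific access-control rule
      # requires a second factor. The rules themselves are not in this file.
      access_control.default_policy = "two_factor";
      totp.issuer = svc_domain;
      storage.local.path = "${autheliaStateDir}/authelia.sqlite3";

      # Outbound mail for password resets / identity verification, sent via
      # the shared mail host using the submissions:// scheme (SMTP over TLS).
      # The password comes from AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE above.
      notifier.smtp = rec {
        address = "submissions://${config.mine.shared.settings.mail.domain_smtp}:${builtins.toString config.mine.shared.settings.mail.ports.submissions}";
        username = smtp_username;
        sender = "Authelia <${username}@${config.mine.shared.settings.domain}>";
        # Name presented to the mail server in HELO/EHLO.
        identifier = config.networking.hostName;
        # Pin the expected certificate name to the mail host.
        tls.server_name = config.mine.shared.settings.mail.domain_smtp;
      };

      authentication_backend = {
        # Self-service password reset is on; it depends on the notifier above.
        password_reset.disable = false;
        refresh_interval = "1m";
        ldap = {
          implementation = "custom";
          # Plain ldap:// without StartTLS is only acceptable because lldap runs
          # on this host and the connection never leaves loopback. Revisit if
          # the LDAP server is ever moved off-box.
          address = "ldap://localhost:${builtins.toString config.services.lldap.settings.ldap_port}";
          timeout = "5s";
          start_tls = false;
          base_dn = config.mine.shared.settings.ldap.dc;
          additional_users_dn = "ou=${config.mine.shared.settings.ldap.ou.users}";
          additional_groups_dn = "ou=${config.mine.shared.settings.ldap.ou.groups}";
          # Match a person entry by either username or mail address; the
          # {username_attribute}/{mail_attribute}/{input} placeholders are
          # expanded by authelia.
          users_filter = config.mine.shared.lib.ldap.mkFilter (lconfig: llib:
            llib.mkAnd [
              (llib.mkOC lconfig.oc.person)
              (llib.mkOr [
                (llib.mkSearch "{username_attribute}" "{input}")
                (llib.mkSearch "{mail_attribute}" "{input}")
              ])
            ]
          );
          groups_filter = "(member={dn})";
          attributes = {
            username = config.mine.shared.settings.ldap.attr.uid;
            display_name = config.mine.shared.settings.ldap.attr.firstname;
            group_name = config.mine.shared.settings.ldap.attr.groupname;
            mail = config.mine.shared.settings.ldap.attr.email;
          };
          # Bind DN for lookups; its password is supplied via the *_FILE env var.
          user = config.mine.shared.settings.ldap.bind_dn;
        };
      };

      # Newer authelia no longer puts profile claims into the ID token by
      # default; relying parties are expected to call the `userinfo` endpoint.
      # Not all of them do, so this policy restores the old behaviour.
      # https://github.com/pulsejet/nextcloud-oidc-login/issues/311#issuecomment-2763239352
      #
      # NOTE(review): a claims policy only takes effect for clients that
      # reference it (claims_policy = "default"); the OIDC clients are configured
      # elsewhere, so check which of them actually opt in. Every client that does
      # receives `groups` and the e-mail claims in its ID token.
      identity_providers.oidc.claims_policies.default.id_token = [
        "rat"
        "groups"
        "email"
        "email_verified"
        "alt_emails"
        "preferred_username"
        "name"
      ];
    };
  };

  # Redis instance backing the session store (so sessions survive restarts).
  # It runs as the authelia user, presumably so authelia can open the unix
  # socket without extra socket permissions -- confirm against the redis module.
  services.redis.servers.authelia = {
    enable = true;
    user = authelia_user;
  };

  # Provision the lldap system user that authelia authenticates to the mail
  # server as; it shares the SMTP password secret used by the notifier above.
  services.lldap.provision.users = config.mine.shared.lib.ldap.mkScope (lconfig: llib: {
    authelia = llib.mkProvisionUserSystem "authelia" config.age.secrets.authelia-smtp-password.path;
  });

  # Public TLS endpoint for the portal. Proxy to the literal loopback address
  # authelia binds (server.address above) rather than "localhost", which may
  # resolve to ::1 first -- nothing listens there.
  # NOTE(review): authelia relies on X-Forwarded-Proto/Host from the proxy;
  # none are set in this location, so they must come from
  # services.nginx.recommendedProxySettings configured elsewhere -- confirm.
  services.nginx.virtualHosts."${svc_domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/".proxyPass = "http://127.0.0.1:${builtins.toString port}";
  };

  # Keep the sqlite database (users' TOTP/webauthn state) across reboots.
  environment.persistence.root.directories = [
    autheliaStateDir
  ];

  # Secrets readable only by the authelia service user.
  age.secrets = {
    authelia-jwt.owner = authelia_user;
    authelia-storage.owner = authelia_user;
    authelia-session.owner = authelia_user;
    authelia-oidc-issuer-privatekey-pem.owner = authelia_user;
    authelia-smtp-password.owner = authelia_user;
  };

  # The LDAP bind password is shared with lldap, so instead of changing its
  # owner, authelia is added to the secret's group.
  users.groups."${config.age.secrets.lldap-bind-user-pass.group}".members = [ config.users.users.authelia-main.name ];

  # Export the portal domain for other modules.
  mine.shared.settings.authelia.domain = svc_domain;
}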