initial authelia config

2023-08-17 01:04:21 +02:00
parent 819c34ee7d
commit 7f05bc88e7
4 changed files with 164 additions and 0 deletions
--- a/utils/modules/authelia/default.nix
+++ b/utils/modules/authelia/default.nix
@@ -0,0 +1,125 @@
+{ config, ... }:
+
+{
+  sops.secrets.authelia-jwt-secret = {
+    sopsFile = ./secrets.yaml;
+  };
+  sops.secrets.authelia-backend-ldap-password = {
+    sopsFile = ./secrets.yaml;
+  };
+  sops.secrets.authelia-storage-encryption-key = {
+    sopsFile = ./secrets.yaml;
+  };
+  sops.secrets.authelia-session-secret = {
+    sopsFile = ./secrets.yaml;
+  };
+
+  services.authelia.instances.main = {
+    enable = true;
+    secrets = {
+      jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;
+      storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
+      sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
+      authenticationBackendLDAPPasswordFile = config.sops.secrets.authelia-backend-ldap-password.path;
+    };
+    settings = {
+      theme = "dark";
+      default_redirection_url = "https://cloud.cloonar.com";
+  
+      server = {
+        host = "127.0.0.1";
+        port = 9091;
+      };
+  
+      # log = {
+      #   level = "debug";
+      #   format = "text";
+      # };
+  
+      authentication_backend = {
+        ldap = {
+          url = "ldaps://ldap.cloonar.com";
+          timout = "5s";
+          base_dn = "DC=cloonar,DC=com";
+          additional_users_dn = "OU=users";
+          users_filter = "(&({username_attribute}={input})(objectClass=person))";
+          username_attribute = "uid";
+          mail_attribute = "mail";
+          display_name_attribute = "displayName";
+          additional_groups_dn = "OU=groups";
+          groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
+          group_name_attribute = "cn";
+          permit_referrals = false;
+          permit_unauthenticated_bind = false;
+          user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com";
+        }
+      };
+  
+      # access_control = {
+      #   default_policy = "deny";
+      #   rules = [
+      #     {
+      #       domain = ["auth.example.com"];
+      #       policy = "bypass";
+      #     }
+      #     {
+      #       domain = ["*.example.com"];
+      #       policy = "one_factor";
+      #     }
+      #   ];
+      # };
+  
+      session = {
+        name = "authelia_session";
+        expiration = "12h";
+        inactivity = "45m";
+        remember_me_duration = "1M";
+        domain = "auth.cloonar.com";
+      };
+  
+      regulation = {
+        max_retries = 3;
+        find_time = "5m";
+        ban_time = "15m";
+      };
+  
+      storage = {
+        mysql = {
+          host = "/run/mysqld/mysqld.sock'";
+          database = "authelia";
+          username = "authelia";
+          timeout = "5s";
+        };
+      };
+  
+      notifier = {
+        disable_startup_check = false;
+        filesystem = {
+          filename = "/var/lib/authelia-main/notification.txt";
+        };
+      };
+    };
+  };
+  services.nginx.virtualHosts."auth.cloonar.com" = {
+    enableACME = true;
+    forceSSL = true;
+    acmeRoot = null;
+
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:9091";
+      proxyWebsockets = true;
+    };
+  };
+
+  config.services.mysql.ensureUsers = [
+    {
+      name = "authelia";
+      ensurePermissions = {
+        "authelia.*" = "ALL PRIVILEGES";
+      };
+    }
+  ];
+
+  config.services.mysql.ensureDatabases = [ "authelia" ];
+  config.services.mysqlBackup.databases = [ "authelia" ];
+}