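# NixOS module: Authelia (instance "main") as the SSO / OIDC portal for auth.cloonar.com,
# with secrets supplied by sops-nix and nginx terminating TLS in front of it.
{ config, pkgs, ... }:
let
  # NOTE(review): this fetchTarball is unpinned (branch tarball, no sha256), so the
  # Authelia package built here changes with every evaluation and is not integrity-checked.
  # Pin a concrete nixpkgs revision and add its sha256 to make the build reproducible.
  unstable = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz") {
    config = config.nixpkgs.config;
    system = pkgs.system;
  };
in
{
  # Secrets are decrypted by sops-nix and made readable only by the Authelia service user.
  sops.secrets.authelia-jwt-secret = { owner = "authelia-main"; };
  sops.secrets.authelia-backend-ldap-password = { owner = "authelia-main"; };
  sops.secrets.authelia-storage-encryption-key = { owner = "authelia-main"; };
  sops.secrets.authelia-session-secret = { owner = "authelia-main"; };
  sops.secrets.authelia-identity-providers-oidc-hmac-secret = { owner = "authelia-main"; };
  # NOTE(review): declared here but not referenced below (neither in `secrets` nor in
  # `environmentVariables`); confirm whether the issuer certificate chain is meant to be wired in.
  sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = { owner = "authelia-main"; };
  sops.secrets.authelia-identity-providers-oidc-issuer-private-key = { owner = "authelia-main"; };

  services.authelia.instances.main = {
    package = unstable.authelia;
    enable = true;

    # Secret material is passed as file paths, never inlined into the generated config.
    secrets = {
      jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;
      storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
      sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
      oidcHmacSecretFile = config.sops.secrets.authelia-identity-providers-oidc-hmac-secret.path;
      oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-identity-providers-oidc-issuer-private-key.path;
    };

    environmentVariables = {
      "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path;
      # NOTE(review): the SMTP password is read from the *LDAP* password file. Confirm the
      # mail account really shares that credential; otherwise declare a separate sops secret
      # for it so the two credentials can be rotated independently.
      "AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path;
    };

    settings = {
      theme = "dark";
      default_redirection_url = "https://cloonar.com";
      # log = {
      #   level = "debug";
      #   format = "text";
      # };

      authentication_backend = {
        ldap = {
          url = "ldaps://ldap.cloonar.com";
          base_dn = "DC=cloonar,DC=com";
          additional_users_dn = "OU=users";
          users_filter = "(&({username_attribute}={input})(objectClass=person))";
          username_attribute = "mail";
          mail_attribute = "mail";
          display_name_attribute = "cn";
          additional_groups_dn = "OU=groups";
          groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
          group_name_attribute = "cn";
          permit_referrals = false;
          permit_unauthenticated_bind = false;
          # Bind DN used by Authelia itself; its password comes from the env var above.
          user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com";
        };
      };

      webauthn = {
        disable = false;
        display_name = "Authelia";
        attestation_conveyance_preference = "indirect";
        user_verification = "preferred";
        timeout = "60s";
      };

      totp = {
        disable = false;
        issuer = "auth.cloonar.com";
        algorithm = "sha1";
        digits = 6;
        period = 30;
        skew = 1;
        secret_size = 32;
      };

      access_control = {
        # Deny by default; the portal itself must be reachable unauthenticated, everything
        # else under cloonar.com requires a second factor.
        default_policy = "deny";
        rules = [
          { domain = ["auth.cloonar.com"]; policy = "bypass"; }
          { domain = ["*.cloonar.com"]; policy = "two_factor"; }
        ];
      };

      session = {
        name = "authelia_session";
        expiration = "12h";
        inactivity = "45m";
        remember_me_duration = "1M";
        domain = "cloonar.com";
        # todo: enable with 4.38
        # cookies = [
        #   {
        #     domain = "cloonar.com";
        #   }
        #   {
        #     domain = "cloonar.dev";
        #   }
        #   {
        #     domain = "gbv-aktuell.at";
        #     same_site = "strict";
        #   }
        # ];
      };

      # Brute-force throttling: 3 failures within 5m bans the source for 15m.
      regulation = {
        max_retries = 3;
        find_time = "5m";
        ban_time = "15m";
      };

      storage = {
        # mysql = {
        #   host = "/run/mysqld/mysqld.sock'";
        #   port = 3306;
        #   database = "authelia_main";
        #   username = "authelia_main";
        #   password = "socket_auth";
        #   timeout = "5s";
        # };
        local = {
          path = "/var/lib/authelia-main/db.sqlite3";
        };
      };

      notifier = {
        disable_startup_check = false;
        smtp = {
          host = "mail.cloonar.com";
          port = 25;
          username = "authelia@cloonar.com";
          # NOTE(review): looks truncated (display name without an address part) — confirm
          # the intended sender value; with the startup check enabled a malformed sender
          # will surface at service start.
          sender = "Authelia ";
        };
      };

      identity_providers = {
        oidc = {
          ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
          ## See: https://www.authelia.com/c/oidc
          # authorization_policies = {
          #   support = {
          #     default_policy = "deny";
          #     rules = [
          #       {
          #         policy = "two_factor";
          #         subject = "group:support"; # Deny access to users of services group
          #       }
          #       {
          #         policy = "two_factor";
          #         subject = "group:admin"; # Deny access to users of services group
          #       }
          #     ];
          #   };
          # };

          # Client secrets are stored as PBKDF2-SHA512 digests, not plaintext.
          # `authorization_policy = "one_factor"` is per client and independent of the
          # two_factor access_control rule above: OIDC sign-in to these clients needs
          # only the first factor.
          clients = [
            {
              id = "gitea";
              description = "Gitea";
              secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A";
              public = false;
              authorization_policy = "one_factor";
              redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
              consent_mode = "implicit";
              scopes = [ "openid" "profile" "email" ];
              userinfo_signing_algorithm = "none";
            }
            {
              id = "nextcloud";
              description = "Nextcloud";
              secret = "$pbkdf2-sha512$310000$jPzRYxmYCCDC/Go0Xti9rg$5K70qyNktBEs6PVnJYMrve4insptBzRD1eTi76zFVnJ2aFEc1.7f3yzRTpQ9HVWfEfxRoowXNMNdLxHeDcbLDw";
              public = false;
              authorization_policy = "one_factor";
              redirect_uris = [ "https://nextcloud.cloonar.com/apps/oidc_login/oidc" ];
              consent_mode = "implicit";
              scopes = [ "openid" "profile" "email" "groups" ];
              userinfo_signing_algorithm = "none";
            }
            {
              id = "grafana";
              description = "Grafana";
              secret = "$pbkdf2-sha512$310000$TP7.qfcevrHJFGcIMdZgGw$mLQ.AC5M28ETouxyiCeRkenQuKPvH0.oF1exp6LXBpleV56PI6sWrwmBgD7sMsHrMbkvCX4lNPx0vMf0urVpYA";
              public = false;
              authorization_policy = "one_factor";
              redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ];
              consent_mode = "implicit";
              scopes = [ "openid" "profile" "email" "groups" ];
              userinfo_signing_algorithm = "none";
            }
            {
              id = "freescout";
              description = "FreeScout Support platform";
              secret = "$pbkdf2-sha512$310000$5D3wUR7CnuoeHu3eNWfETw$SY0GTnZor3BlZKPyU3evH9QTlQG6Bm32RoPAlUgdIRJ8HmL3jRLVtmPLxOcJj06ZS/dDTRfkYej2RmD5cA3T4A";
              public = false;
              authorization_policy = "one_factor";
              redirect_uris = [ "https://support.cloonar.dev/oauth-login/callback/fryg87l64" ];
              consent_mode = "implicit";
              token_endpoint_auth_method = "client_secret_post";
              scopes = [ "openid" "profile" "email" "groups" ];
              userinfo_signing_algorithm = "none";
            }
          ];
        };
      };
    };
  };

  services.nginx.virtualHosts."auth.cloonar.com" = {
    enableACME = true;
    forceSSL = true;
    acmeRoot = null;

    # The forward-auth endpoint is only meant for the reverse proxies that call it.
    # This location carries no real_ip directives, so allow/deny here match the actual
    # TCP peer address rather than any forwarded header.
    locations."/api/verify" = {
      proxyPass = "http://127.0.0.1:9091";
      proxyWebsockets = true;
      extraConfig = ''
        allow 127.0.0.1;
        allow 49.12.244.139;
        allow 77.119.230.30;
        deny all;
      '';
    };

    locations."/" = {
      proxyPass = "http://127.0.0.1:9091";
      proxyWebsockets = true;
      extraConfig = ''
        client_body_buffer_size 128k;

        #Timeout if the real server is dead
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

        # Advanced Proxy Config
        send_timeout 5m;
        proxy_read_timeout 360;
        proxy_send_timeout 360;
        proxy_connect_timeout 360;

        # Basic Proxy Config
        proxy_set_header Host $host;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect http:// $scheme://;
        proxy_set_header Connection "";
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;
        proxy_buffers 64 256k;

        # If behind reverse proxy, forwards the correct IP.
        # Only these upstream proxy ranges may override the client address via
        # X-Forwarded-For; Authelia's regulation (ban) logic and the X-Real-IP header
        # above depend on it, so the list must not include public space.
        # Fix: the RFC 1918 block is 172.16.0.0/12 — the previous 172.0.0.0/8 trusted
        # every public 172.x.x.x source to assert an arbitrary client IP.
        set_real_ip_from 10.0.0.0/8;
        set_real_ip_from 172.16.0.0/12;
        set_real_ip_from 192.168.0.0/16;
        set_real_ip_from fc00::/7;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
      '';
    };
  };
}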