{ config, ... }: { sops.secrets.authelia-jwt-secret = { owner = "authelia-main"; sopsFile = ./secrets.yaml; }; sops.secrets.authelia-backend-ldap-password = { owner = "authelia-main"; sopsFile = ./secrets.yaml; }; sops.secrets.authelia-storage-encryption-key = { owner = "authelia-main"; sopsFile = ./secrets.yaml; }; sops.secrets.authelia-session-secret = { owner = "authelia-main"; sopsFile = ./secrets.yaml; }; sops.secrets.authelia-identity-providers-oidc-hmac-secret = { owner = "authelia-main"; sopsFile = ./secrets.yaml; }; sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = { owner = "authelia-main"; sopsFile = ./secrets.yaml; }; sops.secrets.authelia-identity-providers-oidc-issuer-private-key = { owner = "authelia-main"; sopsFile = ./secrets.yaml; }; services.authelia.instances.main = { enable = true; secrets = { jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path; storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path; sessionSecretFile = config.sops.secrets.authelia-session-secret.path; oidcHmacSecretFile = config.sops.secrets.authelia-identity-providers-oidc-hmac-secret.path; oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-identity-providers-oidc-issuer-private-key.path; }; environmentVariables = { "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path; }; settings = { theme = "dark"; default_redirection_url = "https://cloonar.com"; server = { host = "127.0.0.1"; port = 9091; }; # log = { # level = "debug"; # format = "text"; # }; authentication_backend = { ldap = { url = "ldaps://ldap.cloonar.com"; base_dn = "DC=cloonar,DC=com"; additional_users_dn = "OU=users"; users_filter = "(&({username_attribute}={input})(objectClass=person))"; username_attribute = "mail"; mail_attribute = "mail"; display_name_attribute = "displayName"; additional_groups_dn = "OU=groups"; groups_filter = "(&(member={dn})(objectClass=groupOfNames))"; group_name_attribute = "cn"; permit_referrals = false; permit_unauthenticated_bind = false; user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com"; }; }; access_control = { default_policy = "deny"; rules = [ { domain = ["auth.cloonar.com"]; policy = "bypass"; } { domain = ["*.cloonar.com"]; policy = "one_factor"; } ]; }; session = { name = "authelia_session"; expiration = "12h"; inactivity = "45m"; remember_me_duration = "1M"; domain = "cloonar.com"; # todo: enable with 4.38 # cookies = [ # { # domain = "cloonar.com"; # } # { # domain = "cloonar.dev"; # } # { # domain = "gbv-aktuell.at"; # same_site = "strict"; # } # ]; }; regulation = { max_retries = 3; find_time = "5m"; ban_time = "15m"; }; storage = { # mysql = { # host = "/run/mysqld/mysqld.sock'"; # port = 3306; # database = "authelia_main"; # username = "authelia_main"; # password = "socket_auth"; # timeout = "5s"; # }; local = { path = "/var/lib/authelia-main/db.sqlite3"; }; }; notifier = { disable_startup_check = false; filesystem = { filename = "/var/lib/authelia-main/notification.txt"; }; }; identity_providers = { oidc = { ## The other portions of the mandatory OpenID Connect 1.0 configuration go here. ## See: https://www.authelia.com/c/oidc clients = [ { id = "gitea"; description = "Gitea"; secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A"; public = false; authorization_policy = "one_factor"; redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ]; pre_configured_consent_duration = "1y"; scopes = [ "openid" "profile" "email" ]; userinfo_signing_algorithm = "none"; } { id = "nextcloud"; description = "Nextcloud"; secret = "$pbkdf2-sha512$310000$UqX35Fh.7uTZLQqD.mk5wg$e139D4g9SGUFc.ZdKt3RAZljC8A7C9nixUQd7rQoHFMKop643SuwfazjNn0ehdyAjydM2zV.KzKnMLgSajo.xw"; public = false; authorization_policy = "one_factor"; redirect_uris = [ "https://nextcloud.cloonar.com/apps/oidc_login/oidc" "https://cloud.cloonar.com/apps/user_oidc/code" ]; pre_configured_consent_duration = "1y"; scopes = [ "openid" "profile" "email" "groups" ]; userinfo_signing_algorithm = "none"; } { id = "hv"; description = "proxmox"; secret = "$pbkdf2-sha512$310000$j5XK.Af8d3BImh/tzaffoA$//S88bs99FmA0I48w2V862cgyCl7vvLIfXh9LNaZJs69jjcTYdzcFRgca8Nt23.6EouVT8cv/92MLJqOEI6Gow"; public = false; authorization_policy = "one_factor"; redirect_uris = [ "https://hv.cloonar.com:8006" ]; pre_configured_consent_duration = "1y"; scopes = [ "openid" "profile" "email" "groups" ]; userinfo_signing_algorithm = "none"; } { id = "grafana"; description = "Grafana"; secret = "$pbkdf2-sha512$310000$TP7.qfcevrHJFGcIMdZgGw$mLQ.AC5M28ETouxyiCeRkenQuKPvH0.oF1exp6LXBpleV56PI6sWrwmBgD7sMsHrMbkvCX4lNPx0vMf0urVpYA"; public = false; authorization_policy = "one_factor"; redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ]; pre_configured_consent_duration = "1y"; scopes = [ "openid" "profile" "email" "groups" ]; userinfo_signing_algorithm = "none"; } ]; }; }; }; }; services.nginx.virtualHosts."auth.cloonar.com" = { enableACME = true; forceSSL = true; acmeRoot = null; locations."/api/verify" = { proxyPass = "http://127.0.0.1:9091"; proxyWebsockets = true; extraConfig = '' allow 127.0.0.1; allow 49.12.244.139; deny all; ''; }; locations."/" = { proxyPass = "http://127.0.0.1:9091"; proxyWebsockets = true; extraConfig = '' client_body_buffer_size 128k; #Timeout if the real server is dead proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Advanced Proxy Config send_timeout 5m; proxy_read_timeout 360; proxy_send_timeout 360; proxy_connect_timeout 360; # Basic Proxy Config proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Uri $request_uri; proxy_set_header X-Forwarded-Ssl on; proxy_redirect http:// $scheme://; proxy_set_header Connection ""; proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_buffers 64 256k; # If behind reverse proxy, forwards the correct IP set_real_ip_from 10.0.0.0/8; set_real_ip_from 172.0.0.0/8; set_real_ip_from 192.168.0.0/16; set_real_ip_from fc00::/7; real_ip_header X-Forwarded-For; real_ip_recursive on; ''; }; }; }