# NixOS module: Authelia ("main" instance) authenticating against LDAP, with
# every secret delivered through sops-nix and the portal published by an
# ACME-enabled nginx virtual host that proxies to the loopback listener.
{ config, ... }:
let
  # All four Authelia secrets come from the same encrypted file and must be
  # readable by the service user, so they are generated from one template.
  secretOwner = "authelia-main";
  secretNames = [
    "authelia-jwt-secret"
    "authelia-backend-ldap-password"
    "authelia-storage-encryption-key"
    "authelia-session-secret"
  ];
  mkSecret = name: {
    name = name;
    value = {
      owner = secretOwner;
      sopsFile = ./secrets.yaml;
    };
  };
  # Path of the decrypted secret as exposed by sops-nix.
  secretPath = name: config.sops.secrets.${name}.path;
in
{
  sops.secrets = builtins.listToAttrs (map mkSecret secretNames);

  services.authelia.instances.main = {
    enable = true;

    # Secrets are handed over as file paths; no secret material lives in the store.
    secrets = {
      jwtSecretFile = secretPath "authelia-jwt-secret";
      storageEncryptionKeyFile = secretPath "authelia-storage-encryption-key";
      sessionSecretFile = secretPath "authelia-session-secret";
    };

    # The LDAP bind password is passed through Authelia's *_FILE environment
    # variable rather than a `secrets.*` option.
    environmentVariables = {
      "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE" = secretPath "authelia-backend-ldap-password";
    };

    settings = {
      theme = "dark";
      default_redirection_url = "https://cloud.cloonar.com";

      # Loopback only; the nginx virtual host below is the public entry point.
      server = {
        host = "127.0.0.1";
        port = 9091;
      };

      # log = {
      #   level = "debug";
      #   format = "text";
      # };

      authentication_backend.ldap = {
        url = "ldaps://ldap.cloonar.com";
        base_dn = "DC=cloonar,DC=com";
        additional_users_dn = "OU=users";
        users_filter = "(&({username_attribute}={input})(objectClass=person))";
        username_attribute = "mail";
        mail_attribute = "mail";
        display_name_attribute = "displayName";
        additional_groups_dn = "OU=groups";
        groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
        group_name_attribute = "cn";
        permit_referrals = false;
        # Keep false: an empty-password (unauthenticated) LDAP bind must never
        # count as a successful login.
        permit_unauthenticated_bind = false;
        user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com";
      };

      access_control = {
        default_policy = "one_factor";
        # rules = [
        #   {
        #     domain = ["auth.example.com"];
        #     policy = "bypass";
        #   }
        #   {
        #     domain = ["*.example.com"];
        #     policy = "one_factor";
        #   }
        # ];
      };

      session = {
        name = "authelia_session";
        expiration = "12h";
        inactivity = "45m";
        remember_me_duration = "1M";
        # NOTE(review): the cookie domain is the portal host itself, so the
        # session is not shared with other cloonar.com hosts -- fine for the
        # OIDC-only setup below; confirm if forward-auth is ever added.
        domain = "auth.cloonar.com";
      };

      # Brute-force throttling: 3 failures within 5 minutes bans for 15 minutes.
      regulation = {
        max_retries = 3;
        find_time = "5m";
        ban_time = "15m";
      };

      storage = {
        # mysql = {
        #   host = "/run/mysqld/mysqld.sock'";
        #   port = 3306;
        #   database = "authelia_main";
        #   username = "authelia_main";
        #   password = "socket_auth";
        #   timeout = "5s";
        # };
        local.path = "/var/lib/authelia-main/db.sqlite3";
      };

      notifier = {
        disable_startup_check = false;
        # Notifications are written to a local file instead of being mailed.
        filesystem.filename = "/var/lib/authelia-main/notification.txt";
      };

      identity_providers.oidc = {
        ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
        ## See: https://www.authelia.com/c/oidc
        clients = [
          {
            id = "nextcloud";
            description = "NextCloud";
            # Client secrets are stored as PBKDF2 digests, not in plaintext.
            secret = "$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng";
            public = false;
            authorization_policy = "one_factor";
            # NOTE(review): still the example.com placeholder while every other
            # host in this file is under cloonar.com; the redirect URI must match
            # the deployed Nextcloud exactly, so confirm and replace.
            redirect_uris = [ "https://nextcloud.example.com/apps/oidc_login/oidc" ];
            scopes = [ "openid" "profile" "email" "groups" ];
            userinfo_signing_algorithm = "none";
          }
          {
            id = "gitea";
            description = "Gitea";
            secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A";
            public = false;
            authorization_policy = "one_factor";
            redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
            scopes = [ "openid" "profile" "email" ];
            userinfo_signing_algorithm = "none";
          }
        ];
      };
    };
  };

  # Public TLS front door for the portal. `acmeRoot = null` means this vhost
  # serves no HTTP-01 webroot, so the certificate is presumably obtained via
  # another challenge configured elsewhere -- confirm.
  services.nginx.virtualHosts."auth.cloonar.com" = {
    enableACME = true;
    forceSSL = true;
    acmeRoot = null;
    locations."/" = {
      proxyPass = "http://127.0.0.1:9091";
      proxyWebsockets = true;
    };
  };
}