nixos/utils/modules/authelia/default.nix

{ config, ... }:

{
  sops.secrets.authelia-jwt-secret = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-backend-ldap-password = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-storage-encryption-key = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-session-secret = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-identity-providers-oidc-hmac-secret = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-identity-providers-oidc-issuer-private-key = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };

  services.authelia.instances.main = {
    enable = true;
    secrets = {
      jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;
      storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
      sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
      oidcHmacSecretFile = config.sops.secrets.authelia-identity-providers-oidc-hmac-secret.path;
      oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-identity-providers-oidc-issuer-private-key.path;
    };
    environmentVariables = {
      "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path;

    };
    settings = {
      theme = "dark";
      default_redirection_url = "https://cloonar.com";
  
      server = {
        host = "127.0.0.1";
        port = 9091;
      };
  
      # log = {
      #   level = "debug";
      #   format = "text";
      # };
  
      authentication_backend = {
        ldap = {
          url = "ldaps://ldap.cloonar.com";
          base_dn = "DC=cloonar,DC=com";
          additional_users_dn = "OU=users";
          users_filter = "(&({username_attribute}={input})(objectClass=person))";
          username_attribute = "mail";
          mail_attribute = "mail";
          display_name_attribute = "displayName";
          additional_groups_dn = "OU=groups";
          groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
          group_name_attribute = "cn";
          permit_referrals = false;
          permit_unauthenticated_bind = false;
          user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com";
        };
      };
  
      access_control = {
        default_policy = "deny";
        rules = [
          {
            domain = ["auth.cloonar.com"];
            policy = "bypass";
          }
          {
            domain = ["*.cloonar.com"];
            policy = "one_factor";
          }
        ];
      };
  
      session = {
        name = "authelia_session";
        expiration = "12h";
        inactivity = "45m";
        remember_me_duration = "1M";
        domain = "auth.cloonar.com";
      };
  
      regulation = {
        max_retries = 3;
        find_time = "5m";
        ban_time = "15m";
      };
  
      storage = {
        # mysql = {
        #   host = "/run/mysqld/mysqld.sock'";
        #   port = 3306;
        #   database = "authelia_main";
        #   username = "authelia_main";
        #   password = "socket_auth";
        #   timeout = "5s";
        # };
        local = {
          path = "/var/lib/authelia-main/db.sqlite3";
        };
      };
  
      notifier = {
        disable_startup_check = false;
        filesystem = {
          filename = "/var/lib/authelia-main/notification.txt";
        };
      };
      identity_providers = {
        oidc = {
          ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
          ## See: https://www.authelia.com/c/oidc
          clients = [
            {
              id = "gitea";
              description = "Gitea";
              secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A";
              public = false;
              authorization_policy = "one_factor";
              redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
              pre_configured_consent_duration = "1y";
              scopes = [
                "openid"
                "profile"
                "email"
              ];
              userinfo_signing_algorithm = "none";
            }
          ];
        };
      };
    };
  };
  services.nginx.virtualHosts."auth.cloonar.com" = {
    enableACME = true;
    forceSSL = true;
    acmeRoot = null;

    locations."/" = {
      proxyPass = "http://127.0.0.1:9091";
      proxyWebsockets = true;

      extraConfig = ''
        client_body_buffer_size 128k;

        #Timeout if the real server is dead
        proxy_next_upstream error timeout invalid_header http_500 http_502     http_503;

        # Advanced Proxy Config
        send_timeout 5m;
        proxy_read_timeout 360;
        proxy_send_timeout 360;
        proxy_connect_timeout 360;

        # Basic Proxy Config
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Uri $request_uri;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect  http://  $scheme://;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;
        proxy_buffers 64 256k;

        # If behind reverse proxy, forwards the correct IP
        set_real_ip_from 10.0.0.0/8;
        set_real_ip_from 172.0.0.0/8;
        set_real_ip_from 192.168.0.0/16;
        set_real_ip_from fc00::/7;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
      '';
    };
  };
}