nixos/utils/modules/authelia/default.nix

{ config, ... }:

{
  sops.secrets.authelia-jwt-secret = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-backend-ldap-password = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-storage-encryption-key = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-session-secret = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-identity-providers-oidc-hmac-secret = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-identity-providers-oidc-issuer-private-key = {
    owner = "authelia-main";
    sopsFile = ./secrets.yaml;
  };

  services.authelia.instances.main = {
    enable = true;
    secrets = {
      jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;
      storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
      sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
      oidcHmacSecretFile = config.sops.secrets.authelia-identity-providers-oidc-hmac-secret.path;
      oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-identity-providers-oidc-issuer-private-key.path;
    };
    environmentVariables = {
      "AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path;

    };
    settings = {
      theme = "dark";
      default_redirection_url = "https://cloud.cloonar.com";
  
      server = {
        host = "127.0.0.1";
        port = 9091;
      };
  
      # log = {
      #   level = "debug";
      #   format = "text";
      # };
  
      authentication_backend = {
        ldap = {
          url = "ldaps://ldap.cloonar.com";
          base_dn = "DC=cloonar,DC=com";
          additional_users_dn = "OU=users";
          users_filter = "(&({username_attribute}={input})(objectClass=person))";
          username_attribute = "mail";
          mail_attribute = "mail";
          display_name_attribute = "displayName";
          additional_groups_dn = "OU=groups";
          groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
          group_name_attribute = "cn";
          permit_referrals = false;
          permit_unauthenticated_bind = false;
          user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com";
        };
      };
  
      access_control = {
        default_policy = "one_factor";
        # rules = [
        #   {
        #     domain = ["auth.example.com"];
        #     policy = "bypass";
        #   }
        #   {
        #     domain = ["*.example.com"];
        #     policy = "one_factor";
        #   }
        # ];
      };
  
      session = {
        name = "authelia_session";
        expiration = "12h";
        inactivity = "45m";
        remember_me_duration = "1M";
        domain = "auth.cloonar.com";
      };
  
      regulation = {
        max_retries = 3;
        find_time = "5m";
        ban_time = "15m";
      };
  
      storage = {
        # mysql = {
        #   host = "/run/mysqld/mysqld.sock'";
        #   port = 3306;
        #   database = "authelia_main";
        #   username = "authelia_main";
        #   password = "socket_auth";
        #   timeout = "5s";
        # };
        local = {
          path = "/var/lib/authelia-main/db.sqlite3";
        };
      };
  
      notifier = {
        disable_startup_check = false;
        filesystem = {
          filename = "/var/lib/authelia-main/notification.txt";
        };
      };
      identity_providers = {
        oidc = {
          ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
          ## See: https://www.authelia.com/c/oidc
          clients = [
            {
              id = "nextcloud";
              description = "NextCloud";
              secret = "$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng";
              public = false;
              authorization_policy = "one_factor";
              redirect_uris = [ "https://nextcloud.example.com/apps/oidc_login/oidc" ];
              scopes = [
                "openid"
                "profile"
                "email"
                "groups"
              ];
              userinfo_signing_algorithm = "none";
            }
            {
              id = "gitea";
              description = "Gitea";
              secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A";
              public = false;
              authorization_policy = "one_factor";
              redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
              pre_configured_consent_duration = "1y";
              scopes = [
                "openid"
                "profile"
                "email"
              ];
              userinfo_signing_algorithm = "none";
            }
            {
              id = "gbv-aktuell-typo3";
              description = "GBV Aktuell";
              secret = "$pbkdf2-sha512$310000$Uo9yGyKfhLxouYNFierOLQ$e37Ui7FIEUCezV4zgM1WX96ruzSA7dz4Q27G0o2iFiNUV/giHh0lyJklcI1UIs10Fs3bsZHDgRnDwaGL3DYsDw";
              public = false;
              authorization_policy = "one_factor";
              redirect_uris = [ "https://gbv-aktuell.cloonar.dev/callback" ];
              pre_configured_consent_duration = "1y";
              scopes = [
                "openid"
                "profile"
                "email"
              ];
              userinfo_signing_algorithm = "none";
            }
          ];
        };
      };
    };
  };
  services.nginx.virtualHosts."auth.cloonar.com" = {
    enableACME = true;
    forceSSL = true;
    acmeRoot = null;

    locations."/" = {
      proxyPass = "http://127.0.0.1:9091";
      proxyWebsockets = true;
    };
  };
}