  1{lib, ...}: {
  2  flake.modules.nixos."services/authelia" = {config, ...}: {
  3    services.authelia.instances = {
  4      main = {
  5        enable = true;
  6        settings = {
  7          theme = "auto";
  8          default_2fa_method = "totp";
  9          log.level = "info";
 10          server = {
 11            address = "tcp://127.0.0.1:9091";
 12            endpoints.authz.forward-auth = {
 13              implementation = "ForwardAuth";
 14              authn_strategies = [
 15                {
 16                  name = "HeaderAuthorization";
 17                  schemes = ["Basic" "Bearer"];
 18                }
 19                {
 20                  name = "CookieSession";
 21                }
 22              ];
 23            };
 24          };
 25          identity_validation.reset_password.jwt_algorithm = "HS512";
 26          identity_providers.oidc = {
 27            cors = {
 28              endpoints = ["authorization" "token" "revocation" "introspection"];
 29              allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
 30            };
 31            clients = [
 32              {
 33                # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
 34                client_id = "forgejo";
 35                client_name = "Forgejo";
 36                client_secret = ''{{ secret "${config.vaultix.secrets."authelia-main-client-secrets-forgejo".path}" }}'';
 37                public = false;
 38                authorization_policy = "two_factor";
 39                require_pkce = true;
 40                pkce_challenge_method = "S256";
 41                redirect_uris = [
 42                  "https://repo.hpcesia.com/user/oauth2/Authelia/callback"
 43                ];
 44                scopes = ["openid" "email" "profile" "groups"];
 45                response_types = ["code"];
 46                grant_types = ["authorization_code"];
 47                access_token_signed_response_alg = "none";
 48                userinfo_signed_response_alg = "none";
 49                token_endpoint_auth_method = "client_secret_basic";
 50              }
 51              {
 52                # Refer: https://gokapi.readthedocs.io/en/latest/examples.html#oidcconfig-authelia
 53                client_id = "gokapi";
 54                client_name = "Tribios";
 55                client_secret = ''{{ secret "${config.vaultix.secrets."authelia-main-client-secrets-gokapi".path}" }}'';
 56                public = false;
 57                authorization_policy = "one_factor";
 58                redirect_uris = [
 59                  "https://send.hpcesia.com/oauth-callback"
 60                ];
 61                scopes = ["openid" "email" "profile" "groups"];
 62                userinfo_signed_response_alg = "none";
 63              }
 64            ];
 65          };
 66          authentication_backend.file = {
 67            path = "/var/lib/authelia-main/users_database.yaml";
 68            password.algorithm = "argon2";
 69          };
 70          storage.local.path = "/var/lib/authelia-main/db.sqlite3";
 71          notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
 72          totp = {
 73            disable = false;
 74            issuer = "hpcesia.com";
 75          };
 76          session.cookies = [
 77            {
 78              domain = "hpcesia.com";
 79              authelia_url = "https://authelia.hpcesia.com";
 80              expiration = "1 hour";
 81              inactivity = "5 minutes";
 82              remember_me = "2 week";
 83            }
 84            {
 85              domain = "trin.one";
 86              authelia_url = "https://auth.trin.one";
 87              expiration = "1 hour";
 88              inactivity = "5 minutes";
 89              remember_me = "4 week";
 90            }
 91          ];
 92          access_control = {
 93            default_policy = "deny";
 94            rules = [
 95              {
 96                domain = "*.hpcesia.com";
 97                policy = "bypass";
 98                resources = ["^/api$" "^/api/"];
 99              }
100              {
101                domain = "*.trin.one";
102                policy = "bypass";
103                resources = ["^/api$" "^/api/"];
104              }
105              {
106                domain = "*.hpcesia.com";
107                policy = "one_factor";
108              }
109              {
110                domain = "*.trin.one";
111                policy = "one_factor";
112              }
113            ];
114          };
115          regulation = {
116            max_retries = 3;
117            find_time = "2 minutes";
118            ban_time = "5 minutes";
119          };
120        };
121        secrets = {
122          jwtSecretFile = config.vaultix.secrets."authelia-main-jwt-secret".path;
123          oidcHmacSecretFile = config.vaultix.secrets."authelia-main-oidc-hmac-secret".path;
124          oidcIssuerPrivateKeyFile = config.vaultix.secrets."authelia-main-oidc-issuer-private-key".path;
125          sessionSecretFile = config.vaultix.secrets."authelia-main-session-secret".path;
126          storageEncryptionKeyFile = config.vaultix.secrets."authelia-main-storage-encryption-key".path;
127        };
128      };
129    };
130
131    services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig =
132      lib.mkIf config.services.caddy.enable
133      (let
134        localAddress = "http://${
135          # Assuming address start with `tcp://`.
136          builtins.substring 6 (-1) config.services.authelia.instances.main.settings.server.address
137        }";
138      in ''
139        encode zstd gzip
140        reverse_proxy ${localAddress}
141      '');
142    services.caddy.virtualHosts."auth.trin.one".extraConfig =
143      lib.mkIf config.services.caddy.enable
144      config.services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig;
145
146    vaultix.secrets = lib.mkMerge (
147      map
148      (s: {
149        "authelia-main-${s}" = {
150          file = lib.path.append ./. "${s}.age";
151          owner = "root";
152          group = "authelia-main";
153          mode = "0440";
154        };
155      })
156      [
157        "jwt-secret"
158        "oidc-hmac-secret"
159        "oidc-issuer-private-key"
160        "session-secret"
161        "storage-encryption-key"
162        "client-secrets-forgejo"
163        "client-secrets-gokapi"
164      ]
165    );
166  };
167}