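# Authelia `main` instance as a flake-parts NixOS module, fronted by Caddy.
# Every long-lived secret is an age-encrypted file handled by vaultix and reaches
# Authelia only as a file path (the `secrets` attrset) or via Authelia's
# `{{ secret "<path>" }}` config template, never as a literal in this file.
{lib, ...}: {
  flake.modules.nixos."services/authelia" = {config, ...}: {
    services.authelia.instances = {
      main = {
        enable = true;
        settings = {
          theme = "auto";
          default_2fa_method = "totp";
          log.level = "info";
          server = {
            # Loopback only; TLS termination and the public hostnames are Caddy's job (see below).
            address = "tcp://127.0.0.1:9091";
            endpoints.authz.forward-auth = {
              implementation = "ForwardAuth";
              # Try a Basic/Bearer Authorization header first, then fall back to the session cookie.
              authn_strategies = [
                {
                  name = "HeaderAuthorization";
                  schemes = ["Basic" "Bearer"];
                }
                {
                  name = "CookieSession";
                }
              ];
            };
          };
          identity_validation.reset_password.jwt_algorithm = "HS512";
          identity_providers.oidc = {
            cors = {
              endpoints = ["authorization" "token" "revocation" "introspection"];
              # NOTE(review): these are wildcard hostnames — confirm Authelia matches
              # them as patterns here rather than treating them as literal origins.
              allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
            };
            clients = [
              {
                # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
                client_id = "forgejo";
                client_name = "Forgejo";
                # Authelia reads the secret from vaultix's decrypted file at config load.
                client_secret = ''{{ secret "${config.vaultix.secrets."authelia-main-client-secrets-forgejo".path}" }}'';
                public = false;
                authorization_policy = "two_factor";
                require_pkce = true;
                pkce_challenge_method = "S256";
                redirect_uris = [
                  "https://repo.hpcesia.com/user/oauth2/Authelia/callback"
                ];
                scopes = ["openid" "email" "profile" "groups"];
                response_types = ["code"];
                grant_types = ["authorization_code"];
                # "none" keeps the access token opaque (Authelia's default) instead of a signed JWT.
                access_token_signed_response_alg = "none";
                userinfo_signed_response_alg = "none";
                token_endpoint_auth_method = "client_secret_basic";
              }
              {
                # Refer: https://gokapi.readthedocs.io/en/latest/examples.html#oidcconfig-authelia
                client_id = "gokapi";
                client_name = "Tribios";
                client_secret = ''{{ secret "${config.vaultix.secrets."authelia-main-client-secrets-gokapi".path}" }}'';
                public = false;
                # Weaker policy than the Forgejo client; PKCE and token-endpoint auth are
                # intentionally left at Authelia's defaults here.
                authorization_policy = "one_factor";
                redirect_uris = [
                  "https://send.hpcesia.com/oauth-callback"
                ];
                scopes = ["openid" "email" "profile" "groups"];
                userinfo_signed_response_alg = "none";
              }
            ];
          };
          # Flat-file user database; passwords are stored as argon2 hashes.
          authentication_backend.file = {
            path = "/var/lib/authelia-main/users_database.yaml";
            password.algorithm = "argon2";
          };
          storage.local.path = "/var/lib/authelia-main/db.sqlite3";
          # No mail relay: password-reset / registration links land in this file on disk.
          notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
          totp = {
            disable = false;
            issuer = "hpcesia.com";
          };
          # One session cookie per apex domain; the authelia_url is the portal users are sent to.
          session.cookies = [
            {
              domain = "hpcesia.com";
              authelia_url = "https://authelia.hpcesia.com";
              expiration = "1 hour";
              inactivity = "5 minutes";
              remember_me = "2 week";
            }
            {
              domain = "trin.one";
              authelia_url = "https://auth.trin.one";
              expiration = "1 hour";
              inactivity = "5 minutes";
              remember_me = "4 week";
            }
          ];
          access_control = {
            # Deny unless a rule matches; rules are evaluated top-down and the first match wins.
            default_policy = "deny";
            rules = [
              # `/api` and `/api/...` on every subdomain skip Authelia entirely (presumably
              # for token-authenticated app APIs). Each app published under these domains
              # must therefore enforce its own authentication on its /api paths.
              {
                domain = "*.hpcesia.com";
                policy = "bypass";
                resources = ["^/api$" "^/api/"];
              }
              {
                domain = "*.trin.one";
                policy = "bypass";
                resources = ["^/api$" "^/api/"];
              }
              # Everything else on both domains needs at least a password login.
              {
                domain = "*.hpcesia.com";
                policy = "one_factor";
              }
              {
                domain = "*.trin.one";
                policy = "one_factor";
              }
            ];
          };
          # Brute-force throttling: 3 failures within 2 minutes bans the user for 5 minutes.
          regulation = {
            max_retries = 3;
            find_time = "2 minutes";
            ban_time = "5 minutes";
          };
        };
        # File-based secrets only; the NixOS module hands these paths to Authelia.
        secrets = {
          jwtSecretFile = config.vaultix.secrets."authelia-main-jwt-secret".path;
          oidcHmacSecretFile = config.vaultix.secrets."authelia-main-oidc-hmac-secret".path;
          oidcIssuerPrivateKeyFile = config.vaultix.secrets."authelia-main-oidc-issuer-private-key".path;
          sessionSecretFile = config.vaultix.secrets."authelia-main-session-secret".path;
          storageEncryptionKeyFile = config.vaultix.secrets."authelia-main-storage-encryption-key".path;
        };
      };
    };

    # Public TLS front for the loopback listener above.
    services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig =
      lib.mkIf config.services.caddy.enable
      (let
        # Derive the upstream from Authelia's own listener so the two cannot drift apart.
        # The `tcp://` scheme is stripped by name rather than by a fixed character count;
        # a non-TCP listener (e.g. a unix socket) would still need different handling here.
        localAddress = "http://${lib.removePrefix "tcp://" config.services.authelia.instances.main.settings.server.address}";
      in ''
        encode zstd gzip
        reverse_proxy ${localAddress}
      '');
    # Second hostname reuses the exact same Caddy site body.
    services.caddy.virtualHosts."auth.trin.one".extraConfig =
      lib.mkIf config.services.caddy.enable
      config.services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig;

    # One age-encrypted `<name>.age` file next to this module per secret, decrypted by
    # vaultix to a path owned by root, readable by the authelia-main group only (0440).
    vaultix.secrets = lib.mkMerge (
      map
      (s: {
        "authelia-main-${s}" = {
          file = lib.path.append ./. "${s}.age";
          owner = "root";
          group = "authelia-main";
          mode = "0440";
        };
      })
      [
        "jwt-secret"
        "oidc-hmac-secret"
        "oidc-issuer-private-key"
        "session-secret"
        "storage-encryption-key"
        "client-secrets-forgejo"
        "client-secrets-gokapi"
      ]
    );
  };
}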