  1{config, ...}: {
  2  services.authelia.instances = {
  3    main = {
  4      enable = true;
  5      settings = {
  6        theme = "auto";
  7        default_2fa_method = "totp";
  8        log.level = "info";
  9        server = {
 10          address = "tcp://127.0.0.1:9091";
 11          endpoints.authz.forward-auth = {
 12            implementation = "ForwardAuth";
 13            authn_strategies = [
 14              {
 15                name = "HeaderAuthorization";
 16                schemes = ["Basic" "Bearer"];
 17              }
 18              {
 19                name = "CookieSession";
 20              }
 21            ];
 22          };
 23        };
 24        identity_validation.reset_password.jwt_algorithm = "HS512";
 25        identity_providers.oidc = {
 26          cors = {
 27            endpoints = ["authorization" "token" "revocation" "introspection"];
 28            allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
 29          };
 30          clients = [
 31            {
 32              # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
 33              client_id = "forgejo";
 34              client_name = "Forgejo";
 35              client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-forgejo".path}" }}'';
 36              public = false;
 37              authorization_policy = "two_factor";
 38              require_pkce = true;
 39              pkce_challenge_method = "S256";
 40              redirect_uris = [
 41                "https://repo.hpcesia.com/user/oauth2/Authelia/callback"
 42              ];
 43              scopes = ["openid" "email" "profile" "groups"];
 44              response_types = ["code"];
 45              grant_types = ["authorization_code"];
 46              access_token_signed_response_alg = "none";
 47              userinfo_signed_response_alg = "none";
 48              token_endpoint_auth_method = "client_secret_basic";
 49            }
 50            {
 51              # Refer: https://gokapi.readthedocs.io/en/latest/examples.html#oidcconfig-authelia
 52              client_id = "gokapi";
 53              client_name = "Tribios";
 54              client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gokapi".path}" }}'';
 55              public = false;
 56              authorization_policy = "one_factor";
 57              redirect_uris = [
 58                "https://send.hpcesia.com/oauth-callback"
 59              ];
 60              scopes = ["openid" "email" "profile" "groups"];
 61              userinfo_signed_response_alg = "none";
 62            }
 63            {
 64              # Refer: https://www.authelia.com/integration/openid-connect/clients/go-to-social
 65              client_id = "gts-trinnon";
 66              claims_policy = "gotosocial";
 67              client_name = "Trinnon (GoToSocial)";
 68              client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gts-trinnon".path}" }}'';
 69              public = false;
 70              authorization_policy = "two_factor";
 71              require_pkce = false;
 72              pkce_challenge_method = "";
 73              redirect_uris = [
 74                "https://trin.one/auth/callback"
 75              ];
 76              scopes = ["openid" "email" "profile" "groups"];
 77              response_types = ["code"];
 78              grant_types = ["authorization_code"];
 79              access_token_signed_response_alg = "none";
 80              userinfo_signed_response_alg = "none";
 81              token_endpoint_auth_method = "client_secret_basic";
 82            }
 83          ];
 84          claims_policies.gotosocial.id_token = ["preferred_username"];
 85        };
 86        authentication_backend.file = {
 87          path = "/var/lib/authelia-main/users_database.yaml";
 88          password.algorithm = "argon2";
 89        };
 90        storage.local.path = "/var/lib/authelia-main/db.sqlite3";
 91        notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
 92        totp = {
 93          disable = false;
 94          issuer = "hpcesia.com";
 95        };
 96        session.cookies = [
 97          {
 98            domain = "hpcesia.com";
 99            authelia_url = "https://authelia.hpcesia.com";
100            expiration = "1 hour";
101            inactivity = "5 minutes";
102            remember_me = "2 week";
103          }
104          {
105            domain = "trin.one";
106            authelia_url = "https://auth.trin.one";
107            expiration = "1 hour";
108            inactivity = "5 minutes";
109            remember_me = "4 week";
110          }
111        ];
112        access_control = {
113          default_policy = "deny";
114          rules = [
115            {
116              domain = "*.hpcesia.com";
117              policy = "bypass";
118              resources = ["^/api$" "^/api/"];
119            }
120            {
121              domain = "*.trin.one";
122              policy = "bypass";
123              resources = ["^/api$" "^/api/"];
124            }
125            {
126              domain = "*.hpcesia.com";
127              policy = "one_factor";
128            }
129            {
130              domain = "*.trin.one";
131              policy = "one_factor";
132            }
133          ];
134        };
135        regulation = {
136          max_retries = 3;
137          find_time = "2 minutes";
138          ban_time = "5 minutes";
139        };
140      };
141      secrets = {
142        jwtSecretFile = config.sops.secrets."authelia-main-jwt-secret".path;
143        oidcHmacSecretFile = config.sops.secrets."authelia-main-oidc-hmac-secret".path;
144        oidcIssuerPrivateKeyFile = config.sops.secrets."authelia-main-oidc-issuer-private-key".path;
145        sessionSecretFile = config.sops.secrets."authelia-main-session-secret".path;
146        storageEncryptionKeyFile = config.sops.secrets."authelia-main-storage-encryption-key".path;
147      };
148    };
149  };
150}