{config, ...}: let
  # Everything this instance persists (user DB, SQLite store, notification file).
  dataDir = "/var/lib/authelia-main";

  # sops-managed secret file belonging to this instance. Only the path is
  # referenced here, so the secret value itself never enters the Nix store.
  secretFile = name: config.sops.secrets."authelia-main-${name}".path;

  # Authelia template expression that loads an OIDC client secret from disk.
  # NOTE(review): `{{ secret ... }}` is only expanded when Authelia's template
  # config filter is active — confirm the NixOS module enables it.
  clientSecret = client: ''{{ secret "${secretFile "client-secrets-${client}"}" }}'';

  defaultScopes = ["openid" "email" "profile" "groups"];

  # Confidential authorization-code client that must complete 2FA.
  # "none" leaves the access-token and userinfo responses unsigned
  # (presumably opaque tokens, Authelia's default for these options).
  twoFactorCodeClient = {
    public = false;
    authorization_policy = "two_factor";
    scopes = defaultScopes;
    response_types = ["code"];
    grant_types = ["authorization_code"];
    access_token_signed_response_alg = "none";
    userinfo_signed_response_alg = "none";
    token_endpoint_auth_method = "client_secret_basic";
  };

  # Timeouts every browser-session cookie shares; remember_me differs per domain.
  cookieDefaults = {
    expiration = "1 hour";
    inactivity = "5 minutes";
  };

  protectedDomains = ["*.hpcesia.com" "*.trin.one"];

  # `/api` paths skip Authelia entirely: the applications behind these domains
  # are expected to authenticate their own APIs (tokens, API keys). The rule
  # covers every subdomain, so any new service under these domains inherits
  # the bypass.
  bypassApi = domain: {
    inherit domain;
    policy = "bypass";
    resources = ["^/api$" "^/api/"];
  };

  # Everything not matched by a bypass rule needs at least a password login.
  loginRequired = domain: {
    inherit domain;
    policy = "one_factor";
  };
in {
  services.authelia.instances.main = {
    enable = true;

    settings = {
      theme = "auto";
      default_2fa_method = "totp";
      log.level = "info";

      server = {
        # Loopback only: reachable through the local reverse proxy.
        address = "tcp://127.0.0.1:9091";
        endpoints.authz.forward-auth = {
          implementation = "ForwardAuth";
          # Tried in order: an Authorization header (Basic or Bearer) first,
          # then the browser session cookie.
          authn_strategies = [
            { name = "HeaderAuthorization"; schemes = ["Basic" "Bearer"]; }
            { name = "CookieSession"; }
          ];
        };
      };

      # HMAC-SHA-512 signs the password-reset tokens.
      identity_validation.reset_password.jwt_algorithm = "HS512";

      identity_providers.oidc = {
        cors = {
          endpoints = ["authorization" "token" "revocation" "introspection"];
          # Any subdomain of either served domain may call the endpoints above.
          allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
        };

        clients = [
          # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
          (twoFactorCodeClient // {
            client_id = "forgejo";
            client_name = "Forgejo";
            client_secret = clientSecret "forgejo";
            # PKCE with S256 is mandatory for this client.
            require_pkce = true;
            pkce_challenge_method = "S256";
            redirect_uris = ["https://repo.hpcesia.com/user/oauth2/Authelia/callback"];
          })

          # Refer: https://gokapi.readthedocs.io/en/latest/examples.html#oidcconfig-authelia
          # Only the settings the Gokapi guide lists are given; response/grant
          # types, PKCE and token-endpoint auth fall back to Authelia's defaults.
          {
            client_id = "gokapi";
            client_name = "Tribios";
            client_secret = clientSecret "gokapi";
            public = false;
            # A password login is enough for the file-sharing frontend.
            authorization_policy = "one_factor";
            redirect_uris = ["https://send.hpcesia.com/oauth-callback"];
            scopes = defaultScopes;
            userinfo_signed_response_alg = "none";
          }

          # Refer: https://www.authelia.com/integration/openid-connect/clients/go-to-social
          (twoFactorCodeClient // {
            client_id = "gts-trinnon";
            # Adds preferred_username to the ID token (see claims_policies below).
            claims_policy = "gotosocial";
            client_name = "Trinnon (GoToSocial)";
            client_secret = clientSecret "gts-trinnon";
            # PKCE is switched off for this client. NOTE(review): worth
            # re-checking whether the deployed GoToSocial can send a code
            # challenge; if it can, mirror the Forgejo client above.
            require_pkce = false;
            pkce_challenge_method = "";
            redirect_uris = ["https://trin.one/auth/callback"];
          })
        ];

        claims_policies.gotosocial.id_token = ["preferred_username"];
      };

      # Local YAML user database; stored password hashes use argon2.
      authentication_backend.file = {
        path = "${dataDir}/users_database.yaml";
        password.algorithm = "argon2";
      };
      storage.local.path = "${dataDir}/db.sqlite3";
      # No mail delivery: reset/verification notifications (including their
      # one-time links) are written to this file, so keep its permissions tight.
      notifier.filesystem.filename = "${dataDir}/notification.txt";

      totp = {
        disable = false;
        issuer = "hpcesia.com";
      };

      # One session cookie per served domain, each with its own Authelia portal.
      session.cookies = [
        (cookieDefaults // {
          domain = "hpcesia.com";
          authelia_url = "https://authelia.hpcesia.com";
          remember_me = "2 week";
        })
        (cookieDefaults // {
          domain = "trin.one";
          authelia_url = "https://auth.trin.one";
          remember_me = "4 week";
        })
      ];

      # Deny by default. Rules are evaluated top to bottom and the first match
      # wins, so the API bypass rules are listed before the login rules.
      access_control = {
        default_policy = "deny";
        rules = map bypassApi protectedDomains ++ map loginRequired protectedDomains;
      };

      # Brute-force throttling: 3 failed logins within 2 minutes → 5 minute ban.
      regulation = {
        max_retries = 3;
        find_time = "2 minutes";
        ban_time = "5 minutes";
      };
    };

    # Handed to Authelia as file paths and read at service start.
    secrets = {
      jwtSecretFile = secretFile "jwt-secret";
      oidcHmacSecretFile = secretFile "oidc-hmac-secret";
      oidcIssuerPrivateKeyFile = secretFile "oidc-issuer-private-key";
      sessionSecretFile = secretFile "session-secret";
      storageEncryptionKeyFile = secretFile "storage-encryption-key";
    };
  };
}