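# Authelia identity provider: LDAP-backed authentication, OIDC for
# Headscale/Tailscale/Grafana/Miniflux, fronted by a Caddy vhost.
{ config, ... }:

let
  authelia-port = 3008;
  authelia-hostname = "auth.wiro.world";

  authelia-metrics-port = 9004;
  headscale-hostname = "headscale.wiro.world";
  grafana-hostname = "console.net.wiro.world";
  miniflux-hostname = "news.wiro.world";

  # An agenix secret readable only by the Authelia service user.
  # Factored out so the owner is stated once for every secret below.
  mkAutheliaSecret = file: {
    inherit file;
    owner = config.services.authelia.instances.main.user;
  };
in
{
  config = {
    age.secrets.authelia-jwt-secret = mkAutheliaSecret secrets/authelia-jwt-secret.age;
    age.secrets.authelia-issuer-private-key = mkAutheliaSecret secrets/authelia-issuer-private-key.age;
    age.secrets.authelia-storage-key = mkAutheliaSecret secrets/authelia-storage-key.age;
    age.secrets.authelia-ldap-password = mkAutheliaSecret secrets/authelia-ldap-password.age;
    age.secrets.authelia-smtp-password = mkAutheliaSecret secrets/authelia-smtp-password.age;

    services.authelia.instances.main = {
      enable = true;

      secrets = {
        jwtSecretFile = config.age.secrets.authelia-jwt-secret.path;
        oidcIssuerPrivateKeyFile = config.age.secrets.authelia-issuer-private-key.path;
        storageEncryptionKeyFile = config.age.secrets.authelia-storage-key.path;
      };
      # Secrets without a dedicated module option are handed to Authelia via
      # its *_FILE environment variables, so they never appear in settings.
      environmentVariables = {
        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-ldap-password.path;
        AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;
      };
      settings = {
        # Loopback only; external traffic arrives through the Caddy vhost below.
        server.address = "localhost:${toString authelia-port}";
        storage.local.path = "/var/lib/authelia-main/db.sqlite3";
        telemetry.metrics = {
          enabled = true;
          # NOTE(review): unlike server.address this binds every interface and
          # the metrics endpoint carries no authentication of its own. If the
          # scraper is local, prefer "tcp://localhost:<port>/metrics"; otherwise
          # make sure the port is firewalled -- confirm how it is scraped.
          address = "tcp://:${toString authelia-metrics-port}/metrics";
        };

        session = {
          cookies = [{
            domain = "wiro.world";
            authelia_url = "https://${authelia-hostname}";
            default_redirection_url = "https://wiro.world";
          }];
        };

        # Plain LDAP, acceptable only because the directory is on loopback.
        authentication_backend.ldap = {
          address = "ldap://localhost:3890";
          timeout = "5m"; # replace with systemd dependency

          user = "uid=authelia,ou=people,dc=wiro,dc=world";
          # Set in `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE`.
          # password = "";

          base_dn = "dc=wiro,dc=world";
          users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
          additional_users_dn = "ou=people";
          groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
          additional_groups_dn = "ou=groups";

          attributes = {
            username = "uid";
            display_name = "cn";
            given_name = "givenname";
            family_name = "last_name";
            mail = "mail";
            picture = "avatar";

            group_name = "cn";
          };
        };

        access_control = {
          default_policy = "deny";
          # Rules are sequential and do not apply to OIDC
          rules = [
            {
              domain = "headscale.wiro.world";
              policy = "two_factor";
            }
            {
              domain = "news.wiro.world";
              policy = "one_factor";
              # Nested list: both the group and the OIDC client must match.
              subject = [ [ "group:miniflux" "oauth2:client:miniflux" ] ];
            }
            {
              # Covers subdomains only; the apex falls through to default_policy.
              domain = "*.wiro.world";
              policy = "two_factor";
            }
          ];
        };

        identity_providers.oidc = {
          enforce_pkce = "always";

          # One policy per client: deny by default, allow only the named group
          # at the given authentication strength.
          authorization_policies =
            let
              mkStrictPolicy = policy: subject:
                { default_policy = "deny"; rules = [{ inherit policy subject; }]; };
            in
            {
              headscale = mkStrictPolicy "two_factor" [ "group:headscale" ];
              tailscale = mkStrictPolicy "two_factor" [ "group:headscale" ];
              grafana = mkStrictPolicy "one_factor" [ "group:grafana" ];
              miniflux = mkStrictPolicy "one_factor" [ "group:miniflux" ];
            };

          claims_policies.headscale = { id_token = [ "email" "name" "preferred_username" "picture" "groups" ]; };

          # client_secret values are pbkdf2-sha256 digests, not plaintext; the
          # plaintext is held only by the relying party.
          clients = [
            {
              client_name = "Headscale";
              client_id = "headscale";
              client_secret = "$pbkdf2-sha256$310000$XY680D9gkSoWhD0UtYHNFg$ptWB3exOYCga6uq1N.oimuV3ILjK3F8lBWBpsBpibos";
              redirect_uris = [ "https://${headscale-hostname}/oidc/callback" ];
              authorization_policy = "headscale";
              claims_policy = "headscale";
            }
            {
              client_name = "Tailscale";
              client_id = "tailscale";
              client_secret = "$pbkdf2-sha256$310000$PcUaup9aWKI9ZLeCF6.avw$FpsTxkDaxcoQlBi8aIacegXpjEDiCI6nXcaHyZ2Sxyc";
              redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];
              authorization_policy = "tailscale";
            }
            {
              client_name = "Grafana Console";
              client_id = "grafana";
              client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";
              redirect_uris = [ "https://${grafana-hostname}/login/generic_oauth" ];
              authorization_policy = "grafana";
            }
            {
              client_name = "Miniflux";
              client_id = "miniflux";
              client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";
              redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];
              authorization_policy = "miniflux";
            }
          ];
        };

        notifier.smtp = {
          address = "smtp://smtp.resend.com:2587";
          username = "resend";
          # Set in `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE`.
          # password = "";
          sender = "authelia@wiro.world";
        };
      };
    };

    services.caddy = {
      virtualHosts.${authelia-hostname}.extraConfig = ''
        reverse_proxy http://localhost:${toString authelia-port}
      '';
    };
  };
}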