{config, ...}: let
  # One Authelia deployment. Every identifier in this module is derived from
  # this set so that the systemd unit, the system user, the sops secret prefix,
  # the redis socket and the database all agree with each other.
  instance = {
    secrets = "authelia-main";
    name = "main";
    user = "authelia-main";
    group = "authelia-main";
    port = 3001;
    redisPath = "/run/redis-authelia-main/redis.sock";
    psql = {
      schema = "public";
      db = "authelia-main";
      user = "authelia-main";
    };
  };

  # Ownership applied to every sops-managed file of this instance. No mode is
  # overridden here, so sops-nix's default (owner-only) permissions apply.
  secretOwnership = {
    owner = instance.user;
    group = instance.group;
  };

  # Leaf names under the "<instance.secrets>/" prefix of the sops file.
  # `oidcIssuerPublic` is declared for completeness; nothing in this module
  # consumes it.
  secretNames = [
    "storage"
    "session"
    "oidcIssuer"
    "oidcIssuerPublic"
    "oidcHmac"
    "jwt"
    "storagePwd"
    "users"
    "acl"
    "notifier"
    "oidc"
  ];

  # Path on disk that sops-nix assigns to one of the secrets listed above.
  secretPath = leaf: config.sops.secrets."${instance.secrets}/${leaf}".path;
in {
  sops.secrets = builtins.listToAttrs (map (leaf: {
      name = "${instance.secrets}/${leaf}";
      value = secretOwnership;
    })
    secretNames);

  # Dedicated unprivileged identity; the redis server and Authelia itself both
  # run as this user, which is what makes the 0600 socket below usable.
  users.groups.${instance.group} = {};
  users.users.${instance.user} = {
    isSystemUser = true;
    inherit (instance) group;
  };

  # The portal port is opened to every peer the host's firewall sees, and the
  # server binds 0.0.0.0 (see settings.server below), i.e. plain HTTP on all
  # interfaces. NOTE(review): presumably a reverse proxy elsewhere in the
  # configuration terminates TLS in front of this - confirm that is the only
  # route to the port.
  networking.firewall.allowedTCPPorts = [instance.port];

  # Session store. `port = 0` switches off the TCP listener, so redis is only
  # reachable through the unix socket, which only the authelia user can open.
  services.redis.servers."authelia-${instance.name}" = {
    enable = true;
    inherit (instance) user;
    port = 0;
    unixSocket = instance.redisPath;
    unixSocketPerm = 600;
  };

  # ensureUsers creates the role and, with ensureDBOwnership, requires the role
  # and database to share a name (instance.psql guarantees that). It does not
  # set a password: the value behind the `storagePwd` secret handed to Authelia
  # below has to be provisioned on the role separately.
  services.postgresql = {
    ensureDatabases = [instance.psql.db];
    ensureUsers = [
      {
        name = instance.psql.user;
        ensureDBOwnership = true;
      }
    ];
  };

  services.authelia.instances.${instance.name} = {
    enable = true;
    inherit (instance) user group;

    # Key material is passed as file paths, never inline in the Nix store.
    secrets = {
      storageEncryptionKeyFile = secretPath "storage";
      sessionSecretFile = secretPath "session";
      oidcIssuerPrivateKeyFile = secretPath "oidcIssuer";
      oidcHmacSecretFile = secretPath "oidcHmac";
      jwtSecretFile = secretPath "jwt";
    };

    # Database password reaches the process through Authelia's *_FILE
    # convention rather than as a literal environment value.
    environmentVariables = {
      "AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE" = secretPath "storagePwd";
    };

    # Settings fragments that are themselves secret (access-control rules,
    # notifier credentials, OIDC clients) are merged from sops-managed files.
    # The users database is deliberately not a settings fragment; it is
    # referenced as authentication_backend.file.path further down.
    settingsFiles = [
      #  (secretPath "users")
      (secretPath "acl")
      (secretPath "notifier")
      (secretPath "oidc")
    ];

    # https://github.com/authelia/authelia/blob/v4.37.5/config.template.yml
    # NOTE(review): that template predates the `server.address` form used by
    # newer Authelia releases; check the keys below against the version that
    # nixpkgs actually ships.
    settings = {
      theme = "light";
      default_2fa_method = "totp";

      server = {
        host = "0.0.0.0";
        port = instance.port;
        path = "";
        # Debug endpoints stay off; they are not something to expose on a
        # login portal.
        enable_pprof = false;
        enable_expvars = false;
        disable_healthcheck = true;
        # Empty template - presumably leaves Authelia's built-in CSP in place;
        # confirm against the template linked above.
        headers.csp_template = "";
      };

      log = {
        level = "info";
        format = "text";
      };
      telemetry.metrics.enabled = false;

      # Non-default TOTP parameters (8 digits, SHA-512). NOTE(review): not
      # every authenticator app honours these; anything that silently falls
      # back to 6-digit SHA-1 will produce codes the server rejects.
      totp = {
        disable = false;
        issuer = "liljamo.com";
        algorithm = "sha512";
        digits = 8;
        period = 30;
        skew = 1;
        secret_size = 32;
      };
      webauthn.disable = true;

      # Clock sanity for TOTP: refuse to start if the host drifts more than
      # 3s from the configured NTP source.
      ntp = {
        address = "time.cloudflare.com:123";
        version = 4;
        max_desync = "3s";
        disable_startup_check = false;
        disable_failure = false;
      };

      authentication_backend = {
        # No self-service reset; account changes go through the users file.
        password_reset.disable = true;
        refresh_interval = "5m";
        file = {
          path = secretPath "users";
          # Not watched: edits to the users secret need a service restart.
          watch = false;
          search = {
            email = false;
            case_insensitive = false;
          };
          password = {
            algorithm = "argon2";
            # argon2id with 64 MiB memory, 3 passes, 4 lanes - the values from
            # the referenced template.
            argon2 = {
              variant = "argon2id";
              iterations = 3;
              memory = 65536;
              parallelism = 4;
              key_length = 32;
              salt_length = 16;
            };
          };
        };
      };

      # Cookie scoped to the parent domain so sub-domains share the session;
      # 1h hard expiry, 5m idle timeout, 1 month "remember me".
      session = {
        name = "authelia_session";
        domain = "liljamo.com";
        same_site = "lax";
        expiration = "1h";
        inactivity = "5m";
        remember_me_duration = "1M";
        redis = {
          host = instance.redisPath;
        };
      };

      # Brute-force throttling: three failures inside 2m earn a 5m ban.
      regulation = {
        max_retries = 3;
        find_time = "2m";
        ban_time = "5m";
      };

      # Loopback TCP to the local cluster; password comes from the *_FILE
      # environment variable set above.
      storage = {
        postgres = {
          host = "127.0.0.1";
          port = 5432;
          database = instance.psql.db;
          schema = instance.psql.schema;
          username = instance.psql.user;
        };
      };
    };
  };
}