{
  config,
  lib,
  ...
}: let
  # The single Authelia deployment this module manages. Every other name below
  # (sops keys, service account, redis socket, postgres role) is derived from these
  # fields so the instance can be renamed in one place.
  inst = {
    secrets = "authelia-main"; # sops key prefix: "<secrets>/<key>"
    name = "main"; # services.authelia.instances.<name>
    user = "authelia-main";
    group = "authelia-main";
    port = 3001;
    redisPath = "/run/redis-authelia-main/redis.sock";
    psql = {
      schema = "public";
      db = "authelia-main";
      user = "authelia-main";
    };
  };

  # Every sops-managed secret declared by this module. Only owner/group are pinned
  # (to the service account); the file mode stays at sops-nix's default so the
  # decrypted files are not readable by other local users.
  # NOTE(review): "oidcIssuerPublic" is declared but nothing in this module reads it;
  # presumably another module (reverse proxy / OIDC client) consumes it — verify or drop.
  secretNames = [
    "storage"
    "session"
    "oidcIssuer"
    "oidcIssuerPublic"
    "oidcHmac"
    "jwt"
    "storagePwd"
    "users"
    "acl"
    "notifier"
    "oidc"
  ];

  # Runtime path of the decrypted secret "<secrets>/<key>", e.g. secretPath "jwt".
  secretPath = key: config.sops.secrets."${inst.secrets}/${key}".path;
in {
  sops.secrets = lib.genAttrs (map (key: "${inst.secrets}/${key}") secretNames) (_: {
    owner = inst.user;
    group = inst.group;
  });

  # Dedicated unprivileged account shared by Authelia and its redis instance.
  users.groups.${inst.group} = {};
  users.users.${inst.user} = {
    isSystemUser = true;
    group = inst.group;
  };

  # NOTE(review): this opens the Authelia port on every interface and, together with
  # the 0.0.0.0 bind in server.address below, makes Authelia reachable directly rather
  # than only through the reverse proxy. If the proxy runs on this host, bind to
  # 127.0.0.1 and drop this rule; if it is remote, restrict the rule to its address.
  networking.firewall.allowedTCPPorts = [inst.port];

  # Session store. TCP is disabled (port = 0); the only listener is a unix socket
  # owned by the service account with mode 0600, so no other local user can reach
  # session data.
  services.redis.servers."authelia-${inst.name}" = {
    enable = true;
    user = inst.user;
    port = 0;
    unixSocket = inst.redisPath;
    unixSocketPerm = 600;
  };

  # Persistent storage: database and owning role are created by the postgresql module.
  # NOTE(review): ensureUsers creates the role without a password; the value held in
  # the "storagePwd" secret must be applied to the role out-of-band
  # (ALTER ROLE ... PASSWORD), otherwise the loopback TCP connection below cannot
  # authenticate.
  services.postgresql = {
    ensureDatabases = [inst.psql.db];
    ensureUsers = [
      {
        name = inst.psql.user;
        ensureDBOwnership = true;
      }
    ];
  };

  services.authelia.instances.${inst.name} = {
    enable = true;
    user = inst.user;
    group = inst.group;

    # Key material is passed as file paths only; nothing secret enters the Nix store.
    secrets = {
      storageEncryptionKeyFile = secretPath "storage";
      sessionSecretFile = secretPath "session";
      oidcIssuerPrivateKeyFile = secretPath "oidcIssuer";
      oidcHmacSecretFile = secretPath "oidcHmac";
      jwtSecretFile = secretPath "jwt";
    };

    # The postgres password has no dedicated NixOS secret option; Authelia's *_FILE
    # convention reads it from the decrypted sops file at start-up, so the unit
    # environment only carries a path, not the password itself.
    environmentVariables.AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = secretPath "storagePwd";

    # Sensitive YAML fragments (access-control rules, notifier credentials, OIDC
    # clients) stay encrypted in sops and are merged into the config at runtime.
    # The users database is not merged here; it is referenced from
    # authentication_backend.file.path instead.
    settingsFiles = [
      (secretPath "acl")
      (secretPath "notifier")
      (secretPath "oidc")
    ];

    # Reference: https://github.com/authelia/authelia/blob/v4.37.5/config.template.yml
    # NOTE(review): several keys below (server.address, session.cookies,
    # storage.postgres.address, authentication_backend.file.search) belong to the
    # newer schema and are not in the v4.37.5 template — check against the template
    # of the release actually deployed.
    settings = {
      theme = "light";
      default_2fa_method = "totp";

      server = {
        # Binds every interface; see the firewall note above.
        address = "tcp://0.0.0.0:${toString inst.port}/";
        # Debug endpoints stay off: pprof/expvars expose runtime internals.
        endpoints = {
          enable_pprof = false;
          enable_expvars = false;
        };
        disable_healthcheck = true;
        headers.csp_template = ""; # no custom CSP template; Authelia's default applies
      };

      log = {
        level = "info";
        format = "text";
      };

      telemetry.metrics.enabled = false;

      # TOTP tightened beyond the RFC 6238 defaults: SHA-512, 8 digits, 256-bit secrets.
      # NOTE(review): many authenticator apps ignore algorithm/digits and assume
      # SHA-1 / 6 digits; confirm the intended clients honour these before rollout.
      totp = {
        disable = false;
        issuer = "liljamo.com";
        algorithm = "sha512";
        digits = 8;
        period = 30;
        skew = 1; # accept one code either side of the current period
        secret_size = 32;
      };

      webauthn.disable = true;

      # With disable_failure = false Authelia refuses to start if this NTP server is
      # unreachable or the clock drifts more than 3s, so UDP/123 egress is a boot-time
      # dependency.
      ntp = {
        address = "time.cloudflare.com:123";
        version = 4;
        max_desync = "3s";
        disable_startup_check = false;
        disable_failure = false;
      };

      authentication_backend = {
        # No self-service reset: removes the notifier-driven account-recovery path.
        password_reset.disable = true;
        refresh_interval = "5m";
        file = {
          path = secretPath "users";
          # watch = false: edits to the users file take effect only after a restart.
          watch = false;
          search = {
            email = false;
            case_insensitive = false;
          };
          # argon2id, 64 MiB (memory is in KiB), 3 passes, 4 lanes — comfortably
          # above OWASP's minimum recommendation for argon2id.
          password = {
            algorithm = "argon2";
            argon2 = {
              variant = "argon2id";
              iterations = 3;
              memory = 65536;
              parallelism = 4;
              key_length = 32;
              salt_length = 16;
            };
          };
        };
      };

      session = {
        name = "authelia_session";
        same_site = "lax";
        expiration = "1h";
        inactivity = "5m";
        remember_me = "1M";
        # Cookie is scoped to the apex domain, so every *.liljamo.com host receives
        # the session cookie: each of those hosts is inside the trust boundary.
        cookies = [
          {
            domain = "liljamo.com";
            authelia_url = "https://auth.liljamo.com";
          }
        ];
        # A unix socket path is accepted in place of host:port.
        redis.host = inst.redisPath;
      };

      # Brute-force throttling: 3 failed attempts within 2 minutes → 5 minute ban.
      regulation = {
        max_retries = 3;
        find_time = "2m";
        ban_time = "5m";
      };

      # Loopback TCP to postgres; the password comes from the *_FILE variable above.
      storage.postgres = {
        address = "tcp://127.0.0.1:5432";
        database = inst.psql.db;
        schema = inst.psql.schema;
        username = inst.psql.user;
      };
    };
  };
}