wip: add authelia config
This commit is contained in:
parent
806b00f634
commit
495d54def8
GPG key ID:
1FFAC35E1798174F
1 changed files with 106 additions and 0 deletions
106
sys/srv/authelia.nix
Normal file
106
sys/srv/authelia.nix
Normal file
|
|
@ -0,0 +1,106 @@
|
|||
{
|
||||
lib,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
with lib; {
|
||||
systemd.services.authelia.serviceConfig.LoadCredential = ["storageEncryptionKeyFile.txt:/var/trust/authelia/storageEncryptionKeyFile.csv" "jwtSecretFile.txt:/var/trust/authelia/jwtSecretFile.csv"];
|
||||
|
||||
services = {
|
||||
nginx = {
|
||||
virtualHosts."auth.posixlycorrect.com" = {
|
||||
enableACME = true;
|
||||
forceSSL = true;
|
||||
};
|
||||
};
|
||||
|
||||
authelia.instances.main = {
|
||||
enable = true;
|
||||
# config based on https://github.com/authelia/authelia/blob/master/config.template.yml
|
||||
settings = {
|
||||
secrets = {
|
||||
jwtSecretFile = "TODO:";
|
||||
storageEncryptionKeyFile = "TODO:";
|
||||
};
|
||||
|
||||
theme = "dark";
|
||||
default_2fa_method = "totp";
|
||||
server = {
|
||||
disable_healthcheck = true;
|
||||
port = 9091;
|
||||
host = "localhost";
|
||||
address = "tcp://:9091/";
|
||||
};
|
||||
# tls settings not modified https://github.com/authelia/authelia/blob/master/config.template.yml#L53
|
||||
log = {
|
||||
level = "info";
|
||||
format = "text";
|
||||
};
|
||||
telemetry.enabled = false;
|
||||
totp = {
|
||||
disable = false;
|
||||
issuer = "https://getaegis.app/ or whatever you prefer";
|
||||
# default values assumed https://github.com/authelia/authelia/blob/master/config.template.yml#L181
|
||||
};
|
||||
webauthn = {
|
||||
disable = false;
|
||||
# default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L231
|
||||
};
|
||||
duo_api.disable = true;
|
||||
# identity_validation default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L266
|
||||
authentication_backend.file = {
|
||||
path = "/var/trust/authelia/users_database.yml"; #TODO:
|
||||
password.algorithm = "argon2";
|
||||
password_policy.zxcvbn = {
|
||||
enable = true;
|
||||
min_score = 3;
|
||||
};
|
||||
};
|
||||
access_control = {
|
||||
default_policy = "deny";
|
||||
rules = [
|
||||
{
|
||||
domain = "meet.posixlycorrect.com";
|
||||
policy = "bypass";
|
||||
}
|
||||
];
|
||||
};
|
||||
session = {
|
||||
cookies = {
|
||||
name = "posixlycorrect_session";
|
||||
domain = "auth.posixlycorrect.com";
|
||||
authelia_url = "https://auth.posixlycorrect.com";
|
||||
same_site = "lax";
|
||||
|
||||
# see https://github.com/authelia/authelia/blob/master/config.template.yml#L756
|
||||
inactivity = "5 minutes";
|
||||
expiration = "1 hour";
|
||||
remember_me = "1 month";
|
||||
};
|
||||
|
||||
# see https://github.com/authelia/authelia/blob/master/config.template.yml#L774
|
||||
name = "authelia_session";
|
||||
same_site = "lax";
|
||||
inactivity = "5m";
|
||||
expiration = "1h";
|
||||
remember_me = "1M";
|
||||
};
|
||||
|
||||
regulation = {
|
||||
max_retries = 3;
|
||||
find_time = "2 minutes";
|
||||
ban_time = "5 minutes";
|
||||
};
|
||||
|
||||
storage.local.path = "/var/trust/authelia/db.sqlite3"; #TODO:
|
||||
|
||||
# TODO:
|
||||
#notifier.smtp = {
|
||||
#
|
||||
#};
|
||||
|
||||
# TODO: voy por acá: https://github.com/authelia/authelia/blob/master/config.template.yml#L714
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
Reference in a new issue