archive/server_config
Archived
1
0
Fork 0
Code Issues 1 Pull requests Projects Releases Packages Wiki Activity

wip: add authelia config

Browse source
This commit is contained in:
Fabian Montero 2024-08-24 03:36:28 -06:00
parent 806b00f634
commit 495d54def8
Signed by untrusted user: fabian
GPG key ID: 1FFAC35E1798174F
1 changed files with 106 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

106
sys/srv/authelia.nix Normal file
View file

@ -0,0 +1,106 @@
{
lib,
pkgs,
...
}:
with lib; {
systemd.services.authelia.serviceConfig.LoadCredential = ["storageEncryptionKeyFile.txt:/var/trust/authelia/storageEncryptionKeyFile.csv" "jwtSecretFile.txt:/var/trust/authelia/jwtSecretFile.csv"];
services = {
nginx = {
virtualHosts."auth.posixlycorrect.com" = {
enableACME = true;
forceSSL = true;
};
};
authelia.instances.main = {
enable = true;
# config based on https://github.com/authelia/authelia/blob/master/config.template.yml
settings = {
secrets = {
jwtSecretFile = "TODO:";
storageEncryptionKeyFile = "TODO:";
};
theme = "dark";
default_2fa_method = "totp";
server = {
disable_healthcheck = true;
port = 9091;
host = "localhost";
address = "tcp://:9091/";
};
# tls settings not modified https://github.com/authelia/authelia/blob/master/config.template.yml#L53
log = {
level = "info";
format = "text";
};
telemetry.enabled = false;
totp = {
disable = false;
issuer = "https://getaegis.app/ or whatever you prefer";
# default values assumed https://github.com/authelia/authelia/blob/master/config.template.yml#L181
};
webauthn = {
disable = false;
# default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L231
};
duo_api.disable = true;
# identity_validation default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L266
authentication_backend.file = {
path = "/var/trust/authelia/users_database.yml"; #TODO:
password.algorithm = "argon2";
password_policy.zxcvbn = {
enable = true;
min_score = 3;
};
};
access_control = {
default_policy = "deny";
rules = [
{
domain = "meet.posixlycorrect.com";
policy = "bypass";
}
];
};
session = {
cookies = {
name = "posixlycorrect_session";
domain = "auth.posixlycorrect.com";
authelia_url = "https://auth.posixlycorrect.com";
same_site = "lax";
# see https://github.com/authelia/authelia/blob/master/config.template.yml#L756
inactivity = "5 minutes";
expiration = "1 hour";
remember_me = "1 month";
};
# see https://github.com/authelia/authelia/blob/master/config.template.yml#L774
name = "authelia_session";
same_site = "lax";
inactivity = "5m";
expiration = "1h";
remember_me = "1M";
};
regulation = {
max_retries = 3;
find_time = "2 minutes";
ban_time = "5 minutes";
};
storage.local.path = "/var/trust/authelia/db.sqlite3"; #TODO:
# TODO:
#notifier.smtp = {
#
#};
# TODO: voy por acá: https://github.com/authelia/authelia/blob/master/config.template.yml#L714
};
};
};
}