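# NixOS module: Authelia ("main" instance) fronted by nginx.
#
# It does three things:
#   1. adds `services.nginx.virtualHosts.<name>.enableAuthelia`, which makes a
#      virtual host send every request through Authelia's auth_request flow by
#      including the two nginx snippets shipped next to this file;
#   2. configures the nginx portal vhost `auth.posixlycorrect.com`;
#   3. configures the Authelia instance itself (secrets, session, access control).
#
# Secrets are referenced by path under /var/trust only; nothing secret is put
# into `settings`, because the rendered YAML ends up in the world-readable Nix store.
{ lib, pkgs, ... }:
with lib;
let
  # Single definition of the Authelia listener, used by both the Authelia
  # `server` block and the nginx upstream of the portal vhost.
  autheliaHost = "localhost";
  autheliaPort = 9091;
  autheliaUpstream = "http://${autheliaHost}:${toString autheliaPort}";
  # Directory holding secrets and mutable state (outside the Nix store).
  # NOTE(review): the files in here must be readable by the user the
  # authelia-main service runs as — confirm ownership/mode on the host.
  autheliaStateDir = "/var/trust/authelia-main";
in
{
  options = {
    services.nginx.virtualHosts = mkOption {
      type = with lib.types;
        attrsOf (submodule ({ config, ... }: {
          options = {
            enableAuthelia = mkOption {
              default = false;
              type = bool;
              description = "Protect every location of this virtual host with Authelia (auth_request).";
            };
          };
          config = mkIf config.enableAuthelia {
            # Server-level include, so the auth_request directives apply to all
            # locations of the vhost. This must stay off (the default) on the
            # portal vhost itself, otherwise the login page would require a login.
            # The `${./…}` interpolations copy the snippets into the Nix store;
            # that is fine because they contain no secrets.
            extraConfig = ''
              include ${./authelia-authrequest.conf};
              include ${./authelia-location.conf};
            '';
          };
        }));
    };
  };

  config = {
    # Ordering only: nginx starts after Authelia so the portal upstream is up.
    # (No `requires`/`wants`, so nginx still starts if Authelia fails.)
    systemd.services.authelia-main.before = [ "nginx.service" ];

    services = {
      nginx = {
        recommendedProxySettings = true;
        recommendedTlsSettings = true;
        # Headers and proxy settings Authelia expects from nginx; taken from
        # https://www.authelia.com/integration/proxies/nginx/
        #
        # Trusted proxies: every `set_real_ip_from` line is commented out, so the
        # two `real_ip_*` directives below are currently inert (nginx only rewrites
        # the client address for connections that match a `set_real_ip_from` range).
        # If you enable them, list only the proxies that actually sit in front of
        # this host — Authelia's regulation (bans) and network-based access-control
        # rules trust the address nginx derives from X-Forwarded-For.
        commonHttpConfig = ''
          ## Headers
          proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
          proxy_set_header X-Forwarded-URI $request_uri;
          proxy_set_header X-Forwarded-Ssl on;

          ## Basic Proxy Configuration
          client_body_buffer_size 128k;
          proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
          # proxy_redirect http:// $scheme://;
          proxy_cache_bypass $cookie_session;
          proxy_no_cache $cookie_session;
          proxy_buffers 64 256k;

          ## Trusted Proxies Configuration
          ## Please read the following documentation before configuring this:
          ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
          # set_real_ip_from 10.0.0.0/8;
          # set_real_ip_from 172.16.0.0/12;
          # set_real_ip_from 192.168.0.0/16;
          # set_real_ip_from fc00::/7;
          real_ip_header X-Forwarded-For;
          real_ip_recursive on;
        '';

        # The Authelia portal. `enableAuthelia` is intentionally left at its
        # default (false) here.
        virtualHosts."auth.posixlycorrect.com" = {
          enableACME = true;
          forceSSL = true;
          # All three locations proxy to the same upstream; the two exact-match
          # entries are already covered by "/" (the AuthRequest snippet calls
          # /api/authz/auth-request, which "= /api/authz/" does not match) and are
          # kept only for explicitness.
          locations = genAttrs [ "/" "= /api/verify" "= /api/authz/" ] (_: {
            proxyPass = autheliaUpstream;
          });
        };
      };

      authelia.instances.main = {
        enable = true;
        # config based on https://github.com/authelia/authelia/blob/master/config.template.yml
        secrets = {
          jwtSecretFile = "${autheliaStateDir}/jwt-secret";
          storageEncryptionKeyFile = "${autheliaStateDir}/storage-encryption-file";
          sessionSecretFile = "${autheliaStateDir}/session-secret-file";
        };
        settings = {
          theme = "dark";
          default_2fa_method = "totp";
          server = {
            disable_healthcheck = true;
            # `host`/`port` and `address` describe the same listener.
            # NOTE(review): recent Authelia releases document `address` as the
            # replacement for `host`/`port` — confirm against the deployed
            # version before dropping the older pair.
            port = autheliaPort;
            host = autheliaHost;
            address = "tcp://${autheliaHost}:${toString autheliaPort}/"; # TODO: use a unix socket
            # Must match the nginx snippets included by `enableAuthelia`
            # (they expect the AuthRequest implementation).
            endpoints.authz.auth-request.implementation = "AuthRequest";
          };
          # tls settings not modified https://github.com/authelia/authelia/blob/master/config.template.yml#L53
          log = {
            level = "info";
            format = "text";
          };
          telemetry.enabled = false;
          totp = {
            disable = false;
            # Shown as the account issuer in the authenticator app; the current
            # value reads like a placeholder — TODO: pick a real issuer name.
            issuer = "https://getaegis.app/ or whatever you prefer";
            # default values assumed https://github.com/authelia/authelia/blob/master/config.template.yml#L181
          };
          webauthn = {
            disable = false;
            # default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L231
          };
          duo_api.disable = true;
          # identity_validation default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L266
          authentication_backend.file = {
            path = "${autheliaStateDir}/users_database.yml";
            # TODO: password.algorithm = "argon2";
            password_policy.zxcvbn = {
              enable = true;
              min_score = 3;
            };
          };
          # Deny by default; only the portal itself and the meet host are reachable
          # without authentication.
          access_control = {
            default_policy = "deny";
            rules = [
              {
                domain = "auth.posixlycorrect.com";
                policy = "bypass";
              }
              {
                domain = "meet.posixlycorrect.com";
                policy = "bypass";
              }
            ];
          };
          session = {
            cookies = {
              name = "posixlycorrect_session";
              # NOTE(review): the cookie domain is the portal host itself. Per the
              # Authelia docs the cookie domain is normally the parent domain
              # (posixlycorrect.com) so that protected sibling subdomains receive
              # the session cookie, and `default_redirection_url` is expected to
              # fall within the cookie domain — confirm this combination passes
              # Authelia's config validation and that protected vhosts actually
              # get a session.
              domain = "auth.posixlycorrect.com";
              authelia_url = "https://auth.posixlycorrect.com";
              default_redirection_url = "https://posixlycorrect.com";
              same_site = "lax"; # see https://github.com/authelia/authelia/blob/master/config.template.yml#L756
              inactivity = "5 minutes";
              expiration = "1 hour";
              remember_me = "1 month";
            };
            # Legacy top-level session settings; with `cookies` set they act as
            # defaults and repeat the per-cookie values above.
            # see https://github.com/authelia/authelia/blob/master/config.template.yml#L774
            name = "authelia_session";
            same_site = "lax";
            inactivity = "5m";
            expiration = "1h";
            remember_me = "1M";
          };
          # Brute-force protection: 3 failed attempts within 2 minutes bans for 5 minutes.
          regulation = {
            max_retries = 3;
            find_time = "2 minutes";
            ban_time = "5 minutes";
          };
          storage.local.path = "${autheliaStateDir}/db.sqlite3";
          # TODO: notifier — Authelia needs a notifier (smtp or filesystem) for
          # identity verification mails; NOTE(review): confirm the NixOS module
          # supplies one, otherwise configure it here.
          # notifier.smtp = {
          #
          # };
        };
      };
    };
  };
}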