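{ lib, pkgs, ... }:

let
  # One place for the instance name: the NixOS authelia module names the systemd
  # unit and the service user "authelia-<instance>", so every path, user and
  # unit name below derives from these two values instead of being repeated.
  name = "main";
  instance = "authelia-${name}";
  trustDir = "/var/trust/${instance}";

  jwtSecret = "${trustDir}/jwt-secret";
  storageKey = "${trustDir}/storage-encryption-file";
  sessionSecret = "${trustDir}/session-secret-file";

  # Shell snippet that generates a random secret at `path` unless one already
  # exists. preStart sets `umask 077` first, so the file is private from the
  # moment the redirect creates it; the chmod only repairs files left behind by
  # earlier runs that created them with the default umask.
  ensureSecret = path: ''
    [ -f ${path} ] || {
      "${pkgs.openssl}/bin/openssl" rand -base64 32 > ${path}
      chown ${instance}:${instance} ${path}
      chmod 600 ${path}
    }
  '';
in
{
  systemd.services.${instance} = {
    preStart = ''
      # Never create a secret world-readable, not even between `>` and `chmod`.
      umask 077
      mkdir -p ${trustDir}/
      chown ${instance}:${instance} ${trustDir}/
      chmod 700 ${trustDir}/
      ${ensureSecret jwtSecret}
      ${ensureSecret storageKey}
      ${ensureSecret sessionSecret}
    '';
    # NOTE(review): the module applies its own systemd hardening to this unit;
    # confirm that preStart (run as the service user) may still write under
    # ${trustDir}, otherwise the directory has to be provisioned by tmpfiles.
  };

  services = {
    nginx.virtualHosts."auth.posixlycorrect.com" = {
      enableACME = true;
      forceSSL = true;
      # The portal is reached through this TLS vhost (it is what `authelia_url`
      # points at); Authelia itself only listens on loopback, see server.address.
      locations."/".proxyPass = "http://127.0.0.1:9091";
    };

    authelia.instances.${name} = {
      enable = true;

      # Secret files go through the module's own `secrets` options, not through
      # `settings.secrets`: Authelia's configuration schema has no `secrets` key,
      # and the module is what passes these files to the service.
      secrets = {
        jwtSecretFile = jwtSecret;
        storageEncryptionKeyFile = storageKey;
        sessionSecretFile = sessionSecret;
      };

      # config based on https://github.com/authelia/authelia/blob/master/config.template.yml
      settings = {
        theme = "dark";
        default_2fa_method = "totp";

        server = {
          disable_healthcheck = true;
          # Bind to loopback only: nginx is the only intended client. `address`
          # supersedes the older `host`/`port` keys, which are dropped here.
          address = "tcp://127.0.0.1:9091/";
        };
        # tls settings not modified: https://github.com/authelia/authelia/blob/master/config.template.yml#L53

        log = {
          level = "info";
          format = "text";
        };
        telemetry.enabled = false;

        totp = {
          disable = false;
          # NOTE(review): this string is what authenticator apps show as the
          # account issuer; it reads like placeholder text — confirm it is intended.
          issuer = "https://getaegis.app/ or whatever you prefer";
          # default values assumed https://github.com/authelia/authelia/blob/master/config.template.yml#L181
        };
        webauthn = {
          disable = false;
          # default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L231
        };
        duo_api.disable = true;
        # identity_validation default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L266

        authentication_backend.file = {
          # NOTE(review): nothing in this module creates the users file; check what
          # Authelia does when it is missing before relying on first boot.
          path = "${trustDir}/users_database.yml";
          #TODO: password.algorithm = "argon2";
          password_policy.zxcvbn = {
            enable = true;
            min_score = 3;
          };
        };

        access_control = {
          default_policy = "deny";
          rules = [
            { domain = "auth.posixlycorrect.com"; policy = "bypass"; }
            { domain = "meet.posixlycorrect.com"; policy = "bypass"; }
          ];
        };

        session = {
          # Defaults for every cookie domain listed below
          # (https://github.com/authelia/authelia/blob/master/config.template.yml#L774).
          name = "authelia_session";
          same_site = "lax";
          inactivity = "5m";
          expiration = "1h";
          remember_me = "1M";

          # `cookies` is a list in Authelia's schema, one entry per cookie domain
          # (https://github.com/authelia/authelia/blob/master/config.template.yml#L756);
          # as an attribute set it would be emitted as a YAML map instead.
          # NOTE(review): with the domain set to the portal's own host, the session
          # cookie is not sent to sibling hosts such as meet.posixlycorrect.com; a
          # parent domain would be needed for SSO across them — confirm intended scope.
          cookies = [
            {
              domain = "auth.posixlycorrect.com";
              authelia_url = "https://auth.posixlycorrect.com";
              name = "posixlycorrect_session";
              same_site = "lax";
              inactivity = "5 minutes";
              expiration = "1 hour";
              remember_me = "1 month";
            }
          ];
        };

        # Brute-force regulation: after max_retries failures within find_time,
        # the account is banned for ban_time.
        regulation = {
          max_retries = 3;
          find_time = "2 minutes";
          ban_time = "5 minutes";
        };

        # SQLite database lives in the 0700 directory created in preStart.
        storage.local.path = "${trustDir}/db.sqlite3";

        #TODO: configure a notifier; Authelia refuses to start without one.
        #notifier.smtp = {
        #
        #};
      };
    };
  };
}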