
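{
  lib,
  pkgs,
  ...
}:
with lib; {
  # TODO: do not hard-code "authelia-main" everywhere; derive it from the
  # instance config (a `let` binding or similar).
  #
  # The three secrets are generated on the host at first start and reused
  # afterwards, so they never pass through the world-readable Nix store.
  systemd.services.authelia-main = {
    # NOTE(review): NixOS runs preStart as the unit's User and the authelia
    # module hardens the unit (ProtectSystem and friends); confirm that
    # /var/trust/authelia-main can be created and written from inside the
    # unit, otherwise this belongs in systemd.tmpfiles or a root ExecStartPre.
    preStart = ''
      # Create every file below with mode 0600 from the outset.  Without this
      # the shell redirect creates each secret with the default umask (usually
      # world-readable) and it stays readable until the chmod a line later.
      umask 077
      mkdir -p /var/trust/authelia-main/
      chown authelia-main:authelia-main /var/trust/authelia-main/
      chmod 700 /var/trust/authelia-main/
      # `-s` (exists and is non-empty) instead of `-f`: if openssl ever fails,
      # the redirect still leaves an empty file, which `-f` would accept on
      # every later start and the service would run with an empty secret.
      [ -s /var/trust/authelia-main/jwt-secret ] || {
        "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/trust/authelia-main/jwt-secret
        chown authelia-main:authelia-main /var/trust/authelia-main/jwt-secret
        chmod 600 /var/trust/authelia-main/jwt-secret
      }
      [ -s /var/trust/authelia-main/storage-encryption-file ] || {
        "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/trust/authelia-main/storage-encryption-file
        chown authelia-main:authelia-main /var/trust/authelia-main/storage-encryption-file
        chmod 600 /var/trust/authelia-main/storage-encryption-file
      }
      [ -s /var/trust/authelia-main/session-secret-file ] || {
        "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/trust/authelia-main/session-secret-file
        chown authelia-main:authelia-main /var/trust/authelia-main/session-secret-file
        chmod 600 /var/trust/authelia-main/session-secret-file
      }
    '';
    # Also expose the files as systemd credentials ($CREDENTIALS_DIRECTORY/<name>).
    # With `secrets.*File` set below the NixOS module is expected to load them
    # itself under its own names; this list is kept for anything else that
    # reads them through the credentials directory.
    serviceConfig.LoadCredential = [
      "jwt-secret:/var/trust/authelia-main/jwt-secret"
      "storage-encryption-file:/var/trust/authelia-main/storage-encryption-file"
      "session-secret-file:/var/trust/authelia-main/session-secret-file"
    ];
  };
  services = {
    nginx = {
      virtualHosts."auth.posixlycorrect.com" = {
        enableACME = true;
        forceSSL = true;
        # Authelia listens on loopback only (see server.address below), so
        # nginx has to proxy to it.  NOTE(review): Authelia relies on the
        # X-Forwarded-* headers from the proxy; enable
        # services.nginx.recommendedProxySettings or set them explicitly here.
        locations."/".proxyPass = "http://127.0.0.1:9091";
      };
    };
    authelia.instances.main = {
      enable = true;
      # The secret file paths are NixOS module options, siblings of `settings`,
      # not Authelia config keys: placed under `settings` they would be
      # serialised into the YAML as an unknown `secrets:` section.
      secrets = {
        jwtSecretFile = "/var/trust/authelia-main/jwt-secret";
        storageEncryptionKeyFile = "/var/trust/authelia-main/storage-encryption-file";
        sessionSecretFile = "/var/trust/authelia-main/session-secret-file";
      };
      # config based on https://github.com/authelia/authelia/blob/master/config.template.yml
      settings = {
        theme = "dark";
        default_2fa_method = "totp";
        server = {
          disable_healthcheck = true;
          # Bind to loopback only: this listener speaks plain HTTP and nginx on
          # the same host fronts it with TLS.  `address` supersedes the older
          # host/port keys, which are dropped so the two cannot disagree.
          address = "tcp://127.0.0.1:9091/";
        };
        # tls settings not modified https://github.com/authelia/authelia/blob/master/config.template.yml#L53
        log = {
          level = "info";
          format = "text";
        };
        # The metrics exporter is the only telemetry Authelia has; the switch
        # lives under `telemetry.metrics`, not directly under `telemetry`.
        telemetry.metrics.enabled = false;
        totp = {
          disable = false;
          issuer = "https://getaegis.app/ or whatever you prefer";
          # default values assumed https://github.com/authelia/authelia/blob/master/config.template.yml#L181
        };
        webauthn = {
          disable = false;
          # default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L231
        };
        duo_api.disable = true;
        # identity_validation default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L266
        authentication_backend.file = {
          # TODO: nothing in this module creates the users database; it has to
          # be provisioned by hand (it holds password hashes, keep it 0600).
          path = "/var/trust/authelia-main/users_database.yml";
          password.algorithm = "argon2";
        };
        # Top-level Authelia key (it is not part of authentication_backend) and
        # the flag is spelled `enabled`, matching config.template.yml.
        password_policy.zxcvbn = {
          enabled = true;
          min_score = 3;
        };
        access_control = {
          # Deny everything that is not explicitly listed below.
          default_policy = "deny";
          rules = [
            {
              domain = "meet.posixlycorrect.com";
              policy = "bypass";
            }
          ];
        };
        session = {
          # `cookies` is a list in Authelia's schema; an attribute set would
          # serialise to a YAML mapping and fail validation.
          # NOTE(review): with domain = "auth.posixlycorrect.com" the session
          # cookie is only sent to that host; protecting sibling hosts such as
          # meet.posixlycorrect.com normally needs the parent domain here.
          cookies = [
            {
              name = "posixlycorrect_session";
              domain = "auth.posixlycorrect.com";
              authelia_url = "https://auth.posixlycorrect.com";
              same_site = "lax";
              # see https://github.com/authelia/authelia/blob/master/config.template.yml#L756
              inactivity = "5 minutes";
              expiration = "1 hour";
              remember_me = "1 month";
            }
          ];
          # Defaults applied to every cookie entry above.
          # see https://github.com/authelia/authelia/blob/master/config.template.yml#L774
          name = "authelia_session";
          same_site = "lax";
          inactivity = "5m";
          expiration = "1h";
          remember_me = "1M";
        };
        # Lock an account for ban_time after max_retries failures within find_time.
        regulation = {
          max_retries = 3;
          find_time = "2 minutes";
          ban_time = "5 minutes";
        };
        # TODO: sqlite lives in the same 0700 directory as the secrets.
        storage.local.path = "/var/trust/authelia-main/db.sqlite3";
        # TODO: NOTE(review): Authelia needs a notifier (smtp or filesystem) for
        # its identity-verification flows; confirm the instance starts without
        # one before relying on password reset.
        #notifier.smtp = {
        #
        #};
        # TODO: continue from here: https://github.com/authelia/authelia/blob/master/config.template.yml#L714
      };
    };
  };
}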