{
lib,
pkgs,
...
}:
with lib; {
options = {
  # Give every nginx virtualHost an `enableAuthelia` switch.  Only the
  # submodule type is contributed here: the option itself is already declared
  # by the nginx module, so no default/description is attached at this level
  # (the module system rejects a second declaration of those attributes).
  services.nginx.virtualHosts = lib.mkOption {
    type = lib.types.attrsOf (lib.types.submodule ({ config, ... }: {
      options.enableAuthelia = lib.mkOption {
        type = lib.types.bool;
        default = false;
        description = "Whether to protect this virtual host with Authelia.";
      };
      config = lib.mkIf config.enableAuthelia {
        # Both snippets live next to this module and are copied to the store.
        extraConfig = ''
          include ${./authelia-authrequest.conf};
          include ${./authelia-location.conf};
        '';
      };
    }));
  };
};
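config = let
  # Single source of truth for where Authelia listens: nginx proxies to it and
  # Authelia binds to it (replaces the three hard-coded copies of the address).
  autheliaListen = "localhost:9091";
  autheliaUpstream = "http://${autheliaListen}";
in {
  # Authelia has to be up before nginx starts forwarding auth sub-requests.
  systemd.services.authelia-main.before = [ "nginx.service" ];
  services = {
    nginx = {
      recommendedProxySettings = true;
      recommendedTlsSettings = true;
      commonHttpConfig = ''
        ## Headers
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_set_header X-Forwarded-URI $request_uri;
        proxy_set_header X-Forwarded-Ssl on;
        ## Basic Proxy Configuration
        client_body_buffer_size 128k;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
        # proxy_redirect http:// $scheme://;
        ## NOTE(review): these two directives key on a cookie literally named
        ## "session"; the Authelia cookie configured below is
        ## "posixlycorrect_session".  No proxy_cache is configured here, so they
        ## are currently inert either way.
        proxy_cache_bypass $cookie_session;
        proxy_no_cache $cookie_session;
        proxy_buffers 64 256k;
        ## Trusted Proxies Configuration
        ## Please read the following documentation before configuring this:
        ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
        ## With every set_real_ip_from commented out no peer is trusted, so the
        ## X-Forwarded-For header is never used to rewrite the client address.
        ## Only list proxies that actually sit in front of this nginx.
        # set_real_ip_from 10.0.0.0/8;
        # set_real_ip_from 172.16.0.0/12;
        # set_real_ip_from 192.168.0.0/16;
        # set_real_ip_from fc00::/7;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
      '';
      virtualHosts."auth.posixlycorrect.com" = {
        enableACME = true;
        forceSSL = true;
        # Portal and API endpoints all live on the same Authelia instance.
        locations = {
          "/".proxyPass = autheliaUpstream;
          "= /api/verify".proxyPass = autheliaUpstream;
          # `=` is an exact match: longer paths under /api/authz/ fall through
          # to "/" above, which reaches the same upstream anyway.
          "= /api/authz/".proxyPass = autheliaUpstream;
        };
      };
    };
    authelia.instances.main = {
      enable = true;
      # config based on https://github.com/authelia/authelia/blob/master/config.template.yml
      # Secrets are supplied as file paths rather than inline values.
      secrets = {
        jwtSecretFile = "/var/trust/authelia-main/jwt-secret";
        storageEncryptionKeyFile = "/var/trust/authelia-main/storage-encryption-file";
        sessionSecretFile = "/var/trust/authelia-main/session-secret-file";
      };
      settings = {
        theme = "dark";
        default_2fa_method = "totp";
        server = {
          disable_healthcheck = true;
          port = 9091;
          host = "localhost";
          # `address` is the canonical listener; host/port above describe the
          # same socket.  TODO: use a unix socket instead.
          address = "tcp://${autheliaListen}/";
          endpoints.authz.auth-request.implementation = "AuthRequest";
        };
        # tls settings not modified https://github.com/authelia/authelia/blob/master/config.template.yml#L53
        log = {
          level = "info";
          format = "text";
        };
        telemetry.enabled = false;
        totp = {
          disable = false;
          # `issuer` is the label shown in the authenticator app; this
          # placeholder text is what enrolled users currently see.
          issuer = "https://getaegis.app/ or whatever you prefer";
          # default values assumed https://github.com/authelia/authelia/blob/master/config.template.yml#L181
        };
        webauthn = {
          disable = false;
          # default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L231
        };
        duo_api.disable = true;
        # identity_validation default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L266
        authentication_backend.file = {
          path = "/var/trust/authelia-main/users_database.yml"; # TODO:
          password.algorithm = "argon2";
          password_policy.zxcvbn = {
            enable = true;
            min_score = 3;
          };
        };
        access_control = {
          # Deny by default; only the rules below open anything up.
          default_policy = "deny";
          rules = [
            {
              domain = "auth.posixlycorrect.com";
              policy = "bypass";
            }
            {
              domain = "meet.posixlycorrect.com";
              policy = "bypass";
            }
          ];
        };
        session = {
          # Defaults applied to every cookie listed below
          # (see https://github.com/authelia/authelia/blob/master/config.template.yml#L774).
          name = "authelia_session";
          same_site = "lax";
          inactivity = "5m";
          expiration = "1h";
          remember_me = "1M";
          # `cookies` is a list (one entry per cookie domain), not an attribute
          # set; the entry only overrides the cookie name, timeouts and
          # same_site come from the defaults above.
          # The cookie domain must be the parent domain so the browser sends
          # the same session cookie to every protected host (e.g.
          # meet.posixlycorrect.com and any vhost with enableAuthelia).  Scoped
          # to auth.posixlycorrect.com it would never be presented to those
          # hosts, and default_redirection_url (posixlycorrect.com) would lie
          # outside the cookie's scope.
          # see https://github.com/authelia/authelia/blob/master/config.template.yml#L756
          cookies = [
            {
              domain = "posixlycorrect.com";
              authelia_url = "https://auth.posixlycorrect.com";
              default_redirection_url = "https://posixlycorrect.com";
              name = "posixlycorrect_session";
            }
          ];
        };
        # Brute-force throttling: 3 failures within 2 minutes bans for 5 minutes.
        regulation = {
          max_retries = 3;
          find_time = "2 minutes";
          ban_time = "5 minutes";
        };
        storage.local.path = "/var/trust/authelia-main/db.sqlite3"; # TODO:
        # TODO:
        #notifier.smtp = {
        #
        #};
      };
    };
  };
};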
}