servers/common/services/authelia.nix

{
  config,
  lib,
  ...
}:
let
  inherit (lib)
    mkIf
    types
    mkOption
    mkEnableOption
    ;

  cfg = config.foehammer.services.authelia;
in
{
  options.foehammer.services.authelia = {
    enable = mkEnableOption "Enable authelia server component.";
    domain = mkOption {
      type = types.str;
      description = ''
        Authelia's domain.
      '';
    };

    url = mkOption {
      type = types.str;
      description = ''
        Authelia's url.
      '';
    };

    userDbFile = mkOption {
      type = types.path;
    };

    # https://www.authelia.com/integration/ldap/lldap/
    ldap = {
      addr = mkOption {
        type = types.str;
        description = "LDAP URL";
      };

      passwordFile = mkOption {
        type = types.nullOr types.path;
        default = null;
        description = "Path to LDAP service account password file";
      };

      baseDN = mkOption {
        type = types.str;
        example = "DC=example,DC=com";
      };

      user = mkOption {
        type = types.str;
        example = "UID=authelia,OU=people,DC=example,DC=com";
      };
    };

    jwtSecretFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to your JWT secret used during identity verificaton.
      '';
    };

    oidcIssuerPrivateKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to your private key file used to encrypt OIDC JWTs.
      '';
    };

    oidcHmacSecretFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to your HMAC secret used to sign OIDC JWTs.
      '';
    };

    sessionSecretFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to your session secret. Only used when redis is used as session storage.
      '';
    };

    storageEncryptionKeyFile = mkOption {
      type = types.nullOr types.path;
      default = null;
      description = ''
        Path to your storage encryption key.
      '';
    };

    port = mkOption {
      type = lib.types.port;
      default = 9001;
      description = ''
        What external port to serve over.
      '';
    };

    settingsFiles = mkOption {
      type = types.listOf types.path;
      default = [ ];
      example = [
        "/etc/authelia/config.yml"
        "/etc/authelia/access-control.yml"
        "/etc/authelia/config/"
      ];
      description = ''
        Here you can provide authelia with configuration files or directories.
        It is possible to give authelia multiple files and use the nix generated configuration
        file set via {option}`services.authelia.<instance>.settings`.
      '';
    };

    environmentVariables = mkOption {
      type = types.attrsOf types.str;
      description = ''
        Additional environment variables to provide to authelia.
        If you are providing secrets please consider the options under {option}`services.authelia.<instance>.secrets`
        or make sure you use the `_FILE` suffix.
        If you provide the raw secret rather than the location of a secret file that secret will be preserved in the nix store.
        For more details: https://www.authelia.com/configuration/methods/secrets/
      '';
      default = { };
    };
  };

  config = mkIf cfg.enable {
    services.authelia.instances.main = {
      inherit (cfg) settingsFiles;

      enable = true;

      settings = {
        theme = "dark";
        default_2fa_method = "totp";
        server.address = "tcp://:${toString cfg.port}";
        log = {
          level = "info";
          format = "json";
          # file_path = "/var/log/authelia/authelia.log";
        };
        totp = {
          disable = false;
          issuer = cfg.domain;
        };
        duo_api.disable = true;

        access_control.default_policy = "two_factor";

        session.cookies = [
          {
            domain = cfg.domain;
            authelia_url = cfg.url;
          }
        ];

        notifier = {
          filesystem.filename = "/var/lib/authelia-main/notifications.txt";
        };

        authentication_backend = {
          password_change.disable = true;
          password_reset.disable = true;

          ldap = {
            implementation = "lldap";
            address = cfg.ldap.addr;
            base_dn = cfg.ldap.baseDN;
            user = cfg.ldap.user;
          };
        };

        server.endpoints.authz = {
          forward-auth = {
            implementation = "ForwardAuth";
          };
        };

        storage.local = {
          path = "/var/lib/authelia-main/db.sqlite3";
        };
      };

      environmentVariables = cfg.environmentVariables // {
        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = cfg.ldap.passwordFile;
      };

      secrets = {
        inherit (cfg)
          jwtSecretFile
          oidcIssuerPrivateKeyFile
          oidcHmacSecretFile
          sessionSecretFile
          storageEncryptionKeyFile
          ;
      };
    };
  };
}
Add authelia. 2025-06-04 16:08:13 -05:00			`{`
			`config,`
			`lib,`
			`...`
Nixfmt Tree 2026-02-24 00:00:35 -08:00			`}:`
			`let`
			`inherit (lib)`
			`mkIf`
			`types`
			`mkOption`
			`mkEnableOption`
			`;`
Add authelia. 2025-06-04 16:08:13 -05:00
			`cfg = config.foehammer.services.authelia;`
Nixfmt Tree 2026-02-24 00:00:35 -08:00			`in`
			`{`
Add authelia. 2025-06-04 16:08:13 -05:00			`options.foehammer.services.authelia = {`
			`enable = mkEnableOption "Enable authelia server component.";`
			`domain = mkOption {`
			`type = types.str;`
			`description = ''`
			`Authelia's domain.`
			`'';`
			`};`

Fix authelia urls. 2025-06-05 18:00:38 -05:00			`url = mkOption {`
			`type = types.str;`
			`description = ''`
			`Authelia's url.`
			`'';`
			`};`

Add authelia. 2025-06-04 16:08:13 -05:00			`userDbFile = mkOption {`
			`type = types.path;`
			`};`

Connect Authelia to LDAP with LLDAP 2025-12-31 22:54:03 -06:00			`# https://www.authelia.com/integration/ldap/lldap/`
			`ldap = {`
			`addr = mkOption {`
			`type = types.str;`
			`description = "LDAP URL";`
			`};`

			`passwordFile = mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = "Path to LDAP service account password file";`
			`};`

			`baseDN = mkOption {`
			`type = types.str;`
			`example = "DC=example,DC=com";`
			`};`

			`user = mkOption {`
			`type = types.str;`
			`example = "UID=authelia,OU=people,DC=example,DC=com";`
			`};`
			`};`

Add authelia. 2025-06-04 16:08:13 -05:00			`jwtSecretFile = mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = ''`
			`Path to your JWT secret used during identity verificaton.`
			`'';`
			`};`

			`oidcIssuerPrivateKeyFile = mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = ''`
			`Path to your private key file used to encrypt OIDC JWTs.`
			`'';`
			`};`

			`oidcHmacSecretFile = mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = ''`
			`Path to your HMAC secret used to sign OIDC JWTs.`
			`'';`
			`};`

			`sessionSecretFile = mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = ''`
			`Path to your session secret. Only used when redis is used as session storage.`
			`'';`
			`};`

			`storageEncryptionKeyFile = mkOption {`
			`type = types.nullOr types.path;`
			`default = null;`
			`description = ''`
			`Path to your storage encryption key.`
			`'';`
			`};`

			`port = mkOption {`
			`type = lib.types.port;`
			`default = 9001;`
			`description = ''`
			`What external port to serve over.`
			`'';`
			`};`

			`settingsFiles = mkOption {`
			`type = types.listOf types.path;`
Nixfmt Tree 2026-02-24 00:00:35 -08:00			`default = [ ];`
Add authelia. 2025-06-04 16:08:13 -05:00			`example = [`
			`"/etc/authelia/config.yml"`
			`"/etc/authelia/access-control.yml"`
			`"/etc/authelia/config/"`
			`];`
			`description = ''`
			`Here you can provide authelia with configuration files or directories.`
			`It is possible to give authelia multiple files and use the nix generated configuration`
			file set via {option}`services.authelia.<instance>.settings`.
			`'';`
			`};`

			`environmentVariables = mkOption {`
			`type = types.attrsOf types.str;`
			`description = ''`
			`Additional environment variables to provide to authelia.`
			If you are providing secrets please consider the options under {option}`services.authelia.<instance>.secrets`
			or make sure you use the `_FILE` suffix.
			`If you provide the raw secret rather than the location of a secret file that secret will be preserved in the nix store.`
			`For more details: https://www.authelia.com/configuration/methods/secrets/`
			`'';`
Nixfmt Tree 2026-02-24 00:00:35 -08:00			`default = { };`
Add authelia. 2025-06-04 16:08:13 -05:00			`};`
			`};`

			`config = mkIf cfg.enable {`
			`services.authelia.instances.main = {`
Connect Authelia to LDAP with LLDAP 2025-12-31 22:54:03 -06:00			`inherit (cfg) settingsFiles;`
Add authelia. 2025-06-04 16:08:13 -05:00
			`enable = true;`

			`settings = {`
			`theme = "dark";`
			`default_2fa_method = "totp";`
			`server.address = "tcp://:${toString cfg.port}";`
			`log = {`
			`level = "info";`
			`format = "json";`
			`# file_path = "/var/log/authelia/authelia.log";`
			`};`
			`totp = {`
			`disable = false;`
			`issuer = cfg.domain;`
			`};`
			`duo_api.disable = true;`

			`access_control.default_policy = "two_factor";`

			`session.cookies = [`
			`{`
			`domain = cfg.domain;`
Fix authelia urls. 2025-06-05 18:00:38 -05:00			`authelia_url = cfg.url;`
Add authelia. 2025-06-04 16:08:13 -05:00			`}`
			`];`

			`notifier = {`
			`filesystem.filename = "/var/lib/authelia-main/notifications.txt";`
			`};`

			`authentication_backend = {`
			`password_change.disable = true;`
			`password_reset.disable = true;`
Connect Authelia to LDAP with LLDAP 2025-12-31 22:54:03 -06:00
			`ldap = {`
			`implementation = "lldap";`
			`address = cfg.ldap.addr;`
			`base_dn = cfg.ldap.baseDN;`
			`user = cfg.ldap.user;`
Add authelia. 2025-06-04 16:08:13 -05:00			`};`
			`};`

Fix authelia urls. 2025-06-05 18:00:38 -05:00			`server.endpoints.authz = {`
			`forward-auth = {`
			`implementation = "ForwardAuth";`
			`};`
			`};`

Add authelia. 2025-06-04 16:08:13 -05:00			`storage.local = {`
			`path = "/var/lib/authelia-main/db.sqlite3";`
			`};`
			`};`

Connect Authelia to LDAP with LLDAP 2025-12-31 22:54:03 -06:00			`environmentVariables = cfg.environmentVariables // {`
			`AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = cfg.ldap.passwordFile;`
			`};`

Add authelia. 2025-06-04 16:08:13 -05:00			`secrets = {`
Nixfmt Tree 2026-02-24 00:00:35 -08:00			`inherit (cfg)`
Add authelia. 2025-06-04 16:08:13 -05:00			`jwtSecretFile`
			`oidcIssuerPrivateKeyFile`
			`oidcHmacSecretFile`
			`sessionSecretFile`
			`storageEncryptionKeyFile`
			`;`
			`};`
			`};`
			`};`
			`}`