lorenzo/servers
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
servers/common/services/authelia.nix
foehammer127 18611e2359
Add authelia.
2025-06-04 16:09:29 -05:00

158 lines
4 KiB
Nix
Raw Blame History

{
config,
lib,
...
}: let
inherit (lib) mkIf types mkOption mkEnableOption;
cfg = config.foehammer.services.authelia;
in {
options.foehammer.services.authelia = {
enable = mkEnableOption "Enable authelia server component.";
domain = mkOption {
type = types.str;
description = ''
Authelia's domain.
'';
};
userDbFile = mkOption {
type = types.path;
};
jwtSecretFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to your JWT secret used during identity verificaton.
'';
};
oidcIssuerPrivateKeyFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to your private key file used to encrypt OIDC JWTs.
'';
};
oidcHmacSecretFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to your HMAC secret used to sign OIDC JWTs.
'';
};
sessionSecretFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to your session secret. Only used when redis is used as session storage.
'';
};
storageEncryptionKeyFile = mkOption {
type = types.nullOr types.path;
default = null;
description = ''
Path to your storage encryption key.
'';
};
port = mkOption {
type = lib.types.port;
default = 9001;
description = ''
What external port to serve over.
'';
};
settingsFiles = mkOption {
type = types.listOf types.path;
default = [];
example = [
"/etc/authelia/config.yml"
"/etc/authelia/access-control.yml"
"/etc/authelia/config/"
];
description = ''
Here you can provide authelia with configuration files or directories.
It is possible to give authelia multiple files and use the nix generated configuration
file set via {option}`services.authelia.<instance>.settings`.
'';
};
environmentVariables = mkOption {
type = types.attrsOf types.str;
description = ''
Additional environment variables to provide to authelia.
If you are providing secrets please consider the options under {option}`services.authelia.<instance>.secrets`
or make sure you use the `_FILE` suffix.
If you provide the raw secret rather than the location of a secret file that secret will be preserved in the nix store.
For more details: https://www.authelia.com/configuration/methods/secrets/
'';
default = {};
};
};
config = mkIf cfg.enable {
services.authelia.instances.main = {
inherit (cfg) settingsFiles environmentVariables;
enable = true;
settings = {
theme = "dark";
default_2fa_method = "totp";
server.address = "tcp://:${toString cfg.port}";
log = {
level = "info";
format = "json";
# file_path = "/var/log/authelia/authelia.log";
};
totp = {
disable = false;
issuer = cfg.domain;
};
duo_api.disable = true;
access_control.default_policy = "two_factor";
session.cookies = [
{
domain = cfg.domain;
authelia_url = "https://${cfg.domain}";
}
];
notifier = {
filesystem.filename = "/var/lib/authelia-main/notifications.txt";
};
authentication_backend = {
password_change.disable = true;
password_reset.disable = true;
file = {
path = cfg.userDbFile;
};
};
storage.local = {
path = "/var/lib/authelia-main/db.sqlite3";
};
};
secrets = {
inherit
(cfg)
jwtSecretFile
oidcIssuerPrivateKeyFile
oidcHmacSecretFile
sessionSecretFile
storageEncryptionKeyFile
;
};
};
};
}
Reference in a new issue View git blame Copy permalink