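# NixOS module: a throw-away Authelia "testing" instance fronted by Caddy.
#
# Security notes for anyone copying this:
#  * Every secret below is written through `environment.etc.<name>.text`, which
#    stores the plaintext in the world-readable Nix store (/nix/store) no matter
#    what mode the /etc copy gets. Provision real secrets out of band (sops-nix,
#    agenix, or files placed on the host) and only reference their paths here.
#  * The bundled user database contains a known password ("password") and the
#    account is in the admin group; it exists only to exercise the login flow.
{ config, lib, pkgs, ... }:

let
  inherit (lib.options) mkEnableOption;
  inherit (lib.modules) mkIf;

  # Service account that owns the state directory and the secret files.
  # NOTE(review): assumed to match the user the NixOS authelia module creates
  # for the "testing" instance (authelia-<instance>) — confirm against the module.
  user = "authelia-testing";
in
{
  options.modules.services.auth = {
    enable = mkEnableOption "Auth";
  };

  config = mkIf config.modules.services.auth.enable {
    environment.systemPackages = with pkgs; [ authelia ];

    services.authelia.instances.testing = {
      enable = true;

      # Paths only; the files themselves are materialised further down.
      secrets = {
        storageEncryptionKeyFile = "/etc/authelia/testing/storageEncryptionKeyFile";
        jwtSecretFile = "/etc/authelia/testing/jwtSecretFile";
        sessionSecretFile = "/etc/authelia/testing/sessionSecrets";
      };

      settings = {
        theme = "auto";

        # Loopback only: the portal is reachable solely through the Caddy
        # reverse proxy declared below.
        server.address = "tcp://127.0.0.1:9091";

        log = {
          level = "info";
          format = "json";
        };

        authentication_backend.file.path = "/etc/authelia/testing/users_database.yml";

        access_control = {
          # Anything not matched by a rule below is refused.
          default_policy = "deny";

          rules = [
            # The portal itself must be reachable unauthenticated, otherwise
            # nobody can log in.
            {
              domain = [ "auth.kruining.eu" ];
              policy = "bypass";
            }
            # Every other subdomain requires a password (no second factor here).
            {
              domain = [ "*.kruining.eu" ];
              policy = "one_factor";
            }
          ];
        };

        session = {
          name = "authelia_testing_session";
          expiration = "12h";
          inactivity = "45m";
          # Deliberately tiny so remember-me expiry can be observed while testing.
          remember_me = "1m";
          # redis.host = "/run/redis-authelia-testing/redis.sock";
          cookies = [
            {
              domain = "kruining.eu";
              authelia_url = "https://auth.kruining.eu";
              default_redirection_url = "https://kaas.kruining.eu";
              name = "authelia_session";
            }
          ];
        };

        # Brute-force regulation. The previous value of 300 retries per 5 minutes
        # effectively disabled the lockout; Authelia's default of 3 is used so the
        # test instance behaves like a real deployment (bans last 15 minutes).
        regulation = {
          max_retries = 3;
          find_time = "5m";
          ban_time = "15m";
        };

        # NOTE(review): the NixOS module applies systemd hardening to the unit; if
        # /var/authelia/testing is outside the unit's writable paths the SQLite
        # database and the notifier file cannot be created — confirm on a live
        # system, or move the state under the module's own state directory.
        storage.local.path = "/var/authelia/testing/db.sqlite3";

        notifier = {
          disable_startup_check = false;
          # File notifier: identity-verification mails are appended to this file
          # instead of being sent. Testing only.
          filesystem.filename = "/var/authelia/testing/notifications.txt";
        };

        # identity_providers.oidc.clients = [];
      };
    };

    # State directory for the SQLite database and the notifier output.
    # Mode 0700, not 0400: a directory needs the execute bit for its owner to
    # traverse it and the write bit to create db.sqlite3 / notifications.txt.
    systemd.tmpfiles.rules = [
      "d /var/authelia/testing 0700 ${user} ${user} -"
    ];

    # These should not be set from nix but through other means to not leak the secret!
    # `text` lands in the world-readable Nix store; the 0400 mode only protects
    # the copy under /etc. This is purely for testing purposes and the values
    # are placeholders, not real secrets.
    environment.etc = {
      "authelia/testing/storageEncryptionKeyFile" = {
        mode = "0400";
        inherit user;
        # Authelia requires this key to be at least 20 characters long.
        text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this";
      };

      "authelia/testing/jwtSecretFile" = {
        mode = "0400";
        inherit user;
        text = "a_very_important_secret";
      };

      "authelia/testing/sessionSecrets" = {
        mode = "0400";
        inherit user;
        text = "some_session_secrets";
      };

      # Single test account. The hash is an argon2id hash of the literal
      # "password" and the account sits in the admin group — never reuse it
      # outside this testing instance.
      "authelia/testing/users_database.yml" = {
        mode = "0400";
        inherit user;
        text = ''
          users:
            chris:
              disabled: false
              displayname: chris
              # password of password
              password: $argon2id$v=19$m=65536,t=3,p=4$2ohUAfh9yetl+utr4tLcCQ$AsXx0VlwjvNnCsa70u4HKZvFkC8Gwajr2pHGKcND/xs
              email: chris@kruining.eu
              groups:
                - admin
                - dev
        '';
      };
    };

    services.caddy = {
      enable = true;

      virtualHosts = {
        # Authelia binds to 127.0.0.1:9091 (server.address above), so the
        # upstream is addressed by that loopback address. The bare "authelia"
        # hostname used before only works if something else resolves it.
        "auth.kruining.eu".extraConfig = ''
          reverse_proxy 127.0.0.1:9091
        '';

        # Protected stub endpoint used to verify the forward-auth flow.
        "kaas.kruining.eu".extraConfig = ''
          import auth

          respond "KAAS"
        '';
      };

      # Reusable snippet: ask Authelia whether the request is authenticated and
      # pass the identity headers it sets on to the protected site.
      extraConfig = ''
        (auth) {
          forward_auth 127.0.0.1:9091 {
            uri /api/authz/forward-auth
            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
          }
        }
      '';
    };

    # Only the reverse proxy is exposed; Authelia itself stays on loopback.
    networking.firewall.allowedTCPPorts = [ 80 443 ];
  };
}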