init authelia

2025-04-02 03:09:27 -04:00 · 2025-04-02 03:09:27 -04:00 · 026abe5123
commit 026abe5123
parent da709432f5
8 changed files with 126 additions and 3 deletions
--- a/modules/authelia.nix
+++ b/modules/authelia.nix
@ -0,0 +1,68 @@
+{
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.my.authelia;
+  getSecret = path: config.sops.secrets.${path}.path;
+  sopsConfig = {
+    sopsFile = ../secrets/services/authelia.yaml;
+    owner = "authelia-main";
+  };
+  domain = "auth.cy7.sh";
+  varPath = "/var/lib/authelia-main";
+in
+{
+  options.my.authelia = {
+    enable = lib.mkEnableOption "authelia";
+  };
+
+  config = lib.mkIf cfg.enable {
+    services.authelia.instances.main = {
+      enable = true;
+      settings = {
+        theme = "dark";
+        default_2fa_method = "webauthn";
+        log.level = "info";
+        log.format = "text";
+        server = {
+          disable_healthcheck = true;
+          endpoints.authz.forward-auth.implementation = "ForwardAuth";
+        };
+        authentication_backend.file.path = "${varPath}/users_database.yaml";
+        access_control = {
+          default_policy = "deny";
+          rules = [
+            {
+              domain = "red.cy7.sh";
+              policy = "one_factor";
+            }
+          ];
+        };
+        session.cookies = [{
+          domain = "cy7.sh";
+          authelia_url = "https://${domain}";
+        }];
+        storage.local.path = "${varPath}/db.sqlite3";
+        notifier.filesystem.filename = "${varPath}/notifications.txt";
+      };
+      secrets = {
+        sessionSecretFile = getSecret "authelia/session";
+        storageEncryptionKeyFile = getSecret "authelia/storage";
+        jwtSecretFile = getSecret "authelia/jwt";
+      };
+    };
+
+    sops.secrets = {
+      "authelia/jwt" = sopsConfig;
+      "authelia/storage" = sopsConfig;
+      "authelia/session" = sopsConfig;
+    };
+
+    services.caddy.virtualHosts.${domain}.extraConfig = ''
+      import common
+      reverse_proxy localhost:9091
+    '';
+  };
+}
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@ -34,6 +34,13 @@ in
            resolvers 1.1.1.1 8.8.8.8
          }
        }
+
+        (authelia) {
+          forward_auth localhost:9091 {
+		        uri /api/authz/forward-auth
+		        copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+	        }
+        }
      '';
      environmentFile = config.sops.secrets."caddy/env".path;
      
--- a/modules/default.nix
+++ b/modules/default.nix
@ -9,5 +9,6 @@
    ./vaultwarden.nix
    ./searx.nix
    ./attic.nix
+    ./authelia.nix
  ];
 }