nixos-config/modules/authelia.nix

{
  config,
  lib,
  ...
}:
let
  cfg = config.my.authelia;
  getSecret = path: config.sops.secrets.${path}.path;
  sopsConfig = {
    sopsFile = ../secrets/services/authelia.yaml;
    owner = "authelia-main";
  };
  domain = "auth.cy7.sh";
  varPath = "/var/lib/authelia-main";
in
{
  options.my.authelia = {
    enable = lib.mkEnableOption "authelia";
  };

  config = lib.mkIf cfg.enable {
    services.authelia.instances.main = {
      enable = true;
      settings = {
        theme = "dark";
        default_2fa_method = "webauthn";
        log.level = "info";
        log.format = "text";
        server = {
          disable_healthcheck = true;
          endpoints.authz.forward-auth.implementation = "ForwardAuth";
        };
        authentication_backend.file.path = "${varPath}/users_database.yaml";
        access_control = {
          default_policy = "deny";
          rules = [
            {
              domain = "*.cy7.sh";
              policy = "one_factor";
            }
          ];
        };
        session.cookies = [{
          domain = "cy7.sh";
          authelia_url = "https://${domain}";
        }];
        storage.local.path = "${varPath}/db.sqlite3";
        notifier.filesystem.filename = "${varPath}/notifications.txt";
        webauthn = {
          enable_passkey_login = true;
        };
        identity_providers.oidc.claims_policies = {
          # https://github.com/karakeep-app/karakeep/issues/410
          # https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter
          karakeep.id_token = [ "email" ];
        };
        identity_providers.oidc.clients = [
          {
            client_id = "4EIrpRb9rnwHWjYWvlz2gYrtTmoOLF1D5gqXw28BvmOS0f-9T2p4CFwuctf4Co1hkpo2sd4Y";
            client_name = "immich";
            client_secret = "$argon2id$v=19$m=65536,t=3,p=4$Vny2G8EbSPafSwnIuq2Zkg$eF2om4WDEaqCFmrAG27h2mYl+cXxXyttPJ7gaPLs+f8";
            public = false;
            authorization_policy = "two_factor";
            redirect_uris = [
              "https://photos.cy7.sh/auth/login"
              "https://photos.cy7.sh/user-settings"
              "app.immich:///oauth-callback"
            ];
            scopes = [ "openid" "profile" "email" ];
            userinfo_signed_response_alg = "none";
          }
          {
            client_id = "_kuUEYxyfXjInJCniwugpw2Qn6iI-YW24NOkHZG~63BAhnAACDZ.xsLqOdGghj2DNZxXR0sU";
            client_name = "Forgejo";
            client_secret = "$argon2id$v=19$m=65536,t=3,p=4$O2O5r/7A8hc4EMvernQ4Dw$YOVqtwY3jv0HlcxmviPq2CRnD7Dw85V9KDtTSUQE7bA";
            public = false;
            authorization_policy = "two_factor";
            redirect_uris = [
              "https://git.cy7.sh/user/oauth2/authelia/callback"
            ];
            scopes = [ "openid" "profile" "email" ];
            userinfo_signed_response_alg = "none";
            token_endpoint_auth_method = "client_secret_basic";
          }
          {
            client_id = "b_ITCG0uNzy9lZ5nVC~Ny5R35te8I3hoQW1uraCbdxeiE9VuiCIelMmZZ7dAZLg_anTUWSQG";
            client_name = "HedgeDoc";
            client_secret = "$argon2id$v=19$m=65536,t=3,p=4$MFSXW3gjIZf0M3e8s8RJCg$6KWwksJe2vdUebPEdYc0Zy88fzGcHPrbStcqkiXl+Hg";
            public = false;
            authorization_policy = "two_factor";
            redirect_uris = [
              "https://pad.cy7.sh/auth/oauth2/callback"
            ];
            scopes = [ "openid" "profile" "email" ];
            userinfo_signed_response_alg = "none";
            grant_types = [ "refresh_token" "authorization_code" ];
            response_types = [ "code" ];
            response_modes = [ "form_post" "query" "fragment" ];
            audience = [];
            token_endpoint_auth_method = "client_secret_post";
          }
          {
            client_id = "0SbsGvw5APYJ4px~dv38rCVgXtK2XWrF1QvyuaFz48cgsNm-rAXkSgNOctfxS21IWOFSfsm5";
            client_name = "Karakeep";
            client_secret = "$pbkdf2-sha512$310000$4UanDZq.6oholJW3CmKwtQ$9e3hqR8qGU4LoneR/Y9jtJTx0iSzATI4iXymrs8QrmGw4JY1BPF4.IJ9Jbc.8cikU4qpfUIFO6r2dG7JHznCnw";
            public = false;
            authorization_policy = "two_factor";
            redirect_uris = [ "https://keep.cy7.sh/api/auth/callback/custom" ];
            scopes = [ "openid" "profile" "email" ];
            userinfo_signed_response_alg = "none";
            claims_policy = "karakeep";
          }
        ];
      };
      secrets = {
        sessionSecretFile = getSecret "authelia/session";
        storageEncryptionKeyFile = getSecret "authelia/storage";
        jwtSecretFile = getSecret "authelia/jwt";
        oidcHmacSecretFile = getSecret "authelia/hmac";
        oidcIssuerPrivateKeyFile = getSecret "authelia/oidc_private";
      };
    };

    sops.secrets = {
      "authelia/jwt" = sopsConfig;
      "authelia/storage" = sopsConfig;
      "authelia/session" = sopsConfig;
      "authelia/hmac" = sopsConfig;
      "authelia/oidc_private" = sopsConfig;
    };

    services.caddy.virtualHosts.${domain}.extraConfig = ''
      import common
      reverse_proxy localhost:9091
    '';
  };
}