nix-gscheits/machines/raven/services/authelia.nix

{ config, ... }:
let
  # Public hostname of the Authelia portal. It is reused as the session cookie
  # domain below, so the cookie is scoped to this one host only.
  domain = "authelia.fablab-nea.de";
  cfg = config.services.authelia.instances.default;
  # Loopback-only listen port; nginx terminates TLS and proxies to it.
  port = 9001;

  # Every per-instance path and database identity is derived from the instance
  # name the NixOS module assigns, so they stay in step with each other.
  instanceId = "authelia-${cfg.name}";
  stateDir = "/var/lib/${instanceId}";
  secretsFile = ../secrets.yaml;
  listenAddr = "127.0.0.1:${toString port}";

  # Both Authelia secrets come from the same sops file and are owned by the
  # service user so the unit can read them after decryption.
  sopsSecret = {
    sopsFile = secretsFile;
    owner = cfg.user;
  };
in
{
  sops.secrets = {
    "authelia/jwtSecret" = sopsSecret;
    "authelia/storageEncryptionKey" = sopsSecret;
  };

  services.authelia.instances.default = {
    enable = true;
    settings = {
      server.address = "tcp://${listenAddr}/";
      # NOTE(review): Authelia's own default policy is "deny"; "one_factor" means
      # any user in the file backend can reach every protected resource unless a
      # more specific rule is added — confirm this is intended.
      access_control.default_policy = "one_factor";
      # Notifications (e.g. password-reset links) are appended to a file in the
      # state directory instead of being mailed.
      notifier.filesystem.filename = "${stateDir}/notif.txt";
      storage.postgres = {
        address = "unix:///run/postgresql";
        database = instanceId;
        username = instanceId;
        # NOTE(review): this literal ends up in the world-readable Nix store.
        # It is presumably only a placeholder because the unix-socket connection
        # above authenticates the service user via peer auth, which ignores the
        # password — confirm pg_hba.conf still does before relying on it.
        password = instanceId;
      };
      # Local user database; lives in the state directory, not in the store.
      authentication_backend.file.path = "${stateDir}/user.yml";
      session.cookies = [
        {
          # NOTE(review): cookie domain equals the portal host, so only
          # this host shares the session — verify no other subdomain is
          # expected to be protected by this instance.
          inherit domain;
          authelia_url = "https://${domain}";
          name = "authelia_session";
        }
      ];
    };
    # Secret material is read from the decrypted sops paths at runtime.
    secrets = {
      jwtSecretFile = config.sops.secrets."authelia/jwtSecret".path;
      storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKey".path;
    };
  };

  # Role and database named after the instance; the role owns its database.
  services.postgresql = {
    ensureUsers = [
      {
        name = instanceId;
        ensureDBOwnership = true;
      }
    ];
    ensureDatabases = [ instanceId ];
  };

  # TLS front end: ACME certificate, HTTP redirected to HTTPS, HSTS on every
  # response, and the app reached over loopback with forwarded headers set.
  services.nginx.virtualHosts.${domain} = {
    enableACME = true;
    forceSSL = true;
    extraConfig = ''
      add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    '';
    locations."/" = {
      proxyPass = "http://${listenAddr}";
      recommendedProxySettings = true;
    };
  };
}