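{ pkgs, config, lib, ... }:
let
  # The single Authelia instance configured here; its `name` drives dataDir.
  cfg = config.services.authelia.instances.main;

  # Per-instance state directory: users file, sqlite database, notifier output.
  dataDir = "/var/lib/authelia-${cfg.name}";

  # Nginx snippet files (the `proxy` attribute is used below) for fronting Authelia.
  authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };

  # All three agenix secrets share one shape: owned by the Authelia service user
  # and readable only by it. Authelia only reads these files, so the execute bit
  # that the earlier "700" mode granted is unnecessary; "0400" is the least
  # privilege that still lets the service load them.
  mkAutheliaSecret = file: {
    owner = cfg.user;
    inherit file;
    mode = "0400";
  };
in
{
  services.authelia.instances.main = {
    enable = true;

    # Key material stays out of the Nix store; agenix resolves these paths at
    # activation time.
    secrets = {
      jwtSecretFile = config.age.secrets.authelia-jwt.path;
      storageEncryptionKeyFile = config.age.secrets.authelia-encryption.path;
      sessionSecretFile = config.age.secrets.authelia-session.path;
    };

    settings = {
      theme = "light";

      # NOTE(review): debug-level logging on an authentication service can record
      # request details that are sensitive; confirm this is intended beyond
      # troubleshooting.
      log.level = "debug";

      # File-backed user database and local sqlite storage, both under dataDir.
      authentication_backend.file.path = "${dataDir}/users.yml";
      storage.local.path = "${dataDir}/db.sqlite3";

      # One session cookie scoped to the apex domain, so every *.shobu.fr host
      # shares the login.
      session.cookies = [
        {
          domain = "shobu.fr";
          authelia_url = "https://auth.shobu.fr";
          default_redirection_url = "https://shobu.fr";
        }
      ];

      # Notifications (e.g. identity verification links) are written to a file
      # instead of being e-mailed.
      notifier.filesystem.filename = "${dataDir}/notification.txt";

      # Deny by default; any *.shobu.fr host requires at least one factor.
      access_control = {
        default_policy = "deny";
        rules = [
          { domain = "*.shobu.fr"; policy = "one_factor"; }
        ];
      };

      # Expose the authz endpoint in the form nginx's auth_request expects.
      server.endpoints.authz.auth-request.implementation = "AuthRequest";
    };
  };

  # systemd.tmpfiles.rules = lib.mkIf cfg.enable [
  #   "d '${dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
  # ];

  age.secrets = {
    authelia-jwt = mkAutheliaSecret ./secrets/authelia-jwt.age;
    authelia-encryption = mkAutheliaSecret ./secrets/authelia-encryption.age;
    authelia-session = mkAutheliaSecret ./secrets/authelia-session.age;
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."auth.shobu.fr" =
      let
        # NOTE(review): the backend is reached over plain HTTP. If "thea" is a
        # different host, session cookies and credentials cross the network
        # unencrypted — confirm the link is local or otherwise protected.
        upstream = "http://thea:9091";
      in
      {
        enableACME = true;
        forceSSL = true;

        # The portal itself goes through the Authelia proxy snippet.
        locations."/" = {
          proxyPass = upstream;
          extraConfig = ''
            include ${authelia-snippets.proxy};
          '';
        };

        # The verification endpoints are proxied without that snippet;
        # presumably the recommended proxy headers are enough for them — verify
        # against the snippet's contents.
        locations."/api/verify".proxyPass = upstream;
        locations."/api/authz".proxyPass = upstream;
      };
  };
}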