homelab/hosts/thea/authelia.nix

{
  pkgs,
  config,
  lib,
  ...
}:
let
  cfg = config.services.authelia.instances.main;
  dataDir = "/var/lib/authelia-${cfg.name}";
  authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
in
{
  services.authelia.instances = {
    main = {
      enable = true;
      secrets = {
        jwtSecretFile = config.age.secrets.authelia-jwt.path;
        storageEncryptionKeyFile = config.age.secrets.authelia-encryption.path;
        sessionSecretFile = config.age.secrets.authelia-session.path;
      };
      settings = {
        theme = "light";
        log.level = "debug";

        authentication_backend = {
          file = {
            path = dataDir + "/users.yml";
          };
        };
        storage = {
          local = {
            path = dataDir + "/db.sqlite3";
          };
        };
        session = {
          cookies = [
            {
              domain = "shobu.fr";
              authelia_url = "https://auth.shobu.fr";
              default_redirection_url = "https://shobu.fr";
            }
          ];
        };
        notifier = {
          filesystem = {
            filename = "${dataDir}/notification.txt";
          };
        };
        access_control = {
          default_policy = "deny";
          rules = [
            {
              domain = "radarr.shobu.fr";
              policy = "bypass";
            }
            {
              domain = "*.shobu.fr";
              policy = "one_factor";
            }
          ];
        };
        server = {
          endpoints = {
            authz = {
              auth-request = {
                implementation = "AuthRequest";
              };
            };
          };
        };
      };
    };
  };

  # systemd.tmpfiles.rules = lib.mkIf cfg.enable [
  #   "d '${dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
  # ];

  age.secrets = {
    authelia-jwt = {
      owner = cfg.user;
      file = ./secrets/authelia-jwt.age;
      mode = "700";
    };
    authelia-encryption = {
      owner = cfg.user;
      file = ./secrets/authelia-encryption.age;
      mode = "700";
    };
    authelia-session = {
      owner = cfg.user;
      file = ./secrets/authelia-session.age;
      mode = "700";
    };
  };

  services.nginx = {
    enable = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;

    virtualHosts."auth.shobu.fr" =
      let
        upstream = "http://thea:9091";
      in
      {
        enableACME = true;
        forceSSL = true;

        locations."/" = {
          proxyPass = upstream;
          extraConfig = ''
            error_log /var/log/nginx/debug_authelia.log debug;
            include ${authelia-snippets.proxy};
            set $upstream ${upstream};
          '';
        };
        locations."/api/verify" = {
          proxyPass = upstream;
        };
        locations."/api/authz" = {
          proxyPass = upstream;
        };
      };
  };
}