about summary refs log tree commit diff
path: root/nix/hosts/corrino/www
diff options
context:
space:
mode:
authorEmile <git@emile.space>2024-08-03 12:33:43 +0200
committerEmile <git@emile.space>2024-08-03 12:33:43 +0200
commit285644fbb46f6d8ff21acbe28f16b7b5b70ddd9b (patch)
tree6791726e6814b231ee1b6776a9a58cd527a13bcb /nix/hosts/corrino/www
parentd36cd0e580fed99d34cc5d2d6f536b8d5fe6c8b0 (diff)
(corrino): moved authelia. to sso. in www dir
Diffstat (limited to 'nix/hosts/corrino/www')
-rw-r--r--nix/hosts/corrino/www/sso.emile.space.nix214
1 files changed, 214 insertions, 0 deletions
diff --git a/nix/hosts/corrino/www/sso.emile.space.nix b/nix/hosts/corrino/www/sso.emile.space.nix
new file mode 100644
index 0000000..0f77197
--- /dev/null
+++ b/nix/hosts/corrino/www/sso.emile.space.nix
@@ -0,0 +1,214 @@
+{ config, pkgs, ... }:
+
+let
+	authelia_port = config.services.authelia.instances.main.settings.server.port;
+in {
+
+	services.nginx.virtualHosts."sso.emile.space" = {
+		forceSSL = true;
+		enableACME = true;
+
+		locations = {
+			"/" = {
+				proxyPass = "http://127.0.0.1:${toString authelia_port}";
+
+				extraConfig = ''
+					## Headers
+					proxy_set_header Host $host;
+					proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+					proxy_set_header X-Forwarded-Proto $scheme;
+					proxy_set_header X-Forwarded-Host $http_host;
+					proxy_set_header X-Forwarded-URI $request_uri;
+					proxy_set_header X-Forwarded-Ssl on;
+					proxy_set_header X-Forwarded-For $remote_addr;
+					proxy_set_header X-Real-IP $remote_addr;
+
+					## Basic Proxy Configuration
+					client_body_buffer_size 128k;
+					proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+					proxy_redirect  http://  $scheme://;
+					proxy_http_version 1.1;
+					proxy_cache_bypass $cookie_session;
+					proxy_no_cache $cookie_session;
+					proxy_buffers 64 256k;
+
+					## Trusted Proxies Configuration
+					## Please read the following documentation before configuring this:
+					##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
+					# set_real_ip_from 10.0.0.0/8;
+					# set_real_ip_from 172.16.0.0/12;
+					# set_real_ip_from 192.168.0.0/16;
+					# set_real_ip_from fc00::/7;
+					set_real_ip_from 127.0.0.1/32;
+					real_ip_header X-Forwarded-For;
+					real_ip_recursive on;
+
+					## Advanced Proxy Configuration
+					send_timeout 5m;
+					proxy_read_timeout 360;
+					proxy_send_timeout 360;
+					proxy_connect_timeout 360;
+				'';
+			};
+
+			"/api/verify" = {
+				proxyPass = "http://127.0.0.1:${toString authelia_port}";
+	    };
+
+	    "/api/authz/" = {
+				proxyPass = "http://127.0.0.1:${toString authelia_port}";
+	    };
+		};
+	};
+
+	# set the permissions for the secrets...
+	age.secrets = {
+		# ... passwed via environment vars
+		authelia_session_secret.owner = "authelia-main";
+		authelia_session_secret.group = "authelia-main";
+		authelia_mail_password.owner = "authelia-main";
+		authelia_mail_password.group = "authelia-main";
+
+		# ... passed via the services.authelia.instances.main.secrets attribute
+		authelia_storage_encryption_key.owner = "authelia-main";
+		authelia_storage_encryption_key.group = "authelia-main";
+		authelia_jwt_secret.owner = "authelia-main";
+		authelia_jwt_secret.group = "authelia-main";
+		authelia_oidc_issuer_private_key.owner = "authelia-main";
+		authelia_oidc_issuer_private_key.group = "authelia-main";
+		authelia_oidc_hmac_secret.owner = "authelia-main";
+		authelia_oidc_hmac_secret.group = "authelia-main";
+	};
+
+
+	services.authelia.instances = {
+		main = {
+			enable = true;
+			package = pkgs.authelia;
+
+			# pass some of the secrets in as env-vars
+			environmentVariables = with config.age.secrets; {
+				AUTHELIA_SESSION_SECRET_FILE = authelia_session_secret.path;
+				AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = authelia_mail_password.path;
+			};
+			secrets = with config.age.secrets; {
+				manual = true;
+
+				# some other secrets can be defined here, but not all...
+				storageEncryptionKeyFile = authelia_storage_encryption_key.path;
+				jwtSecretFile = authelia_jwt_secret.path;
+				oidcIssuerPrivateKeyFile = authelia_oidc_issuer_private_key.path;
+				oidcHmacSecretFile = authelia_oidc_hmac_secret.path;
+			};
+			settings = {
+				theme = "dark";
+
+				server = {
+					host = "127.0.0.1";
+					port = config.emile.ports.authelia;
+				};
+
+				# we're using a file to store the user information
+				authentication_backend = {
+					refresh_interval = "20s";
+					file = {
+						path = "/var/lib/authelia-main/user.yml";
+						watch = true;
+						password = {
+							algorithm = "argon2id";
+							iterations = 3;
+							key_length = 32;
+							salt_length = 16;
+							memory = 65;
+							parallelism = 4;
+						};
+					};
+				};
+
+				storage.local.path = "/var/lib/authelia-main/db.sqlite";
+
+				session = {
+					domain = "sso.emile.space";
+					expiration = 3600; # 1 hour
+					inactivity = 300; # 5 minutes
+				};
+
+				notifier = {
+					disable_startup_check = false;
+					smtp = {
+						host = "mail.emile.space";
+						port = 587;
+						timeout = "30s";
+						username = "mail@emile.space";
+
+						sender = "mail@emile.space";
+						subject = "[Authelia] {title}";
+
+						disable_require_tls = false;
+						disable_starttls = false;
+						disable_html_emails = true;
+
+						tls = {
+							server_name = "mail.emile.space";
+							skip_verify = true;
+							minimum_version = "TLS1.3";
+						};
+					};
+				};
+
+				identity_providers = {
+					oidc = {
+							# regenerate keys like this:
+							# ; nix run nixpkgs#authelia -- crypto certificate rsa generate
+							# current serial: deb83f17e27e663f544a16ad2947631d
+
+							enable_client_debug_messages = false;
+							minimum_parameter_entropy = 8;
+							enforce_pkce = "public_clients_only";
+							enable_pkce_plain_challenge = false;
+							cors = {
+							endpoints = [
+								"authorization"
+								"token"
+								"revocation"
+								"introspection"
+							];
+							allowed_origins = [
+								"https://emile.space"
+							];
+							allowed_origins_from_client_redirect_uris = false;
+						};
+					};
+				};
+
+				access_control = {
+					default_policy = "deny";
+					rules = [
+						{
+							domain = "*.emile.space";
+							policy = "two_factor";
+						}
+					];
+				};
+
+				totp = {
+				  disable = false;
+				  issuer = "sso.emile.space";
+				  algorithm = "sha1";
+				  digits = 6;
+				  period = 30;
+				  skew = 1;
+				  secret_size = 32;
+				};
+
+				ntp = {
+				  address = "time.cloudflare.com:123";
+				  version = 3;
+				  max_desync = "3s";
+				  disable_startup_check = false;
+				  disable_failure = false;
+				};
+			};
+		};
+	};
+}