about summary refs log tree commit diff
path: root/nix/hosts/corrino/modules
diff options
context:
space:
mode:
Diffstat (limited to 'nix/hosts/corrino/modules')
-rw-r--r--nix/hosts/corrino/modules/authelia.emile.space.nix214
1 files changed, 0 insertions, 214 deletions
diff --git a/nix/hosts/corrino/modules/authelia.emile.space.nix b/nix/hosts/corrino/modules/authelia.emile.space.nix
deleted file mode 100644
index 0f77197..0000000
--- a/nix/hosts/corrino/modules/authelia.emile.space.nix
+++ /dev/null
@@ -1,214 +0,0 @@
-{ config, pkgs, ... }:
-
-let
-	authelia_port = config.services.authelia.instances.main.settings.server.port;
-in {
-
-	services.nginx.virtualHosts."sso.emile.space" = {
-		forceSSL = true;
-		enableACME = true;
-
-		locations = {
-			"/" = {
-				proxyPass = "http://127.0.0.1:${toString authelia_port}";
-
-				extraConfig = ''
-					## Headers
-					proxy_set_header Host $host;
-					proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-					proxy_set_header X-Forwarded-Proto $scheme;
-					proxy_set_header X-Forwarded-Host $http_host;
-					proxy_set_header X-Forwarded-URI $request_uri;
-					proxy_set_header X-Forwarded-Ssl on;
-					proxy_set_header X-Forwarded-For $remote_addr;
-					proxy_set_header X-Real-IP $remote_addr;
-
-					## Basic Proxy Configuration
-					client_body_buffer_size 128k;
-					proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
-					proxy_redirect  http://  $scheme://;
-					proxy_http_version 1.1;
-					proxy_cache_bypass $cookie_session;
-					proxy_no_cache $cookie_session;
-					proxy_buffers 64 256k;
-
-					## Trusted Proxies Configuration
-					## Please read the following documentation before configuring this:
-					##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
-					# set_real_ip_from 10.0.0.0/8;
-					# set_real_ip_from 172.16.0.0/12;
-					# set_real_ip_from 192.168.0.0/16;
-					# set_real_ip_from fc00::/7;
-					set_real_ip_from 127.0.0.1/32;
-					real_ip_header X-Forwarded-For;
-					real_ip_recursive on;
-
-					## Advanced Proxy Configuration
-					send_timeout 5m;
-					proxy_read_timeout 360;
-					proxy_send_timeout 360;
-					proxy_connect_timeout 360;
-				'';
-			};
-
-			"/api/verify" = {
-				proxyPass = "http://127.0.0.1:${toString authelia_port}";
-	    };
-
-	    "/api/authz/" = {
-				proxyPass = "http://127.0.0.1:${toString authelia_port}";
-	    };
-		};
-	};
-
-	# set the permissions for the secrets...
-	age.secrets = {
-		# ... passwed via environment vars
-		authelia_session_secret.owner = "authelia-main";
-		authelia_session_secret.group = "authelia-main";
-		authelia_mail_password.owner = "authelia-main";
-		authelia_mail_password.group = "authelia-main";
-
-		# ... passed via the services.authelia.instances.main.secrets attribute
-		authelia_storage_encryption_key.owner = "authelia-main";
-		authelia_storage_encryption_key.group = "authelia-main";
-		authelia_jwt_secret.owner = "authelia-main";
-		authelia_jwt_secret.group = "authelia-main";
-		authelia_oidc_issuer_private_key.owner = "authelia-main";
-		authelia_oidc_issuer_private_key.group = "authelia-main";
-		authelia_oidc_hmac_secret.owner = "authelia-main";
-		authelia_oidc_hmac_secret.group = "authelia-main";
-	};
-
-
-	services.authelia.instances = {
-		main = {
-			enable = true;
-			package = pkgs.authelia;
-
-			# pass some of the secrets in as env-vars
-			environmentVariables = with config.age.secrets; {
-				AUTHELIA_SESSION_SECRET_FILE = authelia_session_secret.path;
-				AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = authelia_mail_password.path;
-			};
-			secrets = with config.age.secrets; {
-				manual = true;
-
-				# some other secrets can be defined here, but not all...
-				storageEncryptionKeyFile = authelia_storage_encryption_key.path;
-				jwtSecretFile = authelia_jwt_secret.path;
-				oidcIssuerPrivateKeyFile = authelia_oidc_issuer_private_key.path;
-				oidcHmacSecretFile = authelia_oidc_hmac_secret.path;
-			};
-			settings = {
-				theme = "dark";
-
-				server = {
-					host = "127.0.0.1";
-					port = config.emile.ports.authelia;
-				};
-
-				# we're using a file to store the user information
-				authentication_backend = {
-					refresh_interval = "20s";
-					file = {
-						path = "/var/lib/authelia-main/user.yml";
-						watch = true;
-						password = {
-							algorithm = "argon2id";
-							iterations = 3;
-							key_length = 32;
-							salt_length = 16;
-							memory = 65;
-							parallelism = 4;
-						};
-					};
-				};
-
-				storage.local.path = "/var/lib/authelia-main/db.sqlite";
-
-				session = {
-					domain = "sso.emile.space";
-					expiration = 3600; # 1 hour
-					inactivity = 300; # 5 minutes
-				};
-
-				notifier = {
-					disable_startup_check = false;
-					smtp = {
-						host = "mail.emile.space";
-						port = 587;
-						timeout = "30s";
-						username = "mail@emile.space";
-
-						sender = "mail@emile.space";
-						subject = "[Authelia] {title}";
-
-						disable_require_tls = false;
-						disable_starttls = false;
-						disable_html_emails = true;
-
-						tls = {
-							server_name = "mail.emile.space";
-							skip_verify = true;
-							minimum_version = "TLS1.3";
-						};
-					};
-				};
-
-				identity_providers = {
-					oidc = {
-							# regenerate keys like this:
-							# ; nix run nixpkgs#authelia -- crypto certificate rsa generate
-							# current serial: deb83f17e27e663f544a16ad2947631d
-
-							enable_client_debug_messages = false;
-							minimum_parameter_entropy = 8;
-							enforce_pkce = "public_clients_only";
-							enable_pkce_plain_challenge = false;
-							cors = {
-							endpoints = [
-								"authorization"
-								"token"
-								"revocation"
-								"introspection"
-							];
-							allowed_origins = [
-								"https://emile.space"
-							];
-							allowed_origins_from_client_redirect_uris = false;
-						};
-					};
-				};
-
-				access_control = {
-					default_policy = "deny";
-					rules = [
-						{
-							domain = "*.emile.space";
-							policy = "two_factor";
-						}
-					];
-				};
-
-				totp = {
-				  disable = false;
-				  issuer = "sso.emile.space";
-				  algorithm = "sha1";
-				  digits = 6;
-				  period = 30;
-				  skew = 1;
-				  secret_size = 32;
-				};
-
-				ntp = {
-				  address = "time.cloudflare.com:123";
-				  version = 3;
-				  max_desync = "3s";
-				  disable_startup_check = false;
-				  disable_failure = false;
-				};
-			};
-		};
-	};
-}