diff options
Diffstat (limited to 'nix/hosts/corrino/www/sso.emile.space.nix')
-rw-r--r-- | nix/hosts/corrino/www/sso.emile.space.nix | 214 |
1 files changed, 214 insertions, 0 deletions
diff --git a/nix/hosts/corrino/www/sso.emile.space.nix b/nix/hosts/corrino/www/sso.emile.space.nix new file mode 100644 index 0000000..0f77197 --- /dev/null +++ b/nix/hosts/corrino/www/sso.emile.space.nix @@ -0,0 +1,214 @@ +{ config, pkgs, ... }: + +let + authelia_port = config.services.authelia.instances.main.settings.server.port; +in { + + services.nginx.virtualHosts."sso.emile.space" = { + forceSSL = true; + enableACME = true; + + locations = { + "/" = { + proxyPass = "http://127.0.0.1:${toString authelia_port}"; + + extraConfig = '' + ## Headers + proxy_set_header Host $host; + proxy_set_header X-Original-URL $scheme://$http_host$request_uri; + proxy_set_header X-Forwarded-Proto $scheme; + proxy_set_header X-Forwarded-Host $http_host; + proxy_set_header X-Forwarded-URI $request_uri; + proxy_set_header X-Forwarded-Ssl on; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Real-IP $remote_addr; + + ## Basic Proxy Configuration + client_body_buffer_size 128k; + proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. + proxy_redirect http:// $scheme://; + proxy_http_version 1.1; + proxy_cache_bypass $cookie_session; + proxy_no_cache $cookie_session; + proxy_buffers 64 256k; + + ## Trusted Proxies Configuration + ## Please read the following documentation before configuring this: + ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies + # set_real_ip_from 10.0.0.0/8; + # set_real_ip_from 172.16.0.0/12; + # set_real_ip_from 192.168.0.0/16; + # set_real_ip_from fc00::/7; + set_real_ip_from 127.0.0.1/32; + real_ip_header X-Forwarded-For; + real_ip_recursive on; + + ## Advanced Proxy Configuration + send_timeout 5m; + proxy_read_timeout 360; + proxy_send_timeout 360; + proxy_connect_timeout 360; + ''; + }; + + "/api/verify" = { + proxyPass = "http://127.0.0.1:${toString authelia_port}"; + }; + + "/api/authz/" = { + proxyPass = "http://127.0.0.1:${toString authelia_port}"; + }; + }; + }; + + # set the permissions for the secrets... + age.secrets = { + # ... passwed via environment vars + authelia_session_secret.owner = "authelia-main"; + authelia_session_secret.group = "authelia-main"; + authelia_mail_password.owner = "authelia-main"; + authelia_mail_password.group = "authelia-main"; + + # ... passed via the services.authelia.instances.main.secrets attribute + authelia_storage_encryption_key.owner = "authelia-main"; + authelia_storage_encryption_key.group = "authelia-main"; + authelia_jwt_secret.owner = "authelia-main"; + authelia_jwt_secret.group = "authelia-main"; + authelia_oidc_issuer_private_key.owner = "authelia-main"; + authelia_oidc_issuer_private_key.group = "authelia-main"; + authelia_oidc_hmac_secret.owner = "authelia-main"; + authelia_oidc_hmac_secret.group = "authelia-main"; + }; + + + services.authelia.instances = { + main = { + enable = true; + package = pkgs.authelia; + + # pass some of the secrets in as env-vars + environmentVariables = with config.age.secrets; { + AUTHELIA_SESSION_SECRET_FILE = authelia_session_secret.path; + AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = authelia_mail_password.path; + }; + secrets = with config.age.secrets; { + manual = true; + + # some other secrets can be defined here, but not all... + storageEncryptionKeyFile = authelia_storage_encryption_key.path; + jwtSecretFile = authelia_jwt_secret.path; + oidcIssuerPrivateKeyFile = authelia_oidc_issuer_private_key.path; + oidcHmacSecretFile = authelia_oidc_hmac_secret.path; + }; + settings = { + theme = "dark"; + + server = { + host = "127.0.0.1"; + port = config.emile.ports.authelia; + }; + + # we're using a file to store the user information + authentication_backend = { + refresh_interval = "20s"; + file = { + path = "/var/lib/authelia-main/user.yml"; + watch = true; + password = { + algorithm = "argon2id"; + iterations = 3; + key_length = 32; + salt_length = 16; + memory = 65; + parallelism = 4; + }; + }; + }; + + storage.local.path = "/var/lib/authelia-main/db.sqlite"; + + session = { + domain = "sso.emile.space"; + expiration = 3600; # 1 hour + inactivity = 300; # 5 minutes + }; + + notifier = { + disable_startup_check = false; + smtp = { + host = "mail.emile.space"; + port = 587; + timeout = "30s"; + username = "mail@emile.space"; + + sender = "mail@emile.space"; + subject = "[Authelia] {title}"; + + disable_require_tls = false; + disable_starttls = false; + disable_html_emails = true; + + tls = { + server_name = "mail.emile.space"; + skip_verify = true; + minimum_version = "TLS1.3"; + }; + }; + }; + + identity_providers = { + oidc = { + # regenerate keys like this: + # ; nix run nixpkgs#authelia -- crypto certificate rsa generate + # current serial: deb83f17e27e663f544a16ad2947631d + + enable_client_debug_messages = false; + minimum_parameter_entropy = 8; + enforce_pkce = "public_clients_only"; + enable_pkce_plain_challenge = false; + cors = { + endpoints = [ + "authorization" + "token" + "revocation" + "introspection" + ]; + allowed_origins = [ + "https://emile.space" + ]; + allowed_origins_from_client_redirect_uris = false; + }; + }; + }; + + access_control = { + default_policy = "deny"; + rules = [ + { + domain = "*.emile.space"; + policy = "two_factor"; + } + ]; + }; + + totp = { + disable = false; + issuer = "sso.emile.space"; + algorithm = "sha1"; + digits = 6; + period = 30; + skew = 1; + secret_size = 32; + }; + + ntp = { + address = "time.cloudflare.com:123"; + version = 3; + max_desync = "3s"; + disable_startup_check = false; + disable_failure = false; + }; + }; + }; + }; +} |