{ config, pkgs, ... }: let # authelia_port = config.services.authelia.instances.main.settings.server.port; authelia_port = config.emile.ports.authelia; in { services.nginx.virtualHosts."sso.emile.space" = { forceSSL = true; enableACME = true; locations = { "/" = { proxyPass = "http://127.0.0.1:${toString authelia_port}"; extraConfig = '' ## Headers proxy_set_header Host $host; proxy_set_header X-Original-URL $scheme://$http_host$request_uri; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-URI $request_uri; proxy_set_header X-Forwarded-Ssl on; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Real-IP $remote_addr; ## Basic Proxy Configuration client_body_buffer_size 128k; proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead. proxy_redirect http:// $scheme://; proxy_http_version 1.1; proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_buffers 64 256k; ## Trusted Proxies Configuration ## Please read the following documentation before configuring this: ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies # set_real_ip_from 10.0.0.0/8; # set_real_ip_from 172.16.0.0/12; # set_real_ip_from 192.168.0.0/16; # set_real_ip_from fc00::/7; set_real_ip_from 127.0.0.1/32; real_ip_header X-Forwarded-For; real_ip_recursive on; ## Advanced Proxy Configuration send_timeout 5m; proxy_read_timeout 360; proxy_send_timeout 360; proxy_connect_timeout 360; ''; }; "/api/verify" = { proxyPass = "http://127.0.0.1:${toString authelia_port}"; }; "/api/authz/" = { proxyPass = "http://127.0.0.1:${toString authelia_port}"; }; }; }; users.users."authelia-main" = { # isNormalUser = true; name = "authelia-main"; }; users.groups."authelia-main" = { name = "authelia-main"; members = [ "authelia-main" ]; }; # set the permissions for the secrets... age.secrets = { # ... passwed via environment vars authelia_session_secret.owner = "authelia-main"; authelia_session_secret.group = "authelia-main"; authelia_mail_password.owner = "authelia-main"; authelia_mail_password.group = "authelia-main"; # ... passed via the services.authelia.instances.main.secrets attribute authelia_storage_encryption_key.owner = "authelia-main"; authelia_storage_encryption_key.group = "authelia-main"; authelia_jwt_secret.owner = "authelia-main"; authelia_jwt_secret.group = "authelia-main"; authelia_oidc_issuer_private_key.owner = "authelia-main"; authelia_oidc_issuer_private_key.group = "authelia-main"; authelia_oidc_hmac_secret.owner = "authelia-main"; authelia_oidc_hmac_secret.group = "authelia-main"; }; services.authelia.instances = { main = { enable = true; package = pkgs.authelia; # pass some of the secrets in as env-vars environmentVariables = with config.age.secrets; { AUTHELIA_SESSION_SECRET_FILE = authelia_session_secret.path; AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = authelia_mail_password.path; }; secrets = with config.age.secrets; { manual = true; # some other secrets can be defined here, but not all... storageEncryptionKeyFile = authelia_storage_encryption_key.path; jwtSecretFile = authelia_jwt_secret.path; oidcIssuerPrivateKeyFile = authelia_oidc_issuer_private_key.path; oidcHmacSecretFile = authelia_oidc_hmac_secret.path; }; settings = { theme = "dark"; server = { address = "127.0.0.1:${toString config.emile.ports.authelia}"; # host = "127.0.0.1"; # port = config.emile.ports.authelia; }; # we're using a file to store the user information authentication_backend = { refresh_interval = "60s"; file = { path = "/var/lib/authelia-main/user.yml"; watch = true; password = { algorithm = "argon2id"; iterations = 3; key_length = 32; salt_length = 16; memory = 65; parallelism = 4; }; }; }; storage.local.path = "/var/lib/authelia-main/db.sqlite"; session = { # domain = "sso.emile.space"; # expiration = 3600; # 1 hour # inactivity = 300; # 5 minutes cookies = [ { domain = "emile.space"; authelia_url = "https://sso.emile.space"; # The period of time the user can be inactive for until the session is destroyed. Useful if you want long session timers but don’t want unused devices to be vulnerable. inactivity = "1h"; # The period of time before the cookie expires and the session is destroyed. This is overridden by remember_me when the remember me box is checked. expiration = "1d"; # The period of time before the cookie expires and the session is destroyed when the remember me box is checked. Setting this to -1 disables this feature entirely for this session cookie domain remember_me = "3M"; } ]; }; notifier = { disable_startup_check = false; smtp = { host = "mail.emile.space"; port = 587; timeout = "30s"; username = "mail@emile.space"; sender = "mail@emile.space"; subject = "[Authelia] {title}"; disable_require_tls = false; disable_starttls = false; disable_html_emails = true; tls = { server_name = "mail.emile.space"; skip_verify = true; minimum_version = "TLS1.3"; }; }; }; identity_providers = { oidc = { # regenerate keys like this: # ; nix run nixpkgs#authelia -- crypto certificate rsa generate # current serial: deb83f17e27e663f544a16ad2947631d enable_client_debug_messages = false; minimum_parameter_entropy = 8; enforce_pkce = "public_clients_only"; enable_pkce_plain_challenge = false; cors = { endpoints = [ "authorization" "token" "revocation" "introspection" ]; allowed_origins = [ "https://emile.space" ]; allowed_origins_from_client_redirect_uris = false; }; }; }; access_control = { default_policy = "deny"; rules = [ { # silverbullet needs access to these without auth domain = "sb.emile.space"; policy = "bypass"; resources = [ "/.client/manifest.json$" "/.client/[a-zA-Z0-9_-]+.png$" "/service_worker.js$" ]; } { domain = "*.emile.space"; policy = "two_factor"; } ]; }; # type = types.enum [ "" "totp" "webauthn" "mobile_push" ]; default_2fa_method = "totp"; totp = { disable = false; issuer = "sso.emile.space"; algorithm = "sha1"; digits = 6; period = 30; skew = 1; secret_size = 32; }; ntp = { address = "time.cloudflare.com:123"; version = 3; max_desync = "3s"; disable_startup_check = false; disable_failure = false; }; }; }; }; }