WIP: feat(authelia): Add authentication with authelia
This commit is contained in:
parent
94ec261a94
commit
27f28457b2
9 changed files with 256 additions and 9 deletions
configuration/services/auth
93
configuration/services/auth/authelia.nix
Normal file
93
configuration/services/auth/authelia.nix
Normal file
|
@ -0,0 +1,93 @@
|
|||
{ config, ... }:
|
||||
{
|
||||
systemd.services.authelia-tlaternet.after = [ config.systemd.services.lldap-provisioning.name ];
|
||||
|
||||
services = {
|
||||
authelia.instances.tlaternet = {
|
||||
enable = true;
|
||||
|
||||
environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
|
||||
config.sops.secrets."authelia/lldap-password".path;
|
||||
|
||||
settings = {
|
||||
authentication_backend.ldap =
|
||||
let
|
||||
cfglldap = config.services.lldap.settings;
|
||||
in
|
||||
{
|
||||
# TODO(tlater): Enable when authelia has a webhook notifier:
|
||||
# https://github.com/authelia/authelia/issues/7695
|
||||
password_reset.disable = true;
|
||||
refresh_interval = "1m";
|
||||
address = "ldap://${cfglldap.ldap_host}:${toString cfglldap.ldap_port}";
|
||||
implementation = "lldap";
|
||||
base_dn = cfglldap.ldap_base_dn;
|
||||
user = "cn=authelia,ou=people,${cfglldap.ldap_base_dn}";
|
||||
};
|
||||
|
||||
password_policy.zxcvbn.enabled = true;
|
||||
|
||||
telemetry.metrics.enabled = true;
|
||||
|
||||
access_control = {
|
||||
default_policy = "deny";
|
||||
rules = [
|
||||
{
|
||||
domain = "*.${config.services.nginx.domain}";
|
||||
policy = "one_factor";
|
||||
}
|
||||
];
|
||||
};
|
||||
notifier.filesystem.filename = "/var/lib/authelia-tlaternet/notification.txt";
|
||||
|
||||
session = {
|
||||
cookies = [
|
||||
{
|
||||
domain = "${config.services.nginx.domain}";
|
||||
authelia_url = "https://auth.${config.services.nginx.domain}";
|
||||
}
|
||||
];
|
||||
redis.host = config.services.redis.servers.authelia.unixSocket;
|
||||
};
|
||||
|
||||
storage = {
|
||||
postgres = {
|
||||
address = "/var/run/postgresql";
|
||||
username = config.services.authelia.instances.tlaternet.user;
|
||||
database = config.services.authelia.instances.tlaternet.user;
|
||||
};
|
||||
};
|
||||
|
||||
# Auth options
|
||||
default_2fa_method = "totp";
|
||||
totp.issuer = "tlater.net";
|
||||
webauthn = {
|
||||
display_name = "tlater.net";
|
||||
enable_passkey_login = true;
|
||||
|
||||
attestation_conveyance_preference = "direct";
|
||||
filtering.prohibit_backup_eligibility = true;
|
||||
metadata = {
|
||||
enabled = true;
|
||||
validate_trust_anchor = true;
|
||||
validate_entry = true;
|
||||
validate_status = true;
|
||||
validate_entry_permit_zero_aaguid = false;
|
||||
};
|
||||
};
|
||||
duo_api.disable = true;
|
||||
};
|
||||
|
||||
secrets = {
|
||||
storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path;
|
||||
jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path;
|
||||
sessionSecretFile = config.sops.secrets."authelia/session-secret".path;
|
||||
};
|
||||
};
|
||||
|
||||
redis.servers.authelia = {
|
||||
enable = true;
|
||||
user = config.services.authelia.instances.tlaternet.user;
|
||||
};
|
||||
};
|
||||
}
|
Loading…
Add table
Add a link
Reference in a new issue