WIP: Auth

configuration/services/auth/authelia.nix

@@ -0,0 +1,87 @@
+{ config, ... }:
+let
+  instanceName = config.services.authelia.instances.main.name;
+in
+{
+  services.authelia.instances.main = {
+    enable = true;
+
+    settings = {
+      theme = "auto";
+      default_2fa_method = "totp";
+
+      authentication_backend = {
+        password_reset.disable = true;
+        password_change.disable = true;
+
+        file = {
+          inherit (config.sops.secrets."authelia/users") path;
+
+          search = {
+            email = true;
+            case_insensitive = false;
+          };
+        };
+      };
+
+      storage.postgres = {
+        address = "unix:///run/postgresql";
+        database = "authelia";
+        username = "authelia";
+      };
+
+      session.cookies = [
+        {
+          domain = config.services.nginx.domain;
+          authelia_url = "https://auth.${config.services.nginx.domain}";
+        }
+      ];
+
+      notifier.filesystem.filename = ''{{ env "RUNTIME_DIRECTORY" }}/authelia-notifications'';
+
+      access_control = {
+
+      };
+
+      server = {
+        # Maybe a systemd socket can be used for this in the future,
+        # see:
+        # https://github.com/systemd/systemd/issues/23067#issuecomment-1212232155
+        address = "unix://${config.systemd.sockets."authelia-${instanceName}".socketConfig.ListenStream}";
+      };
+    };
+
+    secrets = {
+      jwtSecretFile = config.sops.secrets."authelia/jwt".path;
+      storageEncryptionKeyFile = config.sops.secrets."authelia/storage".path;
+    };
+  };
+
+  systemd.sockets."authelia-${instanceName}" = {
+    socketConfig = {
+      Accept = false;
+      ListenStream = "/var/run/authelia.sock";
+      SocketGroup = "authelia";
+      SocketMode = "0660";
+    };
+  };
+
+  systemd.services."authelia-${instanceName}" = {
+    requires = [ "authelia-${instanceName}.socket" ];
+
+    serviceConfig = {
+      RuntimeDirectory = "authelia-${instanceName}";
+      SupplementaryGroups = [ "authelia" ];
+    };
+  };
+
+  # TODO: Need to map these to systemd creds to pass them into the
+  # service because user permissions
+  sops.secrets = {
+    "authelia/users" = { };
+    "authelia/jwt" = { };
+    "authelia/storage" = { };
+  };
+
+  users.groups.authelia = { };
+}

configuration/services/auth/default.nix

@@ -0,0 +1,5 @@
+{
+  imports = [
+    ./authelia.nix
+  ];
+}

configuration/services/postgres.nix

@@ -17,6 +17,10 @@
     # that operation needs to be performed manually on the system as
     # well.
     ensureUsers = [
+      {
+        name = "authelia";
+        ensureDBOwnership = true;
+      }
       {
         name = "grafana";
         ensureDBOwnership = true;
@@ -28,6 +32,7 @@
     ];
 
     ensureDatabases = [
+      "authelia"
       "grafana"
       "nextcloud"
     ];