{ pkgs, config, ... }:
let
  # Account Authelia runs under; the redis instance and the sops secrets
  # below are owned by it so the service can read them.
  autheliaUser = config.services.authelia.instances.main.user;
  # Hostname the login portal is served on (a subdomain of the nginx domain).
  authHost = "auth.${config.services.nginx.domain}";
  # Ownership applied to every Authelia secret: readable by the service account only.
  ownedByAuthelia = {
    owner = autheliaUser;
    group = autheliaUser;
  };
in
{
  services.authelia.instances.main.enable = true;

  services.authelia.instances.main.settings = {
    theme = "auto";
    # Fallback policy for any resource without an explicit access_control rule;
    # "one_factor" means a valid password alone grants access.
    access_control.default_policy = "one_factor";
    authentication_backend = {
      # Users are kept in a local file; self-service password reset is switched off.
      file.path = "/var/lib/authelia-main/users.yml";
      password_reset.disable = true;
    };
    # Notifications are written to a local file rather than sent by email.
    notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
    session = {
      domain = config.services.nginx.domain;
      redis.host = config.services.redis.servers.authelia.unixSocket;
    };
    storage.postgres = {
      # Postgres is reached over the local unix socket; the password value is a
      # placeholder, presumably because socket peer auth is used — confirm.
      host = "/run/postgresql";
      port = 5432;
      database = autheliaUser;
      username = autheliaUser;
      password = "unnecessary";
    };
  };

  # All key material comes from sops-managed files, never from the Nix store.
  services.authelia.instances.main.secrets = {
    storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKey".path; # Database
    sessionSecretFile = config.sops.secrets."authelia/sessionSecret".path; # Redis
    jwtSecretFile = config.sops.secrets."authelia/jwtSecret".path;
  };

  # Ordering only: Authelia is started after postgres but does not pull it in.
  systemd.services.authelia-main.after = [ "postgresql.service" ];

  services.nginx = {
    # TODO(tlater): Possibly remove on next authelia release
    additionalModules = [
      pkgs.nginxModules.develkit
      pkgs.nginxModules.set-misc
    ];

    virtualHosts.${authHost} = {
      forceSSL = true;
      enableACME = true;
      enableHSTS = true;
      # Portal traffic is forwarded to the local Authelia listener.
      locations."/" = {
        proxyPass = "http://127.0.0.1:9091";
        recommendedProxySettings = false;
        enableAutheliaProxy = true;
      };
      # Same upstream, but without the Authelia proxy settings applied.
      locations."/api/verify" = {
        proxyPass = "http://127.0.0.1:9091";
        recommendedProxySettings = false;
      };
    };
  };

  # Dedicated redis instance for session storage, running as the Authelia account.
  services.redis.servers.authelia = {
    enable = true;
    user = autheliaUser;
  };

  sops.secrets."authelia/storageEncryptionKey" = ownedByAuthelia;
  sops.secrets."authelia/sessionSecret" = ownedByAuthelia;
  sops.secrets."authelia/jwtSecret" = ownedByAuthelia;
}