{ config, ... }:
let
  # The NixOS Authelia module derives its unit names from the instance's
  # `name` attribute, so reuse that instead of hard-coding "main".
  instanceName = config.services.authelia.instances.main.name;
  socketUnit = "authelia-${instanceName}";
  domain = config.services.nginx.domain;
  sopsSecrets = config.sops.secrets;
in
{
  services.authelia.instances.main = {
    enable = true;

    # Only file paths appear in the generated configuration; the secret
    # material itself is read by Authelia at start-up.
    secrets = {
      jwtSecretFile = sopsSecrets."authelia/jwt".path;
      storageEncryptionKeyFile = sopsSecrets."authelia/storage".path;
    };

    settings = {
      theme = "auto";
      default_2fa_method = "totp";

      server = {
        # Bind to the unix socket declared in systemd.sockets below instead of
        # a TCP port, so only local processes that can open the socket file
        # reach Authelia.
        # Maybe a systemd socket can be used for this in the future, see:
        # https://github.com/systemd/systemd/issues/23067#issuecomment-1212232155
        address = "unix://${config.systemd.sockets.${socketUnit}.socketConfig.ListenStream}";
      };

      authentication_backend = {
        # Self-service credential changes are switched off; accounts live in
        # the sops-managed users file referenced below.
        password_reset.disable = true;
        password_change.disable = true;
        file = {
          path = sopsSecrets."authelia/users".path;
          search = {
            # Users may also sign in with their e-mail address, matched
            # case-sensitively.
            email = true;
            case_insensitive = false;
          };
        };
      };

      storage.postgres = {
        # Local PostgreSQL over its unix socket; no password is configured
        # here, so access presumably relies on socket-level (peer)
        # authentication — confirm in the PostgreSQL setup.
        address = "unix:///run/postgresql";
        database = "authelia";
        username = "authelia";
      };

      session.cookies = [
        {
          inherit domain;
          authelia_url = "https://auth.${domain}";
        }
      ];

      # Notifications are written to a file under the service's
      # RuntimeDirectory rather than delivered by e-mail.
      notifier.filesystem.filename = ''{{ env "RUNTIME_DIRECTORY" }}/authelia-notifications'';

      # No access-control rules are declared here, so every request is
      # governed by Authelia's default_policy. NOTE(review): confirm that
      # rules are defined elsewhere or that the default is the intended
      # behaviour.
      access_control = { };
    };
  };

  systemd.sockets.${socketUnit} = {
    socketConfig = {
      # Accept=no: a single long-running service instance serves all
      # connections on the socket.
      Accept = false;
      ListenStream = "/var/run/authelia.sock";
      # Mode 0660 with SocketGroup restricts connections to root and members
      # of the `authelia` group; the reverse proxy's user must be in it.
      SocketGroup = "authelia";
      SocketMode = "0660";
    };
  };

  systemd.services.${socketUnit} = {
    # Hard dependency on the socket unit so the service never starts without
    # the listening socket it binds to above.
    requires = [ "${socketUnit}.socket" ];
    serviceConfig = {
      RuntimeDirectory = "authelia-${instanceName}";
      # NOTE(review): presumably grants the service user access to
      # group-owned files; confirm which paths actually need it.
      SupplementaryGroups = [ "authelia" ];
    };
  };

  # TODO: Need to map these to systemd creds to pass them into the service
  # because of user permissions.
  sops.secrets = {
    "authelia/users" = { };
    "authelia/jwt" = { };
    "authelia/storage" = { };
  };

  users.groups.authelia = { };
}