tlaternet-server/configuration/services/auth/authelia.nix

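# Authelia identity provider, instance "main", for this host.
#
# The instance listens on a systemd-managed unix socket rather than a TCP
# port; the socket is group-restricted (0660, group "authelia"), so any
# reverse proxy that talks to it must run with that group — that membership
# is not configured in this file. Secret material comes from sops-nix; see
# the TODO at the bottom about making it readable by the service user.
{ config, ... }:
let
  instanceName = config.services.authelia.instances.main.name;
  # systemd unit name shared by the socket and the service (`<name>.socket`,
  # `<name>.service`), which is what lets systemd pair the two.
  unitName = "authelia-${instanceName}";
  domain = config.services.nginx.domain;
  sopsSecrets = config.sops.secrets;
in
{
  services.authelia.instances.main = {
    enable = true;

    settings = {
      theme = "auto";
      default_2fa_method = "totp";

      authentication_backend = {
        # Self-service password flows are switched off; accounts are managed
        # by editing the users file referenced below.
        password_reset.disable = true;
        password_change.disable = true;
        file = {
          inherit (sopsSecrets."authelia/users") path;
          search = {
            # Allow the e-mail address as a login identifier; usernames and
            # addresses are matched case-sensitively.
            email = true;
            case_insensitive = false;
          };
        };
      };

      # Local PostgreSQL over its unix socket. No password is configured here,
      # so this relies on the database accepting the socket peer for the
      # "authelia" role (set up outside this file).
      storage.postgres = {
        address = "unix:///run/postgresql";
        database = "authelia";
        username = "authelia";
      };

      session.cookies = [
        {
          inherit domain;
          authelia_url = "https://auth.${domain}";
        }
      ];

      # Notifications (enrolment/verification links) are appended to a file
      # under the service's RuntimeDirectory instead of being e-mailed; the
      # `{{ env ... }}` part is an Authelia config template expanded at runtime.
      notifier.filesystem.filename = ''{{ env "RUNTIME_DIRECTORY" }}/authelia-notifications'';

      # No rules and no explicit default_policy. Authelia's documented default
      # policy is "deny", so protected endpoints reject everything until rules
      # are added here — confirm against the deployed Authelia version.
      access_control = {
      };

      server = {
        # Maybe a systemd socket can be used for this in the future,
        # see:
        # https://github.com/systemd/systemd/issues/23067#issuecomment-1212232155
        #
        # The daemon binds the same path the socket unit below listens on.
        # NOTE(review): confirm the two do not contend for that path at
        # start-up and that the resulting socket keeps the 0660 group mode.
        address = "unix://${config.systemd.sockets.${unitName}.socketConfig.ListenStream}";
      };
    };

    secrets = {
      jwtSecretFile = sopsSecrets."authelia/jwt".path;
      storageEncryptionKeyFile = sopsSecrets."authelia/storage".path;
    };
  };

  # Socket unit that owns the listening path and its permissions.
  systemd.sockets.${unitName} = {
    socketConfig = {
      Accept = false;
      # /run rather than the legacy /var/run alias, which systemd reports as
      # deprecated for unit paths; on NixOS both resolve to the same file.
      ListenStream = "/run/authelia.sock";
      SocketGroup = "authelia";
      SocketMode = "0660";
    };
  };

  systemd.services.${unitName} = {
    requires = [ "${unitName}.socket" ];
    serviceConfig = {
      # Backs the RUNTIME_DIRECTORY used by the filesystem notifier above.
      RuntimeDirectory = unitName;
      # Run the daemon as a member of the group that owns the socket.
      SupplementaryGroups = [ "authelia" ];
    };
  };

  # TODO: pass these to the service as systemd credentials (LoadCredential=)
  # so the service user can read them; as declared here, with no owner/group,
  # the sops-managed files are not readable by that user.
  sops.secrets = {
    "authelia/users" = { };
    "authelia/jwt" = { };
    "authelia/storage" = { };
  };

  users.groups.authelia = { };
}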