123 lines
3.9 KiB
Nix
123 lines
3.9 KiB
Nix
{ config, ... }:
|
|
{
|
|
services = {
|
|
authelia.instances.tlaternet = {
|
|
enable = true;
|
|
|
|
environmentVariables = {
|
|
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
|
|
config.sops.secrets."authelia/lldap-password".path;
|
|
AUTHELIA_NOTIFIER_SMTP_SENDER_FILE = config.sops.secrets."authelia/ntfy-topic".path;
|
|
};
|
|
|
|
settings = {
|
|
authentication_backend.ldap = {
|
|
# TODO(tlater): Enable when authelia has a webhook notifier:
|
|
# https://github.com/authelia/authelia/issues/7695
|
|
password_reset.disable = true;
|
|
refresh_interval = "1m";
|
|
address = "ldap://${config.services.lldap.settings.ldap_host}:${toString config.services.lldap.settings.ldap_port}";
|
|
implementation = "lldap";
|
|
base_dn = config.services.lldap.settings.ldap_base_dn;
|
|
user = "cn=authelia,ou=people,${config.services.lldap.settings.ldap_base_dn}";
|
|
};
|
|
|
|
password_policy.zxcvbn.enabled = true;
|
|
|
|
telemetry.metrics.enabled = true;
|
|
|
|
access_control = {
|
|
default_policy = "deny";
|
|
rules = [
|
|
{
|
|
domain = "*.${config.services.nginx.domain}";
|
|
policy = "one_factor";
|
|
}
|
|
];
|
|
};
|
|
notifier.filesystem.filename = "/var/lib/authelia-tlaternet/notification.txt";
|
|
|
|
session = {
|
|
cookies = [
|
|
{
|
|
domain = "${config.services.nginx.domain}";
|
|
authelia_url = "https://auth.${config.services.nginx.domain}";
|
|
}
|
|
];
|
|
redis.host = config.services.redis.servers.authelia.unixSocket;
|
|
};
|
|
|
|
storage = {
|
|
postgres = {
|
|
address = "/var/run/postgresql";
|
|
username = config.services.authelia.instances.tlaternet.user;
|
|
database = config.services.authelia.instances.tlaternet.user;
|
|
};
|
|
};
|
|
|
|
# Auth options
|
|
default_2fa_method = "totp";
|
|
totp.issuer = "tlater.net";
|
|
webauthn = {
|
|
display_name = "tlater.net";
|
|
enable_passkey_login = true;
|
|
|
|
attestation_conveyance_preference = "direct";
|
|
filtering.prohibit_backup_eligibility = true;
|
|
metadata = {
|
|
enabled = true;
|
|
validate_trust_anchor = true;
|
|
validate_entry = true;
|
|
validate_status = true;
|
|
validate_entry_permit_zero_aaguid = false;
|
|
};
|
|
};
|
|
duo_api.disable = true;
|
|
};
|
|
|
|
secrets = {
|
|
storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path;
|
|
jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path;
|
|
sessionSecretFile = config.sops.secrets."authelia/session-secret".path;
|
|
};
|
|
};
|
|
|
|
redis.servers.authelia = {
|
|
enable = true;
|
|
user = config.services.authelia.instances.tlaternet.user;
|
|
};
|
|
|
|
lldap = {
|
|
enable = true;
|
|
settings = {
|
|
ldap_base_dn = "dc=tlater,dc=net";
|
|
database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
|
|
ldap_host = "127.0.0.1";
|
|
|
|
http_host = "127.0.0.1";
|
|
http_url = "https://lldap.${config.services.nginx.domain}";
|
|
|
|
force_ldap_user_pass_reset = "always";
|
|
|
|
smtp_options.enable_password_reset = false;
|
|
|
|
environment = {
|
|
LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
|
|
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
|
|
LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
|
|
};
|
|
};
|
|
};
|
|
|
|
nginx.virtualHosts = {
|
|
"lldap.${config.services.nginx.domain}" = {
|
|
useACMEHost = "tlater.net";
|
|
forceSSL = true;
|
|
enableHSTS = true;
|
|
|
|
locations."/".proxyPass =
|
|
"http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
|
|
};
|
|
};
|
|
};
|
|
}
|