draft: partially getting authentik to work

its started at auth.tuxcord.test
2026-05-05 01:14:58 +02:00
parent 82c76dc390
commit 155f3c9504
4 changed files with 145 additions and 1 deletions
@@ -0,0 +1,136 @@
+{ config, ... }:
+let
+  inherit (config.networking) fqdn;
+
+  acmeEnabled = config.acme.enable;
+in
+{
+  services.authelia.instances.main = {
+    enable = true;
+
+    secrets = {
+      jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
+      storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+      sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
+    };
+
+    settings = {
+      theme = "dark";
+      default_redirection_url = "https://${fqdn}"; # HAS to be httpS
+
+      server.address = "127.0.0.1:3001";
+
+      log = {
+        level = "debug";
+        format = "text";
+      };
+
+      authentication_backend = {
+        file = {
+          path = "/var/lib/authelia-main/users_database.yml";
+        };
+      };
+
+      access_control = {
+        default_policy = "deny";
+        rules = [
+          {
+            domain = [ "auth.${fqdn}" ];
+            policy = "bypass";
+          }
+          {
+            domain = [ "*.${fqdn}" ];
+            policy = "one_factor";
+          }
+        ];
+      };
+
+      session = {
+        name = "authelia_session";
+        expiration = "12h";
+        inactivity = "45m";
+        remember_me = "1M";
+        domain = "${fqdn}";
+        redis.host = "/run/redis-authelia-main/redis.sock";
+      };
+
+      regulation = {
+        max_retries = 3;
+        find_time = "5m";
+        ban_time = "15m";
+      };
+
+      storage = {
+        local = {
+          path = "/var/lib/authelia-main/db.sqlite3";
+        };
+      };
+
+      notifier = {
+        disable_startup_check = false;
+        filesystem = {
+          filename = "/var/lib/authelia-main/notification.txt";
+        };
+      };
+    };
+  };
+
+  services.redis.servers.authelia-main = {
+    enable = true;
+    user = "authelia-main";
+    port = 0;
+    unixSocket = "/run/redis-authelia-main/redis.sock";
+    unixSocketPerm = 600;
+  };
+
+  # services.openldap = {
+  #   enable = true;
+
+  #   # enable plain connections only
+  #   urlList = [ "ldap:///" ];
+
+  #   settings = {
+  #     attrs = {
+  #       olcLogLevel = "conns config";
+  #     };
+
+  #     children = {
+  #       # "cn=schema".includes = [
+  #       #   "${pkgs.openldap}/etc/schema/core.ldif"
+  #       #   "${pkgs.openldap}/etc/schema/cosine.ldif"
+  #       #   "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+  #       # ];
+
+  #       "olcDatabase={1}mdb".attrs = {
+  #         objectClass = [
+  #           "olcDatabaseConfig"
+  #           "olcMdbConfig"
+  #         ];
+
+  #         olcDatabase = "{1}mdb";
+  #         olcDbDirectory = "/var/lib/openldap/data";
+
+  #         olcSuffix = "dc=example,dc=com";
+
+  #         # your admin account, do not use writeText on a production system
+  #         olcRootDN = "cn=admin,dc=example,dc=com";
+  #         olcRootPW.path = builtins.roFile "olcRootPW" "pass";
+
+  #         olcAccess = [
+  #           # custom access rules for userPassword attributes
+  #           ''
+  #             {0}to attrs=userPassword
+  #                           by self write
+  #                           by anonymous auth
+  #                           by * none''
+
+  #           # allow read on anything else
+  #           ''
+  #             {1}to *
+  #                           by * read''
+  #         ];
+  #       };
+  #     };
+  #   };
+  # };
+}