draft: partially getting authentik to work

It's started at auth.tuxcord.test
This commit is contained in:
2026-05-05 01:14:58 +02:00
parent 82c76dc390
commit 155f3c9504
4 changed files with 145 additions and 1 deletions
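--- a/PATH-NOT-SHOWN-1
+++ b/PATH-NOT-SHOWN-1
@@ -99,7 +99,10 @@ in
 extraHosts =
 let
-subdomains = [ "git" ];
+subdomains = [
+"git"
+"auth"
+];
 inherit (config.networking) fqdn;
 hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;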
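--- /dev/null
+++ b/PATH-NOT-SHOWN-2
@@ -0,0 +1,136 @@
+{ config, ... }:
+let
+inherit (config.networking) fqdn;
+acmeEnabled = config.acme.enable;
+in
+{
+services.authelia.instances.main = {
+enable = true;
+secrets = {
+jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
+storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
+};
+settings = {
+theme = "dark";
+default_redirection_url = "https://${fqdn}"; # HAS to be httpS
+server.address = "127.0.0.1:3001";
+log = {
+level = "debug";
+format = "text";
+};
+authentication_backend = {
+file = {
+path = "/var/lib/authelia-main/users_database.yml";
+};
+};
+access_control = {
+default_policy = "deny";
+rules = [
+{
+domain = [ "auth.${fqdn}" ];
+policy = "bypass";
+}
+{
+domain = [ "*.${fqdn}" ];
+policy = "one_factor";
+}
+];
+};
+session = {
+name = "authelia_session";
+expiration = "12h";
+inactivity = "45m";
+remember_me = "1M";
+domain = "${fqdn}";
+redis.host = "/run/redis-authelia-main/redis.sock";
+};
+regulation = {
+max_retries = 3;
+find_time = "5m";
+ban_time = "15m";
+};
+storage = {
+local = {
+path = "/var/lib/authelia-main/db.sqlite3";
+};
+};
+notifier = {
+disable_startup_check = false;
+filesystem = {
+filename = "/var/lib/authelia-main/notification.txt";
+};
+};
+};
+};
+services.redis.servers.authelia-main = {
+enable = true;
+user = "authelia-main";
+port = 0;
+unixSocket = "/run/redis-authelia-main/redis.sock";
+unixSocketPerm = 600;
+};
+# services.openldap = {
+# enable = true;
+# # enable plain connections only
+# urlList = [ "ldap:///" ];
+# settings = {
+# attrs = {
+# olcLogLevel = "conns config";
+# };
+# children = {
+# # "cn=schema".includes = [
+# # "${pkgs.openldap}/etc/schema/core.ldif"
+# # "${pkgs.openldap}/etc/schema/cosine.ldif"
+# # "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+# # ];
+# "olcDatabase={1}mdb".attrs = {
+# objectClass = [
+# "olcDatabaseConfig"
+# "olcMdbConfig"
+# ];
+# olcDatabase = "{1}mdb";
+# olcDbDirectory = "/var/lib/openldap/data";
+# olcSuffix = "dc=example,dc=com";
+# # your admin account, do not use writeText on a production system
+# olcRootDN = "cn=admin,dc=example,dc=com";
+# olcRootPW.path = builtins.roFile "olcRootPW" "pass";
+# olcAccess = [
+# # custom access rules for userPassword attributes
+# ''
+# {0}to attrs=userPassword
+# by self write
+# by anonymous auth
+# by * none''
+# # allow read on anything else
+# ''
+# {1}to *
+# by * read''
+# ];
+# };
+# };
+# };
+# };
+}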
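Review bot: The three values under `secrets` (`jwtSecretFile`, `storageEncryptionKeyFile`, `sessionSecretFile`) are produced with `builtins.toFile`, so the secret strings are written verbatim into the world-readable Nix store and into this repository, which defeats the purpose of the `*File` options. Point them at files that live outside the store and are provisioned at deploy time, e.g. `jwtSecretFile = "/var/lib/authelia-main/jwt_secret";` (constructed path, owned by the `authelia-main` user), and treat the strings already committed here as burned, since the storage encryption key also protects the data in the sqlite database at `/var/lib/authelia-main/db.sqlite3`. The same concern applies to the commented-out `olcRootPW.path = builtins.roFile "olcRootPW" "pass";` further down if it is ever revived. Separately, `log.level = "debug"` records authentication details in the journal; `"info"` is the safer setting once this is past the draft stage, and `acmeEnabled` is bound in the `let` but never used. This file is presumably the `./authelia.nix` added to the imports in the next section; the page does not show its path.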
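--- a/PATH-NOT-SHOWN-3
+++ b/PATH-NOT-SHOWN-3
@@ -1,6 +1,7 @@
 {
 imports = [
 ./acme.nix
+./authelia.nix
 ./dns.nix
 ./fail2ban.nix
 ./gitea.nix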
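--- a/PATH-NOT-SHOWN-4
+++ b/PATH-NOT-SHOWN-4
@@ -60,6 +60,10 @@ in
 "git.${fqdn}" = mkVhost { } {
 "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
 };
+"auth.${fqdn}" = mkVhost { } {
+"/" = mkProxy 3001;
+};
 };
 };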
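Review bot: `mkProxy 3001` hard-codes a second copy of the port that the Authelia instance sets via `server.address = "127.0.0.1:3001"`, whereas the neighbouring git vhost derives its port from `config.services.gitea.settings.server.HTTP_PORT`; if either side changes, the auth vhost silently proxies to a closed port. Keeping the number in one place, for instance a shared `let autheliaPort = 3001;` consumed by both modules, would remove that drift. `mkVhost` and `mkProxy` are defined outside the hunk, so I cannot tell whether they forward `X-Forwarded-For`/`X-Forwarded-Proto`/`Host`; Authelia relies on those for the `https` redirection URL and for attributing failed logins to the right client in `regulation`, so it is worth confirming before the `regulation` bans are trusted.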