tuxcord/tuxcord.nix
8
2
Fork 1
Code Issues 13 Pull Requests Actions Packages Projects 1 Releases Wiki Activity
Files
155f3c9504a42bd7c65873d772b8a6a14b08dff7
tuxcord.nix/nixos/modules/authelia.nix
T
javalsai 155f3c9504
Check / Nix flake (push) Failing after 9s
Details
Lint / Nix expressions (push) Failing after 10s
Details
draft: partially getting authentik to work 
its started at auth.tuxcord.test
2026-05-05 01:14:58 +02:00

137 lines
3.3 KiB
Nix
Raw Blame History

{ config, ... }:
let
inherit (config.networking) fqdn;
acmeEnabled = config.acme.enable;
in
{
services.authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
};
settings = {
theme = "dark";
default_redirection_url = "https://${fqdn}"; # HAS to be httpS
server.address = "127.0.0.1:3001";
log = {
level = "debug";
format = "text";
};
authentication_backend = {
file = {
path = "/var/lib/authelia-main/users_database.yml";
};
};
access_control = {
default_policy = "deny";
rules = [
{
domain = [ "auth.${fqdn}" ];
policy = "bypass";
}
{
domain = [ "*.${fqdn}" ];
policy = "one_factor";
}
];
};
session = {
name = "authelia_session";
expiration = "12h";
inactivity = "45m";
remember_me = "1M";
domain = "${fqdn}";
redis.host = "/run/redis-authelia-main/redis.sock";
};
regulation = {
max_retries = 3;
find_time = "5m";
ban_time = "15m";
};
storage = {
local = {
path = "/var/lib/authelia-main/db.sqlite3";
};
};
notifier = {
disable_startup_check = false;
filesystem = {
filename = "/var/lib/authelia-main/notification.txt";
};
};
};
};
services.redis.servers.authelia-main = {
enable = true;
user = "authelia-main";
port = 0;
unixSocket = "/run/redis-authelia-main/redis.sock";
unixSocketPerm = 600;
};
# services.openldap = {
# enable = true;
# # enable plain connections only
# urlList = [ "ldap:///" ];
# settings = {
# attrs = {
# olcLogLevel = "conns config";
# };
# children = {
# # "cn=schema".includes = [
# # "${pkgs.openldap}/etc/schema/core.ldif"
# # "${pkgs.openldap}/etc/schema/cosine.ldif"
# # "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
# # ];
# "olcDatabase={1}mdb".attrs = {
# objectClass = [
# "olcDatabaseConfig"
# "olcMdbConfig"
# ];
# olcDatabase = "{1}mdb";
# olcDbDirectory = "/var/lib/openldap/data";
# olcSuffix = "dc=example,dc=com";
# # your admin account, do not use writeText on a production system
# olcRootDN = "cn=admin,dc=example,dc=com";
# olcRootPW.path = builtins.roFile "olcRootPW" "pass";
# olcAccess = [
# # custom access rules for userPassword attributes
# ''
# {0}to attrs=userPassword
# by self write
# by anonymous auth
# by * none''
# # allow read on anything else
# ''
# {1}to *
# by * read''
# ];
# };
# };
# };
# };
}
Reference in New Issue View Git Blame Copy Permalink