Add Authelia

2024-11-19 21:00:51 +01:00 · 2024-11-19 21:00:51 +01:00 · 8531d066ad
commit 8531d066ad
parent d6ac70abab
1 changed files with 85 additions and 3 deletions
--- a/vps-configuration.nix
+++ b/vps-configuration.nix
@ -25,6 +25,85 @@
    trustedInterfaces = [ "tailscale0" ];
  };

+  services.authelia.instances.main = {
+    enable = true;
+    secrets = {
+      jwtSecretFile = "${pkgs.writeText "jwtSecretFile" "supersecretkeyissupersecret"}";
+      storageEncryptionKeyFile = "${pkgs.writeText "storageEncryptionKeyFile" "supersecretkeyissupersecret"}";
+      sessionSecretFile = "${pkgs.writeText "sessionSecretFile" "supersecretkeyissupersecret"}";
+    };
+    settings = {
+      theme = "auto";
+      default_redirection_url = "https://auth.johannes-rothe.de";
+
+      server = {
+        host = "127.0.0.1";
+        port = 9091;
+      };
+
+      log = {
+        level = "debug";
+        format = "text";
+      };
+
+      authentication_backend = {
+        #file = {
+        #  path = "/var/lib/authelia-main/users_database.yml";
+        #};
+      };
+
+      access_control = {
+        default_policy = "one_factor";
+        rules = [
+          #{
+          #  domain = ["auth.example.com"];
+          #  policy = "bypass";
+          #}
+          #{
+          #  domain = ["*.example.com"];
+          #  policy = "one_factor";
+          #}
+        ];
+      };
+
+      session = {
+        name = "authelia_session";
+        expiration = "12h";
+        inactivity = "45m";
+        remember_me_duration = "1M";
+        domain = "example.com";
+        redis.host = "/run/redis-authelia-main/redis.sock";
+      };
+
+      regulation = {
+        max_retries = 3;
+        find_time = "5m";
+        ban_time = "15m";
+      };
+
+      storage = {
+        local = {
+          path = "/var/lib/authelia-main/db.sqlite3";
+        };
+      };
+
+      notifier = {
+        disable_startup_check = false;
+        filesystem = {
+          filename = "/var/lib/authelia-main/notification.txt";
+        };
+      };
+    };
+  };
+
+  services.redis.servers.authelia-main = {
+    enable = true;
+    user = "authelia-main";
+    port = 0;
+    unixSocket = "/run/redis-authelia-main/redis.sock";
+    unixSocketPerm = 600;
+  };
+
  services.headscale = {
      enable = true;
      address = "0.0.0.0";
@ -46,6 +125,9 @@
      "www.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
+      "auth.johannes-rothe.de".extraConfig = ''
+        reverse_proxy localhost:9091
+      '';
      "cloud.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5002
      '';
@ -55,9 +137,9 @@
      "git.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:3001
      '';
-      #"headscale.johannes-rothe.de".extraConfig = ''
-      #  reverse_proxy base:5232
-      #'';
+      "headscale.johannes-rothe.de".extraConfig = ''
+        reverse_proxy localhost:8080
+      '';
      "radicale.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5232
      '';