From 8531d066ad84c6fab064a560153a224ceff48b4f Mon Sep 17 00:00:00 2001
From: Johannes Rothe
Date: Tue, 19 Nov 2024 21:00:51 +0100
Subject: [PATCH] Add Authelia

---
 vps-configuration.nix | 88 +++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 85 insertions(+), 3 deletions(-)

diff --git a/vps-configuration.nix b/vps-configuration.nix
index 6c04ee5..b73c033 100644
--- a/vps-configuration.nix
+++ b/vps-configuration.nix
@@ -25,6 +25,85 @@
 trustedInterfaces = [ "tailscale0" ];
 };
+ services.authelia.instances.main = {
+ enable = true;
+ secrets = {
+ jwtSecretFile = "${pkgs.writeText "jwtSecretFile" "supersecretkeyissupersecret"}";
+ storageEncryptionKeyFile = "${pkgs.writeText "storageEncryptionKeyFile" "supersecretkeyissupersecret"}";
+ sessionSecretFile = "${pkgs.writeText "sessionSecretFile" "supersecretkeyissupersecret"}";
+ };
+ settings = {
+ theme = "auto";
+ default_redirection_url = "https://auth.johannes-rothe.de";
+
+ server = {
+ host = "127.0.0.1";
+ port = 9091;
+ };
+
+ log = {
+ level = "debug";
+ format = "text";
+ };
+
+ authentication_backend = {
+ #file = {
+ # path = "/var/lib/authelia-main/users_database.yml";
+ #};
+ };
+
+ access_control = {
+ default_policy = "one_factor";
+ rules = [
+ #{
+ # domain = ["auth.example.com"];
+ # policy = "bypass";
+ #}
+ #{
+ # domain = ["*.example.com"];
+ # policy = "one_factor";
+ #}
+ ];
+ };
+
+ session = {
+ name = "authelia_session";
+ expiration = "12h";
+ inactivity = "45m";
+ remember_me_duration = "1M";
+ domain = "example.com";
+ redis.host = "/run/redis-authelia-main/redis.sock";
+ };
+
+ regulation = {
+ max_retries = 3;
+ find_time = "5m";
+ ban_time = "15m";
+ };
+
+ storage = {
+ local = {
+ path = "/var/lib/authelia-main/db.sqlite3";
+ };
+ };
+
+ notifier = {
+ disable_startup_check = false;
+ filesystem = {
+ filename = "/var/lib/authelia-main/notification.txt";
+ };
+ };
+ };
+ };
+
+ services.redis.servers.authelia-main = {
+ enable = true;
+ user = "authelia-main";
+ port = 0;
+ unixSocket = "/run/redis-authelia-main/redis.sock";
+ unixSocketPerm = 600;
+ };
+
 services.headscale = {
 enable = true;
 address = "0.0.0.0";
@@ -46,6 +125,9 @@
 "www.johannes-rothe.de".extraConfig = ''
 reverse_proxy base:11112
 '';
+ "auth.johannes-rothe.de".extraConfig = ''
+ reverse_proxy localhost:9091
+ '';
 "cloud.johannes-rothe.de".extraConfig = ''
 reverse_proxy base:5002
 '';
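Review bot: The three `*SecretFile` entries in `secrets` are produced with `pkgs.writeText`, which stores the literal `supersecretkeyissupersecret` in the world-readable Nix store as well as in this repository, and the same value is reused for the JWT secret, the storage encryption key and the session secret. Each should be a distinct random value kept outside the store, e.g. `jwtSecretFile = "<path-outside-nix-store>";` (placeholder) owned by `authelia-main` with mode 0400 and provisioned by whatever secret mechanism this host uses; as I understand it the storage key encrypts sensitive fields in the SQLite database, so it is easiest to replace before the first real login. Separately, `session.domain = "example.com"` does not cover `default_redirection_url = "https://auth.johannes-rothe.de"`, so the session cookie would not be valid for the portal, and `authentication_backend` is left with no backend because the `file` block is commented out, which I expect Authelia to reject at startup. `log.level = "debug"` should also return to `info` once the setup works, since debug output carries request detail; the same placeholder domains (`*.example.com`) appear in the commented `access_control.rules`.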
@@ -55,9 +137,9 @@
 "git.johannes-rothe.de".extraConfig = ''
 reverse_proxy base:3001
 '';
- #"headscale.johannes-rothe.de".extraConfig = ''
- # reverse_proxy base:5232
- #'';
+ "headscale.johannes-rothe.de".extraConfig = ''
+ reverse_proxy localhost:8080
+ '';
 "radicale.johannes-rothe.de".extraConfig = ''
 reverse_proxy base:5232
 '';
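Review bot: Headscale is now proxied from `localhost:8080`, but the `services.headscale` block visible as context in the first hunk sets `address = "0.0.0.0"`, so the plaintext listener is also bound on every interface and, depending on firewall rules not shown here, may be reachable without passing through Caddy's TLS termination. Since Caddy only needs loopback, `address = "127.0.0.1";` would restrict it. The headscale port itself is outside this diff, so confirm that 8080 matches `services.headscale.port` before relying on this vhost.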