diff options
| author |  Alexander Foremny <aforemny@posteo.de> | 2024-02-23 08:07:11 +0100 |
|---|---|---|
| committer | Alexander Foremny <aforemny@posteo.de> | 2024-02-26 04:36:24 +0100 |
| commit | 597ec76b7cb1527b1df215548a8f50bddccd8606 (patch) | |
| tree | 9ea88686f3b15689e222a1d286a6726f6ce59ace /apps/authelia/module.nix | |
| parent | d2873fe0f6a117d7157c2a6f204a864f9edeb668 (diff) | |
apps/authelia: init
Diffstat (limited to 'apps/authelia/module.nix')
| -rw-r--r-- | apps/authelia/module.nix | 61 |
1 files changed, 61 insertions, 0 deletions
diff --git a/apps/authelia/module.nix b/apps/authelia/module.nix new file mode 100644 index 0000000..fa4d35d --- /dev/null +++ b/apps/authelia/module.nix @@ -0,0 +1,61 @@ +{ appConfig, lib, pkgs, ... }: lib.mkMerge [ + # authelia + { + services.authelia.instances.default.enable = true; + services.authelia.instances.default.settings.access_control.default_policy = "one_factor"; + services.authelia.instances.default.settings.log.format = "text"; + services.authelia.instances.default.settings.log.level = "info"; + services.authelia.instances.default.settings.notifier.filesystem.filename = "/var/lib/authelia-default/notifier.txt"; + services.authelia.instances.default.settings.server.host = "0.0.0.0"; + services.authelia.instances.default.settings.server.port = 9091; + services.authelia.instances.default.settings.session.domain = appConfig.domain; + services.authelia.instances.default.settings.storage.local.path = "/var/lib/authelia-default/storage.sqlite3"; + } + # configure secrets + { + services.authelia.instances.default.secrets.manual = true; + systemd.services.authelia-default.environment.AUTHELIA_JWT_SECRET_FILE = "%d/jwtSecret"; + systemd.services.authelia-default.environment.AUTHELIA_SESSION_SECRET_FILE = "%d/sessionSecret"; + systemd.services.authelia-default.environment.AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "%d/storageEncryptionKey"; + systemd.services.authelia-default.serviceConfig.LoadCredential = [ + "jwtSecret:jwtSecret" + "sessionSecret:sessionSecret" + "storageEncryptionKey:storageEncryptionKey" + ]; + } + # configure users + { + services.authelia.instances.default.settings.authentication_backend.file.path = "/var/lib/authelia-default/users.yaml"; + services.authelia.instances.default.settings.authentication_backend.file.watch = true; + + systemd.services.authelia-default-users.before = [ "authelia-default.service" ]; + systemd.services.authelia-default-users.environment.CREDENTIALS_DIRECTORY = "%d"; + systemd.services.authelia-default-users.serviceConfig.Group = "authelia-default"; + systemd.services.authelia-default-users.serviceConfig.LoadCredential = lib.mapAttrsToList (username: attrs: "${username}:${username}.password") appConfig.users; + systemd.services.authelia-default-users.serviceConfig.User = "authelia-default"; + systemd.services.authelia-default-users.wantedBy = [ "authelia-default.service" ]; + + # TODO password is used on command line + # + # @topic apps/authelia + systemd.services.authelia-default-users.script = "${pkgs.writers.writeDashBin "script" '' + set -efu + umask 0177 + PATH=${lib.makeBinPath [ pkgs.authelia pkgs.coreutils pkgs.jq pkgs.json2yaml ]} + users=$( + echo ${lib.escapeShellArg (lib.generators.toJSON {} (lib.attrValues appConfig.users))} | jq -c .[] | while read -r account; do + username=$(echo "$account" | jq -r .username) + passwordFile=$(echo "$account" | jq -r .passwordFile) + hashedPassword=$(authelia crypto hash generate argon2 --password "$(cat "$CREDENTIALS_DIRECTORY"/"$username")" | cut -d' ' -f2-) + jq -cn \ + --arg username "$username" \ + --arg password "$hashedPassword" \ + '{ key: $username, value: { displayname: $username, $password } }' + done | + jq -s from_entries + ) + jq -cn --argjson users "$users" '{ $users }' | + json2yaml > /var/lib/authelia-default/users.yaml + ''}/bin/script"; + } +] |