From 597ec76b7cb1527b1df215548a8f50bddccd8606 Mon Sep 17 00:00:00 2001
From: Alexander Foremny
Date: Fri, 23 Feb 2024 08:07:11 +0100
Subject: apps/authelia: init
---
 apps/authelia/module.nix | 61 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 61 insertions(+)
 create mode 100644 apps/authelia/module.nix
(limited to 'apps/authelia/module.nix')
diff --git a/apps/authelia/module.nix b/apps/authelia/module.nix
new file mode 100644
index 0000000..fa4d35d
--- /dev/null
+++ b/apps/authelia/module.nix
@@ -0,0 +1,61 @@
+{ appConfig, lib, pkgs, ... }: lib.mkMerge [
+ # authelia
+ {
+ services.authelia.instances.default.enable = true;
+ services.authelia.instances.default.settings.access_control.default_policy = "one_factor";
+ services.authelia.instances.default.settings.log.format = "text";
+ services.authelia.instances.default.settings.log.level = "info";
+ services.authelia.instances.default.settings.notifier.filesystem.filename = "/var/lib/authelia-default/notifier.txt";
+ services.authelia.instances.default.settings.server.host = "0.0.0.0";
+ services.authelia.instances.default.settings.server.port = 9091;
+ services.authelia.instances.default.settings.session.domain = appConfig.domain;
+ services.authelia.instances.default.settings.storage.local.path = "/var/lib/authelia-default/storage.sqlite3";
+ }
+ # configure secrets
+ {
+ services.authelia.instances.default.secrets.manual = true;
+ systemd.services.authelia-default.environment.AUTHELIA_JWT_SECRET_FILE = "%d/jwtSecret";
+ systemd.services.authelia-default.environment.AUTHELIA_SESSION_SECRET_FILE = "%d/sessionSecret";
+ systemd.services.authelia-default.environment.AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "%d/storageEncryptionKey";
+ systemd.services.authelia-default.serviceConfig.LoadCredential = [
+ "jwtSecret:jwtSecret"
+ "sessionSecret:sessionSecret"
+ "storageEncryptionKey:storageEncryptionKey"
+ ];
+ }
+ # configure users
+ {
+ services.authelia.instances.default.settings.authentication_backend.file.path = "/var/lib/authelia-default/users.yaml";
+ services.authelia.instances.default.settings.authentication_backend.file.watch = true;
+
+ systemd.services.authelia-default-users.before = [ "authelia-default.service" ];
+ systemd.services.authelia-default-users.environment.CREDENTIALS_DIRECTORY = "%d";
+ systemd.services.authelia-default-users.serviceConfig.Group = "authelia-default";
+ systemd.services.authelia-default-users.serviceConfig.LoadCredential = lib.mapAttrsToList (username: attrs: 
"${username}:${username}.password") appConfig.users;
+ systemd.services.authelia-default-users.serviceConfig.User = "authelia-default";
+ systemd.services.authelia-default-users.wantedBy = [ "authelia-default.service" ];
+
+ # TODO password is used on command line
+ #
+ # @topic apps/authelia
+ systemd.services.authelia-default-users.script = "${pkgs.writers.writeDashBin "script" ''
+ set -efu
+ umask 0177
+ PATH=${lib.makeBinPath [ pkgs.authelia pkgs.coreutils pkgs.jq pkgs.json2yaml ]}
+ users=$(
+ echo ${lib.escapeShellArg (lib.generators.toJSON {} (lib.attrValues appConfig.users))} | jq -c .[] | while read -r account; do
+ username=$(echo "$account" | jq -r .username)
+ passwordFile=$(echo "$account" | jq -r .passwordFile)
+ hashedPassword=$(authelia crypto hash generate argon2 --password "$(cat "$CREDENTIALS_DIRECTORY"/"$username")" | cut -d' ' -f2-)
+ jq -cn \
+ --arg username "$username" \
+ --arg password "$hashedPassword" \
+ '{ key: $username, value: { displayname: $username, $password } }'
+ done |
+ jq -s from_entries
+ )
+ jq -cn --argjson users "$users" '{ $users }' |
+ json2yaml > /var/lib/authelia-default/users.yaml
+ ''}/bin/script";
+ }
+]
-- cgit v1.2.3
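Review bot: In the users script the `passwordFile` value is read from each account but never used, and the `attrs` parameter of the `mapAttrsToList` lambda is likewise unused; the credential is instead loaded from `${username}.password`, so either `attrs.passwordFile` was meant to feed `LoadCredential` or the `passwordFile=` line is dead and should go. The script also redirects `json2yaml` output straight onto `/var/lib/authelia-default/users.yaml` while `authentication_backend.file.watch = true` is set, so a reload can observe a truncated or half-written file; write to a sibling temp path and rename instead, e.g. `json2yaml > /var/lib/authelia-default/users.yaml.tmp && mv /var/lib/authelia-default/users.yaml.tmp /var/lib/authelia-default/users.yaml` (coreutils is already on `PATH`). The TODO about the plaintext password in the `authelia crypto hash generate` argument list is well placed: process arguments are readable from the process table for the lifetime of that command, so the hashing step should move off the command line if the CLI offers a file or stdin input for the password, or the TODO should record why it cannot.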