# services/authelia.nix — Native Authelia SSO
# Secrets live in /var/secrets/authelia (root:authelia-main, 640) — see readme.
{ config, lib, pkgs, ... }:

let
  # Every protected service is a subdomain of this zone; the session
  # cookie is scoped to it as well.
  baseDomain = "nordhammer.it";

  # Directory holding the secret files the instance reads at start-up
  # (ownership/mode are described in the file header / readme).
  secretsDir = "/var/secrets/authelia";

  # State directory of the "main" instance: user DB, SQLite store, notifier file.
  stateDir = "/var/lib/authelia-main";

  # Hosts placed behind Authelia forward-auth with a password-only
  # ("one_factor") policy.  Intentionally absent, per the commit that added
  # the *arr entries: jellyfin (streamed to remote clients) and the
  # auth portal itself (it is the login gate).
  oneFactorHosts = [
    "frigate"
    "camera"
    "homepage"
    "7dtd"
    "adguard"
    "sonarr"
    "radarr"
    "bazarr"
    "prowlarr"
    "torrent"
    "profilarr"
    "sabnzbd"
    "code"
    "notes"
    "neko"
  ];

  # Build one access-control rule for a host under baseDomain.
  oneFactorRule = host: {
    domain = "${host}.${baseDomain}";
    policy = "one_factor";
  };
in
{
  # The SSO instance is only defined on the media server host.
  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
    services.authelia.instances.main = {
      enable = true;

      secrets = {
        jwtSecretFile = "${secretsDir}/jwt_secret";
        storageEncryptionKeyFile = "${secretsDir}/storage_encryption_key";
        sessionSecretFile = "${secretsDir}/session_secret";
      };

      settings = {
        theme = "dark";

        # Listen on loopback only; presumably a reverse proxy on this host
        # terminates TLS and forwards to port 9091 — confirm against the
        # proxy configuration.
        server.address = "tcp://127.0.0.1:9091/";

        log = {
          level = "info";
          format = "text";
        };

        # Local YAML user database (file backend, no LDAP).
        authentication_backend.file.path = "${stateDir}/users_database.yml";

        access_control = {
          # Any request whose domain matches no rule below is refused.
          default_policy = "deny";
          rules = map oneFactorRule oneFactorHosts;
        };

        session = {
          cookies = [{
            domain = baseDomain;
            authelia_url = "https://auth.${baseDomain}";
          }];
          # Absolute session lifetime, and the idle timeout within it.
          expiration = "12h";
          inactivity = "2h";
        };

        storage.local.path = "${stateDir}/db.sqlite3";

        # Notifications are written to a local file instead of being sent
        # by email.
        notifier.filesystem.filename = "${stateDir}/notification.txt";
      };
    };
  };
}