# services/authelia.nix — Native Authelia SSO
# Secrets live in /var/secrets/authelia (root:authelia-main, 640) — see readme.
{ config, lib, pkgs, ... }:

let
  # Parent domain; every protected service below is a subdomain of it.
  baseDomain = "nordhammer.it";

  # Subdomains placed behind the Authelia portal. Order is kept as-is because
  # Authelia evaluates access-control rules top to bottom.
  protectedHosts = [
    "frigate"
    "camera"
    "homepage"
    "7dtd"
    "adguard"
    "sonarr"
    "radarr"
    "bazarr"
    "prowlarr"
    "torrent"
    "profilarr"
    "sabnzbd"
    "code"
    "notes"
  ];

  # Builds one access-control rule for a subdomain.
  # NOTE(review): every rule is password-only (one_factor). Hosts that expose
  # an admin panel or an editor (e.g. adguard, code) may warrant two_factor —
  # confirm against the threat model before relying on this.
  mkRule = host: {
    domain = "${host}.${baseDomain}";
    policy = "one_factor";
  };
in
{
  # Only applied on the media server; other hosts importing this module get nothing.
  config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
    services.authelia.instances.main = {
      enable = true;

      # Secrets are referenced by path and read at runtime. Keep these as
      # strings: a bare Nix path literal can end up copied into the
      # world-readable Nix store.
      secrets.jwtSecretFile = "/var/secrets/authelia/jwt_secret";
      secrets.storageEncryptionKeyFile = "/var/secrets/authelia/storage_encryption_key";
      secrets.sessionSecretFile = "/var/secrets/authelia/session_secret";

      settings = {
        theme = "dark";

        # Loopback only: the portal is not reachable from the network unless
        # something on this host (presumably a reverse proxy) forwards to it.
        server.address = "tcp://127.0.0.1:9091/";

        log.level = "info";
        log.format = "text";

        # File-based user database; it holds the password hashes.
        authentication_backend.file.path = "/var/lib/authelia-main/users_database.yml";

        # Anything not matched by a rule is rejected.
        access_control.default_policy = "deny";
        access_control.rules = map mkRule protectedHosts;

        session = {
          # The cookie is scoped to the parent domain, so one login covers
          # every subdomain listed above.
          cookies = [
            {
              domain = baseDomain;
              authelia_url = "https://auth.${baseDomain}";
            }
          ];
          expiration = "12h";
          inactivity = "2h";
        };

        storage.local.path = "/var/lib/authelia-main/db.sqlite3";

        # Notifications are written to a local file instead of being mailed.
        # NOTE(review): anything Authelia would normally e-mail (such as
        # identity-verification links) then lands in this file, so its
        # permissions should stay tight — confirm.
        notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
      };
    };
  };
}