
# services/authelia.nix — Native Authelia SSO
# Secrets live in /var/secrets/authelia (root:authelia-main, 640) — see readme.
{ config, lib, pkgs, ... }:
let
  # Only this host gets the Authelia instance; on any other host the module
  # contributes nothing (see the lib.mkIf below).
  targetHost = "FredOS-Mediaserver";

  # Plain strings, not Nix path literals, so the secret files themselves are
  # not copied into the Nix store; only these paths end up in the config.
  secretsDir = "/var/secrets/authelia";
  stateDir = "/var/lib/authelia-main";

  baseDomain = "nordhammer.it";

  # Subdomains that get an explicit access-control rule, in rule order.
  protectedHosts = [
    "frigate"
    "camera"
    "homepage"
    "7dtd"
    "adguard"
    "sonarr"
    "radarr"
    "bazarr"
    "prowlarr"
    "torrent"
    "profilarr"
    "sabnzbd"
    "code"
    "notes"
    "selkies"
  ];

  # Every listed host is gated by a single factor (username + password).
  # NOTE(review): names such as code, adguard and selkies look like
  # admin or remote-access surfaces; confirm whether "two_factor" is
  # wanted for those before relying on this policy.
  mkRule = host: {
    domain = "${host}.${baseDomain}";
    policy = "one_factor";
  };
in
{
  config = lib.mkIf (config.networking.hostName == targetHost) {
    services.authelia.instances.main = {
      enable = true;

      secrets = {
        jwtSecretFile = "${secretsDir}/jwt_secret";
        storageEncryptionKeyFile = "${secretsDir}/storage_encryption_key";
        sessionSecretFile = "${secretsDir}/session_secret";
      };

      settings = {
        theme = "dark";

        # Loopback only: the portal is not reachable from the network
        # directly, so something local (presumably a reverse proxy, not
        # shown here) has to front it.
        server = {
          address = "tcp://127.0.0.1:9091/";
        };

        log = {
          level = "info";
          format = "text";
        };

        # File-based user database kept in the service state directory.
        authentication_backend = {
          file.path = "${stateDir}/users_database.yml";
        };

        access_control = {
          # Anything that matches no rule below is refused.
          default_policy = "deny";
          rules = map mkRule protectedHosts;
        };

        session = {
          # One cookie scoped to the parent domain, with the portal at
          # auth.<baseDomain>.
          cookies = [
            {
              domain = baseDomain;
              authelia_url = "https://auth.${baseDomain}";
            }
          ];
          # Hard session lifetime, and the idle timeout inside it.
          expiration = "12h";
          inactivity = "2h";
        };

        storage = {
          local.path = "${stateDir}/db.sqlite3";
        };

        # Notifications are written to a local file instead of being sent
        # out; whatever Authelia would otherwise send to a user lands here,
        # so the file deserves the same care as the secrets above.
        notifier = {
          filesystem.filename = "${stateDir}/notification.txt";
        };
      };
    };
  };
}