nix-dotfiles-v2/modules/authelia.nix

{
  config,
  pkgs,
  lib,
  ...
}:
{
  sops.secrets."authelia/usersFile" = {
    owner = "authelia-main";
    group = "authelia-main";
    mode = "0400";
  };
  sops.secrets."authelia/jwtSecretFile" = {
    owner = "authelia-main";
    group = "authelia-main";
    mode = "0400";
  };
  sops.secrets."authelia/storageEncryptionKeyFile" = {
    owner = "authelia-main";
    group = "authelia-main";
    mode = "0400";
  };
  sops.secrets."authelia/sessionSecretFile" = {
    owner = "authelia-main";
    group = "authelia-main";
    mode = "0400";
  };

  services.authelia.instances.main = {
    enable = true;
    secrets.storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKeyFile".path;
    secrets.jwtSecretFile = config.sops.secrets."authelia/jwtSecretFile".path;
    secrets.sessionSecretFile = config.sops.secrets."authelia/sessionSecretFile".path;

    settings = {
      theme = "dark";
      default_2fa_method = "totp";
      log.level = "warn";
      server.disable_healthcheck = false;
      server.address = "tcp://0.0.0.0:9091/";

      authentication_backend = {
        file = {
          path = lib.mkDefault config.sops.secrets."authelia/usersFile".path;
        };
      };
      session = {
        cookies = [
          {
            domain = "lauterer.it";
            authelia_url = "https://authelia.lauterer.it";
          }
        ];
      };
      access_control = {
        default_policy = "one_factor";
      };
      storage = {
        local = {
          path = lib.mkDefault "/var/lib/authelia/main/db.sqlite3";
        };
      };
      notifier = {
        filesystem = {
          filename = lib.mkDefault "/var/lib/authelia/main/notification.txt";
        };
      };
    };
  };
}