From 90e2e3e9bb503956bace3537c3daf47be5449c54 Mon Sep 17 00:00:00 2001
From: Julien Malka <julien.malka@me.com>
Date: Thu, 10 Mar 2022 15:22:54 +0100
Subject: [PATCH] Updated authelia : still not in prod

---
 ...{configuration.yml => authelia-config.nix} |  30 +++--
 modules/authelia/{ => config}/users.yml       |   0
 modules/authelia/default.nix                  | 126 ++++++++++--------
 3 files changed, 92 insertions(+), 64 deletions(-)
 rename modules/authelia/{configuration.yml => authelia-config.nix} (59%)
 rename modules/authelia/{ => config}/users.yml (100%)

diff --git a/modules/authelia/configuration.yml b/modules/authelia/authelia-config.nix
similarity index 59%
rename from modules/authelia/configuration.yml
rename to modules/authelia/authelia-config.nix
index 8b9a623..f49130e 100644
--- a/modules/authelia/configuration.yml
+++ b/modules/authelia/authelia-config.nix
@@ -1,16 +1,21 @@
-host: 0.0.0.0
-port: 9091
+# Taken from 'config.template.yml' for Authelia v4.32.2.
+# Update along with 'pkgs/authelia.nix'.
+
+{ cfg }:
+''
 server:
+  host: 0.0.0.0
+  port: 9091
   read_buffer_size: 4096
   write_buffer_size: 4096
   path: "authelia"
-log_level: debug
+log.level: debug
 jwt_secret: somethingsomethingrandomrecret
-default_redirection_url: https://auth.julienmalka.me
+default_redirection_url: https://autheliafailed.julienmalka.me
 authentication_backend:
   disable_reset_password: false
   file:
-    path: /config/users_database.yml
+    path: ${./config/users.yml}
     password:
       algorithm: argon2id
       iterations: 1
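Review bot: `host: 0.0.0.0` on the new side binds the listener on every interface of the host now that the Docker container (removed further down in this patch) no longer isolates it, while nginx only ever talks to `127.0.0.1:9091`; `host: 127.0.0.1` keeps the portal unreachable except through the TLS vhost, which also matters because Authelia appears to derive the client address from `X-Forwarded-For`, so a direct connection could presumably spoof it against `regulation`. The second new point is `path: ${./config/users.yml}`: interpolating the file copies the users database, password hashes included, into the world-readable Nix store, and the store is immutable, so the `disable_reset_password: false` on the context line above presumably cannot update it. Pointing the backend at the service's state directory instead, `path: /var/lib/authelia/users.yml`, and provisioning that file out of band with mode 0600 avoids both problems. The placeholder `jwt_secret` on the context line likewise has to become a real random value before this leaves the "still not in prod" state.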
@@ -18,19 +23,24 @@ authentication_backend:
       salt_length: 16
       memory: 512
       parallelism: 8
+      
 access_control:
   default_policy: deny
   rules:
     - domain:
-      - series.julienmalka.me
+        - "auth.julienmalka.me"
+      policy: bypass
+    - domain:
+        - "series.julienmalka.me"
       policy: one_factor
+ 
 session:
   name: authelia_session
   secret: somerandomsecret
   expiration: 1h
   inactivity: 5m
   remember_me_duration: 1M
-  domain: series.julienmalka.me
+  domain: julienmalka.me
 regulation:
   max_retries: 3
   find_time: 2m
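Review bot: Changing `domain: series.julienmalka.me` to `domain: julienmalka.me` scopes the `authelia_session` cookie to the whole apex, so the browser sends it to every subdomain, including any host that is not behind Authelia; a compromised or misconfigured subdomain could then read or replay the session. That is the normal prerequisite for SSO across subdomains, but it deserves an inline comment stating the intent, e.g. `# apex-scoped on purpose: the session cookie is shared by every *.julienmalka.me service`, and it raises the stakes of the `secret: somerandomsecret` placeholder two lines above, which must be a real random value before production. The new `bypass` rule for `auth.julienmalka.me` is the expected exemption for the portal itself.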
@@ -38,8 +48,10 @@ regulation:
 storage:
   encryption_key: a_very_important_secret
   local:
-    path: /config/db.sqlite3
+    path: /var/lib/authelia/storage.db
 notifier:
   disable_startup_check: false
   filesystem:
-    filename: /config/notification.txt
+    filename: /var/lib/authelia/notification.txt
+''
+
diff --git a/modules/authelia/users.yml b/modules/authelia/config/users.yml
similarity index 100%
rename from modules/authelia/users.yml
rename to modules/authelia/config/users.yml
diff --git a/modules/authelia/default.nix b/modules/authelia/default.nix
index a778f81..16fd262 100644
--- a/modules/authelia/default.nix
+++ b/modules/authelia/default.nix
@@ -1,6 +1,8 @@
 { pkgs, lib, config, ... }:
 with lib; let
   cfg = config.luj.authelia;
+  autheliaConfig = pkgs.writeText "authelia-config.yml"
+    (import ./authelia-config.nix { inherit cfg; });
 in
 {
   options.luj.authelia = {
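Review bot: `pkgs.writeText "authelia-config.yml"` renders the configuration — including the literal `jwt_secret`, `session.secret` and `storage.encryption_key` from authelia-config.nix — into `/nix/store`, which is world-readable on the host and ends up in any binary cache the system is pushed to. Even placeholder values should not be committed this way, because the pattern will carry over unchanged when real secrets are filled in. Authelia can read each of these from a file via environment variables such as `AUTHELIA_JWT_SECRET_FILE`, `AUTHELIA_SESSION_SECRET_FILE` and `AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE` (verify against the v4.32.2 docs the header comment cites); drop the keys from the rendered YAML and point those variables at 0600 files under the `StateDirectory` declared later in this patch, e.g. `Environment = [ "AUTHELIA_JWT_SECRET_FILE=/var/lib/authelia/jwt_secret" ];`. A comment on `autheliaConfig` saying that nothing secret may be interpolated into it would keep the next contributor from reintroducing the problem.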
@@ -8,72 +10,86 @@ in
   };
   config = mkIf cfg.enable {
 
-    virtualisation.docker.enable = true;
-    virtualisation.oci-containers.containers."authelia" = {
-      image = "authelia/authelia";
-      environment = {
-        "TZ" = "Europe/Paris";
-      };
-      volumes = [
-        "/srv/authelia:/config/"
-      ];
+    systemd = {
+      services.authelia = {
 
-      ports = [ "9091:9091" ];
+
+        serviceConfig = {
+          User = "authelia";
+
+          StateDirectory = "authelia";
+          RuntimeDirectory = "authelia";
+          StateDirectoryMode = "0700";
+          RuntimeDirectoryMode = "0700";
+
+        };
+
+        script = ''
+          exec ${pkgs.authelia}/bin/authelia --config ${autheliaConfig}  
+        '';
+      };
 
     };
 
-    services.nginx.appendHttpConfig = ''
-        server {
-            server_name auth.julienmalka.me;
-            listen 80;
-            return 301 https://$server_name$request_uri;
-        }
+    users = {
+      users.authelia = {
+        group = "authelia";
+        isSystemUser = true;
+      };
 
-        server {
-            server_name auth.julienmalka.me;
-            listen 443 ssl http2;
+      groups.authelia = {
+        members = [ "nginx" ];
+      };
+    };
 
-            location / {
-                set $upstream_authelia http://127.0.0.1:9091;
-                proxy_pass $upstream_authelia;
 
-                client_body_buffer_size 128k;
 
-                #Timeout if the real server is dead
-                proxy_next_upstream error timeout invalid_header http_500 http_502     http_503;
 
-                # Advanced Proxy Config
-                send_timeout 5m;
-                proxy_read_timeout 360;
-                proxy_send_timeout 360;
-                proxy_connect_timeout 360;
+    services.nginx.virtualHosts."auth.julienmalka.me" = {
+      enableACME = true;
+      forceSSL = true;
+      locations."/" = {
+        extraConfig = ''
+          set $upstream_authelia http://127.0.0.1:9091;
+          proxy_pass $upstream_authelia;
 
-                # Basic Proxy Config
-                proxy_set_header Host $host;
-                proxy_set_header X-Real-IP $remote_addr;
-                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-                proxy_set_header X-Forwarded-Proto $scheme;
-                proxy_set_header X-Forwarded-Host $http_host;
-                proxy_set_header X-Forwarded-Uri $request_uri;
-                proxy_set_header X-Forwarded-Ssl on;
-                proxy_redirect  http://  $scheme://;
-                proxy_http_version 1.1;
-                proxy_set_header Connection "";
-                proxy_cache_bypass $cookie_session;
-                proxy_no_cache $cookie_session;
-                proxy_buffers 64 256k;
+          client_body_buffer_size 128k;
 
-                # If behind reverse proxy, forwards the correct IP
-                set_real_ip_from 10.0.0.0/8;
-                set_real_ip_from 172.0.0.0/8;
-                set_real_ip_from 192.168.0.0/16;
-                set_real_ip_from fc00::/7;
-                real_ip_header X-Forwarded-For;
-                real_ip_recursive on;
-            }
-        }
-      '';
-    
+          #Timeout if the real server is dead
+          proxy_next_upstream error timeout invalid_header http_500 http_502     http_503;
+
+          # Advanced Proxy Config
+          send_timeout 5m;
+          proxy_read_timeout 360;
+          proxy_send_timeout 360;
+          proxy_connect_timeout 360;
+
+          # Basic Proxy Config
+          proxy_set_header Host $host;
+          proxy_set_header X-Real-IP $remote_addr;
+          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+          proxy_set_header X-Forwarded-Proto $scheme;
+          proxy_set_header X-Forwarded-Host $http_host;
+          proxy_set_header X-Forwarded-Uri $request_uri;
+          proxy_set_header X-Forwarded-Ssl on;
+          proxy_redirect  http://  $scheme://;
+          proxy_http_version 1.1;
+          proxy_set_header Connection "";
+          proxy_cache_bypass $cookie_session;
+          proxy_no_cache $cookie_session;
+          proxy_buffers 64 256k;
+
+          # If behind reverse proxy, forwards the correct IP
+          set_real_ip_from 10.0.0.0/8;
+          set_real_ip_from 172.0.0.0/8;
+          set_real_ip_from 192.168.0.0/16;
+          set_real_ip_from fc00::/7;
+          real_ip_header X-Forwarded-For;
+          real_ip_recursive on;
+
+        '';
+      };
+    };
 
   };
 }
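Review bot: `set_real_ip_from 172.0.0.0/8;` in the re-added location block trusts `X-Forwarded-For` from far more than the RFC 1918 range — 172.0.0.0 through 172.15.255.255 and 172.32.0.0 upward are public — so a client in those ranges could present an arbitrary `X-Forwarded-For` and have nginx, and therefore Authelia's `regulation` bans and any network-based rules, see a spoofed source address; the private block is `set_real_ip_from 172.16.0.0/12;`. If nothing actually sits in front of this nginx, the whole `set_real_ip_from`/`real_ip_header` group should go, since its own comment only says "If behind reverse proxy". Separately, `groups.authelia.members = [ "nginx" ]` grants nginx nothing useful here — the proxy talks TCP to `127.0.0.1:9091` and both service directories are mode `0700` — so it is unneeded privilege and can be dropped. The new unit also carries no sandboxing (`ProtectSystem = "strict"`, `ProtectHome = true`, `PrivateTmp = true`, `NoNewPrivileges = true`), which is cheap to add for a service that only needs its state and runtime directories.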