{ pkgs, lib, config, ... }: with lib; let cfg = config.luj.authelia; in { options.luj.authelia = { enable = mkEnableOption "enable authelia"; }; config = mkIf cfg.enable { virtualisation.docker.enable = true; virtualisation.oci-containers.containers."authelia" = { image = "authelia/authelia"; environment = { "TZ" = "Europe/Paris"; }; volumes = [ "/srv/authelia:/config/" ]; ports = [ "9091:9091" ]; }; services.nginx.appendHttpConfig = '' server { server_name auth.julienmalka.me; listen 80; return 301 https://$server_name$request_uri; } server { server_name auth.julienmalka.me; listen 443 ssl http2; location / { set $upstream_authelia http://127.0.0.1:9091; proxy_pass $upstream_authelia; client_body_buffer_size 128k; #Timeout if the real server is dead proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Advanced Proxy Config send_timeout 5m; proxy_read_timeout 360; proxy_send_timeout 360; proxy_connect_timeout 360; # Basic Proxy Config proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Forwarded-Uri $request_uri; proxy_set_header X-Forwarded-Ssl on; proxy_redirect http:// $scheme://; proxy_http_version 1.1; proxy_set_header Connection ""; proxy_cache_bypass $cookie_session; proxy_no_cache $cookie_session; proxy_buffers 64 256k; # If behind reverse proxy, forwards the correct IP set_real_ip_from 10.0.0.0/8; set_real_ip_from 172.0.0.0/8; set_real_ip_from 192.168.0.0/16; set_real_ip_from fc00::/7; real_ip_header X-Forwarded-For; real_ip_recursive on; } } ''; }; }