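# NixOS module: runs Authelia as a locked-down system service and fronts it
# with an nginx virtual host on auth.julienmalka.me.
{ pkgs, lib, config, ... }:
with lib;
let
  cfg = config.luj.authelia;

  # Rendered Authelia configuration file.
  # NOTE(review): writeText stores this file in the world-readable Nix store,
  # so ./authelia-config.nix must not inline secrets (JWT/session/storage keys,
  # SMTP or LDAP credentials); Authelia can read those from files or
  # environment variables outside the store instead -- confirm against
  # authelia-config.nix.
  autheliaConfig = pkgs.writeText "authelia-config.yml"
    (import ./authelia-config.nix { inherit cfg; });
in
{
  options.luj.authelia = {
    enable = mkEnableOption "enable authelia";
  };

  config = mkIf cfg.enable {
    systemd.services.authelia = {
      description = "Authelia authentication and authorization server";
      # Without wantedBy the unit is only defined, never started at boot, and
      # nginx's proxy_pass below would have nothing to talk to.
      wantedBy = [ "multi-user.target" ];
      after = [ "network.target" ];
      serviceConfig = {
        # Dedicated unprivileged user; state and runtime dirs are created by
        # systemd and kept private to it (0700).
        User = "authelia";
        StateDirectory = "authelia";
        RuntimeDirectory = "authelia";
        StateDirectoryMode = "0700";
        RuntimeDirectoryMode = "0700";
      };
      script = ''
        exec ${pkgs.authelia}/bin/authelia --config ${autheliaConfig}
      '';
    };

    users = {
      users.authelia = {
        group = "authelia";
        isSystemUser = true;
      };
      # nginx is placed in the authelia group; the proxy below talks TCP to
      # 127.0.0.1:9091, so this membership is not needed for that path --
      # presumably kept for socket/file access elsewhere; verify.
      groups.authelia = {
        members = [ "nginx" ];
      };
    };

    # nginx terminates TLS (ACME certificate, HTTP forced to HTTPS) and
    # forwards everything to the local Authelia listener.
    services.nginx.virtualHosts."auth.julienmalka.me" = {
      enableACME = true;
      forceSSL = true;
      locations."/" = {
        extraConfig = ''
          set $upstream_authelia http://127.0.0.1:9091;
          proxy_pass $upstream_authelia;
          client_body_buffer_size 128k;
          #Timeout if the real server is dead
          proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
          # Advanced Proxy Config
          send_timeout 5m;
          proxy_read_timeout 360;
          proxy_send_timeout 360;
          proxy_connect_timeout 360;
          # Basic Proxy Config
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;
          proxy_set_header X-Forwarded-Host $http_host;
          proxy_set_header X-Forwarded-Uri $request_uri;
          proxy_set_header X-Forwarded-Ssl on;
          proxy_redirect http:// $scheme://;
          proxy_http_version 1.1;
          proxy_set_header Connection "";
          proxy_cache_bypass $cookie_session;
          proxy_no_cache $cookie_session;
          proxy_buffers 64 256k;
          # If behind reverse proxy, forwards the correct IP.
          # X-Forwarded-For is only honoured when the connecting peer is in one
          # of these ranges; any other peer keeps its real $remote_addr, so a
          # client on the public internet cannot spoof its address to Authelia.
          set_real_ip_from 10.0.0.0/8;
          # RFC 1918 private space is 172.16.0.0/12; the previous 172.0.0.0/8
          # also trusted publicly routable addresses.
          set_real_ip_from 172.16.0.0/12;
          set_real_ip_from 192.168.0.0/16;
          set_real_ip_from fc00::/7;
          real_ip_header X-Forwarded-For;
          real_ip_recursive on;
        '';
      };
    };
  };
}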