{ nixhelm, system, config, lib, ... }:
let
  cfg = config.authelia;
  inherit (lib) mkEnableOption mkIf;

  # Chart derivation that nixhelm packages for the current system.
  autheliaChart = nixhelm.chartsDerivations.${system}.authelia.authelia;

  # Authelia's own configuration, passed to the chart's `configMap` values.
  # NOTE(review): by its name this block is rendered into a ConfigMap, and it
  # is evaluated from a Nix module, so nothing in it should be treated as
  # confidential — see the secret-related notes below.
  autheliaConfig = {
    authentication_backend = {
      password_reset.disable = true;
      ldap.enabled = false;
      # Local file backend. The file is delivered by the `users` ConfigMap,
      # which the deployment patch below mounts at exactly this path.
      file = {
        enabled = true;
        # TODO: use better path
        path = "/tmp/users.yml";
        search.email = true;
        password.algorithm = "argon2";
      };
    };

    # Policy applied to any resource without a more specific rule.
    access_control.default_policy = "one_factor";

    storage = {
      # TODO: dummy secret, replace with real one
      # NOTE(review): the value is a hex literal, not a file path, so the key
      # itself lives in this module and in whatever renders it; confirm against
      # the chart's values schema whether `path` is the intended field or a
      # Kubernetes Secret reference should be used instead.
      encryption_key.path = "0921087eca242aa4c0f7b27ea60c028824278d7fd937c820bad99acd30417fa2fd8979db857c05aa122b0160b807c13966420608b686a30dcc4226edfe90f2e8";
      local = {
        enabled = true;
        # NOTE(review): nothing in the deployment patch below mounts a volume
        # here, so unless the `lab.longhorn` module wires the `authelia` PVC
        # in automatically this database is lost on pod restart — confirm.
        path = "/tmp/storage"; # TODO
      };
    };

    session = {
      # TODO: dummy secret, replace with real one
      # NOTE(review): same concern as the storage key above — hex literal in
      # a field named `path`.
      encryption_key.path = "5944384e70449aecbe6e8f314ca7f5cc4e684e84909d40a94f2c3950a06a9eed32489b2be96b6b2cd45e3a1eb37f940a5aac00c718e92e6316ac64bd94235288";
      # Session cookie scoped to kun.is, issued from auth.kun.is (matches the
      # ingress host declared below).
      cookies = [
        {
          domain = "kun.is";
          subdomain = "auth";
        }
      ];
    };

    notifier.filesystem = {
      enabled = true;
      # TODO: switch to SMTP
      # Notifications (e.g. reset links) are appended to a file inside the
      # container rather than delivered to the user.
      filename = "/tmp/notifications.txt";
    };
  };

  # Users file for the `file` authentication backend, generated as YAML.
  # TODO: replace with secret and encrypt it
  # NOTE(review): this carries a password hash, yet is stored in a ConfigMap,
  # which Kubernetes does not treat as sensitive data.
  usersFile = lib.generators.toYAML {} {
    users.pim = {
      disabled = false;
      displayname = "Pim Kunis";
      password = "$argon2id$v=19$m=65536,t=3,p=4$Jd7fqxpvxt5CAG4ve1U9ag$U+dGYgYY6kOsDfkbpKqREp3Hhl6lNf9UOAOuX2ACsAI";
      groups = [ "admins" ];
    };
  };
in
{
  options.authelia.enable = mkEnableOption "authelia";

  config = mkIf cfg.enable {
    kubernetes = {
      helm.releases.authelia = {
        chart = autheliaChart;
        includeCRDs = true;
        namespace = "authelia";
        values = {
          pod = {
            kind = "Deployment";
            replicas = 1;
          };
          configMap = autheliaConfig;
        };
      };

      resources = {
        configMaps.users.data.users = usersFile;

        # Patch the chart's deployment so the users ConfigMap appears as a
        # single file at the path the file backend reads.
        deployments.authelia.spec.template.spec = {
          volumes.users.configMap.name = "users";
          containers.authelia.volumeMounts = [
            {
              name = "users";
              mountPath = "/tmp/users.yml";
              subPath = "users";
            }
          ];
        };
      };
    };

    lab = {
      ingresses.authelia = {
        host = "auth.kun.is";
        service = {
          name = "authelia";
          portName = "http";
        };
      };

      # Persistent volume claimed for Authelia; see the note on
      # `storage.local.path` about whether it is actually mounted.
      longhorn.persistentVolumeClaim.data = {
        volumeName = "authelia";
        storage = "100Mi";
      };
    };
  };
}