{ nixhelm, system, config, lib, ... }: { options.authelia.enable = lib.mkEnableOption "authelia"; config = lib.mkIf config.authelia.enable { kubernetes = { helm.releases.authelia = { chart = nixhelm.chartsDerivations.${system}.authelia.authelia; includeCRDs = true; namespace = "authelia"; values = { pod = { kind = "Deployment"; replicas = 1; extraVolumes = [ { name = "data"; persistentVolumeClaim.claimName = "data"; } ]; extraVolumeMounts = [ { name = "data"; mountPath = "/storage"; } ]; }; secret.additionalSecrets.authelia.items = [ { key = "storage"; path = "storage"; } { key = "session"; path = "session"; } { key = "users"; path = "users"; } { key = "smtpPassword"; path = "smtpPassword"; } { key = "oidc_hmac_secret"; path = "oidc_hmac_secret"; } { key = "oidc_jwk_rs256_private"; path = "oidc.jwk.RS256.pem"; } { key = "freshrss_client_secret"; path = "freshrss_client_secret"; } ]; configMap = { identity_providers.oidc = { enabled = true; hmac_secret = { secret_name = "authelia"; path = "oidc_hmac_secret"; }; jwks = [ { algorithm = "RS256"; key.path = "/secrets/authelia/oidc.jwk.RS256.pem"; } ]; clients = [ { client_id = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44"; client_name = "FreshRSS"; client_secret.path = "/secrets/authelia/freshrss_client_secret"; public = false; authorization_policy = "two_factor"; redirect_uris = ["https://rss.kun.is:443/i/oidc/"]; scopes = ["openid" "groups" "email" "profile"]; userinfo_signed_response_alg = "none"; token_endpoint_auth_method = "client_secret_basic"; consent_mode = "implicit"; } ]; }; access_control = { default_policy = "one_factor"; rules = [ { domain = "cyberchef.kun.is"; policy = "two_factor"; } ]; }; authentication_backend = { password_reset.disable = true; ldap.enabled = false; file = { enabled = true; path = "/secrets/authelia/users"; search.email = true; password.algorithm = "argon2"; }; }; storage = { encryption_key = { secret_name = "authelia"; path = "storage"; }; local = { enabled = true; path = "/storage/database.sqlite"; }; }; session = { encryption_key = { secret_name = "authelia"; path = "session"; }; cookies = [ { domain = "kun.is"; subdomain = "auth"; } ]; }; notifier = { filesystem.enabled = false; smtp = { enabled = true; address = "submission://mail.smtp2go.com:2525"; identifier = "auth.kun.is"; sender = "Authelia "; username = "uxY88HYzbBTAoWYm4PUxpT76u"; password = { secret_name = "authelia"; path = "smtpPassword"; }; }; }; }; }; }; resources = { deployments.authelia.spec = { strategy = { type = "RollingUpdate"; rollingUpdate = { maxSurge = lib.mkForce 0; maxUnavailable = lib.mkForce 1; }; }; }; secrets.authelia.stringData = { storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage"; session = "ref+sops://secrets.yml#/authelia/encryption_keys/session"; smtpPassword = "ref+sops://secrets.yml#/authelia/smtpPassword"; users = "ref+sops://secrets.yml#/authelia/users"; oidc_hmac_secret = "ref+sops://secrets.yml#/authelia/oidc/hmac_secret"; oidc_jwk_rs256_private = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/private"; oidc_jwk_rs256_public = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/public"; freshrss_client_secret = "ref+sops://secrets.yml#/authelia/oidc/freshrss_client_secret"; }; }; }; lab = { ingresses.authelia = { host = "auth.kun.is"; service = { name = "authelia"; portName = "http"; }; }; longhorn.persistentVolumeClaim.data = { volumeName = "authelia"; storage = "100Mi"; }; }; }; }