137 lines
3.1 KiB
Nix
137 lines
3.1 KiB
Nix
{
|
|
nixhelm,
|
|
system,
|
|
config,
|
|
lib,
|
|
...
|
|
}: {
|
|
options.authelia.enable = lib.mkEnableOption "authelia";
|
|
|
|
config = lib.mkIf config.authelia.enable {
|
|
kubernetes = {
|
|
helm.releases.authelia = {
|
|
chart = nixhelm.chartsDerivations.${system}.authelia.authelia;
|
|
includeCRDs = true;
|
|
namespace = "authelia";
|
|
|
|
values = {
|
|
pod = {
|
|
kind = "Deployment";
|
|
replicas = 1;
|
|
|
|
extraVolumes = [
|
|
{
|
|
name = "data";
|
|
persistentVolumeClaim.claimName = "data";
|
|
}
|
|
];
|
|
|
|
extraVolumeMounts = [
|
|
{
|
|
name = "data";
|
|
mountPath = "/storage";
|
|
}
|
|
];
|
|
};
|
|
|
|
secret.additionalSecrets.authelia.items = [
|
|
{
|
|
key = "storage";
|
|
path = "storage";
|
|
}
|
|
{
|
|
key = "session";
|
|
path = "session";
|
|
}
|
|
{
|
|
key = "users";
|
|
path = "users";
|
|
}
|
|
];
|
|
|
|
configMap = {
|
|
access_control.default_policy = "one_factor";
|
|
|
|
authentication_backend = {
|
|
password_reset.disable = true;
|
|
ldap.enabled = false;
|
|
|
|
file = {
|
|
enabled = true;
|
|
path = "/secrets/authelia/users";
|
|
search.email = true;
|
|
password.algorithm = "argon2";
|
|
};
|
|
};
|
|
|
|
storage = {
|
|
encryption_key = {
|
|
secret_name = "authelia";
|
|
path = "storage";
|
|
};
|
|
|
|
local = {
|
|
enabled = true;
|
|
path = "/storage/database.sqlite";
|
|
};
|
|
};
|
|
|
|
session = {
|
|
encryption_key = {
|
|
secret_name = "authelia";
|
|
path = "session";
|
|
};
|
|
|
|
cookies = [
|
|
{
|
|
domain = "kun.is";
|
|
subdomain = "auth";
|
|
}
|
|
];
|
|
};
|
|
|
|
notifier.filesystem = {
|
|
enabled = true;
|
|
filename = "/tmp/notifications.txt";
|
|
};
|
|
};
|
|
};
|
|
};
|
|
|
|
resources = {
|
|
deployments.authelia.spec = {
|
|
strategy = {
|
|
type = "RollingUpdate";
|
|
|
|
rollingUpdate = {
|
|
maxSurge = lib.mkForce 0;
|
|
maxUnavailable = lib.mkForce 1;
|
|
};
|
|
};
|
|
};
|
|
|
|
secrets.authelia.stringData = {
|
|
storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage";
|
|
session = "ref+sops://secrets.yml#/authelia/encryption_keys/session";
|
|
users = "ref+sops://secrets.yml#/authelia/users";
|
|
};
|
|
};
|
|
};
|
|
|
|
lab = {
|
|
ingresses.authelia = {
|
|
host = "auth.kun.is";
|
|
|
|
service = {
|
|
name = "authelia";
|
|
portName = "http";
|
|
};
|
|
};
|
|
|
|
longhorn.persistentVolumeClaim.data = {
|
|
volumeName = "authelia";
|
|
storage = "100Mi";
|
|
};
|
|
};
|
|
};
|
|
}
|