home/kubernetes-deployments
2
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions
kubernetes-deployments/modules/authelia.nix

210 lines
5.6 KiB
Nix
Raw Blame History

{
nixhelm,
system,
config,
lib,
...
}: {
options.authelia.enable = lib.mkEnableOption "authelia";
config = lib.mkIf config.authelia.enable {
kubernetes = {
helm.releases.authelia = {
chart = nixhelm.chartsDerivations.${system}.authelia.authelia;
includeCRDs = true;
namespace = "authelia";
values = {
pod = {
kind = "Deployment";
replicas = 1;
extraVolumes = [
{
name = "data";
persistentVolumeClaim.claimName = "data";
}
];
extraVolumeMounts = [
{
name = "data";
mountPath = "/storage";
}
];
};
secret.additionalSecrets.authelia.items = [
{
key = "storage";
path = "storage";
}
{
key = "session";
path = "session";
}
{
key = "users";
path = "users";
}
{
key = "smtpPassword";
path = "smtpPassword";
}
{
key = "oidc_hmac_secret";
path = "oidc_hmac_secret";
}
{
key = "oidc_jwk_rs256_private";
path = "oidc.jwk.RS256.pem";
}
{
key = "freshrss_client_secret";
path = "freshrss_client_secret";
}
];
configMap = {
identity_providers.oidc = {
enabled = true;
hmac_secret = {
secret_name = "authelia";
path = "oidc_hmac_secret";
};
jwks = [
{
algorithm = "RS256";
key.path = "/secrets/authelia/oidc.jwk.RS256.pem";
}
];
clients = [
{
client_id = "HDp48U5TaX-3gWKNEfHx5ea2C7gfaQm-OsSWREq4WTzln56IBGy.rT61lq9rF-LTZFlWOd44";
client_name = "FreshRSS";
client_secret.path = "/secrets/authelia/freshrss_client_secret";
public = false;
authorization_policy = "two_factor";
redirect_uris = ["https://freshrss.griffin-mermaid.ts.net/i/oidc/"];
scopes = ["openid" "groups" "email" "profile"];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
consent_mode = "implicit";
}
];
};
access_control = {
default_policy = "one_factor";
rules = [
{
domain = "cyberchef.kun.is";
policy = "two_factor";
}
];
};
authentication_backend = {
password_reset.disable = true;
ldap.enabled = false;
file = {
enabled = true;
path = "/secrets/authelia/users";
search.email = true;
password.algorithm = "argon2";
};
};
storage = {
encryption_key = {
secret_name = "authelia";
path = "storage";
};
local = {
enabled = true;
path = "/storage/database.sqlite";
};
};
session = {
encryption_key = {
secret_name = "authelia";
path = "session";
};
cookies = [
{
domain = "kun.is";
subdomain = "auth";
}
];
};
notifier = {
filesystem.enabled = false;
smtp = {
enabled = true;
address = "submission://mail.smtp2go.com:2525";
identifier = "auth.kun.is";
sender = "Authelia <authelia@kun.is>";
username = "uxY88HYzbBTAoWYm4PUxpT76u";
password = {
secret_name = "authelia";
path = "smtpPassword";
};
};
};
};
};
};
resources = {
deployments.authelia.spec = {
strategy = {
type = "RollingUpdate";
rollingUpdate = {
maxSurge = lib.mkForce 0;
maxUnavailable = lib.mkForce 1;
};
};
};
secrets.authelia.stringData = {
storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage";
session = "ref+sops://secrets.yml#/authelia/encryption_keys/session";
smtpPassword = "ref+sops://secrets.yml#/authelia/smtpPassword";
users = "ref+sops://secrets.yml#/authelia/users";
oidc_hmac_secret = "ref+sops://secrets.yml#/authelia/oidc/hmac_secret";
oidc_jwk_rs256_private = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/private";
oidc_jwk_rs256_public = "ref+sops://secrets.yml#/authelia/oidc/jwk_rs256/public";
freshrss_client_secret = "ref+sops://secrets.yml#/authelia/oidc/freshrss_client_secret";
};
};
};
lab = {
ingresses.authelia = {
host = "auth.kun.is";
service = {
name = "authelia";
portName = "http";
};
};
longhorn.persistentVolumeClaim.data = {
volumeName = "authelia";
storage = "100Mi";
};
};
};
}
Reference in a new issue View git blame Copy permalink