Add 'old-conf/' from commit '62a64a79a8'

git-subtree-dir: old-conf git-subtree-mainline: 4667974392 git-subtree-split: 62a64a79a8
2025-11-21 13:33:06 +01:00 · 2025-11-21 13:33:06 +01:00 · 83de52d5db
commit 83de52d5db
parent 4667974392 62a64a79a8
195 changed files with 13408 additions and 0 deletions
--- a/old-conf/nixos-modules/services/authelia.nix
+++ b/old-conf/nixos-modules/services/authelia.nix
@ -0,0 +1,76 @@
+{ config, lib, pkgs, ... }:
+let
+  cfg = config.ragon.services.authelia;
+  instanceName = "main";
+  stateDir = "/var/lib/authelia-${instanceName}";
+in
+{
+  options.ragon.services.authelia.enable = lib.mkEnableOption "Enables the authelia SSO Server";
+  options.ragon.services.authelia.domain =
+    lib.mkOption {
+      type = lib.types.str;
+      default = "sso.xyno.systems";
+    };
+  config = lib.mkIf cfg.enable {
+
+    ragon.agenix.secrets.autheliaStorageEncryption = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaSessionSecret = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaOidcIssuerPrivateKey = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaOidcHmacSecret = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaJwtSecret = { owner = "authelia-main"; };
+    ragon.agenix.secrets.autheliaEmail = { owner = "authelia-main"; };
+    services.authelia.instances.${instanceName} = {
+      enable = true;
+      secrets = {
+        storageEncryptionKeyFile = config.age.secrets.autheliaStorageEncryption.path;
+        sessionSecretFile = config.age.secrets.autheliaSessionSecret.path;
+        oidcIssuerPrivateKeyFile = config.age.secrets.autheliaOidcIssuerPrivateKey.path;
+        oidcHmacSecretFile = config.age.secrets.autheliaOidcHmacSecret.path;
+        jwtSecretFile = config.age.secrets.autheliaJwtSecret.path;
+      };
+      settingsFiles = [
+        config.age.secrets.autheliaEmail.path
+      ];
+      settings = {
+        theme = "auto";
+        default_2fa_method = "webauthn";
+        access_control = {
+          default_policy = "one_factor";
+        };
+        authentication_backend = {
+          file = {
+            path = "${stateDir}/users.yml";
+          };
+        };
+        session = {
+          domain = cfg.domain;
+        };
+        storage = {
+          postgres = {
+            host = "/run/postgresql";
+            port = "5432";
+            database = "authelia";
+            username = "authelia-main";
+            password = "dosentmatter";
+          };
+        };
+
+      };
+    };
+    services.postgresql = {
+      enable = true;
+
+      # Ensure the database, user, and permissions always exist
+      ensureDatabases = [ "authelia" ];
+      ensureUsers = [
+        {
+          name = "authelia-main";
+          #ensureDBOwnership = true;
+        }
+      ];
+    };
+    ragon.persist.extraDirectories = [
+      "${stateDir}"
+    ];
+  };
+}