Table of Contents
Defined in /modules/blocks/authelia.nix.
This block sets up an Authelia service for Single-Sign On integration.
Compared to the upstream nixpkgs module, this module is tightly integrated with SHB which allows easy configuration of SSO with OIDC integration or with forward auth integration as well as some extensive troubleshooting features.
Authelia cannot work without SSL and LDAP. So setting up the Authelia block requires to setup the SSL block first and the LLDAP block first.
SSL is required to encrypt the communication and LDAP is used to handle users and group assignments. Authelia will allow access to a given resource only if the user that is authenticated is a member of the corresponding LDAP group.
Afterwards, assuming the LDAP service runs on the same machine, the Authelia configuration can be done with:
shb.authelia = {
enable = true;
domain = "example.com";
subdomain = "auth";
ssl = config.shb.certs.certs.letsencrypt."example.com";
ldapHostname = "127.0.0.1";
ldapPort = config.shb.lldap.ldapPort;
dcdomain = config.shb.lldap.dcdomain;
smtp = {
host = "smtp.eu.mailgun.org";
port = 587;
username = "postmaster@mg.example.com";
from_address = "authelia@example.com";
password.result = config.shb.sops.secrets."authelia/smtp_password".result;
};
secrets = {
jwtSecret.result = config.shb.sops.secrets."authelia/jwt_secret".result;
ldapAdminPassword.result = config.shb.sops.secrets."authelia/ldap_admin_password".result;
sessionSecret.result = config.shb.sops.secrets."authelia/session_secret".result;
storageEncryptionKey.result = config.shb.sops.secrets."authelia/storage_encryption_key".result;
identityProvidersOIDCHMACSecret.result = config.shb.sops.secrets."authelia/hmac_secret".result;
identityProvidersOIDCIssuerPrivateKey.result = config.shb.sops.secrets."authelia/private_key".result;
};
};
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "auth.example.com" ];
shb.sops.secrets."authelia/jwt_secret".request = config.shb.authelia.secrets.jwtSecret.request;
shb.sops.secrets."authelia/ldap_admin_password" = {
request = config.shb.authelia.secrets.ldapAdminPassword.request;
settings.key = "lldap/user_password";
};
shb.sops.secrets."authelia/session_secret".request = config.shb.authelia.secrets.sessionSecret.request;
shb.sops.secrets."authelia/storage_encryption_key".request = config.shb.authelia.secrets.storageEncryptionKey.request;
shb.sops.secrets."authelia/hmac_secret".request = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request;
shb.sops.secrets."authelia/private_key".request = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request;
shb.sops.secrets."authelia/smtp_password".request = config.shb.authelia.smtp.password.request;
This assumes secrets are setup with SOPS
as mentioned in the secrets setup section of the manual.
It’s a bit annoying to setup all those secrets but it’s only necessary once.
Use nix run nixpkgs#openssl -- rand -hex 64 to generate them.
Crucially, the shb.authelia.secrets.ldapAdminPasswordFile must be the same
as the shb.lldap.ldapUserPassword defined for the LLDAP block.
This is done using Sops’ key option.
For services provided by SelfHostBlocks that handle OIDC integration,
integrating with this block is done by configuring the service itself
and linking it to this Authelia block through the endpoint option
and by sharing a secret:
shb.<service>.sso = {
enable = true;
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
secret.result = config.shb.sops.secrets."<service>/sso/secret".result;
secretForAuthelia.result = config.shb.sops.secrets."<service>/sso/secretForAuthelia".result;
};
shb.sops.secret."<service>/sso/secret".request = config.shb.<service>.sso.secret.request;
shb.sops.secret."<service>/sso/secretForAuthelia" = {
request = config.shb.<service>.sso.secretForAuthelia.request;
settings.key = "<service>/sso/secret";
};
To share a secret between the service and Authelia,
we generate a secret with nix run nixpkgs#openssl -- rand -hex 64 under <service>/sso/secret
then we ask Sops to use the same password for <service>/sso/secretForAuthelia
thanks to the settings.key option.
The difference between both secrets is one if owned by the authelia user
while the other is owned by the user of the <service> we are configuring.
To integrate a service handling OIDC integration not provided by SelfHostBlocks with this Authelia block, the necessary configuration is:
shb.authelia.oidcClients = [
{
client_id = "<service>";
client_secret.source = shb.sops.secret."<service>/sso/secretForAuthelia".response.path;
scopes = [ "openid" "email" "profile" ];
redirect_uris = [
"<provided by service documentation>"
];
}
];
shb.sops.secret."<service>/sso/secret".request = {
owner = "<service_user>";
};
shb.sops.secret."<service>/sso/secretForAuthelia" = {
request.owner = "authelia";
settings.key = "<service>/sso/secret";
};
As in the previous section, we create a shared secret using Sops’
settings.key option.
The configuration for the service itself is much dependent on the service itself. For example for open-webui, the configuration looks like so:
services.open-webui.environment = {
ENABLE_SIGNUP = "False";
WEBUI_AUTH = "True";
ENABLE_FORWARD_USER_INFO_HEADERS = "True";
ENABLE_OAUTH_SIGNUP = "True";
OAUTH_UPDATE_PICTURE_ON_LOGIN = "True";
OAUTH_CLIENT_ID = "open-webui";
OAUTH_CLIENT_SECRET = "<raw secret>";
OPENID_PROVIDER_URL = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}/.well-known/openid-configuration";
OAUTH_PROVIDER_NAME = "Single Sign-On";
OAUTH_SCOPES = "openid email profile";
OAUTH_ALLOWED_ROLES = "open-webui_user";
OAUTH_ADMIN_ROLES = "open-webui_admin";
ENABLE_OAUTH_ROLE_MANAGEMENT = "True";
};
shb.authelia.oidcClients = [
{
client_id = "open-webui";
client_secret.source = shb.sops.secret."open-webui/sso/secretForAuthelia".response.path;
scopes = [ "openid" "email" "profile" ];
redirect_uris = [
"<provided by service documentation>"
];
}
];
shb.sops.secret."open-webui/sso/secret".request = {
owner = "open-webui";
};
shb.sops.secret."open-webui/sso/secretForAuthelia" = {
request.owner = "authelia";
settings.key = "open-webui/sso/secret";
};
Here, there is no way to give a path for the OAUTH_CLIENT_SECRET,
we are obligated to pass the raw secret which is a very bad idea.
There are ways around this but they are out of scope for this section.
Inspiration can be taken from SelfHostBlocks’ source code.
To access the UI, we will need to create an open-webui_user and
open-webui_admin LDAP group and assign our user to it.
For services provided by SelfHostBlocks that do not handle OIDC integration, this block can provide forward authentication which still allows the service to be protected by Authelia.
The user could still be required to authenticate to the service itself, although some services can automatically users authorized by Authelia.
Integrating with this block is done with the following code:
shb.<services>.authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
To integrate a service that does not handle OIDC integration and which is not provided by SelfHostBlocks with this Authelia block, the necessary configuration is:
shb.nginx.vhosts = [
{
subdomain = "<service>";
domain = "example.com";
ssl = config.shb.certs.certs.letsencrypt."example.com";
upstream = "http://127.0.0.1:${toString config.services.<service>.port}/";
}
];
This configuration assumes usage of the SSL block.
Set the debug option to true to:
Set logging level to "debug".
Add an shb.mitmdump instance in front of Authelia
which prints all requests and responses headers and body
to the systemd service mitmdump-authelia-${config.shb.authelia.subdomain}.${config.shb.authelia.domain}.service.
Specific integration tests are defined in /test/blocks/authelia.nix.
shb.authelia.enable
Whether to enable selfhostblocks.authelia.
Type: boolean
Default:
false
Example:
true
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.autheliaUser
System user for this Authelia instance.
Type: string
Default:
"authelia"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.dcdomain
dc domain for ldap.
Type: string
Example:
"dc=mydomain,dc=com"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.debug
Set logging level to debug and add a mitmdump instance to see exactly what Authelia receives and sends back.
Type: boolean
Default:
false
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.domain
domain under which Authelia will be served.
Type: string
Example:
"mydomain.com"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.extraDefinitions
Extra definitions.
Type: attribute set of (attribute set)
Default:
{ }
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.extraOidcAuthorizationPolicies
Extra OIDC authorization policies.
Type: attribute set of (attribute set)
Default:
{ }
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.extraOidcClaimsPolicies
Extra OIDC claims policies.
Type: attribute set of (attribute set)
Default:
{ }
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.extraOidcScopes
Extra OIDC scopes.
Type: attribute set of (attribute set)
Default:
{ }
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.ldapHostname
Hostname of the LDAP authentication backend.
Type: string
Example:
"ldap.example.com"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.ldapPort
Port of the LDAP authentication backend.
Type: 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Example:
"389"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.mount
Mount configuration. This is an output option.
Use it to initialize a block implementing the “mount” contract. For example, with a zfs dataset:
shb.zfs.datasets."authelia" = {
poolName = "root";
} // config.shb.authelia.mount;
Type: open submodule of anything (read only)
Default:
{
path = "/var/lib/authelia-authelia.example.com";
}
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.mount.path
Path to be mounted.
Type: string
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.mountRedis
Mount configuration for Redis. This is an output option.
Use it to initialize a block implementing the “mount” contract. For example, with a zfs dataset:
shb.zfs.datasets."redis-authelia" = {
poolName = "root";
} // config.shb.authelia.mountRedis;
Type: open submodule of anything (read only)
Default:
{
path = "/var/lib/redis-authelia";
}
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.mountRedis.path
Path to be mounted.
Type: string
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.oidcClients
OIDC clients
Type: list of (open submodule of attribute set of anything)
Default:
[
{
authorization_policy = "one_factor";
client_id = "dummy_client";
client_name = "Dummy Client so Authelia can start";
client_secret = {
source = <derivation dummy.secret>;
};
public = false;
redirect_uris = [ ];
}
]
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.oidcClients.*.authorization_policy
Require one factor (password) or two factor (device) authentication.
Type: one of “one_factor”, “two_factor”
Default:
"one_factor"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.oidcClients.*.claims_policy
Claim policy.
Defaults to ‘default’ to provide a backwards compatible experience. Read this document for more information.
Type: null or string
Default:
"default"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.oidcClients.*.client_id
Unique identifier of the OIDC client.
Type: string
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.oidcClients.*.client_name
Human readable description of the OIDC client.
Type: null or string
Default:
null
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.oidcClients.*.client_secret
File containing the shared secret with the OIDC client.
Generate with:
nix run nixpkgs#authelia -- \
crypto hash generate pbkdf2 \
--variant sha512 \
--random \
--random.length 72 \
--random.charset rfc3986
Type: submodule
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.oidcClients.*.client_secret.source
File containing the value.
Type: absolute path
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.oidcClients.*.client_secret.transform
An optional function to transform the secret.
Type: raw value
Default:
null
Example:
v: "prefix-$${v}-suffix"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.oidcClients.*.public
If the OIDC client is public or not.
Type: boolean
Default:
false
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.oidcClients.*.redirect_uris
List of uris that are allowed to be redirected to.
Type: list of string
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.oidcClients.*.scopes
Scopes to ask for. See https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims
Type: list of string
Default:
[ ]
Example:
[
"openid"
"profile"
"email"
"groups"
]
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.port
If given, adds a port to the <subdomain>.<domain> endpoint.
Type: null or 16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default:
null
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.rules
Rule based clients
Type: list of anything
Default:
[ ]
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets
Secrets needed by Authelia
Type: submodule
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCHMACSecret
Identity provider OIDC HMAC secret.
Type: submodule
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCHMACSecret.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.owner
Linux user owning the secret file.
Type: string
Default:
"authelia"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"authelia-shb.authelia.subdomain.shb.authelia.domain"
]
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCHMACSecret.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCHMACSecret.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey
Identity provider OIDC issuer private key.
Generate one with nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048
Type: submodule
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.owner
Linux user owning the secret file.
Type: string
Default:
"authelia"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"authelia-shb.authelia.subdomain.shb.authelia.domain"
]
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.jwtSecret
JWT secret.
Type: submodule
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.jwtSecret.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.jwtSecret.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.jwtSecret.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.jwtSecret.request.owner
Linux user owning the secret file.
Type: string
Default:
"authelia"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.jwtSecret.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"authelia-shb.authelia.subdomain.shb.authelia.domain"
]
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.jwtSecret.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.jwtSecret.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.ldapAdminPassword
LDAP admin user password.
Type: submodule
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.ldapAdminPassword.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.ldapAdminPassword.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.ldapAdminPassword.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.ldapAdminPassword.request.owner
Linux user owning the secret file.
Type: string
Default:
"authelia"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.ldapAdminPassword.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"authelia-shb.authelia.subdomain.shb.authelia.domain"
]
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.ldapAdminPassword.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.ldapAdminPassword.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.sessionSecret
Session secret.
Type: submodule
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.sessionSecret.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.sessionSecret.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.sessionSecret.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.sessionSecret.request.owner
Linux user owning the secret file.
Type: string
Default:
"authelia"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.sessionSecret.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"authelia-shb.authelia.subdomain.shb.authelia.domain"
]
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.sessionSecret.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.sessionSecret.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.storageEncryptionKey
Storage encryption key.
Type: submodule
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.storageEncryptionKey.request
Request part of the secret contract.
Options set by the requester module enforcing some properties the secret should have.
Type: submodule
Default:
""
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.storageEncryptionKey.request.group
Linux group owning the secret file.
Type: string
Default:
"root"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.storageEncryptionKey.request.mode
Mode of the secret file.
Type: string
Default:
"0400"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.storageEncryptionKey.request.owner
Linux user owning the secret file.
Type: string
Default:
"authelia"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.storageEncryptionKey.request.restartUnits
Systemd units to restart after the secret is updated.
Type: list of string
Default:
[
"authelia-shb.authelia.subdomain.shb.authelia.domain"
]
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.storageEncryptionKey.result
Result part of the secret contract.
Options set by the provider module that indicates where the secret can be found.
Type: submodule
Default:
{
path = "/run/secrets/secret";
}
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.secrets.storageEncryptionKey.result.path
Path to the file containing the secret generated out of band.
This path will exist after deploying to a target host, it is not available through the nix store.
Type: absolute path
Default:
"/run/secrets/secret"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.smtp
If a string is given, writes notifications to the given path.Otherwise, send notifications by smtp.
https://www.authelia.com/configuration/notifications/introduction/
Type: string or null or (submodule)
Default:
"/tmp/authelia-notifications"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.ssl
Path to SSL files
Type: null or (open submodule of anything)
Default:
null
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.ssl.paths
Paths where the files for the certificate will be located.
This option is the contract output of the shb.certs.certs SSL block.
Type: open submodule of anything
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.ssl.paths.cert
Path to the cert file.
Type: absolute path
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.ssl.paths.key
Path to the key file.
Type: absolute path
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.ssl.systemdService
Systemd oneshot service used to generate the certificate. Ends with the .service suffix.
Use this if downstream services must wait for the certificates to be generated before starting.
Type: string
Example:
"cert-generator.service"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|
shb.authelia.subdomain
Subdomain under which Authelia will be served.
Type: string
Example:
"auth"
Declared by:
<selfhostblocks/modules/blocks/authelia.nix>
|