diff --git a/hosts/rpi4/services.nix b/hosts/rpi4/services.nix index 446793a..45fe636 100644 --- a/hosts/rpi4/services.nix +++ b/hosts/rpi4/services.nix @@ -81,7 +81,7 @@ 8123 ]; - services.authelia.instances.main = { + services.authelia.instances = lib.mapAttrs (inst: opts: { enable = true; secrets = { jwtSecretFile = config.age.secrets.authelia-jwt.path; @@ -89,11 +89,15 @@ }; settings = { access_control.default_policy = "one_factor"; - storage.local.path = "/var/lib/authelia-main/db.sqlite"; - session.domain = "protogen.io"; - notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt"; + storage.local.path = "/var/lib/authelia-${inst}/db.sqlite"; + session.domain = "${opts.domain}"; + notifier.filesystem.filename = "/var/lib/authelia-${inst}/notification.txt"; authentication_backend.file.path = config.age.secrets.authelia-users.path; }; + }) { + main.domain = "protogen.io"; + nbt-sh.domain = "nbt.sh"; + proot-link.domain = "proot.link"; }; services.nginx = { @@ -122,8 +126,8 @@ basicAuthFile = config.age.secrets.htpasswd.path; }) (lib.mkIf authelia { - authelia.instance = "main"; - authelia.endpointURL = "https://auth.protogen.io"; + authelia.instance = lib.mkDefault "main"; + authelia.endpointURL = lib.mkDefault "https://auth.protogen.io"; }) extraConfig ]; @@ -197,9 +201,18 @@ # URL shortener "nbt.sh" = mkProxy { port = 8090; extraConfig.serverAliases = [ "proot.link" ]; }; + "admin.nbt.sh" = mkProxy { authelia = true; port = 8091; extraConfig = { - # authelia version in NixOS does not support multiple domains, use basic - authelia.method = "basic"; serverAliases = [ "admin.proot.link" ]; + authelia = { + instance = "nbt-sh"; + endpointURL = "https://auth.nbt.sh"; + }; + };}; + "admin.proot.link" = mkProxy { authelia = true; port = 8091; extraConfig = { + authelia = { + instance = "proot-link"; + endpointURL = "https://auth.proot.link"; + }; };}; # uptime
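Review bot: `jwtSecretFile = config.age.secrets.authelia-jwt.path;` now sits inside the `lib.mapAttrs` lambda, so every generated instance signs its identity-verification tokens (password reset, second-factor registration) with the same key. A token minted by one portal would therefore verify on the other two; with the shared users file the practical impact is probably small, but no key isolation is left between the three domains. Consider keying the secret by instance, e.g. `jwtSecretFile = config.age.secrets."authelia-jwt-${inst}".path;` (secret name illustrative, not defined on this page), and likewise for whatever else the `secrets` block holds on the line between this hunk and the next. The lambda body continues past the end of this hunk.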
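Review bot: Nothing in the `settings` block gives each instance its own listen address, so unless another module sets it, all three Authelia services will try to bind the same default port and only one can start. The vhosts that point at the other two instances would then presumably fail their auth checks. Add a per-instance value to the attrset passed to `lib.mapAttrs` (for example `main.port = <PORT_A>;` next to `main.domain`) and use it under `settings.server`. Separately, `session.domain = "${opts.domain}";` is a redundant interpolation and can be written `session.domain = opts.domain;`. The lambda opens above this hunk.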
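Review bot: With `lib.mkDefault`, a vhost on a non-protogen.io name that sets `authelia = true` and forgets the override silently falls back to `main` and `https://auth.protogen.io`, whose session cookie is scoped to a different domain. That most likely fails closed, but the failure is confusing, and overriding only one of the two options would pair an instance with the wrong portal. A comment above the pair would help: `# defaults for protogen.io vhosts; vhosts on other domains must override instance and endpointURL together`. The surrounding `mkProxy` definition starts and ends outside this hunk.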
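Review bot: `serverAliases = [ "admin.proot.link" ];` stays as a context line in the `"admin.nbt.sh"` vhost while the hunk also adds a dedicated `"admin.proot.link"` vhost, so the name appears to be declared twice. nginx accepts that with only a "conflicting server name" warning and serves the first definition it loaded, so requests for admin.proot.link may still be checked against the `nbt-sh` instance, whose session cookie is for nbt.sh. Drop the `serverAliases` line from `"admin.nbt.sh"`. The two vhosts otherwise differ only in the domain, so they could be generated from one list, in the same way as the instances. The `auth.nbt.sh` and `auth.proot.link` portals named in `endpointURL` are not defined in the visible hunks; confirm they exist elsewhere.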