Replace Authelia with pocket-id

hosts/spore/secrets/pocket-id-encryption-key.age

@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 stFZUQ aFqQX0Rpg18dsE3tTTcg3mxbyaskZwmeHmwRXTTAizc
+/Gwz5TQ7ladAcB3ED82VVIWndbImy2g3tTjF6HeWPnU
+-> ssh-ed25519 3EWhnQ vskXoOXSQeBFLf7AV7ojly2EVcElbuclX0fTvLk6Og8
+eyaqaKa7Bq5n/+0xVqsBwyx5Y5OeWOHDJEY7MIasHCU
+--- EFeE0j6r+vRDo3hf7AcB7ZtmXmwRK7wigxu5ucLPyhA
+��L%_,Rr�K_�#=���'f��I�<��H�7�U����fN��a\�M�@�!��3Įwث�rp[O� ��'���

hosts/spore/services/default.nix

@@ -4,7 +4,6 @@
   ...
 }: {
   imports = [
-    ./authelia.nix
     ./db.nix
     ./homepage-dashboard.nix
     ./mastodon.nix

hosts/spore/services/web/auth.nix

@@ -0,0 +1,34 @@
+{
+  config,
+  pkgs,
+  ...
+}: {
+  age.secrets.oauth2-proxy-env = {
+    file = ./../../secrets/oauth2-proxy-env.age;
+    mode = "440";
+    owner = "oauth2-proxy";
+    group = "oauth2-proxy";
+  };
+  age.secrets.pocket-id-encryption-key = {
+    file = ./../../secrets/pocket-id-encryption-key.age;
+    mode = "440";
+    owner = config.services.pocket-id.user;
+    group = config.services.pocket-id.group;
+  };
+
+  rc.web.auth = {
+    enable = true;
+    issuer = {
+      host = "id.zx.dev";
+      useACMEHost = "zx.dev";
+      encryptionKeyFile = config.age.secrets.pocket-id-encryption-key.path;
+    };
+    authProxy = {
+      host = "oauth.zx.dev";
+      domain = ".zx.dev";
+      clientID = "shared-sso";
+      useACMEHost = "zx.dev";
+      keyFile = config.age.secrets.oauth2-proxy-env.path;
+    };
+  };
+}

hosts/spore/services/web/default.nix

@@ -1,7 +1,7 @@
 # Web services and nginx configuration
 {
   imports = [
-    ./nginx-options.nix
+    ./auth.nix
     ./ssl-acme.nix
     ./nginx-config.nix
     ./srv.nix

hosts/spore/services/web/virtual-hosts.nix

@@ -33,17 +33,10 @@
         "/pgp".return = "302 https://keyoxide.org/hkp/413d1a0152bcb08d2e3ddacaf88c08579051ab48";
       };
     };
-    "auth.zx.dev" = {
-      forceSSL = true;
-      useACMEHost = "zx.dev";
-      useAutheliaProxyConf = true;
-      locations."/".proxyPass = "http://127.0.0.1:9091";
-      locations."/api/verify".proxyPass = "http://127.0.0.1:9091";
-    };
     "torrents.zx.dev" = {
       forceSSL = true;
       useACMEHost = "zx.dev";
-      enableAutheliaAuth = true;
+      requireAuth = true;
       locations."/".proxyPass = "http://glyph.rove-duck.ts.net:9091";
       locations."~ (/transmission)?/rpc".proxyPass = "http://glyph.rove-duck.ts.net:9091";
     };
@@ -60,13 +53,13 @@
     "files.zx.dev" = {
       forceSSL = true;
       useACMEHost = "zx.dev";
-      enableAutheliaAuth = true;
+      requireAuth = true;
       locations."/".proxyPass = "http://glyph.rove-duck.ts.net:8080";
     };
     "home.zx.dev" = {
       forceSSL = true;
       useACMEHost = "zx.dev";
-      enableAutheliaAuth = true;
+      requireAuth = true;
       locations."/".proxyPass = "http://127.0.0.1:8082";
     };
   };

justfile

@@ -55,7 +55,7 @@ build-host host:
 # Check specific service configurations
 check-services:
   @echo "🔍 Checking individual service configurations..."
-  nix flake check --print-build-logs | grep -E "(spore|glyph)-(nginx|authelia|postgresql|samba|transmission)" || echo "Service checks completed"
+  nix flake check --print-build-logs | grep -E "(spore|glyph)-(nginx|postgresql|samba|transmission)" || echo "Service checks completed"
 
 # List all available hosts
 list-hosts: