From 197f343bd51b89e13895349331be37abed2097f0 Mon Sep 17 00:00:00 2001
From: b12f
Date: Thu, 12 Sep 2024 13:58:32 +0200
Subject: [PATCH] hosts/pie: update authelia, firefly, invoiceplane
---
 flake.lock | 18 +++++------
 hosts/pie/.env.firefly | 4 +--
 hosts/pie/authelia.nix | 31 ++++++++++---------
 hosts/pie/backup.nix | 4 +--
 hosts/pie/firefly.nix | 2 +-
 hosts/pie/invoiceplane.nix | 2 +-
 overlays/default.nix | 6 +++-
 secrets/authelia-oidc-issuer-private-key.age | Bin 1268 -> 2843 bytes
 8 files changed, 36 insertions(+), 31 deletions(-)
diff --git a/flake.lock b/flake.lock
index a9982ca..c88c337 100644
--- a/flake.lock
+++ b/flake.lock
@@ -581,11 +581,11 @@
 },
 "nixpkgs-master": {
 "locked": {
- "lastModified": 1724505469,
- "narHash": "sha256-U0KAINJreo0RbZ2QbA4Y5EhWO7XERFRlkJdrRIncjn8=",
+ "lastModified": 1726071952,
+ "narHash": "sha256-HBTpIZFHQ2rgMdLOquGk4GbAU1lnyzukRYLj4dHWxTg=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "59fbe04a3baa1011fe9f6eb00a1afb7db5179933",
+ "rev": "182ffe0f2da71206de247c535ace12659a0a62b5",
 "type": "github"
 },
 "original": {
@@ -597,11 +597,11 @@
 },
 "nixpkgs-unstable": {
 "locked": {
- "lastModified": 1724224976,
- "narHash": "sha256-Z/ELQhrSd7bMzTO8r7NZgi9g5emh+aRKoCdaAv5fiO0=",
+ "lastModified": 1725983898,
+ "narHash": "sha256-4b3A9zPpxAxLnkF9MawJNHDtOOl6ruL0r6Og1TEDGCE=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "c374d94f1536013ca8e92341b540eba4c22f9c62",
+ "rev": "1355a0cbfeac61d785b7183c0caaec1f97361b43",
 "type": "github"
 },
 "original": {
@@ -645,11 +645,11 @@
 },
 "nixpkgs_4": {
 "locked": {
- "lastModified": 1724316499,
- "narHash": "sha256-Qb9MhKBUTCfWg/wqqaxt89Xfi6qTD3XpTzQ9eXi3JmE=",
+ "lastModified": 1725930920,
+ "narHash": "sha256-RVhD9hnlTT2nJzPHlAqrWqCkA7T6CYrP41IoVRkciZM=",
 "owner": "nixos",
 "repo": "nixpkgs",
- "rev": "797f7dc49e0bc7fab4b57c021cdf68f595e47841",
+ "rev": "44a71ff39c182edaf25a7ace5c9454e7cba2c658",
 "type": "github"
 },
 "original": {
diff --git a/hosts/pie/.env.firefly b/hosts/pie/.env.firefly
index be16ce7..d74c104 100644
--- a/hosts/pie/.env.firefly
+++ b/hosts/pie/.env.firefly
@@ -149,13 +149,13 @@ MAP_DEFAULT_ZOOM=6
 #
 # LDAP is no longer supported :(
 #
-AUTHENTICATION_GUARD=web
+AUTHENTICATION_GUARD=remote_user_guard
 
 #
 # Remote user guard settings
 #
 AUTHENTICATION_GUARD_HEADER=REMOTE_USER
-AUTHENTICATION_GUARD_EMAIL=
+AUTHENTICATION_GUARD_EMAIL=REMOTE_EMAIL
 
 #
 # Firefly III supports webhooks. These are security sensitive and must be enabled manually first.
diff --git a/hosts/pie/authelia.nix b/hosts/pie/authelia.nix
index acb92d9..ce1e53e 100644
--- a/hosts/pie/authelia.nix
+++ b/hosts/pie/authelia.nix
@@ -9,6 +9,14 @@ with lib; let
 psCfg = config.pub-solar;
 xdg = config.home-manager.users."${psCfg.user.name}".xdg;
 in {
+ disabledModules = [
+ "services/security/authelia.nix"
+ ];
+
+ imports = [
+ "${flake.inputs.nixpkgs-master}/nixos/modules/services/security/authelia.nix"
+ ];
+
 age.secrets."authelia-storage-encryption-key" = {
 file = "${flake.self}/secrets/authelia-storage-encryption-key.age";
 mode = "400";
@@ -83,6 +91,10 @@ in {
 oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;
 };
 
+ environmentVariables = {
+ AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path;
+ };
+
 settings = {
 theme = "light";
 default_2fa_method = "webauthn";
@@ -111,17 +123,13 @@ in {
 }
 ];
 notifier.smtp = {
- host = "mail.b12f.io";
- port = 587;
+ address = "submission://mail.b12f.io:587";
 username = "mail@b12f.io";
 sender = "auth.b12f.io ";
 identifier = "auth@b12f.io";
 subject = "[auth.b12f.io] {title}";
 };
 identity_providers.oidc = {
- jwks = [{
- key = ''{{- fileContent "${config.age.secrets."authelia-jwks-private-key".path}" | nindent 8 }}'';
- }];
 authorization_policies = {
 admins = {
 default_policy = "deny";
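Review bot: `AUTHENTICATION_GUARD=remote_user_guard` makes Firefly accept whoever is named in the `REMOTE_USER` and `REMOTE_EMAIL` request headers as an already-authenticated user, so the reverse proxy that sets those headers after the Authelia check has to be the only route to the container and has to overwrite, not pass through, any copies of those headers a client sends. Neither the proxy configuration nor Firefly's `TRUSTED_PROXIES` setting is part of this patch, so I can't confirm that from here. A comment next to the guard line would make the dependency explicit for the next person touching the proxy, e.g. `# only safe behind the Authelia forward-auth proxy; the container port must never be reachable directly`.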
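Review bot: With the `jwks` template removed from `identity_providers.oidc`, nothing visible in this file still references `config.age.secrets."authelia-jwks-private-key"`; if that `age.secrets` entry is declared further up (outside this hunk), the key keeps being decrypted onto the host for no consumer. The regenerated `secrets/authelia-oidc-issuer-private-key.age` in this patch suggests the new module now takes the issuer key through its own `secrets` option instead, which I can't verify from the hunk. Either drop the unused declaration or leave a one-line comment where the `jwks` block was, e.g. `# issuer key is supplied via the module's secrets option, not inline`. The enclosing `settings` attrset continues outside the hunk.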
@@ -130,20 +138,13 @@ in {
 subject = "group:admins";
 }];
 };
- jellyfin = {
- default_policy = "deny";
- rules = [{
- policy = "two_factor";
- subject = "group:jellyfin-users";
- }];
- };
 };
 clients = [
 {
 client_id = "jellyfin";
 client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ";
 public = false;
- authorization_policy = "jellyfin";
+ authorization_policy = "admins";
 require_pkce = true;
 pkce_challenge_method = "S256";
 redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ];
@@ -160,7 +161,7 @@ in {
 };
 };
 
- systemd.services.authelia-b12f.environment.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets."mail@b12f.io-password".path;
+ systemd.services.authelia-b12f.preStart = "env";
 
 services.restic.backups = {
 authelia = {
@@ -169,7 +170,7 @@ in {
 passwordFile = config.age.secrets."restic-password".path;
 # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
 repository = "rclone:cloud.pub.solar:/backups/Authelia";
- rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
+ rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
 };
 };
 }
diff --git a/hosts/pie/backup.nix b/hosts/pie/backup.nix
index b962929..fe932e6 100644
--- a/hosts/pie/backup.nix
+++ b/hosts/pie/backup.nix
@@ -8,8 +8,8 @@
 psCfg = config.pub-solar;
 xdg = config.home-manager.users."${psCfg.user.name}".xdg;
 in {
- age.secrets."rclone-pie.conf" = {
- file = "${flake.self}/secrets/rclone-pie.conf.age";
+ age.secrets."rclone-pubsolar.conf" = {
+ file = "${flake.self}/secrets/rclone-pubsolar.conf.age";
 path = "/root/.config/rclone/rclone.conf";
 mode = "400";
 };
diff --git a/hosts/pie/firefly.nix b/hosts/pie/firefly.nix
index 3fc3238..0bbe7f6 100644
--- a/hosts/pie/firefly.nix
+++ b/hosts/pie/firefly.nix
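Review bot: `authorization_policy = "admins";` together with the deleted `jellyfin` policy means members of `group:jellyfin-users` who are not admins can no longer complete the OIDC flow for the `jellyfin` client, and the commit message does not say whether that narrowing is intended. If it is, a comment above the client keeps the next reader from reinstating the group policy by accident, e.g. `# intentionally admin-only; the jellyfin-users policy was removed on purpose`. If non-admin viewers are still expected to sign in, the per-client policy has to come back. The `clients` list continues outside the hunk.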
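Review bot: `systemd.services.authelia-b12f.preStart = "env";` reads like a debugging leftover: it runs `env` on every start and writes the unit's whole environment into the journal, readable by anyone with journal access, with no functional effect on the service. From this hunk the visible content is the secret-file path set through `environmentVariables` in the earlier hunk rather than the secret itself, but whatever else the unit carries in its environment would be logged too, and there is no reason to keep that. The old `environment.AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` assignment it replaces is already covered by `environmentVariables`, so the line can simply go; if it is meant to stay, a comment saying why belongs next to it.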
@@ -150,7 +150,7 @@ in {
 backupPrepareCommand = ''
 ${pkgs.docker-client}/bin/docker exec -t firefly-db pg_dumpall -c -U firefly > "${backupDir}/postgres.sql"
 '';
- rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
+ rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
 };
 };
 }
diff --git a/hosts/pie/invoiceplane.nix b/hosts/pie/invoiceplane.nix
index 96e5dd5..5da77e8 100644
--- a/hosts/pie/invoiceplane.nix
+++ b/hosts/pie/invoiceplane.nix
@@ -101,7 +101,7 @@ in {
 PW=$(cat ${config.age.secrets."invoiceplane-db-password".path})
 ${pkgs.docker-client}/bin/docker exec -t invoiceplane-db mariadb-dump --all-databases --password=$PW --user=invoiceplane > "${backupDir}/postgres.sql"
 '';
- rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
+ rcloneConfigFile = config.age.secrets."rclone-pubsolar.conf".path;
 };
 };
 }
diff --git a/overlays/default.nix b/overlays/default.nix
index 4f17cf9..2028db8 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -19,7 +19,11 @@
 master = import inputs.nixpkgs-master {system = prev.system;};
 in {
 factorio-headless = master.factorio-headless;
- paperless-ngx = unstable.paperless-ngx;
+ authelia = master.authelia;
+ paperless-ngx = master.paperless-ngx.overrideAttrs (oa: {
+ doCheck = false;
+ doInstallCheck = false;
+ });
 waybar = master.waybar;
 nix-inspect = unstable.nix-inspect;
 nix = unstable.lix;
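Review bot: The `overrideAttrs` on `paperless-ngx` turns off `doCheck` and `doInstallCheck` without recording why, so every later `nixpkgs-master` bump will keep skipping that package's test suite silently. A comment naming the failing test or the upstream issue, e.g. `# tests disabled: <reason or issue link>`, tells the next person bumping the input when the override can be dropped. As a matter of style the lambda never uses `oa`, so `(_: {` states that directly. `authelia = master.authelia;` comes from the same input as the module imported in `hosts/pie/authelia.nix`, which keeps package and module in step.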
diff --git a/secrets/authelia-oidc-issuer-private-key.age b/secrets/authelia-oidc-issuer-private-key.age index 4ab985f94431a0b6374afa2265ccf3da333b7998..ab94113d5814bf5d5529f1cfb59aadb4d3902a7a 100644 GIT binary patch literal 2843 zcmY+?`9sW!0swF%GGRla$j*A$G-~e4v+~Wq=KtUY?0ghm;bA4o(bkd5(-sIwlEZBxA5-laXLD zBLr-rPc6a1AYfN$15}-d2TL#_azL$BCbRV>ir$71*=-`XnXLbx=FC(f%`Ao#10c)_ zjYF>i1XQd~s*_M)iPe+DM8k9*iGrpv2x=$8C=%d_exDRFnG8DENH>%HLQvpSS^O}} zMI+=?NQCvk`V2L}Xu%OF4v)YGdL&+!4W+X39WDZ((2ET`j^1i!Is7y*!{ia#lys&B zjproG&?p3*MHGQd8jU6=`YbN3#$rv%WRQrYWS2rC0s|(skP2|D76+)IB?1nG-_!E}PV|!i zx5VfbqiGNU4~i8@dYz7h3cwPYL=FHT!tG=FK)K4EL4q7gy@d^d$wHPv%{7`-BAg%t zk1-pP(E*{?2D&q7Y^~H!BCGs5p%`P5dsRxh1fgdt1vIJv=2I}qJe89~5OZ(}4bNdw zt2kntQS1VV3Y3aO&QvpT0>8vYV;BIcKbb3cbHunL4;#VICNgDGIZXiGu#m@<;+=;eRZw+pgd-6>M$>R%oL+@fIBh52;8l0c2xj z+RP}Hn1&(47!(=eAS5g;2x3GyHt6>m6+n^_EsZL zi;F{21GGe(3=R3D907~tVA%)UPN78T%Ln{so?ik2$PVDIe&T7UV%!1k67Q&!#AnJc%?996+#n0h+Tl|EcG znONL?LbIu_?$Dwy{nZsmtExYw=f@5g>%3h42E)QJ({J>!md9FG4!!dc1{`k_BI~%Ha6+w{pK;_&W1u@w(km$A_NDjk&`r>$YBd(Yd`kvwW+l{Ql75f0gV`)dq}He`pYFs-72G zav(i@FZ&DeTuRf<>EG68eO%%^yGQ=3KU%`G#xXs1yySY<9qy`$fBv&$B=QGw;B#9u z@y>Sz=)w3oQDKO5g^s_G*x#gV8fa7p!V$-jk1oBxg8JbfA48WiN58|oEc?03Gi*}* z)6ivGO-$td4xvQXAwYvRGgGh0vBcZla^wM{-mS6K% z#~80LYWS@Y#e}h2OeQ(CKH<>xv%~W4GaL!;2m8Ryx=yHkM@viKFmcMpwH0}sE4vIRp4RygDlBZgbw)PB6HC__*B^~DH23^bQjX3r44 z3#}-fOET1+e6i~peFhR9IrbR^cO)H=i@v$+Q&(#AA4$^|6`NlLPusH^{^{Ak(OSST0^_>($9q^^myhk*9-nrwzC3!=_f^Ki1ZtLb-HRasz3*J8eB1v&-KYS~Hy0PbZVZ)8%v&!}ibCnc)zItyr@!|OxvAx_L zV*5_n+rG=d*|)0u(~PDv+HEX%@Wd*cd+F434GppAwfP^~rf(d^%?Ue&jck)SzIDtF zrH8_Is-i=N)QA!XW;G^nR%@MR|Jht<{^E9ELiqDiWNXgZiqXj5kHkKXNQ{1%dUw{Q z79yoa>Qc3?ncdMujY~Q8d%UBqb!(BS!4`~J)cR%s7kveHV4NEm>{ixtX61eA@M$R;BoUXTTzdT5{I$=G-7k^FM37^XC6)UbJ=&amC!~ zrO#qgV%#Nr=Nw$10a}hA;|dp4aV9A@$5rlmIV8C;FY%4uR$D04mb|$>m!zo)7M;65@)(8pS_hi$!#Gl)}m{v>X>oc zEciYAyMn(jzr|eH5NVGV7`u3*OK}&iB4u6kbaY|6E9Nzw`XPJd&aX0A&-@9acY z;OPZERCvpk8@sxu9!&)IpUeaz`a8-culoysnu_ZhsztS&Z;C!5xYHfXcr<>&y8R1H 
zCwl7=<|`*3YC}XaTVB_om%qGJJan_S_i#wjwarB#`}bE+>3OovYf66_-fCYXJvwWp zVaF$QYfeGWF)08$CeCRz{FSf9bXF(qsT+C*ObK%ezm(MUlVXBRtePnWuOEjyrcMQS zJe|L^V*RW+KK$#e&C5nDTrn~zc5J>it8)3>YrnzC*co!C=YvQp^2lkyw4kZ3H2w9J=GBwF5^K|<(o=u=am3gGK;qq!9#Mto z?WwOS*!QWzT^@KBQ}*2yjw|TUge&JX+@1F})6JEoFKC63SfDowCi#MEsoG!sA~Xzc0w$GH~|`cw=t$CfIwmHK($hrr7qhzVV#( zRvfV5gqivdc+Vc-?GGzY-}yScT3bCB@@nRW3-P_L=1f@EWVt^(34CA5f9>Yq6ZmHm^&#bOmPP9o7&|euYxRnDl0v( zhJgOlN4uThcO4kRpy3g@8Fz$tG=}HW9xb3LrWYYHmR2Up@JKLY6`h=GEJrxJv#+wa1oZN{hwCutfPoyl>r6la4mo< z$DhSbZ;*J}I8an#curwlEJnOPPiGerY;3V1n^{AmhlM zqURK!5S6qRtGp9<4E3B?Xo60v;Q6XxghA%CJ5quzVKhSQ$w;-@D3}6=^{Pj!K2h?Z zs?Na;ACEeao;tuhH#68*V0%vJ6 zp%zu$&fXD=ZpMi+NHC4b7{e6Ksx?OPQtPapaW;)WZnzh`yjfBa5TX%=aW*H(XB4)ssp$Z*| zXg+Ysv0ks0%`DaznCOEosF<2gL^H;8IS#8_#j>U1`KG6ZCc#u#OD~ovdJVNHQD+mVPp7Xn!y=4m_6HrfT6hC2P46XU6}mTJ9wA zAFH%o7z{YO4hhVL!_=6Djsn^|MX#|E8!nr8$-0I(jj99)VOh$BZ0a#y=9hWCB@n*c z(rb8@8+u`XG$LyPzE`M<0?9sA+Oix+-<=K68r^}DAZQh%Pmw5OlEed?7v*UC4yr#`d#k8&*a Z;Pa0yZv6i2nfCMZ=T9ln?W^w`{~HB!yQBaB