authelia: init

2024-03-25 21:06:08 +01:00 · 2024-03-25 21:06:08 +01:00 · 547bd4ca27
parent 09d6f74e1a
commit 547bd4ca27
6 changed files with 172 additions and 3 deletions
--- a/hosts/pie/authelia.nix
+++ b/hosts/pie/authelia.nix
@ -0,0 +1,118 @@
+{
+  flake,
+  lib,
+  config,
+  pkgs,
+  ...
+}:
+with lib; let
+  psCfg = config.pub-solar;
+  xdg = config.home-manager.users."${psCfg.user.name}".xdg;
+in {
+  age.secrets."authelia-storage-encryption-key" = {
+    file = "${flake.self}/secrets/authelia-storage-encryption-key.age";
+    mode = "400";
+    owner = "authelia-b12f";
+  };
+
+  age.secrets."authelia-session-secret" = {
+    file = "${flake.self}/secrets/authelia-session-secret.age";
+    mode = "400";
+    owner = "authelia-b12f";
+  };
+
+  age.secrets."authelia-oidc-issuer-private-key" = {
+    file = "${flake.self}/secrets/authelia-oidc-issuer-private-key.age";
+    mode = "400";
+    owner = "authelia-b12f";
+  };
+
+  age.secrets."authelia-oidc-hmac-secret" = {
+    file = "${flake.self}/secrets/authelia-oidc-hmac-secret.age";
+    mode = "400";
+    owner = "authelia-b12f";
+  };
+
+  age.secrets."authelia-jwt-secret" = {
+    file = "${flake.self}/secrets/authelia-jwt-secret.age";
+    mode = "400";
+    owner = "authelia-b12f";
+  };
+
+  age.secrets."authelia-users-file" = {
+    file = "${flake.self}/secrets/authelia-users-file.age";
+    mode = "400";
+    owner = "authelia-b12f";
+  };
+
+  security.acme.certs = {
+    "auth.b12f.io" = {};
+  };
+
+  services.nginx.virtualHosts = {
+    "auth.b12f.io" = {
+      forceSSL = true;
+      useACMEHost = "auth.b12f.io";
+      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.authelia.instances.b12f.settings.server.port}";
+      listenAdresses = [
+        "127.0.0.1"
+        "::1"
+        "10.13.12.2"
+        "fd00:b12f:acab:1312:acab:2::"
+      ];
+    };
+  };
+
+  services.authelia.instances.b12f = {
+    enable = true;
+
+    secrets = {
+      storageEncryptionKeyFile = config.age.secrets."authelia-storage-encryption-key".path;
+      sessionSecretFile = config.age.secrets."authelia-session-secret".path;
+      oidcIssuerPrivateKeyFile = config.age.secrets."authelia-oidc-issuer-private-key".path;
+      oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;
+      jwtSecretFile = config.age.secrets."authelia-jwt-secret".path;
+    };
+
+    settings = {
+      theme = "light";
+      default_2fa_method = "totp";
+      log.level = "debug";
+      server.disable_healthcheck = true;
+      authentication_backend = {
+        refresh_interval = "disable";
+        password_reset = { disable = true; };
+        file = {
+          path = config.age.secrets."authelia-users-file".path;
+          watch = false;
+        };
+      };
+      duo_api.disable = true;
+      webauthn.user_verification = "required";
+      totp.issuer: "auth.b12f.io";
+      storage.local.path = "/var/lib/authelia/db.sqlite3";
+      identity_providers.oidc = {
+        authorization_policies.policy_name = {
+          default_policy = "two_factor";
+          rules = [
+            {
+              policy = "deny";
+              subject = "group:services";
+            }
+          ];
+        };
+      };
+    };
+  };
+
+  services.restic.backups = {
+    authelia = {
+      paths = [ "/var/lib/authelia" ];
+      initialize = true;
+      passwordFile = config.age.secrets."restic-password".path;
+      # See https://www.hosting.de/blog/verschluesselte-backups-mit-rclone-und-restic-in-nextcloud/
+      repository = "rclone:cloud.pub.solar:/backups/Authelia";
+      rcloneConfigFile = config.age.secrets."rclone-pie.conf".path;
+    };
+  };
+}
--- a/hosts/pie/default.nix
+++ b/hosts/pie/default.nix
@ -9,6 +9,7 @@
    ./unbound.nix
    ./dhcpd.nix
    # ./wake-droppie.nix
+    ./authelia.nix
    ./paperless.nix
    ./firefly.nix
    ./invoiceplane.nix
--- a/hosts/pie/firefly.nix
+++ b/hosts/pie/firefly.nix
@ -39,11 +39,23 @@ in {
      forceSSL = true;
      useACMEHost = "firefly.b12f.io";
      locations."/".proxyPass = "http://127.0.0.1:8080";
+      listenAdresses = [
+        "127.0.0.1"
+        "::1"
+        "10.13.12.2"
+        "fd00:b12f:acab:1312:acab:2::"
+      ];
    };
    "firefly-importer.b12f.io" = {
      forceSSL = true;
      useACMEHost = "firefly-importer.b12f.io";
      locations."/".proxyPass = "http://127.0.0.1:8081";
+      listenAdresses = [
+        "127.0.0.1"
+        "::1"
+        "10.13.12.2"
+        "fd00:b12f:acab:1312:acab:2::"
+      ];
    };
  };

@ -58,6 +70,13 @@ in {
    '';
  };

+  services.authelia.instances.b12f.settings.clients = [{
+    client_id = "firefly";
+    client_name = "Firefly";
+    client_secret = "";
+    consent_mode = "implicit";
+  }];
+
  virtualisation = {
    oci-containers = {
      backend = "docker";
--- a/hosts/pie/paperless.nix
+++ b/hosts/pie/paperless.nix
@ -54,9 +54,22 @@ in {
      forceSSL = true;
      useACMEHost = "paperless.b12f.io";
      locations."/".proxyPass = "http://127.0.0.1:${builtins.toString config.services.paperless.port}";
+      listenAdresses = [
+        "127.0.0.1"
+        "::1"
+        "10.13.12.2"
+        "fd00:b12f:acab:1312:acab:2::"
+      ];
    };
  };

+  services.authelia.instances.b12f.settings.clients = [{
+    client_id = "paperless";
+    client_name = "Paperless";
+    client_secret = "";
+    consent_mode = "implicit";
+  }];
+
  services.paperless = {
    enable = true;
    user = psCfg.user.name;
@ -65,9 +78,20 @@ in {
    address = "127.0.0.1";
    extraConfig = {
      PAPERLESS_OCR_LANGUAGE = "nld+deu";
-      PAPERLESS_ADMIN_USER = psCfg.user.name;
-      PAPERLESS_AUTO_LOGIN_USERNAME = psCfg.user.name;
      PAPERLESS_URL = "https://paperless.b12f.io";
+      PAPERLESS_SOCIALACCOUNT_PROVIDERS = (builtins.toJSON {
+        openid_connect = {
+          APPS = [
+            {
+              provider_id = "keycloak";
+              name = "Keycloak";
+              client_id = "<insert-id>";
+              secret = "<insert-secret>";
+              settings.server_url = "http://keycloak:8080/realms/master/.well-known/openid-configuration";
+            }
+          ];
+        };
+      });
    };
  };

@ -120,7 +144,7 @@ in {
    "d /tmp/paperless 0700 ${psCfg.user.name} users - -"
  ];

-  age.secrets."rclone-pie.conf" = {
+  age.secrets."rclone-pie.conMoK~Ih_gjsd4Yo0U7eYcyZ5WHFy1n_a3BGwy_E5TVb8z2FaFzGnQS08TpTf~4ilPG5r5hytf" = {
    file = "${flake.self}/secrets/rclone-pie.conf.age";
    path = "/root/.config/rclone/rclone.conf";
    mode = "400";
--- a/secrets/authelia-users-file.age
+++ b/secrets/authelia-users-file.age
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -71,6 +71,13 @@ in {
  "firefly-importer-secrets.env.age".publicKeys = pieKeys ++ baseKeys;
  "firefly-cron-secrets.env.age".publicKeys = pieKeys ++ baseKeys;

+  "authelia-storage-encryption-key.age".publicKeys = pieKeys ++ baseKeys;
+  "authelia-session-secret.age".publicKeys = pieKeys ++ baseKeys;
+  "authelia-oidc-issuer-private-key.age".publicKeys = pieKeys ++ baseKeys;
+  "authelia-oidc-hmac-secret.age".publicKeys = pieKeys ++ baseKeys;
+  "authelia-jwt-secret.age".publicKeys = pieKeys ++ baseKeys;
+  "authelia-users-file.age".publicKeys = pieKeys ++ baseKeys;
+
  "rclone-pie.conf.age".publicKeys = pieKeys ++ baseKeys;
  "restic-password.age".publicKeys = pieKeys ++ baseKeys;