diff --git a/flake.lock b/flake.lock
index 22178b3..a9982ca 100644
--- a/flake.lock
+++ b/flake.lock
@@ -61,22 +61,6 @@
 "type": "github"
 }
 },
- "authelia-438": {
- "locked": {
- "lastModified": 1714672681,
- "narHash": "sha256-r/vqZTUi7TxLgZtkgq0YRlH+Hh9rtfjx93OwETrgO4I=",
- "owner": "nicomem",
- "repo": "nixpkgs",
- "rev": "01b37b0465266d7a587546cece37960d7c962e31",
- "type": "github"
- },
- "original": {
- "owner": "nicomem",
- "ref": "authelia-4.38",
- "repo": "nixpkgs",
- "type": "github"
- }
- },
 "darwin": {
 "inputs": {
 "nixpkgs": [
@@ -699,7 +683,6 @@
 "inputs": {
 "adblock-unbound": "adblock-unbound",
 "agenix": "agenix",
- "authelia-438": "authelia-438",
 "deno2nix": "deno2nix",
 "deploy-rs": "deploy-rs",
 "flake-compat": "flake-compat_2",
diff --git a/flake.nix b/flake.nix
index 1a7c088..175f677 100644
--- a/flake.nix
+++ b/flake.nix
@@ -24,8 +24,6 @@
 deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
 deploy-rs.inputs.flake-compat.follows = "flake-compat";
- authelia-438.url = "github:nicomem/nixpkgs/authelia-4.38";
-
 agenix.url = "github:ryantm/agenix";
 agenix.inputs.nixpkgs.follows = "nixpkgs";
diff --git a/hosts/pie/authelia.nix b/hosts/pie/authelia.nix
index cb17727..acb92d9 100644
--- a/hosts/pie/authelia.nix
+++ b/hosts/pie/authelia.nix
@@ -9,14 +9,6 @@ with lib; let
 psCfg = config.pub-solar;
 xdg = config.home-manager.users."${psCfg.user.name}".xdg;
 in {
- disabledModules = [
- "services/security/authelia.nix"
- ];
-
- imports = [
- "${flake.inputs.authelia-438}/nixos/modules/services/security/authelia.nix"
- ];
-
 age.secrets."authelia-storage-encryption-key" = {
 file = "${flake.self}/secrets/authelia-storage-encryption-key.age";
 mode = "400";
@@ -35,6 +27,24 @@ in {
 owner = "authelia-b12f";
 };
+ age.secrets."authelia-oidc-issuer-private-key" = {
+ file = "${flake.self}/secrets/authelia-oidc-issuer-private-key.age";
+ mode = "400";
+ owner = "authelia-b12f";
+ };
+
+ age.secrets."authelia-oidc-hmac-secret" = {
+ file = "${flake.self}/secrets/authelia-oidc-hmac-secret.age";
+ mode = "400";
+ owner = "authelia-b12f";
+ };
+
+ age.secrets."authelia-jwks-private-key" = {
+ file = "${flake.self}/secrets/authelia-jwks-private-key.age";
+ mode = "400";
+ owner = "authelia-b12f";
+ };
+
 age.secrets."authelia-users-file" = {
 file = "${flake.self}/secrets/authelia-users-file.age";
 mode = "400";
@@ -69,6 +79,8 @@ in {
 storageEncryptionKeyFile = config.age.secrets."authelia-storage-encryption-key".path;
 sessionSecretFile = config.age.secrets."authelia-session-secret".path;
 jwtSecretFile = config.age.secrets."authelia-jwt-secret".path;
+ oidcIssuerPrivateKeyFile = config.age.secrets."authelia-oidc-issuer-private-key".path;
+ oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;
 };
 settings = {
@@ -81,7 +93,7 @@ in {
 };
 authentication_backend = {
 refresh_interval = "disable";
- password_reset = {disable = true;};
+ password_reset.disable = true;
 file = {
 path = config.age.secrets."authelia-users-file".path;
 watch = false;
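Review bot: `oidcIssuerPrivateKeyFile` in the `@@ -69` hunk wires up Authelia's `issuer_private_key`, while the `@@ -106` hunk of this file also supplies a signing key through `identity_providers.oidc.jwks`; in Authelia 4.38 `issuer_private_key` is a deprecated alias for what `jwks` provides, so unless the deployed module still requires it one of the two is redundant. If `authelia-oidc-issuer-private-key` and `authelia-jwks-private-key` hold different keys, it is worth confirming which one actually signs tokens and whether both secrets need to exist at all. The three `age.secrets` entries added in the `@@ -35` hunk would benefit from a one-line comment mapping them to the settings that consume them, e.g. `# OIDC material: issuer key (oidcIssuerPrivateKeyFile), HMAC secret (oidcHmacSecretFile), JWKS key (identity_providers.oidc.jwks)`. The enclosing `services.authelia` attribute set starts outside these hunks.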
@@ -106,6 +118,45 @@ in {
 identifier = "auth@b12f.io";
 subject = "[auth.b12f.io] {title}";
 };
+ identity_providers.oidc = {
+ jwks = [{
+ key = ''{{- fileContent "${config.age.secrets."authelia-jwks-private-key".path}" | nindent 8 }}'';
+ }];
+ authorization_policies = {
+ admins = {
+ default_policy = "deny";
+ rules = [{
+ policy = "two_factor";
+ subject = "group:admins";
+ }];
+ };
+ jellyfin = {
+ default_policy = "deny";
+ rules = [{
+ policy = "two_factor";
+ subject = "group:jellyfin-users";
+ }];
+ };
+ };
+ clients = [
+ {
+ client_id = "jellyfin";
+ client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ";
+ public = false;
+ authorization_policy = "jellyfin";
+ require_pkce = true;
+ pkce_challenge_method = "S256";
+ redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ];
+ scopes = [
+ "openid"
+ "profile"
+ "groups"
+ ];
+ userinfo_signed_response_alg = "none";
+ token_endpoint_auth_method = "client_secret_post";
+ }
+ ];
+ };
 };
 };
diff --git a/hosts/pie/unbound.nix b/hosts/pie/unbound.nix
index a769b7a..47d16d8 100644
--- a/hosts/pie/unbound.nix
+++ b/hosts/pie/unbound.nix
@@ -45,17 +45,17 @@
 "::1"
 "192.168.178.2"
- "2a02:908:5b1:e3c0:2::"
+ "fd00:b12f:acab:1312:acab:2::"
 ];
 access-control = [
 "127.0.0.1/32 allow"
 # Allow from local network
 "192.168.178.0/24 allow"
- "2a02:908:5b1:e3c0::/64 allow"
+ "fd00:b12f:acab:1312:acab::/64 allow"
 # Allow from wireguard
- "10.13.12.0/24 allow"
+ "192.168.178.0/24 allow"
 "fd00:b12f:acab:1312::/64 allow"
 ];
 local-zone = [
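Review bot: The `admins` authorization policy is defined but no client in this hunk references it (`jellyfin` is the only `authorization_policy` in use), so it is either dead configuration or a placeholder for a client added elsewhere; either remove it or mark the intent with `# reserved for admin-only clients; no consumer yet`. The `jwks` entry depends on Authelia's template config filter (`fileContent`/`nindent 8`) being enabled by the module and on the generated YAML placing `key:` at exactly that depth; both are outside this hunk, so the rendered config should be inspected once before relying on it. The client definition itself is in good shape: the secret is stored as a PBKDF2 digest rather than plaintext, `require_pkce` with S256 is set, and the redirect URI is a single exact match. The enclosing `settings` attribute set starts before this hunk.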
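Review bot: In the `access-control` list of the `@@ -45` hunk the `# Allow from wireguard` comment now labels `"192.168.178.0/24 allow"`, which duplicates the entry three lines earlier under `# Allow from local network`, so either the WireGuard IPv4 range was dropped rather than renumbered or the comment is stale and should go. The new `"fd00:b12f:acab:1312:acab::/64 allow"` has host bits set beyond the /64 and denotes the same prefix as the existing `"fd00:b12f:acab:1312::/64 allow"` two lines below; if the intent was a narrower range the prefix length needs to say so, otherwise the line is redundant. The enclosing `settings` set starts outside the hunk.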
@@ -66,7 +66,16 @@
 "\"brwb8763f64a364.local. 10800 IN A 192.168.178.4\""
 "\"pie.local. 10800 IN A 192.168.178.2\""
- "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:2::\""
+ "\"pie.local. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
+ "\"pie.b12f.io. 10800 IN A 192.168.178.2\""
+ "\"firefly.b12f.io. 10800 IN A 192.168.178.2\""
+ "\"firefly-importer.b12f.io. 10800 IN A 192.168.178.2\""
+ "\"paperless.b12f.io. 10800 IN A 192.168.178.2\""
+ "\"invoicing.b12f.io. 10800 IN A 192.168.178.2\""
+ "\"auth.b12f.io. 10800 IN A 192.168.178.2\""
+
+ "\"droppie.b12f.io. 10800 IN A 192.168.178.3\""
+ "\"media.b12f.io. 10800 IN A 192.168.178.3\""
 "\"fritz.box. 10800 IN A 192.168.178.1\""
 "\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
@@ -79,7 +88,7 @@
 {
 name = ".";
 forward-addr = [
- "10.13.12.7"
+ "192.168.178.7"
 "fd00:b12f:acab:1312:acab:7::"
 ];
 }
diff --git a/overlays/default.nix b/overlays/default.nix
index dd9e9fc..253f881 100644
--- a/overlays/default.nix
+++ b/overlays/default.nix
@@ -15,14 +15,12 @@ (final: prev: let
 unstable = import inputs.nixpkgs-unstable {system = prev.system;};
 master = import inputs.nixpkgs-master {system = prev.system;};
- authelia-438 = import inputs.authelia-438 {system = prev.system;};
 in {
 factorio-headless = master.factorio-headless;
 paperless-ngx = unstable.paperless-ngx;
 waybar = master.waybar;
 nix-inspect = unstable.nix-inspect;
 nix = unstable.lix;
- authelia = authelia-438.authelia;
 adlist = inputs.adblock-unbound.packages.${prev.system};
diff --git a/secrets/authelia-jwks-private-key.age b/secrets/authelia-jwks-private-key.age
new file mode 100644
index 0000000..9c9fad0
Binary files /dev/null and b/secrets/authelia-jwks-private-key.age differ
diff --git a/secrets/authelia-oidc-hmac-secret.age b/secrets/authelia-oidc-hmac-secret.age
new file mode 100644
index 0000000..5246522
Binary files /dev/null and b/secrets/authelia-oidc-hmac-secret.age differ
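Review bot: The record entries added in the `@@ -66` hunk answer public `b12f.io` names with LAN addresses (`auth.b12f.io` → 192.168.178.2 here, while the terraform hunk in this commit publishes it as a CNAME to frikandel), which is a split-horizon arrangement that nothing in the file explains; a comment above the new lines, e.g. `# Split horizon: resolve b12f.io services to LAN addresses so local clients bypass the public reverse proxy`, would spare the next reader the cross-file lookup. None of the new names gets an AAAA entry even though `pie.local` keeps one and the resolver still listens on a ULA address; if IPv4-only is intentional, say so in the same comment. The enclosing list starts before this hunk.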
diff --git a/secrets/authelia-oidc-issuer-private-key.age b/secrets/authelia-oidc-issuer-private-key.age
new file mode 100644
index 0000000..4ab985f
--- /dev/null
+++ b/secrets/authelia-oidc-issuer-private-key.age
@@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-ed25519 8bHz7g H2MPu4q1K5Wqj3HPTZ4CG3iLDSW8MVDF7dGduvfEuU8 +OezMmd+UxTPY+GU5bRRtIW35NIptZDYnI7qMW2qjrnc +-> ssh-rsa kFDS0A +W2vJ/TdhLlw+0mgVHiSU7EhV7KR9ivf/CLklqN1xv6zRPBVZhtzZ24fugFn77at4 ++UgSQJb67Wq6wTOlIphe4fEhsScjaJR8lGdxP3HdxSpS1UE0ZVOZysaSLjWuQZdc +Z/lM0R63uABMAGm7tPXNtpzJG54gdlJwizPt2MTqCJ0odxs8P2aJEE3cIEUaxkiK +yXT+BUh7rG/UUM/bGlEz/BKdqygnPd9/g6Mnz3vWMpd1DRImkpl0+EH91VCkJNBq +P27l+RezidQcCjVktzscs7OzLFNR/7CwZCY9n2otX58GPxdXdHoKk/F9uJgpwQAk +j4k55FcAU+6mBD3M8aRxeSAe6rebyUnmIaUmk2RqZoGVy7JmWBwKW88g2DbEwA3o +ednGd9h/WVhrXYH+tp+jDrwqclYCemUik0NJz2UejuZ1YgBYSit2B0/L86hT8ob3 +kVSGCDB1d0JoO4my8LZK4CkOGyVuyKuTEg7usZQw33iixD4wCO9tj8A5hG/gAVVP +osThDXYSFcwxUIk5L03F/zbsS6JuzImJDfNj4VvTagX3V0Rg/IqINY6NQtevACYm +Y1v2vZSwWazozty/bYNiNWk1M0e8HWvXSbLlWO5Nh/x/SZVW7kLCZeFF5teSaaKU +sYVm6zimnnZYifdQUxoHzPCF5bHF3r3TJxilQVbLK4w +-> piv-p256 zqq/iw AgOo+pIZ5Q4Nc43jjLHNCaNA8kpnNH4gfRw+fOCwi+sa +XlY14IT2498CFA/rhmEwBh0EYyG5ncZUa66ARVpYloY +-> piv-p256 vRzPNw Arce2/iFcvj75c2jnYKjdS/cGABX5r59QwlQDeYNKktm +j2RPpJoKgCgohrppf73GrfBX2LmphttLcYZMn80FnmE +--- 35kxW61pqLlo/5f0eAyaVBMk9RDgXKkCiSRDZpBiKk4 +ůǑtB5ޏ`Ta ssh-ed25519 LVlqCg 3dIRzCAXM+OhZFouFtUUWjYT1NUht1Z5e+j8wUPUIBk +VKe/jEGVW96bF+WucYA12+LfBYGnQC5RCZ8uz+ax6so +-> ssh-rsa kFDS0A +gV0l6GhK03/a1A/n7l6AcnwqfREH3OvydpbneRiUVFiDXz+AIi42BO8LSqpnCTfZ +IsRK9VPfrRmdr39PQRqeMmOVTUQ4oYcQ8R/k560UupgQ0HIdA6UhWhJ0/Nj0CESF +gWpUbfYi0N30Dnw6EqAjOu2n685BfBSsbRonTPDZQCydY12IiUDCu4FEZ1yQOBvX +FYy8wOp5gT8L1KR2aXz2/XeAb/aGIFO3SMBL1KZzltL9tGxAQe8DH3HMAXq+Qyao +wvnoozz5h8wDzLZUGilYS35k8cQIV+BtAJbXq+PPgCyIlKw/rZVfNY19yIJv7y0e +1jZxL7C8HA+Q6hPoUSlLY35aHY3EYduw8uBSmDNMuDgZvXYC8F8oNPLr1Rtr52zi +5ET2hnKR1yq/PJVme62Xkgl2MKprvX5gxbYMn2sw4E6NX8X8jneKKEFcFjDFSSWL +MgnLdumE9s9AHqoaqspIO+y8ic/juHg4/4nEdQ9ExiF/EeTUAPoX1TqJNSy8NYz+ +k2xqKSBdGsR4xfyEGA9Z2FrF3XTvE59nzfHU0g7A82U9pRy8Tkhw0lFanR9T/2R8 +3ernZtj0k5B3HqYVaC5fduognoCJf5xzCedi+sCSCmkwBOczgOVMhzSMg1yLiyrz +OYNEyMa+IWFzwsP4BXsriNzdNMZGv9UwJzQC/pRBu4g +-> 
piv-p256 zqq/iw A9+TuOOX80CNXDp0XlVgQu7EUV9cjRqdu+PKrxKf1LQv +Ci3pOvlbaDJJ7nHd3m3EHpQpNIxZvXlzProLzrczPyA +-> piv-p256 vRzPNw AvhB0SZ9T54oujQP592HUpFuphMTA39BRhUajcO1sBOA +YG4iUO7Uvj3FmLTVj+LeElrIQTMpknVhfpsf98tGSMo +--- 50lcfhrBzcAuN+b6CARqOHA/Fr65DpUKKYKhq4UZ5VE +,ba+'yx0嶳{ѹgBd='Bed#7liUXbKNw +G+p?jJ#Vibti erQ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9815018..f0ab8c3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -74,8 +74,13 @@ in { "authelia-storage-encryption-key.age".publicKeys = pieKeys ++ baseKeys; "authelia-session-secret.age".publicKeys = pieKeys ++ baseKeys; "authelia-jwt-secret.age".publicKeys = pieKeys ++ baseKeys; + "authelia-oidc-issuer-private-key.age".publicKeys = pieKeys ++ baseKeys; + "authelia-oidc-hmac-secret.age".publicKeys = pieKeys ++ baseKeys; + "authelia-jwks-private-key.age".publicKeys = pieKeys ++ baseKeys; "authelia-users-file.age".publicKeys = pieKeys ++ baseKeys; + "jellyfin-oidc-client-secret.age".publicKeys = droppieKeys ++ baseKeys; + "rclone-pubsolar.conf.age".publicKeys = pieKeys ++ frikandelKeys ++ stroopwafelKeys ++ chocolatebarKeys ++ baseKeys; "restic-password.age".publicKeys = pieKeys ++ frikandelKeys ++ stroopwafelKeys ++ chocolatebarKeys ++ baseKeys; diff --git a/terraform/b12f.io.tf b/terraform/b12f.io.tf index 93621d3..caa6989 100644 --- a/terraform/b12f.io.tf +++ b/terraform/b12f.io.tf @@ -124,22 +124,6 @@ resource "hostingde_record" "b12f-dmarc" { ttl = 300 } -resource "hostingde_record" "b12f-droppie-AAAA" { - zone_id = hostingde_zone.b12f.id - name = "droppie.b12f.io" - type = "AAAA" - content = "2a02:908:5b1:e3c0:3::" - ttl = 300 -} - -resource "hostingde_record" "b12f-pie-AAAA" { - zone_id = hostingde_zone.b12f.id - name = "pie.b12f.io" - type = "AAAA" - content = "2a02:908:5b1:e3c0:2::" - ttl = 300 -} - resource "hostingde_record" "b12f-firefly" { zone_id = hostingde_zone.b12f.id name = "firefly.b12f.io" 
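Review bot: In the `secrets/secrets.nix` hunk `"jellyfin-oidc-client-secret.age"` is registered for `droppieKeys ++ baseKeys`, but nothing else in this diff consumes it (the `hosts/pie` changes reference only the three new authelia secrets), so presumably a droppie-side `age.secrets` declaration exists or is still to come; worth confirming so the entry is not orphaned. Keeping the plaintext client secret encrypted for droppie only, while pie carries just the PBKDF2 digest in `authelia.nix`, is the right separation. The enclosing attribute set starts outside the hunk.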
@@ -179,3 +163,11 @@ resource "hostingde_record" "b12f-media" {
 content = "frikandel.b12f.io"
 ttl = 300
 }
+
+resource "hostingde_record" "b12f-auth" {
+ zone_id = hostingde_zone.b12f.id
+ name = "auth.b12f.io"
+ type = "CNAME"
+ content = "frikandel.b12f.io"
+ ttl = 300
+}