From f08bfc3145eb87bb8124836e3445e42182185493 Mon Sep 17 00:00:00 2001 From: b12f Date: Fri, 6 Sep 2024 19:29:08 +0200 Subject: [PATCH] pie/authelia: add jellyfin oidc config base --- flake.lock | 17 ----- flake.nix | 2 - hosts/pie/authelia.nix | 69 ++++++++++++++++--- hosts/pie/unbound.nix | 19 +++-- overlays/default.nix | 2 - secrets/authelia-jwks-private-key.age | Bin 0 -> 2843 bytes secrets/authelia-oidc-hmac-secret.age | Bin 0 -> 1268 bytes secrets/authelia-oidc-issuer-private-key.age | 22 ++++++ secrets/authelia-users-file.age | Bin 1384 -> 1675 bytes secrets/jellyfin-oidc-client-secret.age | 22 ++++++ secrets/secrets.nix | 5 ++ terraform/b12f.io.tf | 24 +++---- 12 files changed, 131 insertions(+), 51 deletions(-) create mode 100644 secrets/authelia-jwks-private-key.age create mode 100644 secrets/authelia-oidc-hmac-secret.age create mode 100644 secrets/authelia-oidc-issuer-private-key.age create mode 100644 secrets/jellyfin-oidc-client-secret.age diff --git a/flake.lock b/flake.lock index 22178b3..a9982ca 100644 --- a/flake.lock +++ b/flake.lock @@ -61,22 +61,6 @@ "type": "github" } }, - "authelia-438": { - "locked": { - "lastModified": 1714672681, - "narHash": "sha256-r/vqZTUi7TxLgZtkgq0YRlH+Hh9rtfjx93OwETrgO4I=", - "owner": "nicomem", - "repo": "nixpkgs", - "rev": "01b37b0465266d7a587546cece37960d7c962e31", - "type": "github" - }, - "original": { - "owner": "nicomem", - "ref": "authelia-4.38", - "repo": "nixpkgs", - "type": "github" - } - }, "darwin": { "inputs": { "nixpkgs": [ @@ -699,7 +683,6 @@ "inputs": { "adblock-unbound": "adblock-unbound", "agenix": "agenix", - "authelia-438": "authelia-438", "deno2nix": "deno2nix", "deploy-rs": "deploy-rs", "flake-compat": "flake-compat_2", diff --git a/flake.nix b/flake.nix index 1a7c088..175f677 100644 --- a/flake.nix +++ b/flake.nix 
@@ -24,8 +24,6 @@ deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; deploy-rs.inputs.flake-compat.follows = "flake-compat"; - authelia-438.url = "github:nicomem/nixpkgs/authelia-4.38"; - agenix.url = "github:ryantm/agenix"; agenix.inputs.nixpkgs.follows = "nixpkgs"; diff --git a/hosts/pie/authelia.nix b/hosts/pie/authelia.nix index cb17727..acb92d9 100644 --- a/hosts/pie/authelia.nix +++ b/hosts/pie/authelia.nix @@ -9,14 +9,6 @@ with lib; let psCfg = config.pub-solar; xdg = config.home-manager.users."${psCfg.user.name}".xdg; in { - disabledModules = [ - "services/security/authelia.nix" - ]; - - imports = [ - "${flake.inputs.authelia-438}/nixos/modules/services/security/authelia.nix" - ]; - age.secrets."authelia-storage-encryption-key" = { file = "${flake.self}/secrets/authelia-storage-encryption-key.age"; mode = "400"; @@ -35,6 +27,24 @@ in { owner = "authelia-b12f"; }; + age.secrets."authelia-oidc-issuer-private-key" = { + file = "${flake.self}/secrets/authelia-oidc-issuer-private-key.age"; + mode = "400"; + owner = "authelia-b12f"; + }; + + age.secrets."authelia-oidc-hmac-secret" = { + file = "${flake.self}/secrets/authelia-oidc-hmac-secret.age"; + mode = "400"; + owner = "authelia-b12f"; + }; + + age.secrets."authelia-jwks-private-key" = { + file = "${flake.self}/secrets/authelia-jwks-private-key.age"; + mode = "400"; + owner = "authelia-b12f"; + }; + age.secrets."authelia-users-file" = { file = "${flake.self}/secrets/authelia-users-file.age"; mode = "400"; @@ -69,6 +79,8 @@ in { storageEncryptionKeyFile = config.age.secrets."authelia-storage-encryption-key".path; sessionSecretFile = config.age.secrets."authelia-session-secret".path; jwtSecretFile = config.age.secrets."authelia-jwt-secret".path; + oidcIssuerPrivateKeyFile = config.age.secrets."authelia-oidc-issuer-private-key".path; + oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path; }; settings = { 
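Review bot: `oidcIssuerPrivateKeyFile` is wired here while the `@@ -106,6 +118,45 @@` hunk of the same file also supplies a key through `identity_providers.oidc.jwks`, so the issuer is handed two distinct private keys from two separate age secrets (`authelia-oidc-issuer-private-key` and `authelia-jwks-private-key`). If I recall Authelia 4.38's config validation correctly, a configured `issuer_private_key` is prepended to the JWKS and becomes the default signing key, which would make the explicit `jwks` entry a secondary key rather than the one tokens are actually signed with — worth confirming which key is intended and dropping the other secret. If both are meant to stay (e.g. for a rotation), a comment such as `# issuer_private_key is deprecated in favour of jwks; both kept because <reason>` would save the next reader the same question. The enclosing `secrets` attrset starts and ends outside the hunk.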
@@ -81,7 +93,7 @@ in { }; authentication_backend = { refresh_interval = "disable"; - password_reset = {disable = true;}; + password_reset.disable = true; file = { path = config.age.secrets."authelia-users-file".path; watch = false; @@ -106,6 +118,45 @@ in { identifier = "auth@b12f.io"; subject = "[auth.b12f.io] {title}"; }; + identity_providers.oidc = { + jwks = [{ + key = ''{{- fileContent "${config.age.secrets."authelia-jwks-private-key".path}" | nindent 8 }}''; + }]; + authorization_policies = { + admins = { + default_policy = "deny"; + rules = [{ + policy = "two_factor"; + subject = "group:admins"; + }]; + }; + jellyfin = { + default_policy = "deny"; + rules = [{ + policy = "two_factor"; + subject = "group:jellyfin-users"; + }]; + }; + }; + clients = [ + { + client_id = "jellyfin"; + client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ"; + public = false; + authorization_policy = "jellyfin"; + require_pkce = true; + pkce_challenge_method = "S256"; + redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ]; + scopes = [ + "openid" + "profile" + "groups" + ]; + userinfo_signed_response_alg = "none"; + token_endpoint_auth_method = "client_secret_post"; + } + ]; + }; }; }; diff --git a/hosts/pie/unbound.nix b/hosts/pie/unbound.nix index a769b7a..47d16d8 100644 --- a/hosts/pie/unbound.nix +++ b/hosts/pie/unbound.nix @@ -45,17 +45,17 @@ "::1" "192.168.178.2" - "2a02:908:5b1:e3c0:2::" + "fd00:b12f:acab:1312:acab:2::" ]; access-control = [ "127.0.0.1/32 allow" # Allow from local network "192.168.178.0/24 allow" - "2a02:908:5b1:e3c0::/64 allow" + "fd00:b12f:acab:1312:acab::/64 allow" # Allow from wireguard - "10.13.12.0/24 allow" + "192.168.178.0/24 allow" "fd00:b12f:acab:1312::/64 allow" ]; local-zone = [ 
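Review bot: The `jwks[].key` value relies on the `fileContent`/`nindent` template functions, which Authelia only evaluates when the `template` config filter is enabled for the process; the hunk gives no sign of how the NixOS module renders `settings` or whether it sets that filter, so presumably it does, but if not the literal `{{- fileContent ... }}` string is what the issuer receives as its key. Running `authelia config validate` against the rendered file on the host would settle that and also check that `nindent 8` matches the nesting the generated YAML actually produces. Separately, `authorization_policies.admins` is defined but no client in this hunk references it; if it is groundwork for later clients, a comment like `# reserved for future admin-only clients; no client uses this yet` makes that intent explicit. The rest of the client block (`require_pkce = true` with `S256`, `default_policy = "deny"` with a single `two_factor` group rule, a pbkdf2-hashed `client_secret`) looks right. The `settings` attrset starts and ends outside the hunk.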
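Review bot: In the `access-control` list the entry under `# Allow from wireguard` is now `"192.168.178.0/24 allow"`, which duplicates the LAN rule two lines above, so either the comment is stale or the WireGuard IPv4 netblock that replaced `10.13.12.0/24` was lost in the renumbering. The added `"fd00:b12f:acab:1312:acab::/64 allow"` also names the same /64 as the existing `"fd00:b12f:acab:1312::/64 allow"` once host bits are masked, so unbound may warn about bits set outside the prefix and the line grants no additional reachability. I would either restore the intended WireGuard IPv4 range or drop the duplicate and fix the comment, e.g. `# Allow from local network and wireguard (same /24 after renumbering)`. The `access-control` list continues outside the hunk.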
@@ -66,7 +66,16 @@ "\"brwb8763f64a364.local. 10800 IN A 192.168.178.4\"" "\"pie.local. 10800 IN A 192.168.178.2\"" - "\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:2::\"" + "\"pie.local. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\"" + "\"pie.b12f.io. 10800 IN A 192.168.178.2\"" + "\"firefly.b12f.io. 10800 IN A 192.168.178.2\"" + "\"firefly-importer.b12f.io. 10800 IN A 192.168.178.2\"" + "\"paperless.b12f.io. 10800 IN A 192.168.178.2\"" + "\"invoicing.b12f.io. 10800 IN A 192.168.178.2\"" + "\"auth.b12f.io. 10800 IN A 192.168.178.2\"" + + "\"droppie.b12f.io. 10800 IN A 192.168.178.3\"" + "\"media.b12f.io. 10800 IN A 192.168.178.3\"" "\"fritz.box. 10800 IN A 192.168.178.1\"" "\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\"" @@ -79,7 +88,7 @@ { name = "."; forward-addr = [ - "10.13.12.7" + "192.168.178.7" "fd00:b12f:acab:1312:acab:7::" ]; } diff --git a/overlays/default.nix b/overlays/default.nix index dd9e9fc..253f881 100644 --- a/overlays/default.nix +++ b/overlays/default.nix @@ -15,14 +15,12 @@ (final: prev: let unstable = import inputs.nixpkgs-unstable {system = prev.system;}; master = import inputs.nixpkgs-master {system = prev.system;}; - authelia-438 = import inputs.authelia-438 {system = prev.system;}; in { factorio-headless = master.factorio-headless; paperless-ngx = unstable.paperless-ngx; waybar = master.waybar; nix-inspect = unstable.nix-inspect; nix = unstable.lix; - authelia = authelia-438.authelia; adlist = inputs.adblock-unbound.packages.${prev.system}; 
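Review bot: `auth.b12f.io` is answered locally with `192.168.178.2` (pie) while the Terraform hunk in this patch publishes it as a CNAME to `frikandel.b12f.io`, and `media.b12f.io` likewise gets `192.168.178.3` here versus the existing CNAME to frikandel; the split-horizon intent is plausible but nothing in the diff records it. A one-line comment above the new block, e.g. `# split-horizon: public names CNAME to frikandel, LAN clients go straight to pie/droppie`, would document the reasoning. Note that the Jellyfin OIDC redirect flow depends on both `auth.b12f.io` and `media.b12f.io` presenting certificates valid for the public names on the LAN path as well — not visible here, so I am assuming the internal hosts terminate TLS for those names. The record list continues outside the hunk.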
diff --git a/secrets/authelia-jwks-private-key.age b/secrets/authelia-jwks-private-key.age new file mode 100644 index 0000000000000000000000000000000000000000..9c9fad04f6af0e9f40b5d27764cec1247f73860e GIT binary patch literal 2843 zcmY+``CrTl1Hf@dr0Jq`$YP2uO3insISI|xeCNKJQ?xV9%y+KlzDud};vq*wjwPZT zi$bVf^x7Qtu1Ob}JC&D{W5Yg(=O5I#Fj|(U~e4SjF3;Apc7M&tN5tIb<|1_Ij0XJk& zga8qyh6GBRi00;^a&$bN2~9Cm9UeUnm1MO8sbsuZ1qi)pmd{4ypb1hE#RSRKd^EwD zi?@Jukc|Z!@B39awnW!WN+GtRlFkBj6>eFgu zLJLu7RU@fFz~X?AZnut1!^1Erp2AJ_kOksQmD_1#p`0YCkI3-2%&5#9KGxuN5iMLf z5n;_xF+jGDYz4R^A%m7G*MTwxAM(M74l84Xn95;oOgAuZ^6csNOW=_R16cP`Lnn?qMcoT(B#)z~OE6=8r z3X?DZQI57i2A05Q<;idvCL@UEQ}r~L29k)>bgsh)!T_Vo0ii5dhF79tdeF2aI?YP8 zXt4kpDb;9EAOSMSCaI-P44Um#NHR&ZTv#q!%waPbWSpG_S=>&d z#4Y41jWUE(YtZYw5*42AlSi_JvSBtoSbZNwol zFa=&BM@T(3x&dhe1#TBfWCbW5IhQLJTa07@C&z;Ed3XeE2G{=Ijx9P@vIT{~!hKdN zLg$7Pv7p#(AUO?Ol3d^v(+zy1Oy?nUjC_kN)9VxxO)iAerBKii0tZZsm5LdllVr|B zq0q_2>85D|D zKG13g0fh)@h9xH_!$l^VP{z^XY#5yim*dhWd0ApN&&j2_(FhwF(j*ZPbgP7{k~tw* zoM`YRP*)vYKpULExW~?`-|;vL9bM-n>e4r=-SJvaPk?VG*`h&yp|lksv@TzkM_fi?c; zWeFAadilW#zsGjlcNQ=|e%}}qGnR1`rd=QmU*LLxpq)F^7jgQ8f-y-2(SP0CI-w)i zqZh*;?qCFV6wec6myL@zty_Cy9jW6*O!}4AQB8(llHvXt_e*IAxLbQiqMfGMf4wvK z^pB_7-!01e@YK;Mu8U?c&sOCwU%l_TR~xteyfyBAT*aE8+O~*`Uq@Q6zyFK!X@)&#xvNk1XE+|jVRr22A7cTU)wnyz;CgQW=8K~;EZ_q2dZv?;Ua4To{lOUXsf#}UZ9 zy)V<~wfa5&o*?qcANH>2C-;tnFCXJHRHQ8;(+)2mr}nwC-+BmZLMtW&zF2zxR-GX5 zS?}8#L|;j_E>vRZP49c=&JN($t_+BzMe}QS$A%iVfc@6Zud^w={F#wy0s75@;)TW; z2h<0Lpq|iG1Wg#@@BEn_9HVC5vX8!%w2jC@!${7v{CWW10yJ>0Y8+^03f%EoWDDI(S?Cp~QWd+{Cr!$E|U1LoCWEBxAW1R|<0L7MWU z=SMCwXY7XZQE%hYtP7*>M1Es=UrSNk2ZP|r{^Hx)Ya|=TxEH2^o8A|m7`+o%#R}e2 zraZcLu4SYKpR!xzX|68u@2~y{Jkk6Ch_1#`bZI{Kj?otJ;Yr`mPI)7p5+9$Yth{-V zzP6#RQ;BjA>WMSEr_zLBpkHZFIu6gql>-2AgnI*pr&i z!=JMZ%@hBc4PsVQyEPAae^j`Wd)m3>Z zHy|tL*^cwI<;i2Zq-<8`!6ByZo0u}$#}U@{a60ET1{En9nm3M| zDF|=<>FAZM`Pb-yknZuW_~Q#Rg;6^)&@HN_o3u)7)L7@fFHk$%YbI%Yi4DWp_W6a! 
zCqu)^cWFzm-s^`hPYxbnCSP()n7!3ccVS&@MYP3HG&ts(MwBdF*8KE!0tZ_%G_$_E z_Q|Slvny;xB*g6S(k z<^p2L!B#ziw9nhqQr<~6A3x11i6ZlMB1}|HeE0r;O`R`3ck%9czvbHuec{25(7hqy zqout{R{m(p@yt1S*}MK=Wc^yUCa$=#_{@}!k?ne!c*qxcZ}HA+ zU9F@|;q!z0KlL3Mf*<=*?pL*?YenMn@UfV-1CLe}Dh8q_tr?kN%oz@zpITbF$j$65 zv+n4+G*$l3Ru(O$-!<*|Jz_ZQ)||kTEh!%kHCS#&tpKWSlo4ZlwnZHo@z?w`=VQU_ z@P-52`j&Tn_q!v97%{2n-x-*IQOXB z?|tMoqNuq;we7>*s_7NL<;0Q(iK@Q1FI`-AAb&97VS@bmcLP0ttB*0ZKXGn-Bj0n? s{IjMS_B;ekEV(wQc70shLE|enzrAJA$XYu^)x?N1jEY626jUW z5ZYLGr4hF?SKTo{5Pyo48v-2pD-%2l8nu80EKa-7grWbmUA68d6IO#LfbN#afWyL> z;m9MV4r48z2{njk`M7X-@o3kD5w{dBbZ`TKLU_>SMI@onNYfovB0NCz8qlU!(s(cG zM63vjBW*<BJaXb2Hvx)rK=52F3Rdvc*@CGQbIZo#@$mg|YLj$(mIN6nZs|kgbohVL6I9 zd~dA+A)l$cgSb>>M0Uubtr>~smSVNvvgvVuDC6`f@%YLH`3VBJ7Q2+zdT6Uyq<~sN z_+wPkWQpDmjs-TuWrh+MzR?oHlpPzLESCX2E~3&*SzDmyE--`eF?ytD8zNcOW{pfU zg~DrcJWxfy0GG`+sv0D063TO}{QhoL1nx(e9!Ua~@T52gIs=<_iv<&!M%!e&C6vQa zjze2mGm&zVdsV!&coGE5nK@Y`tg%9rN++j6isrmS9T`COYeunjr4FigLz9StsC;e- zh0o&LDhT6XgL(5=b z*ky66i_0pU7>?>ncDJskrHI9gc^4jeEy`@hlJ`M4_P-vzYH_f}-bD z2JaCoBc~pdGDS-K^W!3_`vo$>dRTaY=DRqf}XcA-Bcr>>v zsGO)nJs6@`12B=;uB_E0blS|S>Uq?eJUa|2uPg;&YYd6N_gGbJk?!AS{6P= zJp%`9h>`N4W25`65|Twv_ZF9?4D33JEczY7FGG9jbHHd~=4A#;;iM%)6-*0$MhCWB ziqpwH5QcCfbeNG3p=Lh@`u%?INR@o+7Jfb8$SDBxt$0i z4e*DiKXCe`JIL)T-@joe76p89Y16y*?fcf%8!P|BkHwkmr!N2g3t;>(xsiSFTx)m_J289$yl`3WZWXWIB;P!Hwj=-ga-EU(wa0$Fc=Po; zCtrEk|N3+9)_bqrPOplWexp9U-ar53S06rd@50;ixp(fWKI5`D literal 0 HcmV?d00001 diff --git a/secrets/authelia-oidc-issuer-private-key.age b/secrets/authelia-oidc-issuer-private-key.age new file mode 100644 index 0000000..4ab985f --- /dev/null +++ b/secrets/authelia-oidc-issuer-private-key.age 
@@ -0,0 +1,22 @@ +age-encryption.org/v1 +-> ssh-ed25519 8bHz7g H2MPu4q1K5Wqj3HPTZ4CG3iLDSW8MVDF7dGduvfEuU8 +OezMmd+UxTPY+GU5bRRtIW35NIptZDYnI7qMW2qjrnc +-> ssh-rsa kFDS0A +W2vJ/TdhLlw+0mgVHiSU7EhV7KR9ivf/CLklqN1xv6zRPBVZhtzZ24fugFn77at4 ++UgSQJb67Wq6wTOlIphe4fEhsScjaJR8lGdxP3HdxSpS1UE0ZVOZysaSLjWuQZdc +Z/lM0R63uABMAGm7tPXNtpzJG54gdlJwizPt2MTqCJ0odxs8P2aJEE3cIEUaxkiK +yXT+BUh7rG/UUM/bGlEz/BKdqygnPd9/g6Mnz3vWMpd1DRImkpl0+EH91VCkJNBq +P27l+RezidQcCjVktzscs7OzLFNR/7CwZCY9n2otX58GPxdXdHoKk/F9uJgpwQAk +j4k55FcAU+6mBD3M8aRxeSAe6rebyUnmIaUmk2RqZoGVy7JmWBwKW88g2DbEwA3o +ednGd9h/WVhrXYH+tp+jDrwqclYCemUik0NJz2UejuZ1YgBYSit2B0/L86hT8ob3 +kVSGCDB1d0JoO4my8LZK4CkOGyVuyKuTEg7usZQw33iixD4wCO9tj8A5hG/gAVVP +osThDXYSFcwxUIk5L03F/zbsS6JuzImJDfNj4VvTagX3V0Rg/IqINY6NQtevACYm +Y1v2vZSwWazozty/bYNiNWk1M0e8HWvXSbLlWO5Nh/x/SZVW7kLCZeFF5teSaaKU +sYVm6zimnnZYifdQUxoHzPCF5bHF3r3TJxilQVbLK4w +-> piv-p256 zqq/iw AgOo+pIZ5Q4Nc43jjLHNCaNA8kpnNH4gfRw+fOCwi+sa +XlY14IT2498CFA/rhmEwBh0EYyG5ncZUa66ARVpYloY +-> piv-p256 vRzPNw Arce2/iFcvj75c2jnYKjdS/cGABX5r59QwlQDeYNKktm +j2RPpJoKgCgohrppf73GrfBX2LmphttLcYZMn80FnmE +--- 35kxW61pqLlo/5f0eAyaVBMk9RDgXKkCiSRDZpBiKk4 +ůǑtB5ޏ`Ta z;Pd@{^(_mWlaraIskW<%yjE!nE(5SR*V|hy(aEtO3lX`HipTk? z9LR?dL&bf}|FmYSY?mUTtQ)n(f}&zDElu#L65FjSTs5uJfWI6Qy_JZ=3QI8{V0d(Q zPJjw(F+!O&NkS`lv*szKq+F_Gi@;^GVvwjA1nU?r`H^5;r5l9lqw;P)Yk0g~s_f`O z3QzzlIfp7EC4Z_=!1#zkn%;zPH-Q5M2qa&V&7?#(O%LU9)bd!WYRM2!HXH_;qEUfl zeHalm$v`nsY=L!m6esRB))Q2Xu~C^qI6!-evIkYe?F3!c#46SWAkM0n7&uK7%u-x& z*I5MtiY(a1vn?c)bVL9zt|c&n5N)g_Fi0&G4DdjRCzFDePSIVO<8q;R0x71WxJxWFY zsOra})w?^n|NCRLYB*I8_S!8?b5%QbR8XP?F~By`Rv<0tu^JGv{0Rv~L@^hULqnLxwz zKrt#6K;c+CAH=H)&Ot&(5vqBc)9JLw1vOhG3em9D%_jYgic1MK93lj{( z&UZt8Y3I3t2TuOs@gC=`Ugq`hY|2dh_4rd~mEft3pN@{pv7C+5`5nw8oZT&n$fX0qq{jf(JLbej6brS%i|8D-glgI9kt`_*3$9XoyGiM6#| zAEz&#dj55J{Qb$_^}can2dG{D%y#qXb-gc4*Sq{Z_M6ME+!&hMUc9p5$)m-=cF(o> z!2+#2eI(}71n|Lp6R7YcXSEw9~_{=_}=$hHT!fAIGBJhZs5_mc0! 
z!B;lCvPXG$K(b3U?Ve_qbo*m<(yH~Fn z(?@z9KK^F^k`InHKjoc!2lsvQcTqdCX~XgP(;xkOYBXQE_w4=OzVi>`z{Kv^U+PbN z@!@4hM^|2$-S_){#tzK~?^(Kb+i;g2pL+X~k=290dGYk&>}>9*uceAxix*d{-g;*9 zg}#Mbb3<>Pc_clyYx;KWdp|sOfA0jnY0FCs8<&23N!xg9dg{=F?&||T=s%K}{>y6n zp*<_86U(m67vg$)^Xc@gX`;_8aW@? wvhzoy**C6a_uhA+|Bv(7di>b|^7DfiX3+4z&wu0j{LIqpXID+G^XfnT4?0D$pC4H+n?6bgG-#p+=>XJ==3Zg{EL+1Z`ho!Qy5J3D)35^{I$_nn=~ z?rdlmsi?@nj3AU0Ez>SwiYP&mK@q`ukRl=yvmWfCm}oZ)vWFh}3w{sZH!!q0%~!_R zD7FHBJ{TK?v?$wiSlr>PJO7x5f6q-Us+W5=LvLj_Lk^R0qZ;i=fPcwLD(Ju#~^ zBMEstTJYLP>`#COT5z&nM(Ai(b{i4I${;$ZXEt0m+{D!k#D~Hd>L5%<`cE52gPc>V zc0mHDC5FP(SZqvoJ6e~J3mx2Qwws|NVY&c90U|4qyGVx&XAh83Pqh@2hG$wH9E+;D1l9DJy;!>&TL(>h)%x2O~kD33HmQwi}p z$O5z{w=gSUTCVD#17AyeeNjwnsY^3rU8XCPmv@Nn)KMvj^DAtz*Tq^Q=Zq_OoTzea z0%2@d5H=z4QiI{AdV^||l#Ycm4X?=#IHKx!MCf}-xf#<{SD0ZFN~ocz1sh;eS!@Or z;EB^x9V~k=ZR=38lIL5pjEnSyscS-yiV=R6492R8al^ni)1aCc1Z+6zmPg}>E&9Cx zh;Ta3l9{NqeA*`$YJFdoMLPo(p9p9T=3zd|EK2|rl98ZE1dECU;SFZC$j4dC@?)S^ zn~)+zSM*A)MH-xjAz-H%Ms_+0(N?!AxT#>lP{IwgbO`H(!10C*~8dRB$gER#ctfbyjnDB)oy z)oGZ?j}c6Bi{%cM5@i)^kcK`ZG}oLBszC$C2b&4|FhE0tlhe4xmrJ!7A3!!lyF09utSAlBiZ&OtK4fae!HboMX}!I zDmKKWztXkX56Nulvc4G>FIgR7#YI}GW0u+IsxY9=5jQQICx1yEmuu+ zYg*R&tw@k$Ok(>BrdL`(r(ED5O=F-t!1wR3STnt`_VBO38}sE8`>&o_y|iu5EB)ll z{NvXTe0J;A*`XWz-h8Zb{ ssh-ed25519 LVlqCg 3dIRzCAXM+OhZFouFtUUWjYT1NUht1Z5e+j8wUPUIBk +VKe/jEGVW96bF+WucYA12+LfBYGnQC5RCZ8uz+ax6so +-> ssh-rsa kFDS0A +gV0l6GhK03/a1A/n7l6AcnwqfREH3OvydpbneRiUVFiDXz+AIi42BO8LSqpnCTfZ +IsRK9VPfrRmdr39PQRqeMmOVTUQ4oYcQ8R/k560UupgQ0HIdA6UhWhJ0/Nj0CESF +gWpUbfYi0N30Dnw6EqAjOu2n685BfBSsbRonTPDZQCydY12IiUDCu4FEZ1yQOBvX +FYy8wOp5gT8L1KR2aXz2/XeAb/aGIFO3SMBL1KZzltL9tGxAQe8DH3HMAXq+Qyao +wvnoozz5h8wDzLZUGilYS35k8cQIV+BtAJbXq+PPgCyIlKw/rZVfNY19yIJv7y0e +1jZxL7C8HA+Q6hPoUSlLY35aHY3EYduw8uBSmDNMuDgZvXYC8F8oNPLr1Rtr52zi +5ET2hnKR1yq/PJVme62Xkgl2MKprvX5gxbYMn2sw4E6NX8X8jneKKEFcFjDFSSWL +MgnLdumE9s9AHqoaqspIO+y8ic/juHg4/4nEdQ9ExiF/EeTUAPoX1TqJNSy8NYz+ +k2xqKSBdGsR4xfyEGA9Z2FrF3XTvE59nzfHU0g7A82U9pRy8Tkhw0lFanR9T/2R8 
+3ernZtj0k5B3HqYVaC5fduognoCJf5xzCedi+sCSCmkwBOczgOVMhzSMg1yLiyrz +OYNEyMa+IWFzwsP4BXsriNzdNMZGv9UwJzQC/pRBu4g +-> piv-p256 zqq/iw A9+TuOOX80CNXDp0XlVgQu7EUV9cjRqdu+PKrxKf1LQv +Ci3pOvlbaDJJ7nHd3m3EHpQpNIxZvXlzProLzrczPyA +-> piv-p256 vRzPNw AvhB0SZ9T54oujQP592HUpFuphMTA39BRhUajcO1sBOA +YG4iUO7Uvj3FmLTVj+LeElrIQTMpknVhfpsf98tGSMo +--- 50lcfhrBzcAuN+b6CARqOHA/Fr65DpUKKYKhq4UZ5VE +,ba+'yx0嶳{ѹgBd='Bed#7liUXbKNw +G+p?jJ#Vibti erQ \ No newline at end of file diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 9815018..f0ab8c3 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix @@ -74,8 +74,13 @@ in { "authelia-storage-encryption-key.age".publicKeys = pieKeys ++ baseKeys; "authelia-session-secret.age".publicKeys = pieKeys ++ baseKeys; "authelia-jwt-secret.age".publicKeys = pieKeys ++ baseKeys; + "authelia-oidc-issuer-private-key.age".publicKeys = pieKeys ++ baseKeys; + "authelia-oidc-hmac-secret.age".publicKeys = pieKeys ++ baseKeys; + "authelia-jwks-private-key.age".publicKeys = pieKeys ++ baseKeys; "authelia-users-file.age".publicKeys = pieKeys ++ baseKeys; + "jellyfin-oidc-client-secret.age".publicKeys = droppieKeys ++ baseKeys; + "rclone-pubsolar.conf.age".publicKeys = pieKeys ++ frikandelKeys ++ stroopwafelKeys ++ chocolatebarKeys ++ baseKeys; "restic-password.age".publicKeys = pieKeys ++ frikandelKeys ++ stroopwafelKeys ++ chocolatebarKeys ++ baseKeys; diff --git a/terraform/b12f.io.tf b/terraform/b12f.io.tf index 93621d3..caa6989 100644 --- a/terraform/b12f.io.tf +++ b/terraform/b12f.io.tf 
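Review bot: `jellyfin-oidc-client-secret.age` is encrypted to `droppieKeys ++ baseKeys` but nothing else in this patch consumes it, while the matching pbkdf2 hash lives in hosts/pie/authelia.nix; the split (plaintext only on the Jellyfin host, hash only on the Authelia host) is the right one, but the consumer is presumably wired up later or by hand. A brief comment next to the entry, e.g. `# plaintext client secret for the Jellyfin SSO plugin on droppie; Authelia on pie only holds the hash`, would make the pairing discoverable. The enclosing attrset starts and ends outside the hunk.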
@@ -124,22 +124,6 @@ resource "hostingde_record" "b12f-dmarc" { ttl = 300 } -resource "hostingde_record" "b12f-droppie-AAAA" { - zone_id = hostingde_zone.b12f.id - name = "droppie.b12f.io" - type = "AAAA" - content = "2a02:908:5b1:e3c0:3::" - ttl = 300 -} - -resource "hostingde_record" "b12f-pie-AAAA" { - zone_id = hostingde_zone.b12f.id - name = "pie.b12f.io" - type = "AAAA" - content = "2a02:908:5b1:e3c0:2::" - ttl = 300 -} - resource "hostingde_record" "b12f-firefly" { zone_id = hostingde_zone.b12f.id name = "firefly.b12f.io" @@ -179,3 +163,11 @@ resource "hostingde_record" "b12f-media" { content = "frikandel.b12f.io" ttl = 300 } + +resource "hostingde_record" "b12f-auth" { + zone_id = hostingde_zone.b12f.id + name = "auth.b12f.io" + type = "CNAME" + content = "frikandel.b12f.io" + ttl = 300 +}