pie/authelia: add jellyfin oidc config base

This commit is contained in:
b12f 2024-09-06 19:29:08 +02:00
parent ee324d57af
commit f08bfc3145
Signed by: b12f
GPG key ID: 729956E1124F8F26
12 changed files with 131 additions and 51 deletions


@ -61,22 +61,6 @@
"type": "github" "type": "github"
} }
}, },
"authelia-438": {
"locked": {
"lastModified": 1714672681,
"narHash": "sha256-r/vqZTUi7TxLgZtkgq0YRlH+Hh9rtfjx93OwETrgO4I=",
"owner": "nicomem",
"repo": "nixpkgs",
"rev": "01b37b0465266d7a587546cece37960d7c962e31",
"type": "github"
},
"original": {
"owner": "nicomem",
"ref": "authelia-4.38",
"repo": "nixpkgs",
"type": "github"
}
},
"darwin": { "darwin": {
"inputs": { "inputs": {
"nixpkgs": [ "nixpkgs": [
@ -699,7 +683,6 @@
"inputs": { "inputs": {
"adblock-unbound": "adblock-unbound", "adblock-unbound": "adblock-unbound",
"agenix": "agenix", "agenix": "agenix",
"authelia-438": "authelia-438",
"deno2nix": "deno2nix", "deno2nix": "deno2nix",
"deploy-rs": "deploy-rs", "deploy-rs": "deploy-rs",
"flake-compat": "flake-compat_2", "flake-compat": "flake-compat_2",


@ -24,8 +24,6 @@
deploy-rs.inputs.nixpkgs.follows = "nixpkgs"; deploy-rs.inputs.nixpkgs.follows = "nixpkgs";
deploy-rs.inputs.flake-compat.follows = "flake-compat"; deploy-rs.inputs.flake-compat.follows = "flake-compat";
authelia-438.url = "github:nicomem/nixpkgs/authelia-4.38";
agenix.url = "github:ryantm/agenix"; agenix.url = "github:ryantm/agenix";
agenix.inputs.nixpkgs.follows = "nixpkgs"; agenix.inputs.nixpkgs.follows = "nixpkgs";


@ -9,14 +9,6 @@ with lib; let
psCfg = config.pub-solar; psCfg = config.pub-solar;
xdg = config.home-manager.users."${psCfg.user.name}".xdg; xdg = config.home-manager.users."${psCfg.user.name}".xdg;
in { in {
disabledModules = [
"services/security/authelia.nix"
];
imports = [
"${flake.inputs.authelia-438}/nixos/modules/services/security/authelia.nix"
];
age.secrets."authelia-storage-encryption-key" = { age.secrets."authelia-storage-encryption-key" = {
file = "${flake.self}/secrets/authelia-storage-encryption-key.age"; file = "${flake.self}/secrets/authelia-storage-encryption-key.age";
mode = "400"; mode = "400";
@ -35,6 +27,24 @@ in {
owner = "authelia-b12f"; owner = "authelia-b12f";
}; };
age.secrets."authelia-oidc-issuer-private-key" = {
file = "${flake.self}/secrets/authelia-oidc-issuer-private-key.age";
mode = "400";
owner = "authelia-b12f";
};
age.secrets."authelia-oidc-hmac-secret" = {
file = "${flake.self}/secrets/authelia-oidc-hmac-secret.age";
mode = "400";
owner = "authelia-b12f";
};
age.secrets."authelia-jwks-private-key" = {
file = "${flake.self}/secrets/authelia-jwks-private-key.age";
mode = "400";
owner = "authelia-b12f";
};
age.secrets."authelia-users-file" = { age.secrets."authelia-users-file" = {
file = "${flake.self}/secrets/authelia-users-file.age"; file = "${flake.self}/secrets/authelia-users-file.age";
mode = "400"; mode = "400";
@ -69,6 +79,8 @@ in {
storageEncryptionKeyFile = config.age.secrets."authelia-storage-encryption-key".path; storageEncryptionKeyFile = config.age.secrets."authelia-storage-encryption-key".path;
sessionSecretFile = config.age.secrets."authelia-session-secret".path; sessionSecretFile = config.age.secrets."authelia-session-secret".path;
jwtSecretFile = config.age.secrets."authelia-jwt-secret".path; jwtSecretFile = config.age.secrets."authelia-jwt-secret".path;
oidcIssuerPrivateKeyFile = config.age.secrets."authelia-oidc-issuer-private-key".path;
oidcHmacSecretFile = config.age.secrets."authelia-oidc-hmac-secret".path;
}; };
settings = { settings = {
@ -81,7 +93,7 @@ in {
}; };
authentication_backend = { authentication_backend = {
refresh_interval = "disable"; refresh_interval = "disable";
password_reset = {disable = true;}; password_reset.disable = true;
file = { file = {
path = config.age.secrets."authelia-users-file".path; path = config.age.secrets."authelia-users-file".path;
watch = false; watch = false;
@ -106,6 +118,45 @@ in {
identifier = "auth@b12f.io"; identifier = "auth@b12f.io";
subject = "[auth.b12f.io] {title}"; subject = "[auth.b12f.io] {title}";
}; };
identity_providers.oidc = {
jwks = [{
key = ''{{- fileContent "${config.age.secrets."authelia-jwks-private-key".path}" | nindent 8 }}'';
}];
authorization_policies = {
admins = {
default_policy = "deny";
rules = [{
policy = "two_factor";
subject = "group:admins";
}];
};
jellyfin = {
default_policy = "deny";
rules = [{
policy = "two_factor";
subject = "group:jellyfin-users";
}];
};
};
clients = [
{
client_id = "jellyfin";
client_secret = "$pbkdf2-sha512$310000$koY0g1AqL.fEeQUJcE48SA$b9G4p7qquc6M9rSTnR.Ac3Le9KS25zbTN0aNiXT4sxag7Kstu4Pt66/sVlAh3lIS4CGjLcPA2GvjhXnapC.ziQ";
public = false;
authorization_policy = "jellyfin";
require_pkce = true;
pkce_challenge_method = "S256";
redirect_uris = [ "https://media.b12f.io/sso/OID/redirect/authelia" ];
scopes = [
"openid"
"profile"
"groups"
];
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_post";
}
];
};
}; };
}; };
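Review bot: The `jwks` entry's `key = ''{{- fileContent ... | nindent 8 }}''` only works if Authelia is started with its template config filter enabled (`X_AUTHELIA_CONFIG_FILTERS=template`); if the NixOS module does not set that variable, the literal `{{- ... }}` text becomes the key material and the OIDC provider will fail validation. Because `settings` is emitted by the Nix YAML generator rather than hand-written YAML, the generator also chooses how that string is quoted, so the `nindent 8` taken from the Authelia docs may not match the rendered layout — run `authelia validate-config` against the generated file once to confirm. The same file section also keeps `oidcIssuerPrivateKeyFile` (earlier hunk), which in 4.38 maps to the deprecated `issuer_private_key`, next to the new `jwks` list, so two signing-key sources are configured; if both secrets decrypt to the same key, keep only the `jwks` entry, otherwise add a comment stating why both are needed. The `settings` attribute set this hunk extends begins before the hunk.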


@ -45,17 +45,17 @@
"::1" "::1"
"192.168.178.2" "192.168.178.2"
"2a02:908:5b1:e3c0:2::" "fd00:b12f:acab:1312:acab:2::"
]; ];
access-control = [ access-control = [
"127.0.0.1/32 allow" "127.0.0.1/32 allow"
# Allow from local network # Allow from local network
"192.168.178.0/24 allow" "192.168.178.0/24 allow"
"2a02:908:5b1:e3c0::/64 allow" "fd00:b12f:acab:1312:acab::/64 allow"
# Allow from wireguard # Allow from wireguard
"10.13.12.0/24 allow" "192.168.178.0/24 allow"
"fd00:b12f:acab:1312::/64 allow" "fd00:b12f:acab:1312::/64 allow"
]; ];
local-zone = [ local-zone = [
@ -66,7 +66,16 @@
"\"brwb8763f64a364.local. 10800 IN A 192.168.178.4\"" "\"brwb8763f64a364.local. 10800 IN A 192.168.178.4\""
"\"pie.local. 10800 IN A 192.168.178.2\"" "\"pie.local. 10800 IN A 192.168.178.2\""
"\"pie.local. 10800 IN AAAA 2a02:908:5b1:e3c0:2::\"" "\"pie.local. 10800 IN AAAA fd00:b12f:acab:1312:acab:2::\""
"\"pie.b12f.io. 10800 IN A 192.168.178.2\""
"\"firefly.b12f.io. 10800 IN A 192.168.178.2\""
"\"firefly-importer.b12f.io. 10800 IN A 192.168.178.2\""
"\"paperless.b12f.io. 10800 IN A 192.168.178.2\""
"\"invoicing.b12f.io. 10800 IN A 192.168.178.2\""
"\"auth.b12f.io. 10800 IN A 192.168.178.2\""
"\"droppie.b12f.io. 10800 IN A 192.168.178.3\""
"\"media.b12f.io. 10800 IN A 192.168.178.3\""
"\"fritz.box. 10800 IN A 192.168.178.1\"" "\"fritz.box. 10800 IN A 192.168.178.1\""
"\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\"" "\"fritz.box. 10800 IN AAAA fd00::3ea6:2fff:fe57:30b0\""
@ -79,7 +88,7 @@
{ {
name = "."; name = ".";
forward-addr = [ forward-addr = [
"10.13.12.7" "192.168.178.7"
"fd00:b12f:acab:1312:acab:7::" "fd00:b12f:acab:1312:acab:7::"
]; ];
} }
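Review bot: In `access-control`, the line under `# Allow from wireguard` now reads `192.168.178.0/24 allow`, which duplicates the LAN rule two lines above, while the removed `10.13.12.0/24` was the only netblock that matched the comment; if WireGuard peers still receive addresses there they are now refused by the resolver, and if the tunnel was renumbered the comment is stale. The new LAN IPv6 rule `fd00:b12f:acab:1312:acab::/64` has bits set beyond the /64, so it denotes the same netblock as the `fd00:b12f:acab:1312::/64` line below it — given the interface address `fd00:b12f:acab:1312:acab:2::` a `/80` may have been intended. Either write the canonical prefixes and the real tunnel range, or drop the duplicate pair and the comment if the tunnel now lives inside the LAN prefix. The `access-control` list is complete within the hunk, but the enclosing settings block begins before it.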


@ -15,14 +15,12 @@
(final: prev: let (final: prev: let
unstable = import inputs.nixpkgs-unstable {system = prev.system;}; unstable = import inputs.nixpkgs-unstable {system = prev.system;};
master = import inputs.nixpkgs-master {system = prev.system;}; master = import inputs.nixpkgs-master {system = prev.system;};
authelia-438 = import inputs.authelia-438 {system = prev.system;};
in { in {
factorio-headless = master.factorio-headless; factorio-headless = master.factorio-headless;
paperless-ngx = unstable.paperless-ngx; paperless-ngx = unstable.paperless-ngx;
waybar = master.waybar; waybar = master.waybar;
nix-inspect = unstable.nix-inspect; nix-inspect = unstable.nix-inspect;
nix = unstable.lix; nix = unstable.lix;
authelia = authelia-438.authelia;
adlist = inputs.adblock-unbound.packages.${prev.system}; adlist = inputs.adblock-unbound.packages.${prev.system};

Binary file not shown.

Binary file not shown.


@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 8bHz7g H2MPu4q1K5Wqj3HPTZ4CG3iLDSW8MVDF7dGduvfEuU8
OezMmd+UxTPY+GU5bRRtIW35NIptZDYnI7qMW2qjrnc
-> ssh-rsa kFDS0A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-> piv-p256 zqq/iw AgOo+pIZ5Q4Nc43jjLHNCaNA8kpnNH4gfRw+fOCwi+sa
XlY14IT2498CFA/rhmEwBh0EYyG5ncZUa66ARVpYloY
-> piv-p256 vRzPNw Arce2/iFcvj75c2jnYKjdS/cGABX5r59QwlQDeYNKktm
j2RPpJoKgCgohrppf73GrfBX2LmphttLcYZMn80FnmE
--- 35kxW61pqLlo/5f0eAyaVBMk9RDgXKkCiSRDZpBiKk4
ůÀíÇt•õB5Þ<E28099>`Tòªa<œjŠ;c㺽¬<C2BD><ƒã9!j„·;¾ÉÇQ½öºö³TÎЩË~jüj&ÇŠ›çúˆ%dR”¹XH Îpà1Z±Ö¡3§ÏÁÐöV
IÊ5”vRÛ×Ú©<C39A>â[ÐJ“üŠUßM†uB'÷€ŒúÎr—f€»a-"FDA<12>#OÞì`˜˜€S1÷Ê 

Binary file not shown.


@ -0,0 +1,22 @@
age-encryption.org/v1
-> ssh-ed25519 LVlqCg 3dIRzCAXM+OhZFouFtUUWjYT1NUht1Z5e+j8wUPUIBk
VKe/jEGVW96bF+WucYA12+LfBYGnQC5RCZ8uz+ax6so
-> ssh-rsa kFDS0A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-> piv-p256 zqq/iw A9+TuOOX80CNXDp0XlVgQu7EUV9cjRqdu+PKrxKf1LQv
Ci3pOvlbaDJJ7nHd3m3EHpQpNIxZvXlzProLzrczPyA
-> piv-p256 vRzPNw AvhB0SZ9T54oujQP592HUpFuphMTA39BRhUajcO1sBOA
YG4iUO7Uvj3FmLTVj+LeElrIQTMpknVhfpsf98tGSMo
--- 50lcfhrBzcAuN+b6CARqOHA/Fr65DpUKKYKhq4UZ5VE
,ba¬Öø£…ÕÏü+‰”Á'y¡xª0â嶳¹õìË{ѹgB½Çd=˜'BeèdÅ#À7l¦°iUóX¹bKNwìÓ
G†+Š™p?îÿJ#¼Vibâti eör„€Q„ìÄ


@ -74,8 +74,13 @@ in {
"authelia-storage-encryption-key.age".publicKeys = pieKeys ++ baseKeys; "authelia-storage-encryption-key.age".publicKeys = pieKeys ++ baseKeys;
"authelia-session-secret.age".publicKeys = pieKeys ++ baseKeys; "authelia-session-secret.age".publicKeys = pieKeys ++ baseKeys;
"authelia-jwt-secret.age".publicKeys = pieKeys ++ baseKeys; "authelia-jwt-secret.age".publicKeys = pieKeys ++ baseKeys;
"authelia-oidc-issuer-private-key.age".publicKeys = pieKeys ++ baseKeys;
"authelia-oidc-hmac-secret.age".publicKeys = pieKeys ++ baseKeys;
"authelia-jwks-private-key.age".publicKeys = pieKeys ++ baseKeys;
"authelia-users-file.age".publicKeys = pieKeys ++ baseKeys; "authelia-users-file.age".publicKeys = pieKeys ++ baseKeys;
"jellyfin-oidc-client-secret.age".publicKeys = droppieKeys ++ baseKeys;
"rclone-pubsolar.conf.age".publicKeys = pieKeys ++ frikandelKeys ++ stroopwafelKeys ++ chocolatebarKeys ++ baseKeys; "rclone-pubsolar.conf.age".publicKeys = pieKeys ++ frikandelKeys ++ stroopwafelKeys ++ chocolatebarKeys ++ baseKeys;
"restic-password.age".publicKeys = pieKeys ++ frikandelKeys ++ stroopwafelKeys ++ chocolatebarKeys ++ baseKeys; "restic-password.age".publicKeys = pieKeys ++ frikandelKeys ++ stroopwafelKeys ++ chocolatebarKeys ++ baseKeys;


@ -124,22 +124,6 @@ resource "hostingde_record" "b12f-dmarc" {
ttl = 300 ttl = 300
} }
resource "hostingde_record" "b12f-droppie-AAAA" {
zone_id = hostingde_zone.b12f.id
name = "droppie.b12f.io"
type = "AAAA"
content = "2a02:908:5b1:e3c0:3::"
ttl = 300
}
resource "hostingde_record" "b12f-pie-AAAA" {
zone_id = hostingde_zone.b12f.id
name = "pie.b12f.io"
type = "AAAA"
content = "2a02:908:5b1:e3c0:2::"
ttl = 300
}
resource "hostingde_record" "b12f-firefly" { resource "hostingde_record" "b12f-firefly" {
zone_id = hostingde_zone.b12f.id zone_id = hostingde_zone.b12f.id
name = "firefly.b12f.io" name = "firefly.b12f.io"
@ -179,3 +163,11 @@ resource "hostingde_record" "b12f-media" {
content = "frikandel.b12f.io" content = "frikandel.b12f.io"
ttl = 300 ttl = 300
} }
resource "hostingde_record" "b12f-auth" {
zone_id = hostingde_zone.b12f.id
name = "auth.b12f.io"
type = "CNAME"
content = "frikandel.b12f.io"
ttl = 300
}