From dbef702ac37c1dfbba6f91468887b85eb729d5af Mon Sep 17 00:00:00 2001
From: Hendrik Sokolowski
Date: Fri, 6 Oct 2023 00:14:14 +0200
Subject: [PATCH] SQ chonk: Use authelia
---
 hosts/chonk/authelia.nix | 112 ++++++++++++++++++
 hosts/chonk/configuration.nix | 2 +
 secrets/chonk_authelia_jwt_secret.age | 15 +++
 .../chonk_authelia_storage_encryption_key.age | 15 +++
 secrets/chonk_authelia_users.age | 14 +++
 secrets/secrets.nix | 3 +
 6 files changed, 161 insertions(+)
 create mode 100644 hosts/chonk/authelia.nix
 create mode 100644 secrets/chonk_authelia_jwt_secret.age
 create mode 100644 secrets/chonk_authelia_storage_encryption_key.age
 create mode 100644 secrets/chonk_authelia_users.age
diff --git a/hosts/chonk/authelia.nix b/hosts/chonk/authelia.nix
new file mode 100644
index 00000000..14bbaffa
--- /dev/null
+++ b/hosts/chonk/authelia.nix
@@ -0,0 +1,112 @@
+{
+ pkgs,
+ config,
+ self,
+ ...
+}: let
+ containerStateDir = "/var/lib/authelia-gssws";
+ hostStateDir = "/opt/authelia";
+ domain = "auth.gssws.de";
+ servicePort = 9091;
+in {
+ age.secrets.authelia_users = {
+ file = "${self}/secrets/chonk_authelia_users.age";
+ owner = "999";
+ group = "999";
+ };
+
+ age.secrets.authelia_storage_encryption_key = {
+ file = "${self}/secrets/chonk_authelia_storage_encryption_key.age";
+ owner = "999";
+ group = "999";
+ };
+
+ age.secrets.authelia_jwt_secret = {
+ file = "${self}/secrets/chonk_authelia_jwt_secret.age";
+ owner = "999";
+ group = "999";
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString servicePort}";
+ };
+ };
+
+ containers."authelia" = {
+ autoStart = true;
+ ephemeral = true;
+ bindMounts = {
+ "${containerStateDir}" = {
+ hostPath = hostStateDir;
+ isReadOnly = false;
+ };
+
+ "/run/agenix" = {
+ hostPath = "/run/agenix";
+ isReadOnly = false;
+ };
+
+ "/run/agenix.d" = {
+ hostPath = "/run/agenix.d";
+ isReadOnly = false;
+ };
+ };
+
+ config = {
+ config,
+ pkgs,
+ ...
+ }: {
+ networking.firewall.enable = false;
+
+ services.authelia.instances."gssws" = {
+ enable = true;
+
+ secrets = {
+ jwtSecretFile = "/run/agenix/authelia_jwt_secret";
+ storageEncryptionKeyFile = "/run/agenix/authelia_storage_encryption_key";
+ };
+
+ settings = {
+ theme = "auto";
+ server.port = servicePort;
+
+ session.domain = domain;
+ default_redirection_url = "https://home.gssws.de/";
+
+ access_control.default_policy = "two_factor";
+
+ authentication_backend = {
+ password_reset.disable = false;
+ file = {
+ path = "/run/agenix/authelia_users";
+ };
+ };
+
+ storage.local.path = "/var/lib/authelia-gssws/db.sqlite3";
+
+ totp = {
+ issuer = "auth.gssws.de";
+ algorithm = "SHA512";
+ digits = 8;
+ };
+
+ webauthn = {
+ display_name = "auth.gssws.de";
+ };
+
+ notifier.smtp = {
+ address = "smtp://mail.gssws.de:25";
+ sender = "Authelia ";
+ identifier = "auth.gssws.de";
+ };
+ };
+ };
+
+ system.stateVersion = "23.05";
+ };
+ };
+}
diff --git a/hosts/chonk/configuration.nix b/hosts/chonk/configuration.nix
index 113854e4..df06ef4e 100644
--- a/hosts/chonk/configuration.nix
+++ b/hosts/chonk/configuration.nix
@@ -23,6 +23,8 @@ ./libvirt-container.nix ./monitoring.nix
+
+ ./authelia.nix
 ];
 boot.loader.systemd-boot.enable = lib.mkForce false;
diff --git a/secrets/chonk_authelia_jwt_secret.age b/secrets/chonk_authelia_jwt_secret.age
new file mode 100644
index 00000000..e5ba5403
--- /dev/null
+++ b/secrets/chonk_authelia_jwt_secret.age
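Review bot: The `/run/agenix` and `/run/agenix.d` bind mounts in the `containers."authelia"` block are `isReadOnly = false` although Authelia only reads its three secret files, and with no `privateUsers` set container root is host root on those paths, so every agenix secret on the host becomes readable and writable from inside the container; at minimum make both mounts `isReadOnly = true;`, and consider mounting only the three `authelia_*` files instead of the whole directory. `server.port` is set but `server.host` is not, so Authelia presumably listens on all interfaces; because nginx proxies to `127.0.0.1:9091` and the container shares the host network namespace (no `privateNetwork`) with its own firewall disabled, `server.host = "127.0.0.1";` keeps the plain-HTTP portal off the network unless the host firewall is known to block 9091 elsewhere. The nginx location sets only `proxyPass`; unless `services.nginx.recommendedProxySettings` is enabled in another file, Authelia will not receive `X-Forwarded-Proto`/`X-Forwarded-Host`/`X-Forwarded-For` and its redirects and client-address logging will be wrong. The hard-coded `owner = "999"` presumably matches the `authelia-gssws` uid inside the container, but nothing visible pins that uid on either side; a comment such as `# must equal the authelia-gssws uid inside the container (uid space is shared with the host)` would at least record the assumption. Note also that `notifier.smtp.address` with a URL scheme is an Authelia 4.38 option while 4.37 expects `host`/`port`, so this should be confirmed against the packaged version.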
@@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw Apw//H4a37XD/Ahc2H6sMgJoM0VQ8RWyNIq56yEm+no +BNUgGmTl9JIbreob+8AbQA5wxpdW7WygDI92niy1jgQ +-> ssh-ed25519 YFSOsg ASLv+TOx0DWmbNXSS3HUKS5puniN1w0FMrmMun4/2Xs +W+/rf6VjlutzLfEFuukc12k9Gz2qMtO1dM16NIWyCUw +-> ssh-ed25519 iHV63A gOWG5xpmZkOsbJwtA/LizsKTCPBlaYgUhzv6dS3GikU +Jc8nEl5qGWwqQbucqy2AY1DWEwj7605OlTgtgqSOe2g +-> ssh-ed25519 Oya/Zw JiLOj7SedW6XSY+XFrXf6Q4A0BCQ34Kjdara9LongzI +mjxxUFLYHnTFtCWLVZpiHDDTSBR/uhz9hB4d741mahc +-> @wmC-grease l~lJ rW HpVY S| +6KfyYCevSvxvlGf4Ts/hB1JS5V2lG077PrgoVBlx5sLjeCRr2KF5dThtRfoeVTZV +BGJ5 +--- R2Kjwn9GDi6oTDWE5SvGnPz/0RNHRwm6FuSB166gbTk +lJU3{ XgGz-ȒT^LX-7U%7H>"44]>?i +ƹ2/Ц \ No newline at end of file diff --git a/secrets/chonk_authelia_storage_encryption_key.age b/secrets/chonk_authelia_storage_encryption_key.age new file mode 100644 index 00000000..175ee63e --- /dev/null +++ b/secrets/chonk_authelia_storage_encryption_key.age @@ -0,0 +1,15 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw BKaJOaemFofcTtYVUXTMApzwEd42LdRA2vRmXCKpxwQ +QXOGSdJoJEbtUK+G+TFY5AKCo1TgWuy2qnRu6zbymJQ +-> ssh-ed25519 YFSOsg UJcVYMY7iS5QlW6nfdLnK5a7wAdpygYtZhPBiuwx8FQ +Ubhix1fkykeOD6U0ytKSMHdsjbmY0Mtc07zBLFl9uvE +-> ssh-ed25519 iHV63A d2+m6Ryo5TkgJ1uNvoIZk9qHUQWkGJ1Dv5SX21inQUw +/JP9RcaA+Hu3UsHhhZuF2mBOTpcCG5Mfa98mNxWmD1s +-> ssh-ed25519 Oya/Zw 5DsVfU4lP7BhBRc4AAhHdc1flHULF9AQgH0i7mv00h4 +Ba7poebUMFXd8Jl8rHWqivxDC6aQhhZy7/14ynRHk6U +-> &qpx-grease v}* +NRFo9WSsLJZjKaA/hGI88QQjJxBX8enh99hsF8lgZPO4Cd8x1qsWhseO2vBHBHGa + +--- Xjb/GVPQNCC9+3X3rue8nBToJipoEJb4O/ixjpOrBsg +&(; 96Q"1w#n[GX. +!;=4+YRSnq]z#FC \ No newline at end of file diff --git a/secrets/chonk_authelia_users.age b/secrets/chonk_authelia_users.age new file mode 100644 index 00000000..e8047fce --- /dev/null +++ b/secrets/chonk_authelia_users.age 
@@ -0,0 +1,14 @@ +age-encryption.org/v1 +-> ssh-ed25519 hPyiJw seAHnMdOhbSvm2EmyY6rf9i0rfApCHTAKHVnpGSNvzI +PzY8+xJCIemo42mUFgt/0Zep7tiNpgwOyb8fAJVKB/s +-> ssh-ed25519 YFSOsg doaGH3q9/oHUfXjnuhY5zg+h0eWdw1qDP8XntmVy2Ac +4eEvBcoWIqJJWC2fy5lQv+dCpFnbVtBBdzLg5Ftjf6A +-> ssh-ed25519 iHV63A LNjKmQl/+9sZgv1a60+L3peU7LMSufmIOeZqaHDVji8 +Gzvb3Bd8EAHqDDxc8cruTKHE0+uyek4UP8UH2QbnedA +-> ssh-ed25519 Oya/Zw NzA3tUU554imIollIvRKhphlrbq4y9x6Q4EVQEes8ls +qpY+Vb6EKmhh45SdJsDlWlIDzWKSj1P5yrme4pmn63A +-> R"^mQ-grease +Q/i8Ht0+HG1Ekuy9kpjLmRXWEBDUtBX3ldS6+ME +--- vz5tu+PqfzucpQXuSTZoIE1b9NodOPsBqh8VSDzW0to +@zfJ}_M!S *wR [-*y ՒBȉ +^1vƀW=OFFY _LLF<5c5cot5\lOclbl3{1\T*CÎRz