SQ chonk: Use authelia

2023-10-06 00:14:14 +02:00 · 2023-10-06 00:14:14 +02:00 · dbef702ac3
parent 9accff4383
commit dbef702ac3
6 changed files with 161 additions and 0 deletions
--- a/hosts/chonk/authelia.nix
+++ b/hosts/chonk/authelia.nix
@ -0,0 +1,112 @@
 {
  pkgs,
  config,
  self,
  ...
 }: let
  containerStateDir = "/var/lib/authelia-gssws";
  hostStateDir = "/opt/authelia";
  domain = "auth.gssws.de";
  servicePort = 9091;
 in {
  age.secrets.authelia_users = {
    file = "${self}/secrets/chonk_authelia_users.age";
    owner = "999";
    group = "999";
  };
  age.secrets.authelia_storage_encryption_key = {
    file = "${self}/secrets/chonk_authelia_storage_encryption_key.age";
    owner = "999";
    group = "999";
  };
  age.secrets.authelia_jwt_secret = {
    file = "${self}/secrets/chonk_authelia_jwt_secret.age";
    owner = "999";
    group = "999";
  };
  services.nginx.virtualHosts."${domain}" = {
    forceSSL = true;
    enableACME = true;
    locations."/" = {
      proxyPass = "http://127.0.0.1:${toString servicePort}";
    };
  };
  containers."authelia" = {
    autoStart = true;
    ephemeral = true;
    bindMounts = {
      "${containerStateDir}" = {
        hostPath = hostStateDir;
        isReadOnly = false;
      };
      "/run/agenix" = {
        hostPath = "/run/agenix";
        isReadOnly = false;
      };
      "/run/agenix.d" = {
        hostPath = "/run/agenix.d";
        isReadOnly = false;
      };
    };
    config = {
      config,
      pkgs,
      ...
    }: {
      networking.firewall.enable = false;
      services.authelia.instances."gssws" = {
        enable = true;
        secrets = {
          jwtSecretFile = "/run/agenix/authelia_jwt_secret";
          storageEncryptionKeyFile = "/run/agenix/authelia_storage_encryption_key";
        };
        settings = {
          theme = "auto";
          server.port = servicePort;
          session.domain = domain;
          default_redirection_url = "https://home.gssws.de/";
          access_control.default_policy = "two_factor";
          authentication_backend = {
            password_reset.disable = false;
            file = {
              path = "/run/agenix/authelia_users";
            };
          };
          storage.local.path = "/var/lib/authelia-gssws/db.sqlite3";
          totp = {
            issuer = "auth.gssws.de";
            algorithm = "SHA512";
            digits = 8;
          };
          webauthn = {
            display_name = "auth.gssws.de";
          };
          notifier.smtp = {
            address = "smtp://mail.gssws.de:25";
            sender = "Authelia <authelia@gssws.de>";
            identifier = "auth.gssws.de";
          };
        };
      };
      system.stateVersion = "23.05";
    };
  };
 }
--- a/hosts/chonk/configuration.nix
+++ b/hosts/chonk/configuration.nix
@ -23,6 +23,8 @@
    ./libvirt-container.nix
    ./monitoring.nix
    ./authelia.nix
  ];
  boot.loader.systemd-boot.enable = lib.mkForce false;
--- a/secrets/chonk_authelia_jwt_secret.age
+++ b/secrets/chonk_authelia_jwt_secret.age
@ -0,0 +1,15 @@
 age-encryption.org/v1
 -> ssh-ed25519 hPyiJw Apw//H4a37XD/Ahc2H6sMgJoM0VQ8RWyNIq56yEm+no
 BNUgGmTl9JIbreob+8AbQA5wxpdW7WygDI92niy1jgQ
 -> ssh-ed25519 YFSOsg ASLv+TOx0DWmbNXSS3HUKS5puniN1w0FMrmMun4/2Xs
 W+/rf6VjlutzLfEFuukc12k9Gz2qMtO1dM16NIWyCUw
 -> ssh-ed25519 iHV63A gOWG5xpmZkOsbJwtA/LizsKTCPBlaYgUhzv6dS3GikU
 Jc8nEl5qGWwqQbucqy2AY1DWEwj7605OlTgtgqSOe2g
 -> ssh-ed25519 Oya/Zw JiLOj7SedW6XSY+XFrXf6Q4A0BCQ34Kjdara9LongzI
 mjxxUFLYHnTFtCWLVZpiHDDTSBR/uhz9hB4d741mahc
 -> @wmC-grease l~lJ rW HpVY S|
 6KfyYCevSvxvlGf4Ts/hB1JS5V2lG077PrgoVBlx5sLjeCRr2KF5dThtRfoeVTZV
 BGJ5
 --- R2Kjwn9GDi6oTDWE5SvGnPz/0RNHRwm6FuSB166gbTk
 lŒJU3ª´Ì{©«É XgG¬z<C2AC>ùó-È’°T®Ó^LX-7U%Ï7H>"44ºå]¦„>Œ?i<>
 ³Æ¹2/¡Ð¦
--- a/secrets/chonk_authelia_storage_encryption_key.age
+++ b/secrets/chonk_authelia_storage_encryption_key.age
@ -0,0 +1,15 @@
 age-encryption.org/v1
 -> ssh-ed25519 hPyiJw BKaJOaemFofcTtYVUXTMApzwEd42LdRA2vRmXCKpxwQ
 QXOGSdJoJEbtUK+G+TFY5AKCo1TgWuy2qnRu6zbymJQ
 -> ssh-ed25519 YFSOsg UJcVYMY7iS5QlW6nfdLnK5a7wAdpygYtZhPBiuwx8FQ
 Ubhix1fkykeOD6U0ytKSMHdsjbmY0Mtc07zBLFl9uvE
 -> ssh-ed25519 iHV63A d2+m6Ryo5TkgJ1uNvoIZk9qHUQWkGJ1Dv5SX21inQUw
 /JP9RcaA+Hu3UsHhhZuF2mBOTpcCG5Mfa98mNxWmD1s
 -> ssh-ed25519 Oya/Zw 5DsVfU4lP7BhBRc4AAhHdc1flHULF9AQgH0i7mv00h4
 Ba7poebUMFXd8Jl8rHWqivxDC6aQhhZy7/14ynRHk6U
 -> &qpx-grease v}*
 NRFo9WSsLJZjKaA/hGI88QQjJxBX8enh99hsF8lgZPO4Cd8x1qsWhseO2vBHBHGa
 --- Xjb/GVPQNCC9+3X3rue8nBToJipoEJb4O/ixjpOrBsg
 ä&ñ(Ã;
9™6ÒQ"1w#¡nøº[×GX.
 î!;µù=4‹+Yà¬×ÄRSnq<6E>]‚ŽÕãz#ÉFòCàÃ
--- a/secrets/chonk_authelia_users.age
+++ b/secrets/chonk_authelia_users.age
@ -0,0 +1,14 @@
 age-encryption.org/v1
 -> ssh-ed25519 hPyiJw seAHnMdOhbSvm2EmyY6rf9i0rfApCHTAKHVnpGSNvzI
 PzY8+xJCIemo42mUFgt/0Zep7tiNpgwOyb8fAJVKB/s
 -> ssh-ed25519 YFSOsg doaGH3q9/oHUfXjnuhY5zg+h0eWdw1qDP8XntmVy2Ac
 4eEvBcoWIqJJWC2fy5lQv+dCpFnbVtBBdzLg5Ftjf6A
 -> ssh-ed25519 iHV63A LNjKmQl/+9sZgv1a60+L3peU7LMSufmIOeZqaHDVji8
 Gzvb3Bd8EAHqDDxc8cruTKHE0+uyek4UP8UH2QbnedA
 -> ssh-ed25519 Oya/Zw NzA3tUU554imIollIvRKhphlrbq4y9x6Q4EVQEes8ls
 qpY+Vb6EKmhh45SdJsDlWlIDzWKSj1P5yrme4pmn63A
 -> R"^mQ-grease
 Q/i8Ht0+HG1Ekuy9kpjLmRXWEBDUtBX3ldS6+ME
 --- vz5tu+PqfzucpQXuSTZoIE1b9NodOPsBqh8VSDzW0to
@¸z¼å¹ûfJ}_ïì¢MÍÅ£ž!Sôè’
Õüøäõš€‰*wR[å-µ±*üyŠÒØçÊ¾† Õ’BÈ‰
 ^1vÆ€W=¯§‚O‹FµFY
å_LLF<5c5cýot£„À5\lÇOclbál¾¡àî3ñšˆ{1\ãT§¤è*ÆCÃŽ<C383>R¹z<™x<E284A2>‡©’\ˆÚ<CB86>4M™ÝÇ×³ev7îBÍ'vÒt°-ý¿Zš“•_ŸY{A³¡—<C2A1>øé›ðu‚éÐŒô¾&ïU£~ì±3Lq(w‰Îø:<3A>SŽ!Å¦Ôûÿ±ÇÚà<03>Y	1º…[;60Ö.:ù·]*óüæ!
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@ -54,6 +54,9 @@ in {
  "chonk_restic_nextcloud_password.age".publicKeys = users ++ [system_chonk];
  "chonk_nix_builder_private_key.age".publicKeys = users ++ [system_chonk];
  "chonk_invidious_db_password.age".publicKeys = users ++ [system_chonk];
  "chonk_authelia_users.age".publicKeys = users ++ [system_chonk];
  "chonk_authelia_storage_encryption_key.age".publicKeys = users ++ [system_chonk];
  "chonk_authelia_jwt_secret.age".publicKeys = users ++ [system_chonk];
  "home_controller_ringo_wireguard_key.age".publicKeys = users ++ [system_ringo];