SQ chonk: Use authelia

hosts/chonk/authelia.nix

@@ -0,0 +1,112 @@
+{
+  pkgs,
+  config,
+  self,
+  ...
+}: let
+  containerStateDir = "/var/lib/authelia-gssws";
+  hostStateDir = "/opt/authelia";
+  domain = "auth.gssws.de";
+  servicePort = 9091;
+in {
+  age.secrets.authelia_users = {
+    file = "${self}/secrets/chonk_authelia_users.age";
+    owner = "999";
+    group = "999";
+  };
+
+  age.secrets.authelia_storage_encryption_key = {
+    file = "${self}/secrets/chonk_authelia_storage_encryption_key.age";
+    owner = "999";
+    group = "999";
+  };
+
+  age.secrets.authelia_jwt_secret = {
+    file = "${self}/secrets/chonk_authelia_jwt_secret.age";
+    owner = "999";
+    group = "999";
+  };
+
+  services.nginx.virtualHosts."${domain}" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/" = {
+      proxyPass = "http://127.0.0.1:${toString servicePort}";
+    };
+  };
+
+  containers."authelia" = {
+    autoStart = true;
+    ephemeral = true;
+    bindMounts = {
+      "${containerStateDir}" = {
+        hostPath = hostStateDir;
+        isReadOnly = false;
+      };
+
+      "/run/agenix" = {
+        hostPath = "/run/agenix";
+        isReadOnly = false;
+      };
+
+      "/run/agenix.d" = {
+        hostPath = "/run/agenix.d";
+        isReadOnly = false;
+      };
+    };
+
+    config = {
+      config,
+      pkgs,
+      ...
+    }: {
+      networking.firewall.enable = false;
+
+      services.authelia.instances."gssws" = {
+        enable = true;
+
+        secrets = {
+          jwtSecretFile = "/run/agenix/authelia_jwt_secret";
+          storageEncryptionKeyFile = "/run/agenix/authelia_storage_encryption_key";
+        };
+
+        settings = {
+          theme = "auto";
+          server.port = servicePort;
+
+          session.domain = domain;
+          default_redirection_url = "https://home.gssws.de/";
+
+          access_control.default_policy = "two_factor";
+
+          authentication_backend = {
+            password_reset.disable = false;
+            file = {
+              path = "/run/agenix/authelia_users";
+            };
+          };
+
+          storage.local.path = "/var/lib/authelia-gssws/db.sqlite3";
+
+          totp = {
+            issuer = "auth.gssws.de";
+            algorithm = "SHA512";
+            digits = 8;
+          };
+
+          webauthn = {
+            display_name = "auth.gssws.de";
+          };
+
+          notifier.smtp = {
+            address = "smtp://mail.gssws.de:25";
+            sender = "Authelia <authelia@gssws.de>";
+            identifier = "auth.gssws.de";
+          };
+        };
+      };
+
+      system.stateVersion = "23.05";
+    };
+  };
+}

hosts/chonk/configuration.nix

@@ -23,6 +23,8 @@
 
     ./libvirt-container.nix
     ./monitoring.nix
+
+    ./authelia.nix
   ];
 
   boot.loader.systemd-boot.enable = lib.mkForce false;

secrets/chonk_authelia_jwt_secret.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw Apw//H4a37XD/Ahc2H6sMgJoM0VQ8RWyNIq56yEm+no
+BNUgGmTl9JIbreob+8AbQA5wxpdW7WygDI92niy1jgQ
+-> ssh-ed25519 YFSOsg ASLv+TOx0DWmbNXSS3HUKS5puniN1w0FMrmMun4/2Xs
+W+/rf6VjlutzLfEFuukc12k9Gz2qMtO1dM16NIWyCUw
+-> ssh-ed25519 iHV63A gOWG5xpmZkOsbJwtA/LizsKTCPBlaYgUhzv6dS3GikU
+Jc8nEl5qGWwqQbucqy2AY1DWEwj7605OlTgtgqSOe2g
+-> ssh-ed25519 Oya/Zw JiLOj7SedW6XSY+XFrXf6Q4A0BCQ34Kjdara9LongzI
+mjxxUFLYHnTFtCWLVZpiHDDTSBR/uhz9hB4d741mahc
+-> @wmC-grease l~lJ rW HpVY S|
+6KfyYCevSvxvlGf4Ts/hB1JS5V2lG077PrgoVBlx5sLjeCRr2KF5dThtRfoeVTZV
+BGJ5
+--- R2Kjwn9GDi6oTDWE5SvGnPz/0RNHRwm6FuSB166gbTk
+lŒJU3ª´Ì{©«É XgG¬z<C2AC>ùó-È’°T®Ó^LX-7U%Ï7H>"44ºå]¦„>Œ?i<>
+³Æ¹2/¡Ð¦

secrets/chonk_authelia_storage_encryption_key.age

@@ -0,0 +1,15 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw BKaJOaemFofcTtYVUXTMApzwEd42LdRA2vRmXCKpxwQ
+QXOGSdJoJEbtUK+G+TFY5AKCo1TgWuy2qnRu6zbymJQ
+-> ssh-ed25519 YFSOsg UJcVYMY7iS5QlW6nfdLnK5a7wAdpygYtZhPBiuwx8FQ
+Ubhix1fkykeOD6U0ytKSMHdsjbmY0Mtc07zBLFl9uvE
+-> ssh-ed25519 iHV63A d2+m6Ryo5TkgJ1uNvoIZk9qHUQWkGJ1Dv5SX21inQUw
+/JP9RcaA+Hu3UsHhhZuF2mBOTpcCG5Mfa98mNxWmD1s
+-> ssh-ed25519 Oya/Zw 5DsVfU4lP7BhBRc4AAhHdc1flHULF9AQgH0i7mv00h4
+Ba7poebUMFXd8Jl8rHWqivxDC6aQhhZy7/14ynRHk6U
+-> &qpx-grease v}*
+NRFo9WSsLJZjKaA/hGI88QQjJxBX8enh99hsF8lgZPO4Cd8x1qsWhseO2vBHBHGa
+
+--- Xjb/GVPQNCC9+3X3rue8nBToJipoEJb4O/ixjpOrBsg
+ä&ñ(Ã;
9™6ÒQ"1w#¡nøº[×GX.
+î!;µù=­4‹+Yà¬×ÄRSnq<6E>]‚ŽÕãz#ÉFòCàÃ

secrets/chonk_authelia_users.age

@@ -0,0 +1,14 @@
+age-encryption.org/v1
+-> ssh-ed25519 hPyiJw seAHnMdOhbSvm2EmyY6rf9i0rfApCHTAKHVnpGSNvzI
+PzY8+xJCIemo42mUFgt/0Zep7tiNpgwOyb8fAJVKB/s
+-> ssh-ed25519 YFSOsg doaGH3q9/oHUfXjnuhY5zg+h0eWdw1qDP8XntmVy2Ac
+4eEvBcoWIqJJWC2fy5lQv+dCpFnbVtBBdzLg5Ftjf6A
+-> ssh-ed25519 iHV63A LNjKmQl/+9sZgv1a60+L3peU7LMSufmIOeZqaHDVji8
+Gzvb3Bd8EAHqDDxc8cruTKHE0+uyek4UP8UH2QbnedA
+-> ssh-ed25519 Oya/Zw NzA3tUU554imIollIvRKhphlrbq4y9x6Q4EVQEes8ls
+qpY+Vb6EKmhh45SdJsDlWlIDzWKSj1P5yrme4pmn63A
+-> R"^mQ-grease
+Q/i8Ht0+HG1Ekuy9kpjLmRXWEBDUtBX3ldS6+ME
+--- vz5tu+PqfzucpQXuSTZoIE1b9NodOPsBqh8VSDzW0to
+@¸z¼å¹ûfJ}_ïì¢MÍÅ£ž!Sôè’
Õüøäõš€‰*wR[å-µ±*üyŠÒØçʾ† Õ’Bȉ
+­^
1vÆ€W=¯§‚O‹FµFY
å_LLF<5c5cýot£„À5\lÇOclbál¾¡àî3ñšˆ{1\ãT§¤è*ÆCÃŽ<C383>R¹z<™x<E284A2>‡©’\ˆÚ<CB86>4M™ÝÇ׳ev7îBÍ'vÒt°-ý­¿Zš“•_ŸY{A³¡—<C2A1>øé›ðu‚éÐŒô¾&ïU£~ì±3Lq(w‰Îø:<3A>SŽ!ŦÔûÿ±ÇÚà<03>Y	1º…[;60Ö.:ù·]*óüæ!

secrets/secrets.nix

@@ -54,6 +54,9 @@ in {
   "chonk_restic_nextcloud_password.age".publicKeys = users ++ [system_chonk];
   "chonk_nix_builder_private_key.age".publicKeys = users ++ [system_chonk];
   "chonk_invidious_db_password.age".publicKeys = users ++ [system_chonk];
+  "chonk_authelia_users.age".publicKeys = users ++ [system_chonk];
+  "chonk_authelia_storage_encryption_key.age".publicKeys = users ++ [system_chonk];
+  "chonk_authelia_jwt_secret.age".publicKeys = users ++ [system_chonk];
 
   "home_controller_ringo_wireguard_key.age".publicKeys = users ++ [system_ringo];