cy/nixos-config
cy/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

init authelia

Browse source
This commit is contained in:
cy 2025-04-02 03:09:27 -04:00
parent da709432f5
commit 026abe5123
Signed by: cy
SSH key fingerprint: SHA256:o/geVWV4om1QhUSkKvDQeW/eAihwnjyXkqMwrVdbuts
8 changed files with 126 additions and 3 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
.sops.yaml
View file

@ -129,3 +129,10 @@ creation_rules:
- *yt
- *cy
- *chunk
- path_regex: secrets/services/authelia.yaml
key_groups:
- age:
- *yt
- *cy
- *chunk

6
hosts/chunk/default.nix
View file

@ -146,12 +146,12 @@
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD yt@ytnix"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6"
];
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD yt@ytnix"
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6"
];
# for forgejo
users.users.git = {
@ -190,4 +190,6 @@
# container stuff
my.containerization.enable = true;
my.authelia.enable = true;
}

2
hosts/chunk/garage.nix
View file

@ -40,7 +40,7 @@
reverse_proxy localhost:3903
'';
"*.web.cy7.sh" = {
serverAliases = [ "nixcache.cy7.sh" ];
serverAliases = [ "nixcache.cy7.sh" "staging.cy7.sh" ];
extraConfig = ''
import common
@plain {

1
hosts/chunk/redlib.nix
View file

@ -13,6 +13,7 @@
services.caddy.virtualHosts."red.cy7.sh".extraConfig = ''
import common
import authelia
reverse_proxy localhost:8087
'';
}

68
modules/authelia.nix Normal file
View file

@ -0,0 +1,68 @@
{
config,
lib,
...
}:
let
cfg = config.my.authelia;
getSecret = path: config.sops.secrets.${path}.path;
sopsConfig = {
sopsFile = ../secrets/services/authelia.yaml;
owner = "authelia-main";
};
domain = "auth.cy7.sh";
varPath = "/var/lib/authelia-main";
in
{
options.my.authelia = {
enable = lib.mkEnableOption "authelia";
};
config = lib.mkIf cfg.enable {
services.authelia.instances.main = {
enable = true;
settings = {
theme = "dark";
default_2fa_method = "webauthn";
log.level = "info";
log.format = "text";
server = {
disable_healthcheck = true;
endpoints.authz.forward-auth.implementation = "ForwardAuth";
};
authentication_backend.file.path = "${varPath}/users_database.yaml";
access_control = {
default_policy = "deny";
rules = [
{
domain = "red.cy7.sh";
policy = "one_factor";
}
];
};
session.cookies = [{
domain = "cy7.sh";
authelia_url = "https://${domain}";
}];
storage.local.path = "${varPath}/db.sqlite3";
notifier.filesystem.filename = "${varPath}/notifications.txt";
};
secrets = {
sessionSecretFile = getSecret "authelia/session";
storageEncryptionKeyFile = getSecret "authelia/storage";
jwtSecretFile = getSecret "authelia/jwt";
};
};
sops.secrets = {
"authelia/jwt" = sopsConfig;
"authelia/storage" = sopsConfig;
"authelia/session" = sopsConfig;
};
services.caddy.virtualHosts.${domain}.extraConfig = ''
import common
reverse_proxy localhost:9091
'';
};
}

7
modules/caddy.nix
View file

@ -34,6 +34,13 @@ in
resolvers 1.1.1.1 8.8.8.8
}
}
(authelia) {
forward_auth localhost:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
}
}
'';
environmentFile = config.sops.secrets."caddy/env".path;

1
modules/default.nix
View file

@ -9,5 +9,6 @@
./vaultwarden.nix
./searx.nix
./attic.nix
./authelia.nix
];
}

37
secrets/services/authelia.yaml Normal file
View file

@ -0,0 +1,37 @@
authelia:
jwt: ENC[AES256_GCM,data:L20XZt1eYz1srY+xIliasq4x2guxNIUOM4mVTPe/1uS2wQY6h1uY9n7yoMQ=,iv:OhTuutHQOVLG/CjX3m839Acw9eq/Yh3Iy947km1jalQ=,tag:nq/lwsfGSzeH6RsXLzr24g==,type:str]
storage: ENC[AES256_GCM,data:RW15TzoZifv0xrVAfrM7yFXv1ISp7v1c20PL4nGkQrXwjablPKQa5IZ0Fvg=,iv:YQ7+2h4O0Qx9BqnFU7WMaZuPtKU4BUo56/KPq2NQYxI=,tag:LQ8gWhf9rblGkN5bhPHPIQ==,type:str]
session: ENC[AES256_GCM,data:fJY4uSKRIcHDyDqndT9YiolOX1HDw2BphoaZONAv8AhdPV+aG5qj9Ppy3Rw=,iv:dcFZyIdZQQlyAORudsUCCD2wx4Sc7NF0dh/v/M6iYko=,tag:vBYU58mL7DecMqhX/TUdVg==,type:str]
sops:
age:
- recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJOG1menBCTTF3YURCOThM
Q3Z4bnZJYmtQY1RmdTBSeFlhZCtUVzg4Qm5ZClo5NFJqaWg3NElKQjRLcFZGdmxP
cFMwOGxoelJlVnJNamUxWFhETWpiY3cKLS0tIFNDWGRkYVZQWTd2YXg2aGswbmJz
MVJQdDV3ZGdzd3NYL29tYU51NndiNmcKtagAZdoZQo0y0atvRI6f1tY/3j8aD4RP
yvs9RVDdNqm990O5EudjMNhoKLXnFQtX9NlzYVHzrsX0UT/HSUi7mQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0K2tGaktsdXVPN3g0bXps
ZkVWamZGc0QzNk1TaVdla1RDaW90TVpYb25rCmRPL29ZNFFCbVkrbVpseW5SZlFN
dmlLWHVBb1RMb1dvY3NKNHc3NEpMZFEKLS0tIFluRGN6U2paVzVBdCt4d3FyMVZ4
Nkx5aHo4Qk8vU01wazdWdmhvNWRLQTAK7kiQiEdF1LpzQ/syjRjyhchShrnfhHFE
M/XWLSIcnnApt1dOyJhJlpsQTnT6Y6Fqem0y779/uOQCBJGavscOWw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzK2U3YlRLK3BuK1Q0TkYy
SE1lTkVXUUV4NFVuT2V2VjdqUFpBbVFLSTJnCjI3c0xpMnBnV0M0Q0ZHYTdUSVZl
MWNMQXowWitFVTlIMFBadVJ6OHBBR28KLS0tIHJ1M0NkZzFMSndIUjBwN2tFUmF5
b2pGTmJva2VnOFZlRWxlOW5wMitDUkkKrZyzpch6jTSsumseBEaN8xQXfng4P7ds
JSoock3sEmL4NSfxXSu+PP8kEOXFtu1yAcmSSeVDDhV7jiwE4egu2Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-04-02T06:02:29Z"
mac: ENC[AES256_GCM,data:F/nZqGBLsjLqocmtQCShAEDK79pEwZRVXw1ZNd6Rr2I6fewF2j3XAM5Zk9oRyI1jeD6lnKcWaYVx7dYFbcstlmTUZ2farIYZ6G/ylBMQxNP9mom+wWPz9oCwd5qBF5YrI0PtO6dFD7XXcUlWcWlPheuJ035XGp53rtNmvy1LVW0=,iv:+iWhVLm+KSLMb42n5d2I3JE6AQq/6tbd6LHd2nyUKfI=,tag:+oclIvtaG1s3SVLqbDiNwQ==,type:str]
unencrypted_suffix: _unencrypted
version: 3.10.1