diff --git a/.sops.yaml b/.sops.yaml
index 21d2151..9e9a860 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -129,10 +129,3 @@ creation_rules:
- *yt
- *cy
- *chunk
- - path_regex: secrets/services/authelia.yaml
- key_groups:
- - age:
- - *yt
- - *cy
- - *chunk
-
diff --git a/flake.lock b/flake.lock
index a0bb113..480ec6e 100644
--- a/flake.lock
+++ b/flake.lock
@@ -131,11 +131,11 @@
"rocksdb": "rocksdb"
},
"locked": {
- "lastModified": 1743473828,
- "narHash": "sha256-x/sfh6LCHGAz8rL23GHhH7dac1LtHBbRRJi1p8gOdtI=",
+ "lastModified": 1743186614,
+ "narHash": "sha256-uGI98B+binIclsCJd2wXb7l1k2wV7e+sNmX4R8L5RPc=",
"owner": "girlbossceo",
"repo": "conduwuit",
- "rev": "0f81c1e1ccdcb0c5c6d5a27e82f16eb37b1e61c8",
+ "rev": "3e57b7d35d5bd6cfed5900b377f7c68970213518",
"type": "github"
},
"original": {
@@ -276,11 +276,11 @@
"nixpkgs-lib": "nixpkgs-lib"
},
"locked": {
- "lastModified": 1743550720,
- "narHash": "sha256-hIshGgKZCgWh6AYJpJmRgFdR3WUbkY04o82X05xqQiY=",
+ "lastModified": 1741352980,
+ "narHash": "sha256-+u2UunDA4Cl5Fci3m7S643HzKmIDAe+fiXrLqYsR2fs=",
"owner": "hercules-ci",
"repo": "flake-parts",
- "rev": "c621e8422220273271f52058f618c94e405bb0f5",
+ "rev": "f4330d22f1c5d2ba72d3d22df5597d123fdb60a9",
"type": "github"
},
"original": {
@@ -453,11 +453,11 @@
]
},
"locked": {
- "lastModified": 1743556466,
- "narHash": "sha256-rvU79DJ6rPDxiH0sTp686Vlm+JewwAZPGcwt8OfHJbM=",
+ "lastModified": 1743430792,
+ "narHash": "sha256-pGKDA84oK1WTt2yxBUjAwKLacNwJkf9CS7cTXXfgWvI=",
"owner": "nix-community",
"repo": "home-manager",
- "rev": "5ee44bc7c2e853f144390a12ebe5174ad7e3b9e0",
+ "rev": "216690777e47aa0fb1475e4dbe2510554ce0bc4b",
"type": "github"
},
"original": {
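Review bot: Every `lastModified` in this hunk goes backwards (conduwuit 1743473828 → 1743186614, flake-parts 1743550720 → 1741352980, home-manager 1743556466 → 1743430792), and the same holds for every other flake.lock hunk on the following lines (nixpkgs-stable_2, nixpkgs_4, nixvim, search, rust-overlay, sops-nix, nix-vscode-extensions), so the commit pins every input to an older revision instead of updating it. That pattern usually comes from committing flake.lock out of a stale checkout or from an unintended revert of a previous `nix flake update`, and an older nixpkgs pin also drops whatever fixes landed on the inputs in between. If the downgrade is deliberate, say so in the commit message; otherwise re-run `nix flake update` and commit the resulting lock before deploying.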
@@ -794,11 +794,11 @@
},
"nixpkgs-stable_2": {
"locked": {
- "lastModified": 1743501102,
- "narHash": "sha256-7PCBQ4aGVF8OrzMkzqtYSKyoQuU2jtpPi4lmABpe5X4=",
+ "lastModified": 1743367904,
+ "narHash": "sha256-sOos1jZGKmT6xxPvxGQyPTApOunXvScV4lNjBCXd/CI=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "02f2af8c8a8c3b2c05028936a1e84daefa1171d4",
+ "rev": "7ffe0edc685f14b8c635e3d6591b0bbb97365e6c",
"type": "github"
},
"original": {
@@ -842,11 +842,11 @@
},
"nixpkgs_4": {
"locked": {
- "lastModified": 1743559129,
- "narHash": "sha256-7gpAWsENV3tY2HmeHYQ2MoQxGpys+jQWnkS/BHAMXVk=",
+ "lastModified": 1743386251,
+ "narHash": "sha256-aRAFj+SzZGUlCMDBbd6yI09ffo9lMgx726VTZMMCRGA=",
"owner": "nixos",
"repo": "nixpkgs",
- "rev": "adae22bea8bcc0aa2fd6e8732044660fb7755f5e",
+ "rev": "1d3a750cb7d8e1058a425810c80790a3842ef27b",
"type": "github"
},
"original": {
@@ -867,11 +867,11 @@
"nuschtosSearch": "nuschtosSearch"
},
"locked": {
- "lastModified": 1743536158,
- "narHash": "sha256-/jlBU7EGIfaa5VKwvVyrSspuuNmgKYOjAuTd2ywyevg=",
+ "lastModified": 1743362786,
+ "narHash": "sha256-XbXIRDbb8/vLBX1M096l7lM5wfzBTp1ZXfUl9bUhVGU=",
"owner": "nix-community",
"repo": "nixvim",
- "rev": "754b8df7e37be04b7438decee5a5aa18af72cbe1",
+ "rev": "d81f37256d0a8691b837b74979d27bf89be8ecdd",
"type": "github"
},
"original": {
@@ -890,11 +890,11 @@
]
},
"locked": {
- "lastModified": 1743201766,
- "narHash": "sha256-bb/dqoIjtIWtJRzASOe8g4m8W2jUIWtuoGPXdNjM/Tk=",
+ "lastModified": 1742659553,
+ "narHash": "sha256-i/JCrr/jApVorI9GkSV5to+USrRCa0rWuQDH8JSlK2A=",
"owner": "NuschtOS",
"repo": "search",
- "rev": "2651dbfad93d6ef66c440cbbf23238938b187bde",
+ "rev": "508752835128a3977985a4d5225ff241f7756181",
"type": "github"
},
"original": {
@@ -1011,11 +1011,11 @@
]
},
"locked": {
- "lastModified": 1743561237,
- "narHash": "sha256-dd97LXek202OWmUXvKYFdYWj0jHrn3p+L5Ojh1SEOqs=",
+ "lastModified": 1743388531,
+ "narHash": "sha256-OBcNE+2/TD1AMgq8HKMotSQF8ZPJEFGZdRoBJ7t/HIc=",
"owner": "oxalica",
"repo": "rust-overlay",
- "rev": "1de27ae43712a971c1da100dcd84386356f03ec7",
+ "rev": "011de3c895927300651d9c2cb8e062adf17aa665",
"type": "github"
},
"original": {
@@ -1031,11 +1031,11 @@
]
},
"locked": {
- "lastModified": 1743502316,
- "narHash": "sha256-zI2WSkU+ei4zCxT+IVSQjNM9i0ST++T2qSFXTsAND7s=",
+ "lastModified": 1743305778,
+ "narHash": "sha256-Ux/UohNtnM5mn9SFjaHp6IZe2aAnUCzklMluNtV6zFo=",
"owner": "Mic92",
"repo": "sops-nix",
- "rev": "e7f4d7ed8bce8dfa7d2f2fe6f8b8f523e54646f8",
+ "rev": "8e873886bbfc32163fe027b8676c75637b7da114",
"type": "github"
},
"original": {
@@ -1104,11 +1104,11 @@
]
},
"locked": {
- "lastModified": 1743558944,
- "narHash": "sha256-LtmHSXZjFXUWYwWhvEPWSbnmAD62TrvLdZGqQvcSHIY=",
+ "lastModified": 1743386331,
+ "narHash": "sha256-LqcqOUJJcTUgACX2N+i6cqMTZ/b0WAT4WUhwV9JWsZg=",
"owner": "nix-community",
"repo": "nix-vscode-extensions",
- "rev": "bc23f562c367b3e6300d596c24f0080220897df7",
+ "rev": "300097f877ee9a0c401a57e7ec731f4edace7117",
"type": "github"
},
"original": {
diff --git a/hosts/chunk/default.nix b/hosts/chunk/default.nix
index 56bae51..22290c1 100644
--- a/hosts/chunk/default.nix
+++ b/hosts/chunk/default.nix
@@ -146,12 +146,12 @@
];
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD yt@ytnix"
];
};
users.users.root.openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPdhAQYy0+vS+QmyCd0MAbqbgzyMGcsuuFyf6kg2yKge yt@ytlinux"
- "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOfubDWr0kRm2o4DqaK6l1s4NCdTkljXZWKWCiF5nX+6"
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyn2+OoRN4nExti+vFQ1NHEZip0slAoCH9C5/FzvgZD yt@ytnix"
];
# for forgejo
users.users.git = {
@@ -190,6 +190,4 @@
# container stuff
my.containerization.enable = true;
-
- my.authelia.enable = true;
}
diff --git a/hosts/chunk/garage.nix b/hosts/chunk/garage.nix
index 982e1f4..28f7b22 100644
--- a/hosts/chunk/garage.nix
+++ b/hosts/chunk/garage.nix
@@ -40,7 +40,7 @@
reverse_proxy localhost:3903
'';
"*.web.cy7.sh" = {
- serverAliases = [ "nixcache.cy7.sh" "staging.cy7.sh" ];
+ serverAliases = [ "nixcache.cy7.sh" ];
extraConfig = ''
import common
@plain {
diff --git a/hosts/chunk/redlib.nix b/hosts/chunk/redlib.nix
index fac65cd..d095da5 100644
--- a/hosts/chunk/redlib.nix
+++ b/hosts/chunk/redlib.nix
@@ -13,7 +13,6 @@
services.caddy.virtualHosts."red.cy7.sh".extraConfig = ''
import common
- import authelia
reverse_proxy localhost:8087
'';
}
diff --git a/modules/authelia.nix b/modules/authelia.nix
deleted file mode 100644
index 0db83ee..0000000
--- a/modules/authelia.nix
+++ /dev/null
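Review bot: The two-key list is now spelled out twice, once for the user whose `users.users.<name>` block starts above this hunk and once for root, and this rotation had to be applied to both copies by hand; a shared binding would keep the next rotation from drifting, e.g. `ytKeys = [ "ssh-ed25519 ... yt@ytlinux" "ssh-ed25519 ... yt@ytnix" ];` in a `let` and then `openssh.authorizedKeys.keys = ytKeys;` and `users.users.root.openssh.authorizedKeys.keys = ytKeys;`. The key being dropped carries no comment, so it is not obvious what machine it belonged to or whether it is still listed elsewhere (other hosts, or as an age recipient in `.sops.yaml`); this commit only removes it from this file, so that is worth checking before considering the old key retired.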
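Review bot: Removing `my.authelia.enable = true;` disables the service but does not clean up what it left on the host: the deleted module kept `users_database.yaml`, `db.sqlite3` and `notifications.txt` under `/var/lib/authelia-main`, owned by the `authelia-main` account, and NixOS does not delete state directories or service users when a module is dropped from the configuration. If Authelia is not coming back, that directory (the user database with its credential hashes and any notification output) and the account should be removed manually after the switch; if it might come back, note where the state lives in the commit message so it is not rediscovered by accident.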
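Review bot: Dropping `staging.cy7.sh` from `serverAliases` means Caddy stops serving and renewing a certificate for that name, but nothing in this commit touches DNS; if the record still points at this host, clients will get TLS or host-matching failures rather than a clean error, and a name that resolves but is served by nothing is easy to forget about. Remove or re-point the DNS entry together with this change, or leave a short comment on the `"*.web.cy7.sh"` block recording that `staging.cy7.sh` was retired and when.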
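Review bot: With `import authelia` gone, `red.cy7.sh` is reverse-proxied to `localhost:8087` with nothing in front of it; the deleted module had `default_policy = "deny"` and allowed `red.cy7.sh` only at `one_factor`, so this vhost goes from authenticated-only to reachable by anyone who can reach Caddy, and no other hunk adds a replacement control. If that is intended (a public Redlib instance), a one-line comment in the vhost such as `# intentionally unauthenticated: public instance` would stop the next reader from re-adding auth; if not, put a replacement in front before deploying, for example Caddy's `basic_auth` directive or a `remote_ip` matcher allowlist ahead of `reverse_proxy`.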
@@ -1,68 +0,0 @@
-{
- config,
- lib,
- ...
-}:
-let
- cfg = config.my.authelia;
- getSecret = path: config.sops.secrets.${path}.path;
- sopsConfig = {
- sopsFile = ../secrets/services/authelia.yaml;
- owner = "authelia-main";
- };
- domain = "auth.cy7.sh";
- varPath = "/var/lib/authelia-main";
-in
-{
- options.my.authelia = {
- enable = lib.mkEnableOption "authelia";
- };
-
- config = lib.mkIf cfg.enable {
- services.authelia.instances.main = {
- enable = true;
- settings = {
- theme = "dark";
- default_2fa_method = "webauthn";
- log.level = "info";
- log.format = "text";
- server = {
- disable_healthcheck = true;
- endpoints.authz.forward-auth.implementation = "ForwardAuth";
- };
- authentication_backend.file.path = "${varPath}/users_database.yaml";
- access_control = {
- default_policy = "deny";
- rules = [
- {
- domain = "red.cy7.sh";
- policy = "one_factor";
- }
- ];
- };
- session.cookies = [{
- domain = "cy7.sh";
- authelia_url = "https://${domain}";
- }];
- storage.local.path = "${varPath}/db.sqlite3";
- notifier.filesystem.filename = "${varPath}/notifications.txt";
- };
- secrets = {
- sessionSecretFile = getSecret "authelia/session";
- storageEncryptionKeyFile = getSecret "authelia/storage";
- jwtSecretFile = getSecret "authelia/jwt";
- };
- };
-
- sops.secrets = {
- "authelia/jwt" = sopsConfig;
- "authelia/storage" = sopsConfig;
- "authelia/session" = sopsConfig;
- };
-
- services.caddy.virtualHosts.${domain}.extraConfig = ''
- import common
- reverse_proxy localhost:9091
- '';
- };
-}
\ No newline at end of file
diff --git a/modules/caddy.nix b/modules/caddy.nix
index 0eb2cb7..90ec770 100644
--- a/modules/caddy.nix
+++ b/modules/caddy.nix
@@ -34,13 +34,6 @@ in
resolvers 1.1.1.1 8.8.8.8
}
}
-
- (authelia) {
- forward_auth localhost:9091 {
- uri /api/authz/forward-auth
- copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
- }
- }
'';
environmentFile = config.sops.secrets."caddy/env".path;
diff --git a/modules/default.nix b/modules/default.nix
index db7bfa4..640d56b 100644
--- a/modules/default.nix
+++ b/modules/default.nix
@@ -9,6 +9,5 @@
./vaultwarden.nix
./searx.nix
./attic.nix
- ./authelia.nix
];
}
diff --git a/secrets/services/authelia.yaml b/secrets/services/authelia.yaml
deleted file mode 100644
index ebf6497..0000000
--- a/secrets/services/authelia.yaml
+++ /dev/null
@@ -1,37 +0,0 @@ -authelia: - jwt: ENC[AES256_GCM,data:L20XZt1eYz1srY+xIliasq4x2guxNIUOM4mVTPe/1uS2wQY6h1uY9n7yoMQ=,iv:OhTuutHQOVLG/CjX3m839Acw9eq/Yh3Iy947km1jalQ=,tag:nq/lwsfGSzeH6RsXLzr24g==,type:str] - storage: ENC[AES256_GCM,data:RW15TzoZifv0xrVAfrM7yFXv1ISp7v1c20PL4nGkQrXwjablPKQa5IZ0Fvg=,iv:YQ7+2h4O0Qx9BqnFU7WMaZuPtKU4BUo56/KPq2NQYxI=,tag:LQ8gWhf9rblGkN5bhPHPIQ==,type:str] - session: ENC[AES256_GCM,data:fJY4uSKRIcHDyDqndT9YiolOX1HDw2BphoaZONAv8AhdPV+aG5qj9Ppy3Rw=,iv:dcFZyIdZQQlyAORudsUCCD2wx4Sc7NF0dh/v/M6iYko=,tag:vBYU58mL7DecMqhX/TUdVg==,type:str] -sops: - age: - - recipient: age1sy0at69err83qyml2vqu8xvwjccfws447aaadfvacj2qluw3p45s2mtrw8 - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJOG1menBCTTF3YURCOThM - Q3Z4bnZJYmtQY1RmdTBSeFlhZCtUVzg4Qm5ZClo5NFJqaWg3NElKQjRLcFZGdmxP - cFMwOGxoelJlVnJNamUxWFhETWpiY3cKLS0tIFNDWGRkYVZQWTd2YXg2aGswbmJz - MVJQdDV3ZGdzd3NYL29tYU51NndiNmcKtagAZdoZQo0y0atvRI6f1tY/3j8aD4RP - yvs9RVDdNqm990O5EudjMNhoKLXnFQtX9NlzYVHzrsX0UT/HSUi7mQ== - -----END AGE ENCRYPTED FILE----- - - recipient: age10h6pg5qdpc4t0rpmksfv788a57f04n83zgqaezkjjn65nkhv547s0vxfdn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0K2tGaktsdXVPN3g0bXps - ZkVWamZGc0QzNk1TaVdla1RDaW90TVpYb25rCmRPL29ZNFFCbVkrbVpseW5SZlFN - dmlLWHVBb1RMb1dvY3NKNHc3NEpMZFEKLS0tIFluRGN6U2paVzVBdCt4d3FyMVZ4 - Nkx5aHo4Qk8vU01wazdWdmhvNWRLQTAK7kiQiEdF1LpzQ/syjRjyhchShrnfhHFE - M/XWLSIcnnApt1dOyJhJlpsQTnT6Y6Fqem0y779/uOQCBJGavscOWw== - -----END AGE ENCRYPTED FILE----- - - recipient: age1eg6sxflw6l44fp20sl068sampwd95fm0mnh4ssegrhtktgm50ptqcuspyn - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzK2U3YlRLK3BuK1Q0TkYy - SE1lTkVXUUV4NFVuT2V2VjdqUFpBbVFLSTJnCjI3c0xpMnBnV0M0Q0ZHYTdUSVZl - MWNMQXowWitFVTlIMFBadVJ6OHBBR28KLS0tIHJ1M0NkZzFMSndIUjBwN2tFUmF5 - b2pGTmJva2VnOFZlRWxlOW5wMitDUkkKrZyzpch6jTSsumseBEaN8xQXfng4P7ds - JSoock3sEmL4NSfxXSu+PP8kEOXFtu1yAcmSSeVDDhV7jiwE4egu2Q== - 
-----END AGE ENCRYPTED FILE----- - lastmodified: "2025-04-02T06:02:29Z" - mac: ENC[AES256_GCM,data:F/nZqGBLsjLqocmtQCShAEDK79pEwZRVXw1ZNd6Rr2I6fewF2j3XAM5Zk9oRyI1jeD6lnKcWaYVx7dYFbcstlmTUZ2farIYZ6G/ylBMQxNP9mom+wWPz9oCwd5qBF5YrI0PtO6dFD7XXcUlWcWlPheuJ035XGp53rtNmvy1LVW0=,iv:+iWhVLm+KSLMb42n5d2I3JE6AQq/6tbd6LHd2nyUKfI=,tag:+oclIvtaG1s3SVLqbDiNwQ==,type:str] - unencrypted_suffix: _unencrypted - version: 3.10.1