feat: more authelia config

2024-03-02 22:26:12 +01:00 · 2024-03-02 22:26:12 +01:00 · bf62c91c80
parent 4e87eeb859
commit bf62c91c80
14 changed files with 78 additions and 27 deletions
--- a/hosts/elisabeth/guests.nix
+++ b/hosts/elisabeth/guests.nix
@ -167,7 +167,7 @@ in {
    };

    upstreams.spotify = {
-      servers."${ipOf "your_spotify"}:80" = {};
+      servers."${ipOf "yourspotify"}:80" = {};

      extraConfig = ''
        zone spotify 64k ;
@ -182,7 +182,7 @@ in {
      '';
    };
    upstreams.apispotify = {
-      servers."${ipOf "your_spotify"}:8080" = {};
+      servers."${ipOf "yourspotify"}:8080" = {};

      extraConfig = ''
        zone spotify 64k ;
@ -215,7 +215,7 @@ in {
    };

    upstreams.authelia = {
-      servers."${ipOf "authelia"}:${nodes.elisabeth-authelia.config.services.authelia.instances.main.settings.server.port}" = {};
+      servers."${ipOf "authelia"}:${toString nodes.elisabeth-authelia.config.services.authelia.instances.main.settings.server.port}" = {};

      extraConfig = ''
        zone authelia 64k ;
@ -318,7 +318,7 @@ in {
    // mkContainer "ddclient" {}
    // mkContainer "ollama" {}
    // mkContainer "ttrss" {}
-    // mkContainer "your_spotify" {}
+    // mkContainer "yourspotify" {}
    // mkContainer "authelia" {}
    // mkContainer "nextcloud" {
      enablePanzer = true;
--- a/hosts/elisabeth/secrets/authelia/generated/jwtSecretFile.age
+++ b/hosts/elisabeth/secrets/authelia/generated/jwtSecretFile.age
@ -0,0 +1,16 @@
+age-encryption.org/v1
+-> X25519 06ApX5aFkGGBZFiRzKXWa5J0KzTRvIpfVPj9PbCZL0g
+0TSmmaFdsqwNeo88KN99SA4ic0qzIfkSzN+LRTNyxjI
+-> piv-p256 XTQkUA Av9DOmZbdPg34/ft14oJqDAed9koW10K0GnLG2zxD6gT
+ciVxB44vzwd6JVC8hHA7QmCZKOg5mXJpCPM3TEOtxDo
+-> piv-p256 ZFgiIw AnzHn7w1HzXThePlNWQ2gsuI8IAtVRzTivJkdFbndRy5
+oWS6LWUJ1UPNhDQlQuRPk1smVfNp+miHO11cB8BCtOU
+-> piv-p256 5vmPtQ A9tG9yTpBkENwkl7fbPP6QQfxIcUdJ9lRDsXWxgCC0mb
+Y2NQQPKA/TPfTQEPSJM+G/7kgWE4MuZv5cyIxg4n3Z0
+-> piv-p256 ZFgiIw Aum8R6QQirv/h8X44t5Vqf6jrc2Ks4ObpVHASBRG6E+z
+yFXpEuV1S64QQOwplCgcqv1IeQdA1wLHkMLXq7PRiG0
+-> .,WXo%c"-grease
+Qi2+FJrKEpgKNl+H7ZHJatAYrf4XZ/DChH0L58CgSEObMZvEEa/ETAnCLXEk7NzJ
+Dt7KJie/Apa9TaxFAKg
+--- N1wuqRUreHW/oJ027WYIgWEa8Nc4Zqfcw6k5GxmFJQs
+áfĂ<EFBFBD>cç‹ĺvJ1Źg(ŕ}Ge…ě]«*ŰŠÜ/öç:‹ęčGŐ·±~Cš®Ú}3™<‹ąV¤ëŕ<C3AB>•2á˘ľç3ěŕ°»1ě—–jú0
--- a/hosts/elisabeth/secrets/authelia/generated/oidcHmacSecretFile.age
+++ b/hosts/elisabeth/secrets/authelia/generated/oidcHmacSecretFile.age
@ -0,0 +1,17 @@
+age-encryption.org/v1
+-> X25519 KCu+kmNrft9I3dP568evAr9toPlvwNGwi51OuuFAMmA
+SavIBXP6vgBq4t87CFFvigOfSX1a/3MIf9eT/PF+jCA
+-> piv-p256 XTQkUA Aoa9rcvR2dCwcJ6i6nUOPtmc17+SH4RDNYXdQC6WjoWC
+bgGbSS3F2VN2kAz2vBXcpv62LZj+QxXOeL5mu4CnytE
+-> piv-p256 ZFgiIw AsK46GY/H2QoD+wUpsQmS4GiMnWF/l7I1nnamJpz3k18
+OjaCMi7R2h2iVIyFFyVQc9GWZ70+toXLU6rt7Cd9tQg
+-> piv-p256 5vmPtQ A4A2srTvpDT1mHKWwlZWmYoMbSXJyXcIPuKR+JSdEsqZ
+wpw60WbrXoYqoPOvMXNa1AVnTP/zEL2nnKjMh3aWXSY
+-> piv-p256 ZFgiIw ApDBsoUg8w5xjBHUSsQ8ZmQNU7ypGaBcae6U/3gDbMs/
+HV5IbLIrJCoKRjH9M4Sng/baKi/psP/39KNP6xuYIZc
+-> ,,`-grease [s1hu@3, 7<TV@7f rs;GHj
+rFimGwUpgPab/8Ux3jMYimTCzqMRDGmJIj78TbwuLlHbJUNz
+--- md/FF8N4yA8h17erpuuMjgZo2pffJ/aUVyk1I7R4wI0
+jß÷M7‘öäĺÄlŮÖ<C5AE>Q5<51>
,Ő<Ř–°©¸¤ °ŕË‘O“$żŘÉ>©c‹âx
:
+Ş›r	ś3Ţ[+ĎďŽůéÄdHc÷ż
+T´
--- a/hosts/elisabeth/secrets/authelia/generated/oidcIssuerPrivateKeyFile.age
+++ b/hosts/elisabeth/secrets/authelia/generated/oidcIssuerPrivateKeyFile.age
--- a/hosts/elisabeth/secrets/authelia/generated/sessionSecretFile.age
+++ b/hosts/elisabeth/secrets/authelia/generated/sessionSecretFile.age
--- a/hosts/elisabeth/secrets/authelia/generated/storageEncryptionKeyFile.age
+++ b/hosts/elisabeth/secrets/authelia/generated/storageEncryptionKeyFile.age
--- a/hosts/elisabeth/secrets/authelia/host.pub
+++ b/hosts/elisabeth/secrets/authelia/host.pub
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDDDUHkaf1U4+5fB1r4ErcXCJNtFyazakXbEDIDxb28r
--- a/hosts/elisabeth/secrets/gitea/generated/openid-secret.age
+++ b/hosts/elisabeth/secrets/gitea/generated/openid-secret.age
--- a/hosts/elisabeth/secrets/yourspotify/host.pub
+++ b/hosts/elisabeth/secrets/yourspotify/host.pub
--- a/modules/config/users.nix
+++ b/modules/config/users.nix
@ -29,7 +29,7 @@
    tt_rss = uidGid 219;
    freshrss = uidGid 220;
    mongodb = uidGid 221;
-    your_spotify = uidGid 222;
+    authelia-main = uidGid 222;
    paperless = uidGid 315;
    systemd-oom = uidGid 300;
    systemd-coredump = uidGid 301;
--- a/modules/services/authelia.nix
+++ b/modules/services/authelia.nix
@ -1,42 +1,47 @@
-{config, ...}: let
+{
+  config,
+  pkgs,
+  ...
+}: let
  stateDir = "/var/lib/authelia-main";
 in {
  age.secrets.jwtSecretFile = {
    generator.script = "alnum";
    mode = "440";
-    inherit (config.authelia.instances.main) group;
+    inherit (config.services.authelia.instances.main) group;
  };

  age.secrets.sessionSecretFile = {
    generator.script = "alnum";
    mode = "440";
-    inherit (config.authelia.instances.main) group;
+    inherit (config.services.authelia.instances.main) group;
  };

  age.secrets.storageEncryptionKeyFile = {
    generator.script = "alnum";
    mode = "440";
-    inherit (config.authelia.instances.main) group;
+    inherit (config.services.authelia.instances.main) group;
  };

  age.secrets.oidcHmacSecretFile = {
    generator.script = "alnum";
    mode = "440";
-    inherit (config.authelia.instances.main) group;
+    inherit (config.services.authelia.instances.main) group;
  };

  age.secrets.oidcIssuerPrivateKeyFile = {
    generator.script = {pkgs, ...}: ''
-      ${pkgs.openssl}/bin/openssl genrsa --outform PEM 4096
+      ${pkgs.openssl}/bin/openssl genrsa 4096
    '';
    mode = "440";
-    inherit (config.authelia.instances.main) group;
+    inherit (config.services.authelia.instances.main) group;
  };
+  networking.firewall.allowedTCPPorts = [config.services.authelia.instances.main.settings.server.port];

  services.authelia.instances.main = {
    enable = true;
    secrets = {
-      jwtSecretFile = config.age.secrets.jwtSecretsFile.path;
+      jwtSecretFile = config.age.secrets.jwtSecretFile.path;
      sessionSecretFile = config.age.secrets.sessionSecretFile.path;
      storageEncryptionKeyFile = config.age.secrets.storageEncryptionKeyFile.path;
      oidcHmacSecretFile = config.age.secrets.oidcHmacSecretFile.path;
@ -46,31 +51,43 @@ in {
      session = {
        domain = config.secrets.secrets.global.domains.web;
      };
-      totp.disable = true;
-      dua_api.disable = true;
+      webauthn.disable = true;
+      duo_api.disable = true;
      ntp.disable_startup_check = true;
      theme = "dark";
-      default_2fa_method = "webauthn";
+      default_2fa_method = "totp";
      server.host = "0.0.0.0";
+      access_control.default_policy = "one_factor";
+      webauthn = {
+        attestation_conveyance_preference = "none";
+        user_verification = "discouraged";
+      };

      authentication_backend = {
        password_reset.disable = true;
        file = {
-          path =
-            builtins.toJSON {
+          path = pkgs.writeText "user-db" (builtins.toJSON {
+            users.patrick = {
+              disabled = false;
+              displayname = "Patrick";
+              password = "$argon2id$v=19$m=4096,t=3,p=1$Ym5yc3VhZHJub2I$ihbPHC697Nybk1H7WHCMKi+2KkvNhdwvScaorkkj5yM";
+              email = "patrick@${config.secrets.secrets.global.domains.mail_public}";
+              groups = ["admin" "forgejo_admin"];
            };
+          });
        };
      };
      password_policy.standard = {
        enabled = true;
        min_length = 32;
      };
+      notifier.filesystem.filename = "${stateDir}/notifications.txt";
      storage.local.path = "${stateDir}/db.sqlite3";
      identity_providers.oidc.clients = [
        {
          id = "forgejo";
-          secret = "";
-          redirect_uris = ["git.${config.secrets.secrets.global.domains.web}/user/oauth2/authelia/callback"];
+          secret = "$argon2id$v=19$m=4096,t=3,p=1$Ym5yc3VhZHJub2I$0gZRilVu8O1rmVxX+ZTMFFHqya6YN8l+8QXFIorhtKM";
+          redirect_uris = ["https://git.${config.secrets.secrets.global.domains.web}/user/oauth2/authelia/callback"];
          public = false;
          scopes = ["openid" "email" "profile" "groups"];
        }
--- a/modules/services/gitea.nix
+++ b/modules/services/gitea.nix
@ -85,6 +85,7 @@ in {
      };
      oauth2_client = {
        ACCOUNT_LINKING = "auto";
+        USERNAME = "userid";
        ENABLE_AUTO_REGISTRATION = true;
        OPENID_CONNECT_SCOPES = "email profile";
        REGISTER_EMAIL_CONFIRM = false;
@ -108,9 +109,7 @@ in {
        # port forwarding in elisabeth
      };
      service = {
-        DISABLE_REGISTRATION = true;
-        ALLOW_ONLY_INTERNAL_REGISTRATION = true;
-        ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+        DISABLE_REGISTRATION = false;
        SHOW_REGISTRATION_BUTTON = false;
        REGISTER_EMAIL_CONFIRM = false;
        ENABLE_NOTIFY_MAIL = true;
@ -149,16 +148,17 @@ in {
        "--group-claim-name"
        "groups"
        "--admin-group"
-        "forgejo_admins"
+        "forgejo_admin"
        "--skip-local-2fa"
      ];
    in
      lib.mkAfter ''
        provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
+          SECRET="$(< ${config.age.secrets.openid-secret.path})"
        if [[ -z "$provider_id" ]]; then
-          FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.openid-secret.path})" ${exe} admin auth add-oauth ${args}
+          ${exe} admin auth add-oauth ${args} --secret "$SECRET"
        else
-          FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.openid-secret.path})" ${exe} admin auth update-oauth --id "$provider_id" ${args}
+          ${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
        fi
      '';
  };
--- a/modules/services/your_spotify.nix
+++ b/modules/services/your_spotify.nix
@ -6,7 +6,7 @@
    rekeyFile = ../../secrets/your_spotify.age;
  };
  services.your_spotify = {
-    enable = true;
+    #enable = true;
    settings = {
      CLIENT_ENDPOINT = "https://spotify.${config.secrets.secrets.global.domains.web}";
      API_ENDPOINT = "https://api.spotify.${config.secrets.secrets.global.domains.web}";
--- a/secrets/secrets.nix.age
+++ b/secrets/secrets.nix.age
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDDDUHkaf1U4+5fB1r4ErcXCJNtFyazakXbEDIDxb28r`