feat: more authelia config

This commit is contained in:
Patrick 2024-03-02 22:26:12 +01:00
parent 4e87eeb859
commit bf62c91c80
Signed by: patrick
GPG key ID: 451F95EFB8BECD0F
14 changed files with 78 additions and 27 deletions


@ -167,7 +167,7 @@ in {
}; };
upstreams.spotify = { upstreams.spotify = {
servers."${ipOf "your_spotify"}:80" = {}; servers."${ipOf "yourspotify"}:80" = {};
extraConfig = '' extraConfig = ''
zone spotify 64k ; zone spotify 64k ;
@ -182,7 +182,7 @@ in {
''; '';
}; };
upstreams.apispotify = { upstreams.apispotify = {
servers."${ipOf "your_spotify"}:8080" = {}; servers."${ipOf "yourspotify"}:8080" = {};
extraConfig = '' extraConfig = ''
zone spotify 64k ; zone spotify 64k ;
@ -215,7 +215,7 @@ in {
}; };
upstreams.authelia = { upstreams.authelia = {
servers."${ipOf "authelia"}:${nodes.elisabeth-authelia.config.services.authelia.instances.main.settings.server.port}" = {}; servers."${ipOf "authelia"}:${toString nodes.elisabeth-authelia.config.services.authelia.instances.main.settings.server.port}" = {};
extraConfig = '' extraConfig = ''
zone authelia 64k ; zone authelia 64k ;
@ -318,7 +318,7 @@ in {
// mkContainer "ddclient" {} // mkContainer "ddclient" {}
// mkContainer "ollama" {} // mkContainer "ollama" {}
// mkContainer "ttrss" {} // mkContainer "ttrss" {}
// mkContainer "your_spotify" {} // mkContainer "yourspotify" {}
// mkContainer "authelia" {} // mkContainer "authelia" {}
// mkContainer "nextcloud" { // mkContainer "nextcloud" {
enablePanzer = true; enablePanzer = true;


@ -0,0 +1,16 @@
age-encryption.org/v1
-> X25519 06ApX5aFkGGBZFiRzKXWa5J0KzTRvIpfVPj9PbCZL0g
0TSmmaFdsqwNeo88KN99SA4ic0qzIfkSzN+LRTNyxjI
-> piv-p256 XTQkUA Av9DOmZbdPg34/ft14oJqDAed9koW10K0GnLG2zxD6gT
ciVxB44vzwd6JVC8hHA7QmCZKOg5mXJpCPM3TEOtxDo
-> piv-p256 ZFgiIw AnzHn7w1HzXThePlNWQ2gsuI8IAtVRzTivJkdFbndRy5
oWS6LWUJ1UPNhDQlQuRPk1smVfNp+miHO11cB8BCtOU
-> piv-p256 5vmPtQ A9tG9yTpBkENwkl7fbPP6QQfxIcUdJ9lRDsXWxgCC0mb
Y2NQQPKA/TPfTQEPSJM+G/7kgWE4MuZv5cyIxg4n3Z0
-> piv-p256 ZFgiIw Aum8R6QQirv/h8X44t5Vqf6jrc2Ks4ObpVHASBRG6E+z
yFXpEuV1S64QQOwplCgcqv1IeQdA1wLHkMLXq7PRiG0
-> .,WXo%c"-grease
Qi2+FJrKEpgKNl+H7ZHJatAYrf4XZ/DChH0L58CgSEObMZvEEa/ETAnCLXEk7NzJ
Dt7KJie/Apa9TaxFAKg
--- N1wuqRUreHW/oJ027WYIgWEa8Nc4Zqfcw6k5GxmFJQs
áfĂ<EFBFBD>ĺvJ1Źg(ŕ}Ge…ě]«*ŰŠÜ/öç:ęčGŐ·±~C š®Ú}3™<ąV¤ëŕ<C3AB>•2ᢾç3 ěŕ°»1ějú0


@ -0,0 +1,17 @@
age-encryption.org/v1
-> X25519 KCu+kmNrft9I3dP568evAr9toPlvwNGwi51OuuFAMmA
SavIBXP6vgBq4t87CFFvigOfSX1a/3MIf9eT/PF+jCA
-> piv-p256 XTQkUA Aoa9rcvR2dCwcJ6i6nUOPtmc17+SH4RDNYXdQC6WjoWC
bgGbSS3F2VN2kAz2vBXcpv62LZj+QxXOeL5mu4CnytE
-> piv-p256 ZFgiIw AsK46GY/H2QoD+wUpsQmS4GiMnWF/l7I1nnamJpz3k18
OjaCMi7R2h2iVIyFFyVQc9GWZ70+toXLU6rt7Cd9tQg
-> piv-p256 5vmPtQ A4A2srTvpDT1mHKWwlZWmYoMbSXJyXcIPuKR+JSdEsqZ
wpw60WbrXoYqoPOvMXNa1AVnTP/zEL2nnKjMh3aWXSY
-> piv-p256 ZFgiIw ApDBsoUg8w5xjBHUSsQ8ZmQNU7ypGaBcae6U/3gDbMs/
HV5IbLIrJCoKRjH9M4Sng/baKi/psP/39KNP6xuYIZc
-> ,,`-grease [s1hu@3, 7<TV@7f rs;GHj
rFimGwUpgPab/8Ux3jMYimTCzqMRDGmJIj78TbwuLlHbJUNz
--- md/FF8N4yA8h17erpuuMjgZo2pffJ/aUVyk1I7R4wI0
jß÷M7öäĺÄlŮÖ<C5AE>Q5<51> ,Ő<Ř–°©¸¤ °ŕËO“$żŘÉ>©câx :
Şr ś3Ţ[+ĎďŽůéÄdHc÷ż
T´


@ -0,0 +1 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDDDUHkaf1U4+5fB1r4ErcXCJNtFyazakXbEDIDxb28r


@ -29,7 +29,7 @@
tt_rss = uidGid 219; tt_rss = uidGid 219;
freshrss = uidGid 220; freshrss = uidGid 220;
mongodb = uidGid 221; mongodb = uidGid 221;
your_spotify = uidGid 222; authelia-main = uidGid 222;
paperless = uidGid 315; paperless = uidGid 315;
systemd-oom = uidGid 300; systemd-oom = uidGid 300;
systemd-coredump = uidGid 301; systemd-coredump = uidGid 301;
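Review bot: `authelia-main = uidGid 222;` reuses the numeric id that was previously reserved for `your_spotify` instead of allocating a fresh one, and the your_spotify service is only commented out elsewhere in this commit, not removed. If its state directory or any other files owned by uid/gid 222 still exist on the host, they silently become owned by — and readable and writable for — the Authelia user after this change, and conversely Authelia's new state would become accessible to your_spotify if it is ever re-enabled with its old id. Safer to keep the old line and add Authelia under a number not previously handed out, e.g. `authelia-main = uidGid <unused-id>;` (placeholder; pick from the table), or to explicitly retire the old id and clean up its files in the same change.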


@ -1,42 +1,47 @@
{config, ...}: let {
config,
pkgs,
...
}: let
stateDir = "/var/lib/authelia-main"; stateDir = "/var/lib/authelia-main";
in { in {
age.secrets.jwtSecretFile = { age.secrets.jwtSecretFile = {
generator.script = "alnum"; generator.script = "alnum";
mode = "440"; mode = "440";
inherit (config.authelia.instances.main) group; inherit (config.services.authelia.instances.main) group;
}; };
age.secrets.sessionSecretFile = { age.secrets.sessionSecretFile = {
generator.script = "alnum"; generator.script = "alnum";
mode = "440"; mode = "440";
inherit (config.authelia.instances.main) group; inherit (config.services.authelia.instances.main) group;
}; };
age.secrets.storageEncryptionKeyFile = { age.secrets.storageEncryptionKeyFile = {
generator.script = "alnum"; generator.script = "alnum";
mode = "440"; mode = "440";
inherit (config.authelia.instances.main) group; inherit (config.services.authelia.instances.main) group;
}; };
age.secrets.oidcHmacSecretFile = { age.secrets.oidcHmacSecretFile = {
generator.script = "alnum"; generator.script = "alnum";
mode = "440"; mode = "440";
inherit (config.authelia.instances.main) group; inherit (config.services.authelia.instances.main) group;
}; };
age.secrets.oidcIssuerPrivateKeyFile = { age.secrets.oidcIssuerPrivateKeyFile = {
generator.script = {pkgs, ...}: '' generator.script = {pkgs, ...}: ''
${pkgs.openssl}/bin/openssl genrsa --outform PEM 4096 ${pkgs.openssl}/bin/openssl genrsa 4096
''; '';
mode = "440"; mode = "440";
inherit (config.authelia.instances.main) group; inherit (config.services.authelia.instances.main) group;
}; };
networking.firewall.allowedTCPPorts = [config.services.authelia.instances.main.settings.server.port];
services.authelia.instances.main = { services.authelia.instances.main = {
enable = true; enable = true;
secrets = { secrets = {
jwtSecretFile = config.age.secrets.jwtSecretsFile.path; jwtSecretFile = config.age.secrets.jwtSecretFile.path;
sessionSecretFile = config.age.secrets.sessionSecretFile.path; sessionSecretFile = config.age.secrets.sessionSecretFile.path;
storageEncryptionKeyFile = config.age.secrets.storageEncryptionKeyFile.path; storageEncryptionKeyFile = config.age.secrets.storageEncryptionKeyFile.path;
oidcHmacSecretFile = config.age.secrets.oidcHmacSecretFile.path; oidcHmacSecretFile = config.age.secrets.oidcHmacSecretFile.path;
@ -46,31 +51,43 @@ in {
session = { session = {
domain = config.secrets.secrets.global.domains.web; domain = config.secrets.secrets.global.domains.web;
}; };
totp.disable = true; webauthn.disable = true;
dua_api.disable = true; duo_api.disable = true;
ntp.disable_startup_check = true; ntp.disable_startup_check = true;
theme = "dark"; theme = "dark";
default_2fa_method = "webauthn"; default_2fa_method = "totp";
server.host = "0.0.0.0"; server.host = "0.0.0.0";
access_control.default_policy = "one_factor";
webauthn = {
attestation_conveyance_preference = "none";
user_verification = "discouraged";
};
authentication_backend = { authentication_backend = {
password_reset.disable = true; password_reset.disable = true;
file = { file = {
path = path = pkgs.writeText "user-db" (builtins.toJSON {
builtins.toJSON { users.patrick = {
disabled = false;
displayname = "Patrick";
password = "$argon2id$v=19$m=4096,t=3,p=1$Ym5yc3VhZHJub2I$ihbPHC697Nybk1H7WHCMKi+2KkvNhdwvScaorkkj5yM";
email = "patrick@${config.secrets.secrets.global.domains.mail_public}";
groups = ["admin" "forgejo_admin"];
}; };
});
}; };
}; };
password_policy.standard = { password_policy.standard = {
enabled = true; enabled = true;
min_length = 32; min_length = 32;
}; };
notifier.filesystem.filename = "${stateDir}/notifications.txt";
storage.local.path = "${stateDir}/db.sqlite3"; storage.local.path = "${stateDir}/db.sqlite3";
identity_providers.oidc.clients = [ identity_providers.oidc.clients = [
{ {
id = "forgejo"; id = "forgejo";
secret = ""; secret = "$argon2id$v=19$m=4096,t=3,p=1$Ym5yc3VhZHJub2I$0gZRilVu8O1rmVxX+ZTMFFHqya6YN8l+8QXFIorhtKM";
redirect_uris = ["git.${config.secrets.secrets.global.domains.web}/user/oauth2/authelia/callback"]; redirect_uris = ["https://git.${config.secrets.secrets.global.domains.web}/user/oauth2/authelia/callback"];
public = false; public = false;
scopes = ["openid" "email" "profile" "groups"]; scopes = ["openid" "email" "profile" "groups"];
} }
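Review bot: The user database is now built with `pkgs.writeText "user-db"`, which places the file — including the argon2id password hash for `users.patrick` — in the world-readable Nix store and in any binary cache this host pushes to, and the same hash is committed to the repository in clear. That hash and the OIDC client `secret` hash below share the identical salt `Ym5yc3VhZHJub2I` and use `m=4096`, which looks like a fixed salt and a low memory cost; both make offline guessing cheaper should the store or repo be exposed. Since this file already manages Authelia material via `age.secrets`, consider serving the users file the same way (`file.path = config.age.secrets.<users-db>.path;` with the hash inside the encrypted file — placeholder name) and regenerating both hashes with Authelia's default argon2id parameters and fresh random salts. The `identity_providers.oidc.clients` list continues past the end of this hunk.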


@ -85,6 +85,7 @@ in {
}; };
oauth2_client = { oauth2_client = {
ACCOUNT_LINKING = "auto"; ACCOUNT_LINKING = "auto";
USERNAME = "userid";
ENABLE_AUTO_REGISTRATION = true; ENABLE_AUTO_REGISTRATION = true;
OPENID_CONNECT_SCOPES = "email profile"; OPENID_CONNECT_SCOPES = "email profile";
REGISTER_EMAIL_CONFIRM = false; REGISTER_EMAIL_CONFIRM = false;
@ -108,9 +109,7 @@ in {
# port forwarding in elisabeth # port forwarding in elisabeth
}; };
service = { service = {
DISABLE_REGISTRATION = true; DISABLE_REGISTRATION = false;
ALLOW_ONLY_INTERNAL_REGISTRATION = true;
ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
SHOW_REGISTRATION_BUTTON = false; SHOW_REGISTRATION_BUTTON = false;
REGISTER_EMAIL_CONFIRM = false; REGISTER_EMAIL_CONFIRM = false;
ENABLE_NOTIFY_MAIL = true; ENABLE_NOTIFY_MAIL = true;
@ -149,16 +148,17 @@ in {
"--group-claim-name" "--group-claim-name"
"groups" "groups"
"--admin-group" "--admin-group"
"forgejo_admins" "forgejo_admin"
"--skip-local-2fa" "--skip-local-2fa"
]; ];
in in
lib.mkAfter '' lib.mkAfter ''
provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1) provider_id=$(${exe} admin auth list | ${pkgs.gnugrep}/bin/grep -w '${providerName}' | cut -f1)
SECRET="$(< ${config.age.secrets.openid-secret.path})"
if [[ -z "$provider_id" ]]; then if [[ -z "$provider_id" ]]; then
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.openid-secret.path})" ${exe} admin auth add-oauth ${args} ${exe} admin auth add-oauth ${args} --secret "$SECRET"
else else
FORGEJO_ADMIN_OAUTH2_SECRET="$(< ${config.age.secrets.openid-secret.path})" ${exe} admin auth update-oauth --id "$provider_id" ${args} ${exe} admin auth update-oauth --id "$provider_id" ${args} --secret "$SECRET"
fi fi
''; '';
}; };
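Review bot: With `DISABLE_REGISTRATION = false;` and both `ALLOW_ONLY_INTERNAL_REGISTRATION` and `ALLOW_ONLY_EXTERNAL_REGISTRATION` removed, nothing left in the visible `service` block restricts who may create an account; `SHOW_REGISTRATION_BUTTON = false;` only hides the link, it does not disable the local sign-up form. If the goal is to let only OIDC-authenticated users auto-register, the intent is better expressed as `DISABLE_REGISTRATION = false;` together with `ALLOW_ONLY_EXTERNAL_REGISTRATION = true;`. In the last hunk, `--secret "$SECRET"` now passes the OIDC client secret as a command-line argument, where it is visible in the process list for the duration of each call, whereas the old form kept it out of argv; worth checking whether the CLI accepts a file- or environment-based alternative before settling on this. The enclosing `let … in lib.mkAfter` block begins outside the hunk.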


@ -6,7 +6,7 @@
rekeyFile = ../../secrets/your_spotify.age; rekeyFile = ../../secrets/your_spotify.age;
}; };
services.your_spotify = { services.your_spotify = {
enable = true; #enable = true;
settings = { settings = {
CLIENT_ENDPOINT = "https://spotify.${config.secrets.secrets.global.domains.web}"; CLIENT_ENDPOINT = "https://spotify.${config.secrets.secrets.global.domains.web}";
API_ENDPOINT = "https://api.spotify.${config.secrets.secrets.global.domains.web}"; API_ENDPOINT = "https://api.spotify.${config.secrets.secrets.global.domains.web}";
