WIP: feat(authelia): Add authentication with authelia

configuration/default.nix

@@ -13,6 +13,7 @@
     "${modulesPath}/profiles/minimal.nix"
     (import ../modules)
 
+    ./services/auth
     ./services/backups.nix
     ./services/battery-manager.nix
     ./services/conduit

configuration/services/auth/authelia.nix

@@ -0,0 +1,93 @@
+{ config, ... }:
+{
+  systemd.services.authelia-tlaternet.after = [ config.systemd.services.lldap-provisioning.name ];
+
+  services = {
+    authelia.instances.tlaternet = {
+      enable = true;
+
+      environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+        config.sops.secrets."authelia/lldap-password".path;
+
+      settings = {
+        authentication_backend.ldap =
+          let
+            cfglldap = config.services.lldap.settings;
+          in
+          {
+            # TODO(tlater): Enable when authelia has a webhook notifier:
+            # https://github.com/authelia/authelia/issues/7695
+            password_reset.disable = true;
+            refresh_interval = "1m";
+            address = "ldap://${cfglldap.ldap_host}:${toString cfglldap.ldap_port}";
+            implementation = "lldap";
+            base_dn = cfglldap.ldap_base_dn;
+            user = "cn=authelia,ou=people,${cfglldap.ldap_base_dn}";
+          };
+
+        password_policy.zxcvbn.enabled = true;
+
+        telemetry.metrics.enabled = true;
+
+        access_control = {
+          default_policy = "deny";
+          rules = [
+            {
+              domain = "*.${config.services.nginx.domain}";
+              policy = "one_factor";
+            }
+          ];
+        };
+        notifier.filesystem.filename = "/var/lib/authelia-tlaternet/notification.txt";
+
+        session = {
+          cookies = [
+            {
+              domain = "${config.services.nginx.domain}";
+              authelia_url = "https://auth.${config.services.nginx.domain}";
+            }
+          ];
+          redis.host = config.services.redis.servers.authelia.unixSocket;
+        };
+
+        storage = {
+          postgres = {
+            address = "/var/run/postgresql";
+            username = config.services.authelia.instances.tlaternet.user;
+            database = config.services.authelia.instances.tlaternet.user;
+          };
+        };
+
+        # Auth options
+        default_2fa_method = "totp";
+        totp.issuer = "tlater.net";
+        webauthn = {
+          display_name = "tlater.net";
+          enable_passkey_login = true;
+
+          attestation_conveyance_preference = "direct";
+          filtering.prohibit_backup_eligibility = true;
+          metadata = {
+            enabled = true;
+            validate_trust_anchor = true;
+            validate_entry = true;
+            validate_status = true;
+            validate_entry_permit_zero_aaguid = false;
+          };
+        };
+        duo_api.disable = true;
+      };
+
+      secrets = {
+        storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path;
+        jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path;
+        sessionSecretFile = config.sops.secrets."authelia/session-secret".path;
+      };
+    };
+
+    redis.servers.authelia = {
+      enable = true;
+      user = config.services.authelia.instances.tlaternet.user;
+    };
+  };
+}

configuration/services/auth/default.nix

@@ -0,0 +1,6 @@
+{
+  imports = [
+    ./authelia.nix
+    ./lldap.nix
+  ];
+}

configuration/services/auth/lldap-provisioning.nu

@@ -0,0 +1,44 @@
+#!/usr/bin/env nushell
+
+let groups = [{
+
+}]
+
+let users = [
+
+]
+
+let settings = open $env.LLDAP_CONFIG
+let url = (
+  'http://' |
+  $in + ($settings | get http_host | default '127.0.0.1') |
+  $in + ':' |
+  $in + ($settings | get http_port | default '17170' | into string))
+let user = $settings | get ldap_user_dn | default admin
+let pass = open $env.LLDAP_LDAP_USER_PASS_FILE
+
+let token = { username: $user, password: $pass } | to json | http post $'($url)/auth/simple/login' | get token
+
+def query [operation: string, query: string, variables: list<string>] {
+  let body = {
+    query: $query,
+    operationName: $operation,
+    variables: $variables
+  }
+
+  let res = $body | to json | http post --headers [Authorization $'Bearer ($token)'] $'($url)/api/graphql'
+
+  if ("errors" in $res) {
+    let msg = "GraphQL query to LLDAP failed:\n" + ($res.errors | each {|e| $'- ($e)' | str join (char newline)})
+
+    error make {
+      msg: $msg,
+      label: {
+          text: "Query defined here",
+          span: (metadata $query).span
+      }
+    }
+  } else {
+    $res.data
+  }
+}

configuration/services/auth/lldap.nix

@@ -0,0 +1,64 @@
+{
+  lib,
+  pkgs,
+  config,
+  ...
+}:
+{
+  services = {
+    lldap = {
+      enable = true;
+      settings = {
+        ldap_base_dn = "dc=tlater,dc=net";
+        database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
+        ldap_host = "127.0.0.1";
+
+        http_host = "127.0.0.1";
+        http_url = "https://lldap.${config.services.nginx.domain}";
+
+        force_ldap_user_pass_reset = "always";
+
+        smtp_options.enable_password_reset = false;
+
+        environment = {
+          LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
+          LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
+          LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
+        };
+      };
+    };
+
+    nginx.virtualHosts = {
+      "lldap.${config.services.nginx.domain}" = {
+        useACMEHost = "tlater.net";
+        forceSSL = true;
+        enableHSTS = true;
+
+        locations."/".proxyPass =
+          "http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
+      };
+    };
+  };
+
+  systemd.services.lldap.after = [ config.systemd.services.postgresql.name ];
+
+  systemd.services.lldap-provisioning = {
+    requisite = [ config.systemd.services.lldap.name ];
+    wantedBy = [ config.systemd.services.lldap.name ];
+    after = [ config.systemd.services.lldap.name ];
+
+    path = [
+      pkgs.nushell
+      pkgs.lldap-cli
+    ];
+
+    script = "exec nu ${./lldap-provisioning.nu}";
+
+    environment = {
+      LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
+      # LLDAP_CONFIG = ((pkgs.formats.toml { }).generate config.services.lldap.settings).outPath;
+    };
+
+    serviceConfig.Type = "oneshot";
+  };
+}

configuration/services/metrics/victoriametrics.nix

@@ -9,6 +9,10 @@ in
     extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ];
 
     scrapeConfigs = {
+      authelia = {
+        targets = [ "127.0.0.1:9959" ];
+      };
+
       forgejo = {
         targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ];
         extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;

configuration/services/postgres.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
   services.postgresql = {
     package = pkgs.postgresql_14;
@@ -17,10 +17,18 @@
     # that operation needs to be performed manually on the system as
     # well.
     ensureUsers = [
+      {
+        name = config.services.authelia.instances.tlaternet.user;
+        ensureDBOwnership = true;
+      }
       {
         name = "grafana";
         ensureDBOwnership = true;
       }
+      {
+        name = "lldap";
+        ensureDBOwnership = true;
+      }
       {
         name = "nextcloud";
         ensureDBOwnership = true;
@@ -28,7 +36,9 @@
     ];
 
     ensureDatabases = [
+      config.services.authelia.instances.tlaternet.user
       "grafana"
+      "lldap"
       "nextcloud"
     ];
   };

configuration/sops.nix

@@ -3,6 +3,24 @@
     defaultSopsFile = ../keys/production.yaml;
 
     secrets = {
+      "authelia/storage-encryption-key" = {
+        owner = "authelia-tlaternet";
+        group = "authelia-tlaternet";
+      };
+      "authelia/jwt-secret" = {
+        owner = "authelia-tlaternet";
+        group = "authelia-tlaternet";
+      };
+      "authelia/session-secret" = {
+        owner = "authelia-tlaternet";
+        group = "authelia-tlaternet";
+      };
+      "authelia/lldap-password" = {
+        owner = "authelia-tlaternet";
+        group = "lldap";
+        mode = "0440";
+      };
+
       "battery-manager/email" = { };
 
       "battery-manager/password" = { };
@@ -28,6 +46,10 @@
       "heisenbridge/as-token" = { };
       "heisenbridge/hs-token" = { };
 
+      # lldap
+      "lldap/admin-password" = { };
+      "lldap/key" = { };
+
       # Matrix-hookshot
       "matrix-hookshot/as-token" = { };
       "matrix-hookshot/hs-token" = { };

keys/staging.yaml

@@ -1,3 +1,8 @@
+authelia:
+    storage-encryption-key: ENC[AES256_GCM,data:iMV4DGwvOOq+DZao+Jrc3i15HOPFXHv3m6dzrAb7n8zV8bdLz5c4MCpq61hQy/UfoXsRYJUxwCcj3B70JQn2Ngq6P9ik9U1ZfYrwUWIENSd/iG8CBfdasKqxEijS2F23Lj1rbB4ppTWD9lWqRoKOEaXDL9Rqn02tiLbR3OewOpwiwbzv0PkVlC6yUV+yS3Jx,iv:1V2cwoV4kG3i9e9dv7PWPCNoFPIgYiZ2m3A8Agf3Jpc=,tag:AiFLpQ7nqwx9xZ71sbCn2g==,type:str]
+    jwt-secret: ENC[AES256_GCM,data:QA64lfervZk=,iv:MtyCZrbGzX+oKTBPW9R+n/r8TaFkK0xSwjn/qUT6ntQ=,tag:z/XnDGiLDkJ0xPVveeR2cA==,type:str]
+    session-secret: ENC[AES256_GCM,data:lYk4FOO4sQM=,iv:z05n1zPt1ONNqN6sgITUTu+GSe6xev4cYm8c4xzp/Mg=,tag:TRQAbxjvaoo/tnLxO43KKg==,type:str]
+    lldap-password: ENC[AES256_GCM,data:cafjSRCUXAg=,iv:vZM/6efEhWjjTKNnDuS+Kj2i/eOkn20vT2JmtcHGcSU=,tag:P1GscnNwMoWCMMDbMVMPqA==,type:str]
 porkbun:
     api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str]
     secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str]
@@ -9,6 +14,9 @@ forgejo:
 grafana:
     adminPassword: ENC[AES256_GCM,data:dYfaxUpQpzA=,iv:j5wSem8C5+V4c5qRzXQJhsU7/FOtpvrnaEyFBmW6zJ4=,tag:oc8n3TkEbjF2gjuOobZuLA==,type:str]
     secretKey: ENC[AES256_GCM,data:Atruvh2MsNY=,iv:y2MaCUCEzGIydHp6G0DJHfk289S1is0twKm2oUYwDhM=,tag:nAWeg+YqaYqk6k22oBkAhQ==,type:str]
+lldap:
+    admin-password: ENC[AES256_GCM,data:s18N1fvXtzE=,iv:FGXF5+PwDZrQIJylx+pkjY4SO0mmfiGUPZeFAINmGnY=,tag:rpPSFdWzCHhyp4ITddRekg==,type:str]
+    key: ENC[AES256_GCM,data:spbrfjm4Ozhu6XAPxN1cuQ==,iv:QEDCGfl75aP0T68nbWmqkPem46FHrs8nj7zVkWYcHt4=,tag:P4p3rC5I2KqPm733wbTp9g==,type:str]
 nextcloud:
     tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str]
 steam:
@@ -32,13 +40,8 @@ turn:
     #ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment]
     ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2025-02-07T17:43:24Z"
-    mac: ENC[AES256_GCM,data:akmD/bfgeTyFzW1quvM16cdj0fC6+CbJ8WyX9173H11yKGxvE1USQYcErpl1SHOx9Jk8LVb7f+MsUm2fjQF1MEq6xaWI74jem12lZ9CGXFaTL7e87JvfbK7pV+aKpxSBBNFyJgbYm30ibdUwxwKmNVfPb1e0HT9qwenvoV7RobM=,iv:mKqOW0ULXL711uczUbRf9NPo6uPTQoS/IbR46S+JID4=,tag:vE6NYzYLbQHDImov1XGTcg==,type:str]
+    lastmodified: "2025-05-26T19:48:08Z"
+    mac: ENC[AES256_GCM,data:dIuIJlkz6yUKt1MrOgwQTYm8DzwldN4o2E0B89p8c0WeCxgHwWVMtIHt8QsrIet9X7aHDx97/S67XzYEGSXI/9Btc+GCEFNcoVsgZzXy+d7r3io2gQxNrQ6yJwJvStW+ZeWPujg5nJ6NNfhcweLFdquwNwNJ4DC1sGvCl5/m/QY=,iv:n5f8urvZVLfIp46nysSJh3ngx+H8qxLuycmDZVYDOCk=,tag:5ccJtPdIRZmFXDVO1V6y3w==,type:str]
     pgp:
         - created_at: "2025-01-21T17:55:30Z"
           enc: |-
@@ -76,4 +79,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.10.2