WIP: feat(authelia): Add authentication with authelia

2025-05-24 07:26:11 +08:00 · 2025-05-24 07:26:11 +08:00 · 4869db8290
commit 4869db8290
parent 94ec261a94
6 changed files with 62 additions and 3 deletions
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -13,6 +13,7 @@
    "${modulesPath}/profiles/minimal.nix"
    (import ../modules)

+    ./services/authelia.nix
    ./services/backups.nix
    ./services/battery-manager.nix
    ./services/conduit
--- a/configuration/services/authelia.nix
+++ b/configuration/services/authelia.nix
@ -0,0 +1,44 @@
+{ config, ... }:
+{
+  services.authelia.instances.tlaternet = {
+    enable = true;
+
+    settings = {
+      default_2fa_method = "totp";
+      headers.csp_template = todo!();
+
+      authentication_backend.ldap = {
+
+      };
+
+      totp = {
+        issuer = "tlater.net";
+      };
+
+      webauthn = {
+        # enable_passkey_login = true; ?
+        display_name = "tlater.net";
+      };
+
+      duo_api.disable = true;
+
+      telemetry.metrics.enabled = true;
+    };
+
+    secrets = {
+      storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path;
+      jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path;
+    };
+  };
+
+  services.lldap = {
+    enable = true;
+    settings = {
+      ldap_user_email = "admin@tlater.net";
+
+      ldap_base_dn = "dc=tlater,dc=net";
+
+      database_url = "postgres:///lldap";
+    };
+  };
+}
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@ -9,6 +9,10 @@ in
    extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ];

    scrapeConfigs = {
+      authelia = {
+        targets = [ "127.0.0.1:9959" ];
+      };
+
      forgejo = {
        targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ];
        extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
--- a/configuration/services/postgres.nix
+++ b/configuration/services/postgres.nix
@ -25,6 +25,10 @@
        name = "nextcloud";
        ensureDBOwnership = true;
      }
+      {
+        name = "lldap";
+        ensureDBOwnership = true;
+      }
    ];

    ensureDatabases = [
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@ -3,6 +3,9 @@
    defaultSopsFile = ../keys/production.yaml;

    secrets = {
+      "authelia/storage-encryption-key" = { };
+      "authelia/jwt-secret" = { };
+
      "battery-manager/email" = { };

      "battery-manager/password" = { };