WIP: feat(authelia): Add authentication with authelia

configuration/default.nix

@@ -13,6 +13,7 @@
     "${modulesPath}/profiles/minimal.nix"
     (import ../modules)
 
+    ./services/authelia.nix
     ./services/backups.nix
     ./services/battery-manager.nix
     ./services/conduit

configuration/services/authelia.nix

@@ -0,0 +1,44 @@
+{ config, ... }:
+{
+  services.authelia.instances.tlaternet = {
+    enable = true;
+
+    settings = {
+      default_2fa_method = "totp";
+      headers.csp_template = todo!();
+
+      authentication_backend.ldap = {
+
+      };
+
+      totp = {
+        issuer = "tlater.net";
+      };
+
+      webauthn = {
+        # enable_passkey_login = true; ?
+        display_name = "tlater.net";
+      };
+
+      duo_api.disable = true;
+
+      telemetry.metrics.enabled = true;
+    };
+
+    secrets = {
+      storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path;
+      jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path;
+    };
+  };
+
+  services.lldap = {
+    enable = true;
+    settings = {
+      ldap_user_email = "admin@tlater.net";
+
+      ldap_base_dn = "dc=tlater,dc=net";
+
+      database_url = "postgres:///lldap";
+    };
+  };
+}

configuration/services/metrics/victoriametrics.nix

@@ -9,6 +9,10 @@ in
     extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ];
 
     scrapeConfigs = {
+      authelia = {
+        targets = [ "127.0.0.1:9959" ];
+      };
+
       forgejo = {
         targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ];
         extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;

configuration/services/postgres.nix

@@ -25,6 +25,10 @@
         name = "nextcloud";
         ensureDBOwnership = true;
       }
+      {
+        name = "lldap";
+        ensureDBOwnership = true;
+      }
     ];
 
     ensureDatabases = [

configuration/sops.nix

@@ -3,6 +3,9 @@
     defaultSopsFile = ../keys/production.yaml;
 
     secrets = {
+      "authelia/storage-encryption-key" = { };
+      "authelia/jwt-secret" = { };
+
       "battery-manager/email" = { };
 
       "battery-manager/password" = { };

keys/staging.yaml

@@ -1,3 +1,6 @@
+authelia:
+    storage-encryption-key: ENC[AES256_GCM,data:J42pTSYI/5s=,iv:BfXT8FkVp1qubn32fhoeXPn8ZZhSqHLxkDLJ3WJ88To=,tag:Bz9AGodTY8vacu4d8jSXyA==,type:str]
+    jwt-secret: ENC[AES256_GCM,data:QA64lfervZk=,iv:MtyCZrbGzX+oKTBPW9R+n/r8TaFkK0xSwjn/qUT6ntQ=,tag:z/XnDGiLDkJ0xPVveeR2cA==,type:str]
 porkbun:
     api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str]
     secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str]
@@ -37,8 +40,8 @@ sops:
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2025-02-07T17:43:24Z"
+    lastmodified: "2025-05-23T22:56:39Z"
-    mac: ENC[AES256_GCM,data:akmD/bfgeTyFzW1quvM16cdj0fC6+CbJ8WyX9173H11yKGxvE1USQYcErpl1SHOx9Jk8LVb7f+MsUm2fjQF1MEq6xaWI74jem12lZ9CGXFaTL7e87JvfbK7pV+aKpxSBBNFyJgbYm30ibdUwxwKmNVfPb1e0HT9qwenvoV7RobM=,iv:mKqOW0ULXL711uczUbRf9NPo6uPTQoS/IbR46S+JID4=,tag:vE6NYzYLbQHDImov1XGTcg==,type:str]
+    mac: ENC[AES256_GCM,data:lTwuWYMhZtKe/904EFiVOH2YRqW7Y0Bae+14x5cCdRIH7NORRXLdJkcO2X0vq8uXDi4MRAauLHUp5gAr+kM0ygKQHQnIOPo/8+hZKIdZt1jgUVBj4wh+6D+kVTIsekizPIf9L3m0hH701LqpQ0EvYjGYiHoKx/WxrK9u1hmDVCk=,iv:yCibsageq+8TO01U7Ej8hgpFeWPLPp+JrlvpocvXHBE=,tag:Qy6ZjBdNHhlXDCwaF8sHWQ==,type:str]
     pgp:
         - created_at: "2025-01-21T17:55:30Z"
           enc: |-
@@ -76,4 +79,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
     unencrypted_suffix: _unencrypted
-    version: 3.9.2
+    version: 3.9.4