WIP: authelia: Add SSO

This commit is contained in:
Tristan Daniël Maat 2024-04-13 04:34:53 +02:00
parent 0d43b5177d
commit 6c1389c104
Signed by: tlater
GPG key ID: 49670FD774E43268
7 changed files with 206 additions and 10 deletions


@ -14,6 +14,7 @@
"${modulesPath}/profiles/minimal.nix"
(import ../modules)
./services/auth.nix
./services/backups.nix
./services/battery-manager.nix
./services/conduit.nix


@ -0,0 +1,105 @@
{config, ...}: let
user = config.services.authelia.instances.main.user;
domain = "authelia.${config.services.nginx.domain}";
in {
services.authelia.instances.main = {
enable = true;
settings = {
theme = "auto";
access_control.default_policy = "one_factor";
authentication_backend = {
password_reset.disable = true;
file.path = "/var/lib/authelia-main/users.yml";
};
notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
session = {
domain = config.services.nginx.domain;
redis.host = config.services.redis.servers.authelia.unixSocket;
};
# server.endpoints.authz.auth-request.implementation = "AuthRequest";
storage.postgres = {
host = "/run/postgresql";
database = user;
username = user;
password = "unnecessary";
};
};
secrets = {
storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKey".path; # Database
sessionSecretFile = config.sops.secrets."authelia/sessionSecret".path; # Redis
jwtSecretFile = config.sops.secrets."authelia/jwtSecret".path;
};
};
systemd.services.authelia-main.after = ["postgresql.service"];
services.nginx.virtualHosts."${domain}" = {
forceSSL = true;
enableACME = true;
enableHSTS = true;
locations = {
"/" = {
proxyPass = "http://127.0.0.1:9091";
recommendedProxySettings = false;
extraConfig = ''
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-URI $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Real-IP $remote_addr;
proxy_redirect http:// $scheme://;
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
'';
};
"/api/verify" = {
proxyPass = "http://127.0.0.1:9091";
recommendedProxySettings = false;
};
"/api/authz/" = {
proxyPass = "http://127.0.0.1:9091";
recommendedProxySettings = false;
};
};
};
services.redis.servers.authelia = {
inherit user;
enable = true;
};
sops.secrets = {
"authelia/storageEncryptionKey" = {
owner = user;
group = user;
};
"authelia/sessionSecret" = {
owner = user;
group = user;
};
"authelia/jwtSecret" = {
owner = user;
group = user;
};
};
}
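Review bot: `systemd.services.authelia-main.after = ["postgresql.service"]` only orders the unit and does not pull PostgreSQL in, and the Redis instance declared further down (unit `redis-authelia.service`) is not ordered at all, so authelia-main may start before either backend is up and fail on its first storage or session access. Adding a dependency alongside the ordering for both units covers this: `systemd.services.authelia-main = { after = ["postgresql.service" "redis-authelia.service"]; requires = ["postgresql.service" "redis-authelia.service"]; };`. Separately, `real_ip_header X-Forwarded-For; real_ip_recursive on;` in the `/` location has no effect without a `set_real_ip_from` directive, and since the same block overwrites X-Forwarded-For with `$remote_addr`, the two lines should either be dropped or be paired with a `set_real_ip_from` that names only a real upstream proxy, so that a client-supplied X-Forwarded-For is never what Authelia's regulation and access rules see. `storage.postgres.password = "unnecessary"` deserves a comment such as `# Connecting over the Unix socket; the password is required by the schema but not used for authentication` — that presumes local peer authentication in the PostgreSQL config, which is not in this diff, so confirm it before wording the comment that way.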


@ -40,6 +40,7 @@ in {
forceSSL = true;
enableACME = true;
enableHSTS = true;
enableAuthorization = true;
locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
};
}


@ -1,4 +1,8 @@
{pkgs, ...}: {
{
config,
pkgs,
...
}: {
services.postgresql = {
package = pkgs.postgresql_14;
enable = true;
@ -24,11 +28,16 @@
name = "nextcloud";
ensureDBOwnership = true;
}
{
name = config.services.authelia.instances.main.user;
ensureDBOwnership = true;
}
];
ensureDatabases = [
"grafana"
"nextcloud"
config.services.authelia.instances.main.user
];
};
}