From 80d0f8fc9fb158217e6e75b4a71d1987ea9b5a79 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= Date: Sun, 19 Oct 2025 03:19:30 +0800 Subject: [PATCH] WIP: Auth --- configuration/default.nix | 1 + configuration/services/auth/authelia.nix | 87 ++++++++++++++++++++++++ configuration/services/auth/default.nix | 5 ++ configuration/services/postgres.nix | 5 ++ keys/staging.yaml | 10 ++- 5 files changed, 105 insertions(+), 3 deletions(-) create mode 100644 configuration/services/auth/authelia.nix create mode 100644 configuration/services/auth/default.nix diff --git a/configuration/default.nix b/configuration/default.nix index f2d1615..041c885 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -13,6 +13,7 @@ "${modulesPath}/profiles/minimal.nix" (import ../modules) + ./services/auth ./services/backups.nix ./services/battery-manager.nix ./services/conduit diff --git a/configuration/services/auth/authelia.nix b/configuration/services/auth/authelia.nix new file mode 100644 index 0000000..f05e3f0 --- /dev/null +++ b/configuration/services/auth/authelia.nix @@ -0,0 +1,87 @@ +{ config, ... }: +let + instanceName = config.services.authelia.instances.main.name; +in +{ + services.authelia.instances.main = { + enable = true; + + settings = { + theme = "auto"; + default_2fa_method = "totp"; + + authentication_backend = { + password_reset.disable = true; + password_change.disable = true; + + file = { + inherit (config.sops.secrets."authelia/users") path; + + search = { + email = true; + case_insensitive = false; + }; + }; + }; + + storage.postgres = { + address = "unix:///run/postgresql"; + database = "authelia"; + username = "authelia"; + }; + + session.cookies = [ + { + domain = config.services.nginx.domain; + authelia_url = "https://auth.${config.services.nginx.domain}"; + } + ]; + + notifier.filesystem.filename = ''{{ env "RUNTIME_DIRECTORY" }}/authelia-notifications''; + + access_control = { + + }; + + server = { + # Maybe a systemd socket can be used for this in the future, + # see: + # https://github.com/systemd/systemd/issues/23067#issuecomment-1212232155 + address = "unix://${config.systemd.sockets."authelia-${instanceName}".socketConfig.ListenStream}"; + }; + }; + + secrets = { + jwtSecretFile = config.sops.secrets."authelia/jwt".path; + storageEncryptionKeyFile = config.sops.secrets."authelia/storage".path; + }; + }; + + systemd.sockets."authelia-${instanceName}" = { + socketConfig = { + Accept = false; + ListenStream = "/var/run/authelia.sock"; + SocketGroup = "authelia"; + SocketMode = "0660"; + }; + }; + + systemd.services."authelia-${instanceName}" = { + requires = [ "authelia-${instanceName}.socket" ]; + + serviceConfig = { + RuntimeDirectory = "authelia-${instanceName}"; + SupplementaryGroups = [ "authelia" ]; + }; + }; + + # TODO: Need to map these to systemd creds to pass them into the + # service because user permissions + sops.secrets = { + "authelia/users" = { }; + "authelia/jwt" = { }; + "authelia/storage" = { }; + }; + + users.groups.authelia = { }; +} diff --git a/configuration/services/auth/default.nix b/configuration/services/auth/default.nix new file mode 100644 index 0000000..4b9c671 --- /dev/null +++ b/configuration/services/auth/default.nix @@ -0,0 +1,5 @@ +{ + imports = [ + ./authelia.nix + ]; +} diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix index 85a6843..ddb2c82 100644 --- a/configuration/services/postgres.nix +++ b/configuration/services/postgres.nix @@ -17,6 +17,10 @@ # that operation needs to be performed manually on the system as # well. ensureUsers = [ + { + name = "authelia"; + ensureDBOwnership = true; + } { name = "grafana"; ensureDBOwnership = true; @@ -28,6 +32,7 @@ ]; ensureDatabases = [ + "authelia" "grafana" "nextcloud" ]; diff --git a/keys/staging.yaml b/keys/staging.yaml index 6fa212d..caa5707 100644 --- a/keys/staging.yaml +++ b/keys/staging.yaml @@ -1,3 +1,7 @@ +authelia: + users: "" + jwt: ENC[AES256_GCM,data:oKA1B7zZAzTZL4nBdHvPENVx7M2BgbMBmNtetri0qCVB7qNFIgbnwVCJFiDvjKxxNdedqUKBZZL5QJbTlPNRxCVdFgBBMFiib3khxMP8kzqff2MgJZxumonlJt5Jmh8tVxwLRJwE/2fp/N9w2hRs0vhfmMyAA4y7RZv3R9/eaKM=,iv:2iTAwP6dipPBMskyygnBJHJ53E0nmHYcGyWDrODEs1Q=,tag:koSEZtQQzOzpbQBgUP5ZHw==,type:str] + storage: ENC[AES256_GCM,data:bO+bHu6jRvfbLU6xIDaE2JwXpNnMK916Upv43ycg9fCb+U5hqQfqBBwC2xVEVXtCBRq1VER+gc8rs8/XDT9vZkvMUqAHj4RqXHyzX0UjwsvccBJSLfoLUiT6obk3oVLo5CY7R2TukPuyFXPbMUOrBk9gnbk7z4IWzcwNnuOKBT4=,iv:RmKIS/cgZ0tUQDFF2yfaJnfTvPaeadjG0LPXKIzYFrA=,tag:XmqDhDf3Ja1BsyrYmzTKDg==,type:str] porkbun: api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str] secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str] @@ -32,8 +36,8 @@ turn: #ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment] ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str] sops: - lastmodified: "2025-02-07T17:43:24Z" - mac: ENC[AES256_GCM,data:akmD/bfgeTyFzW1quvM16cdj0fC6+CbJ8WyX9173H11yKGxvE1USQYcErpl1SHOx9Jk8LVb7f+MsUm2fjQF1MEq6xaWI74jem12lZ9CGXFaTL7e87JvfbK7pV+aKpxSBBNFyJgbYm30ibdUwxwKmNVfPb1e0HT9qwenvoV7RobM=,iv:mKqOW0ULXL711uczUbRf9NPo6uPTQoS/IbR46S+JID4=,tag:vE6NYzYLbQHDImov1XGTcg==,type:str] + lastmodified: "2025-10-20T20:04:21Z" + mac: ENC[AES256_GCM,data:kRrmVm3PQooRA/MoHgDb9EaRnoKY9CJxAflus9Po8NBmyQxV6Ehjf8DlI6yf7ZpPlhV+VHZJamyPD+hsHp1hSr8krvr0o52ZQdKn4MJQzSQXa4K9i3i0+glj7cNGs2SzTJnKwN9lxBywZpbVDlkXmvRQYLE9tWPWoSBdurOibjw=,iv:2iBQ1cYT85mCc7jf2GTEOjNiHBlR/F76Dvjl/k5dyLA=,tag:Z7dY2i0KWmmoVp7VJjq1Sw==,type:str] pgp: - created_at: "2025-10-03T21:38:26Z" enc: |- @@ -67,4 +71,4 @@ sops: -----END PGP MESSAGE----- fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.11.0