diff --git a/configuration/default.nix b/configuration/default.nix
index 0377e9c..ffdf379 100644
--- a/configuration/default.nix
+++ b/configuration/default.nix
@@ -13,6 +13,7 @@
"${modulesPath}/profiles/minimal.nix"
(import ../modules)
+ ./services/authelia.nix
./services/backups.nix
./services/battery-manager.nix
./services/conduit
diff --git a/configuration/services/authelia.nix b/configuration/services/authelia.nix
new file mode 100644
index 0000000..e47f101
--- /dev/null
+++ b/configuration/services/authelia.nix
@@ -0,0 +1,123 @@
+{ config, ... }:
+{
+ services = {
+ authelia.instances.tlaternet = {
+ enable = true;
+
+ environmentVariables = {
+ AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+ config.sops.secrets."authelia/lldap-password".path;
+ AUTHELIA_NOTIFIER_SMTP_SENDER_FILE = config.sops.secrets."authelia/ntfy-topic".path;
+ };
+
+ settings = {
+ authentication_backend.ldap = {
+ # TODO(tlater): Enable when authelia has a webhook notifier:
+ # https://github.com/authelia/authelia/issues/7695
+ password_reset.disable = true;
+ refresh_interval = "1m";
+ address = "ldap://${config.services.lldap.settings.ldap_host}:${toString config.services.lldap.settings.ldap_port}";
+ implementation = "lldap";
+ base_dn = config.services.lldap.settings.ldap_base_dn;
+ user = "cn=authelia,ou=people,${config.services.lldap.settings.ldap_base_dn}";
+ };
+
+ password_policy.zxcvbn.enabled = true;
+
+ telemetry.metrics.enabled = true;
+
+ access_control = {
+ default_policy = "deny";
+ rules = [
+ {
+ domain = "*.${config.services.nginx.domain}";
+ policy = "one_factor";
+ }
+ ];
+ };
+ notifier.filesystem.filename = "/var/lib/authelia-tlaternet/notification.txt";
+
+ session = {
+ cookies = [
+ {
+ domain = "${config.services.nginx.domain}";
+ authelia_url = "https://auth.${config.services.nginx.domain}";
+ }
+ ];
+ redis.host = config.services.redis.servers.authelia.unixSocket;
+ };
+
+ storage = {
+ postgres = {
+ address = "/var/run/postgresql";
+ username = config.services.authelia.instances.tlaternet.user;
+ database = config.services.authelia.instances.tlaternet.user;
+ };
+ };
+
+ # Auth options
+ default_2fa_method = "totp";
+ totp.issuer = "tlater.net";
+ webauthn = {
+ display_name = "tlater.net";
+ enable_passkey_login = true;
+
+ attestation_conveyance_preference = "direct";
+ filtering.prohibit_backup_eligibility = true;
+ metadata = {
+ enabled = true;
+ validate_trust_anchor = true;
+ validate_entry = true;
+ validate_status = true;
+ validate_entry_permit_zero_aaguid = false;
+ };
+ };
+ duo_api.disable = true;
+ };
+
+ secrets = {
+ storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path;
+ jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path;
+ sessionSecretFile = config.sops.secrets."authelia/session-secret".path;
+ };
+ };
+
+ redis.servers.authelia = {
+ enable = true;
+ user = config.services.authelia.instances.tlaternet.user;
+ };
+
+ lldap = {
+ enable = true;
+ settings = {
+ ldap_base_dn = "dc=tlater,dc=net";
+ database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
+ ldap_host = "127.0.0.1";
+
+ http_host = "127.0.0.1";
+ http_url = "https://lldap.${config.services.nginx.domain}";
+
+ force_ldap_user_pass_reset = "always";
+
+ smtp_options.enable_password_reset = false;
+
+ environment = {
+ LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
+ LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
+ LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
+ };
+ };
+ };
+
+ nginx.virtualHosts = {
+ "lldap.${config.services.nginx.domain}" = {
+ useACMEHost = "tlater.net";
+ forceSSL = true;
+ enableHSTS = true;
+
+ locations."/".proxyPass =
+ "http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
+ };
+ };
+ };
+}
diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix
index f37b8b0..e362c49 100644
--- a/configuration/services/metrics/victoriametrics.nix
+++ b/configuration/services/metrics/victoriametrics.nix
@@ -9,6 +9,10 @@ in
extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ];
scrapeConfigs = {
+ authelia = {
+ targets = [ "127.0.0.1:9959" ];
+ };
+
forgejo = {
targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ];
extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path;
diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix
index 85a6843..9ac9ff3 100644
--- a/configuration/services/postgres.nix
+++ b/configuration/services/postgres.nix
@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
{
services.postgresql = {
package = pkgs.postgresql_14;
@@ -17,10 +17,18 @@
# that operation needs to be performed manually on the system as
# well.
ensureUsers = [
+ {
+ name = config.services.authelia.instances.tlaternet.user;
+ ensureDBOwnership = true;
+ }
{
name = "grafana";
ensureDBOwnership = true;
}
+ {
+ name = "lldap";
+ ensureDBOwnership = true;
+ }
{
name = "nextcloud";
ensureDBOwnership = true;
@@ -28,7 +36,9 @@
];
ensureDatabases = [
+ config.services.authelia.instances.tlaternet.user
"grafana"
+ "lldap"
"nextcloud"
];
};
diff --git a/configuration/sops.nix b/configuration/sops.nix
index 0337438..cb16026 100644
--- a/configuration/sops.nix
+++ b/configuration/sops.nix
@@ -3,6 +3,24 @@
defaultSopsFile = ../keys/production.yaml;
secrets = {
+ "authelia/storage-encryption-key" = {
+ owner = "authelia-tlaternet";
+ group = "authelia-tlaternet";
+ };
+ "authelia/jwt-secret" = {
+ owner = "authelia-tlaternet";
+ group = "authelia-tlaternet";
+ };
+ "authelia/session-secret" = {
+ owner = "authelia-tlaternet";
+ group = "authelia-tlaternet";
+ };
+ "authelia/lldap-password" = {
+ owner = "authelia-tlaternet";
+ group = "lldap";
+ mode = "0440";
+ };
+
"battery-manager/email" = { };
"battery-manager/password" = { };
@@ -28,6 +46,10 @@
"heisenbridge/as-token" = { };
"heisenbridge/hs-token" = { };
+ # lldap
+ "lldap/admin-password" = { };
+ "lldap/key" = { };
+
# Matrix-hookshot
"matrix-hookshot/as-token" = { };
"matrix-hookshot/hs-token" = { };
diff --git a/keys/staging.yaml b/keys/staging.yaml
index 876d60e..94692c6 100644
--- a/keys/staging.yaml
+++ b/keys/staging.yaml
@@ -1,3 +1,7 @@
+authelia:
+ storage-encryption-key: ENC[AES256_GCM,data:iMV4DGwvOOq+DZao+Jrc3i15HOPFXHv3m6dzrAb7n8zV8bdLz5c4MCpq61hQy/UfoXsRYJUxwCcj3B70JQn2Ngq6P9ik9U1ZfYrwUWIENSd/iG8CBfdasKqxEijS2F23Lj1rbB4ppTWD9lWqRoKOEaXDL9Rqn02tiLbR3OewOpwiwbzv0PkVlC6yUV+yS3Jx,iv:1V2cwoV4kG3i9e9dv7PWPCNoFPIgYiZ2m3A8Agf3Jpc=,tag:AiFLpQ7nqwx9xZ71sbCn2g==,type:str]
+ jwt-secret: ENC[AES256_GCM,data:QA64lfervZk=,iv:MtyCZrbGzX+oKTBPW9R+n/r8TaFkK0xSwjn/qUT6ntQ=,tag:z/XnDGiLDkJ0xPVveeR2cA==,type:str]
+ session-secret: ENC[AES256_GCM,data:lYk4FOO4sQM=,iv:z05n1zPt1ONNqN6sgITUTu+GSe6xev4cYm8c4xzp/Mg=,tag:TRQAbxjvaoo/tnLxO43KKg==,type:str]
porkbun:
api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str]
secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str]
@@ -9,6 +13,9 @@ forgejo:
grafana:
adminPassword: ENC[AES256_GCM,data:dYfaxUpQpzA=,iv:j5wSem8C5+V4c5qRzXQJhsU7/FOtpvrnaEyFBmW6zJ4=,tag:oc8n3TkEbjF2gjuOobZuLA==,type:str]
secretKey: ENC[AES256_GCM,data:Atruvh2MsNY=,iv:y2MaCUCEzGIydHp6G0DJHfk289S1is0twKm2oUYwDhM=,tag:nAWeg+YqaYqk6k22oBkAhQ==,type:str]
+lldap:
+ admin-password: ENC[AES256_GCM,data:s18N1fvXtzE=,iv:FGXF5+PwDZrQIJylx+pkjY4SO0mmfiGUPZeFAINmGnY=,tag:rpPSFdWzCHhyp4ITddRekg==,type:str]
+ key: ENC[AES256_GCM,data:spbrfjm4Ozhu6XAPxN1cuQ==,iv:QEDCGfl75aP0T68nbWmqkPem46FHrs8nj7zVkWYcHt4=,tag:P4p3rC5I2KqPm733wbTp9g==,type:str]
nextcloud:
tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str]
steam:
@@ -32,13 +39,8 @@ turn:
#ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment]
ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str]
sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age: []
- lastmodified: "2025-02-07T17:43:24Z"
- mac: ENC[AES256_GCM,data:akmD/bfgeTyFzW1quvM16cdj0fC6+CbJ8WyX9173H11yKGxvE1USQYcErpl1SHOx9Jk8LVb7f+MsUm2fjQF1MEq6xaWI74jem12lZ9CGXFaTL7e87JvfbK7pV+aKpxSBBNFyJgbYm30ibdUwxwKmNVfPb1e0HT9qwenvoV7RobM=,iv:mKqOW0ULXL711uczUbRf9NPo6uPTQoS/IbR46S+JID4=,tag:vE6NYzYLbQHDImov1XGTcg==,type:str]
+ lastmodified: "2025-05-25T18:42:33Z"
+ mac: ENC[AES256_GCM,data:psytbF+v/+B+lYWXmXqVlF3FZRwQISiuvcCqM6A4n87JcLIMP1YrRkyhmrxA3AAb829KUEXLc8fe58cRyO7f4VKYKR00hnI3ttrM3MuptfTD/7LmrIqsOSvqigoPoGG7AG+0UrFxYfB/0lFs3QEQQAWOdr4++DkmJEFJvk39bZ0=,iv:uE4cFjDsXJUkiyZSqyeAxrnD/NYBvo2vB1E6ea47fXk=,tag:XgazpbcPHlLhG1ZTWuprxA==,type:str]
pgp:
- created_at: "2025-01-21T17:55:30Z"
enc: |-
@@ -76,4 +78,4 @@ sops:
-----END PGP MESSAGE-----
fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
unencrypted_suffix: _unencrypted
- version: 3.9.2
+ version: 3.10.2