tlaternet/tlaternet-server
1
0
Fork 0
Code Issues10 Pull requests Releases Activity

WIP: feat(authelia): Add authentication with authelia

Browse source
This commit is contained in:
Tristan Daniël Maat 2025-05-24 07:26:11 +08:00
parent 94ec261a94
commit 9869157c07
Signed by: tlater
GPG key ID: 49670FD774E43268
6 changed files with 171 additions and 9 deletions
configuration/services
authelia.nix

123
configuration/services/authelia.nix Normal file
View file

@ -0,0 +1,123 @@
{ config, ... }:
{
services = {
authelia.instances.tlaternet = {
enable = true;
environmentVariables = {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
config.sops.secrets."authelia/lldap-password".path;
AUTHELIA_NOTIFIER_SMTP_SENDER_FILE = config.sops.secrets."authelia/ntfy-topic".path;
};
settings = {
authentication_backend.ldap = {
# TODO(tlater): Enable when authelia has a webhook notifier:
# https://github.com/authelia/authelia/issues/7695
password_reset.disable = true;
refresh_interval = "1m";
address = "ldap://${config.services.lldap.settings.ldap_host}:${toString config.services.lldap.settings.ldap_port}";
implementation = "lldap";
base_dn = config.services.lldap.settings.ldap_base_dn;
user = "cn=authelia,ou=people,${config.services.lldap.settings.ldap_base_dn}";
};
password_policy.zxcvbn.enabled = true;
telemetry.metrics.enabled = true;
access_control = {
default_policy = "deny";
rules = [
{
domain = "*.${config.services.nginx.domain}";
policy = "one_factor";
}
];
};
notifier.filesystem.filename = "/var/lib/authelia-tlaternet/notification.txt";
session = {
cookies = [
{
domain = "${config.services.nginx.domain}";
authelia_url = "https://auth.${config.services.nginx.domain}";
}
];
redis.host = config.services.redis.servers.authelia.unixSocket;
};
storage = {
postgres = {
address = "/var/run/postgresql";
username = config.services.authelia.instances.tlaternet.user;
database = config.services.authelia.instances.tlaternet.user;
};
};
# Auth options
default_2fa_method = "totp";
totp.issuer = "tlater.net";
webauthn = {
display_name = "tlater.net";
enable_passkey_login = true;
attestation_conveyance_preference = "direct";
filtering.prohibit_backup_eligibility = true;
metadata = {
enabled = true;
validate_trust_anchor = true;
validate_entry = true;
validate_status = true;
validate_entry_permit_zero_aaguid = false;
};
};
duo_api.disable = true;
};
secrets = {
storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path;
jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path;
sessionSecretFile = config.sops.secrets."authelia/session-secret".path;
};
};
redis.servers.authelia = {
enable = true;
user = config.services.authelia.instances.tlaternet.user;
};
lldap = {
enable = true;
settings = {
ldap_base_dn = "dc=tlater,dc=net";
database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
ldap_host = "127.0.0.1";
http_host = "127.0.0.1";
http_url = "https://lldap.${config.services.nginx.domain}";
force_ldap_user_pass_reset = "always";
smtp_options.enable_password_reset = false;
environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
};
};
};
nginx.virtualHosts = {
"lldap.${config.services.nginx.domain}" = {
useACMEHost = "tlater.net";
forceSSL = true;
enableHSTS = true;
locations."/".proxyPass =
"http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
};
};
};
}