WIP: authelia: Add SSO

2024-04-13 04:34:53 +02:00 · 2024-04-13 04:34:53 +02:00 · aef71f548a
commit aef71f548a
parent 501c3466bc
7 changed files with 217 additions and 7 deletions
--- a/configuration/default.nix
+++ b/configuration/default.nix
@ -15,6 +15,7 @@
    (import ../modules)

    ./services/afvalcalendar.nix
+    ./services/auth.nix
    ./services/backups.nix
    ./services/battery-manager.nix
    ./services/conduit.nix
--- a/configuration/services/auth.nix
+++ b/configuration/services/auth.nix
@ -0,0 +1,95 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  user = config.services.authelia.instances.main.user;
+  domain = "auth.${config.services.nginx.domain}";
+in {
+  services.authelia.instances.main = {
+    enable = true;
+    settings = {
+      theme = "auto";
+
+      access_control.default_policy = "one_factor";
+
+      authentication_backend = {
+        password_reset.disable = true;
+        file.path = "/var/lib/authelia-main/users.yml";
+      };
+
+      notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
+
+      session = {
+        domain = config.services.nginx.domain;
+        redis.host = config.services.redis.servers.authelia.unixSocket;
+      };
+
+      storage.postgres = {
+        host = "/run/postgresql";
+        port = 5432;
+        database = user;
+        username = user;
+
+        password = "unnecessary";
+      };
+    };
+
+    secrets = {
+      storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKey".path; # Database
+      sessionSecretFile = config.sops.secrets."authelia/sessionSecret".path; # Redis
+      jwtSecretFile = config.sops.secrets."authelia/jwtSecret".path;
+    };
+  };
+
+  systemd.services.authelia-main.after = ["postgresql.service"];
+
+  services.nginx = {
+    # TODO(tlater): Possibly remove on next authelia release
+    additionalModules = with pkgs.nginxModules; [
+      develkit
+      set-misc
+    ];
+
+    virtualHosts."${domain}" = {
+      forceSSL = true;
+      enableACME = true;
+      enableHSTS = true;
+
+      locations = {
+        "/" = {
+          proxyPass = "http://127.0.0.1:9091";
+          recommendedProxySettings = false;
+          enableAutheliaProxy = true;
+        };
+
+        "/api/verify" = {
+          proxyPass = "http://127.0.0.1:9091";
+          recommendedProxySettings = false;
+        };
+      };
+    };
+  };
+
+  services.redis.servers.authelia = {
+    inherit user;
+    enable = true;
+  };
+
+  sops.secrets = {
+    "authelia/storageEncryptionKey" = {
+      owner = user;
+      group = user;
+    };
+
+    "authelia/sessionSecret" = {
+      owner = user;
+      group = user;
+    };
+
+    "authelia/jwtSecret" = {
+      owner = user;
+      group = user;
+    };
+  };
+}
--- a/configuration/services/metrics/grafana.nix
+++ b/configuration/services/metrics/grafana.nix
@ -40,6 +40,7 @@ in {
    forceSSL = true;
    useACMEHost = "tlater.net";
    enableHSTS = true;
+    enableAuthorization = true;
    locations."/".proxyPass = "http://localhost:${toString config.services.grafana.settings.server.http_port}";
  };
 }
--- a/configuration/services/postgres.nix
+++ b/configuration/services/postgres.nix
@ -1,4 +1,8 @@
-{pkgs, ...}: {
+{
+  config,
+  pkgs,
+  ...
+}: {
  services.postgresql = {
    package = pkgs.postgresql_14;
    enable = true;
@ -24,11 +28,16 @@
        name = "nextcloud";
        ensureDBOwnership = true;
      }
+      {
+        name = config.services.authelia.instances.main.user;
+        ensureDBOwnership = true;
+      }
    ];

    ensureDatabases = [
      "grafana"
      "nextcloud"
+      config.services.authelia.instances.main.user
    ];
  };
 }