WIP: feat: Add minecraft server

configuration/services/authelia.nix

@@ -1,44 +1,123 @@
 { config, ... }:
 {
-  services.authelia.instances.tlaternet = {
-    enable = true;
-
-    settings = {
-      default_2fa_method = "totp";
-      headers.csp_template = todo!();
-
-      authentication_backend.ldap = {
+  services = {
+    authelia.instances.tlaternet = {
+      enable = true;
 
+      environmentVariables = {
+        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+          config.sops.secrets."authelia/lldap-password".path;
+        AUTHELIA_NOTIFIER_SMTP_SENDER_FILE = config.sops.secrets."authelia/ntfy-topic".path;
       };
 
-      totp = {
-        issuer = "tlater.net";
+      settings = {
+        authentication_backend.ldap = {
+          # TODO(tlater): Enable when authelia has a webhook notifier:
+          # https://github.com/authelia/authelia/issues/7695
+          password_reset.disable = true;
+          refresh_interval = "1m";
+          address = "ldap://${config.services.lldap.settings.ldap_host}:${toString config.services.lldap.settings.ldap_port}";
+          implementation = "lldap";
+          base_dn = config.services.lldap.settings.ldap_base_dn;
+          user = "cn=authelia,ou=people,${config.services.lldap.settings.ldap_base_dn}";
+        };
+
+        password_policy.zxcvbn.enabled = true;
+
+        telemetry.metrics.enabled = true;
+
+        access_control = {
+          default_policy = "deny";
+          rules = [
+            {
+              domain = "*.${config.services.nginx.domain}";
+              policy = "one_factor";
+            }
+          ];
+        };
+        notifier.filesystem.filename = "/var/lib/authelia-tlaternet/notification.txt";
+
+        session = {
+          cookies = [
+            {
+              domain = "${config.services.nginx.domain}";
+              authelia_url = "https://auth.${config.services.nginx.domain}";
+            }
+          ];
+          redis.host = config.services.redis.servers.authelia.unixSocket;
+        };
+
+        storage = {
+          postgres = {
+            address = "/var/run/postgresql";
+            username = config.services.authelia.instances.tlaternet.user;
+            database = config.services.authelia.instances.tlaternet.user;
+          };
+        };
+
+        # Auth options
+        default_2fa_method = "totp";
+        totp.issuer = "tlater.net";
+        webauthn = {
+          display_name = "tlater.net";
+          enable_passkey_login = true;
+
+          attestation_conveyance_preference = "direct";
+          filtering.prohibit_backup_eligibility = true;
+          metadata = {
+            enabled = true;
+            validate_trust_anchor = true;
+            validate_entry = true;
+            validate_status = true;
+            validate_entry_permit_zero_aaguid = false;
+          };
+        };
+        duo_api.disable = true;
       };
 
-      webauthn = {
-        # enable_passkey_login = true; ?
-        display_name = "tlater.net";
+      secrets = {
+        storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path;
+        jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path;
+        sessionSecretFile = config.sops.secrets."authelia/session-secret".path;
       };
-
-      duo_api.disable = true;
-
-      telemetry.metrics.enabled = true;
     };
 
-    secrets = {
-      storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path;
-      jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path;
+    redis.servers.authelia = {
+      enable = true;
+      user = config.services.authelia.instances.tlaternet.user;
     };
-  };
 
-  services.lldap = {
-    enable = true;
-    settings = {
-      ldap_user_email = "admin@tlater.net";
+    lldap = {
+      enable = true;
+      settings = {
+        ldap_base_dn = "dc=tlater,dc=net";
+        database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
+        ldap_host = "127.0.0.1";
 
-      ldap_base_dn = "dc=tlater,dc=net";
+        http_host = "127.0.0.1";
+        http_url = "https://lldap.${config.services.nginx.domain}";
 
-      database_url = "postgres:///lldap";
+        force_ldap_user_pass_reset = "always";
+
+        smtp_options.enable_password_reset = false;
+
+        environment = {
+          LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
+          LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
+          LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
+        };
+      };
+    };
+
+    nginx.virtualHosts = {
+      "lldap.${config.services.nginx.domain}" = {
+        useACMEHost = "tlater.net";
+        forceSSL = true;
+        enableHSTS = true;
+
+        locations."/".proxyPass =
+          "http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
+      };
     };
   };
 }

configuration/services/postgres.nix

@@ -1,4 +1,4 @@
-{ pkgs, ... }:
+{ config, pkgs, ... }:
 {
   services.postgresql = {
     package = pkgs.postgresql_14;
@@ -18,21 +18,27 @@
     # well.
     ensureUsers = [
       {
-        name = "grafana";
+        name = config.services.authelia.instances.tlaternet.user;
         ensureDBOwnership = true;
       }
       {
-        name = "nextcloud";
+        name = "grafana";
         ensureDBOwnership = true;
       }
       {
         name = "lldap";
         ensureDBOwnership = true;
       }
+      {
+        name = "nextcloud";
+        ensureDBOwnership = true;
+      }
     ];
 
     ensureDatabases = [
+      config.services.authelia.instances.tlaternet.user
       "grafana"
+      "lldap"
       "nextcloud"
     ];
   };

configuration/sops.nix

@@ -3,8 +3,23 @@
     defaultSopsFile = ../keys/production.yaml;
 
     secrets = {
-      "authelia/storage-encryption-key" = { };
-      "authelia/jwt-secret" = { };
+      "authelia/storage-encryption-key" = {
+        owner = "authelia-tlaternet";
+        group = "authelia-tlaternet";
+      };
+      "authelia/jwt-secret" = {
+        owner = "authelia-tlaternet";
+        group = "authelia-tlaternet";
+      };
+      "authelia/session-secret" = {
+        owner = "authelia-tlaternet";
+        group = "authelia-tlaternet";
+      };
+      "authelia/lldap-password" = {
+        owner = "authelia-tlaternet";
+        group = "lldap";
+        mode = "0440";
+      };
 
       "battery-manager/email" = { };
 
@@ -31,6 +46,10 @@
       "heisenbridge/as-token" = { };
       "heisenbridge/hs-token" = { };
 
+      # lldap
+      "lldap/admin-password" = { };
+      "lldap/key" = { };
+
       # Matrix-hookshot
       "matrix-hookshot/as-token" = { };
       "matrix-hookshot/hs-token" = { };

keys/staging.yaml

@@ -1,6 +1,7 @@
 authelia:
-    storage-encryption-key: ENC[AES256_GCM,data:J42pTSYI/5s=,iv:BfXT8FkVp1qubn32fhoeXPn8ZZhSqHLxkDLJ3WJ88To=,tag:Bz9AGodTY8vacu4d8jSXyA==,type:str]
+    storage-encryption-key: ENC[AES256_GCM,data:iMV4DGwvOOq+DZao+Jrc3i15HOPFXHv3m6dzrAb7n8zV8bdLz5c4MCpq61hQy/UfoXsRYJUxwCcj3B70JQn2Ngq6P9ik9U1ZfYrwUWIENSd/iG8CBfdasKqxEijS2F23Lj1rbB4ppTWD9lWqRoKOEaXDL9Rqn02tiLbR3OewOpwiwbzv0PkVlC6yUV+yS3Jx,iv:1V2cwoV4kG3i9e9dv7PWPCNoFPIgYiZ2m3A8Agf3Jpc=,tag:AiFLpQ7nqwx9xZ71sbCn2g==,type:str]
     jwt-secret: ENC[AES256_GCM,data:QA64lfervZk=,iv:MtyCZrbGzX+oKTBPW9R+n/r8TaFkK0xSwjn/qUT6ntQ=,tag:z/XnDGiLDkJ0xPVveeR2cA==,type:str]
+    session-secret: ENC[AES256_GCM,data:lYk4FOO4sQM=,iv:z05n1zPt1ONNqN6sgITUTu+GSe6xev4cYm8c4xzp/Mg=,tag:TRQAbxjvaoo/tnLxO43KKg==,type:str]
 porkbun:
     api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str]
     secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str]
@@ -12,6 +13,9 @@ forgejo:
 grafana:
     adminPassword: ENC[AES256_GCM,data:dYfaxUpQpzA=,iv:j5wSem8C5+V4c5qRzXQJhsU7/FOtpvrnaEyFBmW6zJ4=,tag:oc8n3TkEbjF2gjuOobZuLA==,type:str]
     secretKey: ENC[AES256_GCM,data:Atruvh2MsNY=,iv:y2MaCUCEzGIydHp6G0DJHfk289S1is0twKm2oUYwDhM=,tag:nAWeg+YqaYqk6k22oBkAhQ==,type:str]
+lldap:
+    admin-password: ENC[AES256_GCM,data:s18N1fvXtzE=,iv:FGXF5+PwDZrQIJylx+pkjY4SO0mmfiGUPZeFAINmGnY=,tag:rpPSFdWzCHhyp4ITddRekg==,type:str]
+    key: ENC[AES256_GCM,data:spbrfjm4Ozhu6XAPxN1cuQ==,iv:QEDCGfl75aP0T68nbWmqkPem46FHrs8nj7zVkWYcHt4=,tag:P4p3rC5I2KqPm733wbTp9g==,type:str]
 nextcloud:
     tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str]
 steam:
@@ -35,13 +39,8 @@ turn:
     #ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment]
     ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str]
 sops:
-    kms: []
-    gcp_kms: []
-    azure_kv: []
-    hc_vault: []
-    age: []
-    lastmodified: "2025-05-23T22:56:39Z"
-    mac: ENC[AES256_GCM,data:lTwuWYMhZtKe/904EFiVOH2YRqW7Y0Bae+14x5cCdRIH7NORRXLdJkcO2X0vq8uXDi4MRAauLHUp5gAr+kM0ygKQHQnIOPo/8+hZKIdZt1jgUVBj4wh+6D+kVTIsekizPIf9L3m0hH701LqpQ0EvYjGYiHoKx/WxrK9u1hmDVCk=,iv:yCibsageq+8TO01U7Ej8hgpFeWPLPp+JrlvpocvXHBE=,tag:Qy6ZjBdNHhlXDCwaF8sHWQ==,type:str]
+    lastmodified: "2025-05-25T18:42:33Z"
+    mac: ENC[AES256_GCM,data:psytbF+v/+B+lYWXmXqVlF3FZRwQISiuvcCqM6A4n87JcLIMP1YrRkyhmrxA3AAb829KUEXLc8fe58cRyO7f4VKYKR00hnI3ttrM3MuptfTD/7LmrIqsOSvqigoPoGG7AG+0UrFxYfB/0lFs3QEQQAWOdr4++DkmJEFJvk39bZ0=,iv:uE4cFjDsXJUkiyZSqyeAxrnD/NYBvo2vB1E6ea47fXk=,tag:XgazpbcPHlLhG1ZTWuprxA==,type:str]
     pgp:
         - created_at: "2025-01-21T17:55:30Z"
           enc: |-
@@ -79,4 +78,4 @@ sops:
             -----END PGP MESSAGE-----
           fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc
     unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2