tlaternet/tlaternet-server
1
0
Fork 0
Code Issues10 Pull requests Releases Activity

Compare commits

..

2 commits
8c89c377ba ... dc56d6b1f2

Author SHA1 Message Date
Tristan Daniël Maat
dc56d6b1f2
WIP: feat: Add minecraft server 2025-05-27 04:02:12 +08:00
Tristan Daniël Maat
27f28457b2
WIP: feat(authelia): Add authentication with authelia 2025-05-27 04:02:12 +08:00
6 changed files with 136 additions and 51 deletions

2
configuration/default.nix
View file

@ -13,7 +13,7 @@
"${modulesPath}/profiles/minimal.nix"
(import ../modules)
./services/authelia.nix
./services/auth
./services/backups.nix
./services/battery-manager.nix
./services/conduit

66
configuration/services/authelia.nix → configuration/services/auth/authelia.nix
View file

@ -1,26 +1,29 @@
{ config, ... }:
{
systemd.services.authelia-tlaternet.after = [ config.systemd.services.lldap-provisioning.name ];
services = {
authelia.instances.tlaternet = {
enable = true;
environmentVariables = {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
config.sops.secrets."authelia/lldap-password".path;
AUTHELIA_NOTIFIER_SMTP_SENDER_FILE = config.sops.secrets."authelia/ntfy-topic".path;
};
environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
config.sops.secrets."authelia/lldap-password".path;
settings = {
authentication_backend.ldap = {
# TODO(tlater): Enable when authelia has a webhook notifier:
# https://github.com/authelia/authelia/issues/7695
password_reset.disable = true;
refresh_interval = "1m";
address = "ldap://${config.services.lldap.settings.ldap_host}:${toString config.services.lldap.settings.ldap_port}";
implementation = "lldap";
base_dn = config.services.lldap.settings.ldap_base_dn;
user = "cn=authelia,ou=people,${config.services.lldap.settings.ldap_base_dn}";
};
authentication_backend.ldap =
let
cfglldap = config.services.lldap.settings;
in
{
# TODO(tlater): Enable when authelia has a webhook notifier:
# https://github.com/authelia/authelia/issues/7695
password_reset.disable = true;
refresh_interval = "1m";
address = "ldap://${cfglldap.ldap_host}:${toString cfglldap.ldap_port}";
implementation = "lldap";
base_dn = cfglldap.ldap_base_dn;
user = "cn=authelia,ou=people,${cfglldap.ldap_base_dn}";
};
password_policy.zxcvbn.enabled = true;
@ -86,38 +89,5 @@
enable = true;
user = config.services.authelia.instances.tlaternet.user;
};
lldap = {
enable = true;
settings = {
ldap_base_dn = "dc=tlater,dc=net";
database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
ldap_host = "127.0.0.1";
http_host = "127.0.0.1";
http_url = "https://lldap.${config.services.nginx.domain}";
force_ldap_user_pass_reset = "always";
smtp_options.enable_password_reset = false;
environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
};
};
};
nginx.virtualHosts = {
"lldap.${config.services.nginx.domain}" = {
useACMEHost = "tlater.net";
forceSSL = true;
enableHSTS = true;
locations."/".proxyPass =
"http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
};
};
};
}

6
configuration/services/auth/default.nix Normal file
View file

@ -0,0 +1,6 @@
{
imports = [
./authelia.nix
./lldap.nix
];
}

44
configuration/services/auth/lldap-provisioning.nu Normal file
View file

@ -0,0 +1,44 @@
#!/usr/bin/env nushell
let groups = [{
}]
let users = [
]
let settings = open $env.LLDAP_CONFIG
let url = (
'http://' |
$in + ($settings | get http_host | default '127.0.0.1') |
$in + ':' |
$in + ($settings | get http_port | default '17170' | into string))
let user = $settings | get ldap_user_dn | default admin
let pass = open $env.LLDAP_LDAP_USER_PASS_FILE
let token = { username: $user, password: $pass } | to json | http post $'($url)/auth/simple/login' | get token
def query [operation: string, query: string, variables: list<string>] {
let body = {
query: $query,
operationName: $operation,
variables: $variables
}
let res = $body | to json | http post --headers [Authorization $'Bearer ($token)'] $'($url)/api/graphql'
if ("errors" in $res) {
let msg = "GraphQL query to LLDAP failed:\n" + ($res.errors | each {|e| $'- ($e)' | str join (char newline)})
error make {
msg: $msg,
label: {
text: "Query defined here",
span: (metadata $query).span
}
}
} else {
$res.data
}
}

64
configuration/services/auth/lldap.nix Normal file
View file

@ -0,0 +1,64 @@
{
lib,
pkgs,
config,
...
}:
{
services = {
lldap = {
enable = true;
settings = {
ldap_base_dn = "dc=tlater,dc=net";
database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
ldap_host = "127.0.0.1";
http_host = "127.0.0.1";
http_url = "https://lldap.${config.services.nginx.domain}";
force_ldap_user_pass_reset = "always";
smtp_options.enable_password_reset = false;
environment = {
LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
};
};
};
nginx.virtualHosts = {
"lldap.${config.services.nginx.domain}" = {
useACMEHost = "tlater.net";
forceSSL = true;
enableHSTS = true;
locations."/".proxyPass =
"http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
};
};
};
systemd.services.lldap.after = [ config.systemd.services.postgresql.name ];
systemd.services.lldap-provisioning = {
requisite = [ config.systemd.services.lldap.name ];
wantedBy = [ config.systemd.services.lldap.name ];
after = [ config.systemd.services.lldap.name ];
path = [
pkgs.nushell
pkgs.lldap-cli
];
script = "exec nu ${./lldap-provisioning.nu}";
environment = {
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
# LLDAP_CONFIG = ((pkgs.formats.toml { }).generate config.services.lldap.settings).outPath;
};
serviceConfig.Type = "oneshot";
};
}

5
keys/staging.yaml
View file

@ -2,6 +2,7 @@ authelia:
storage-encryption-key: ENC[AES256_GCM,data:iMV4DGwvOOq+DZao+Jrc3i15HOPFXHv3m6dzrAb7n8zV8bdLz5c4MCpq61hQy/UfoXsRYJUxwCcj3B70JQn2Ngq6P9ik9U1ZfYrwUWIENSd/iG8CBfdasKqxEijS2F23Lj1rbB4ppTWD9lWqRoKOEaXDL9Rqn02tiLbR3OewOpwiwbzv0PkVlC6yUV+yS3Jx,iv:1V2cwoV4kG3i9e9dv7PWPCNoFPIgYiZ2m3A8Agf3Jpc=,tag:AiFLpQ7nqwx9xZ71sbCn2g==,type:str]
jwt-secret: ENC[AES256_GCM,data:QA64lfervZk=,iv:MtyCZrbGzX+oKTBPW9R+n/r8TaFkK0xSwjn/qUT6ntQ=,tag:z/XnDGiLDkJ0xPVveeR2cA==,type:str]
session-secret: ENC[AES256_GCM,data:lYk4FOO4sQM=,iv:z05n1zPt1ONNqN6sgITUTu+GSe6xev4cYm8c4xzp/Mg=,tag:TRQAbxjvaoo/tnLxO43KKg==,type:str]
lldap-password: ENC[AES256_GCM,data:cafjSRCUXAg=,iv:vZM/6efEhWjjTKNnDuS+Kj2i/eOkn20vT2JmtcHGcSU=,tag:P1GscnNwMoWCMMDbMVMPqA==,type:str]
porkbun:
api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str]
secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str]
@ -39,8 +40,8 @@ turn:
#ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment]
ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str]
sops:
lastmodified: "2025-05-25T18:42:33Z"
mac: ENC[AES256_GCM,data:psytbF+v/+B+lYWXmXqVlF3FZRwQISiuvcCqM6A4n87JcLIMP1YrRkyhmrxA3AAb829KUEXLc8fe58cRyO7f4VKYKR00hnI3ttrM3MuptfTD/7LmrIqsOSvqigoPoGG7AG+0UrFxYfB/0lFs3QEQQAWOdr4++DkmJEFJvk39bZ0=,iv:uE4cFjDsXJUkiyZSqyeAxrnD/NYBvo2vB1E6ea47fXk=,tag:XgazpbcPHlLhG1ZTWuprxA==,type:str]
lastmodified: "2025-05-26T19:48:08Z"
mac: ENC[AES256_GCM,data:dIuIJlkz6yUKt1MrOgwQTYm8DzwldN4o2E0B89p8c0WeCxgHwWVMtIHt8QsrIet9X7aHDx97/S67XzYEGSXI/9Btc+GCEFNcoVsgZzXy+d7r3io2gQxNrQ6yJwJvStW+ZeWPujg5nJ6NNfhcweLFdquwNwNJ4DC1sGvCl5/m/QY=,iv:n5f8urvZVLfIp46nysSJh3ngx+H8qxLuycmDZVYDOCk=,tag:5ccJtPdIRZmFXDVO1V6y3w==,type:str]
pgp:
- created_at: "2025-01-21T17:55:30Z"
enc: |-