Compare commits
2 commits
8c89c377ba
...
dc56d6b1f2
Author | SHA1 | Date | |
---|---|---|---|
dc56d6b1f2 | |||
27f28457b2 |
6 changed files with 136 additions and 51 deletions
configuration
keys
|
@ -13,7 +13,7 @@
|
||||||
"${modulesPath}/profiles/minimal.nix"
|
"${modulesPath}/profiles/minimal.nix"
|
||||||
(import ../modules)
|
(import ../modules)
|
||||||
|
|
||||||
./services/authelia.nix
|
./services/auth
|
||||||
./services/backups.nix
|
./services/backups.nix
|
||||||
./services/battery-manager.nix
|
./services/battery-manager.nix
|
||||||
./services/conduit
|
./services/conduit
|
||||||
|
|
|
@ -1,26 +1,29 @@
|
||||||
{ config, ... }:
|
{ config, ... }:
|
||||||
{
|
{
|
||||||
|
systemd.services.authelia-tlaternet.after = [ config.systemd.services.lldap-provisioning.name ];
|
||||||
|
|
||||||
services = {
|
services = {
|
||||||
authelia.instances.tlaternet = {
|
authelia.instances.tlaternet = {
|
||||||
enable = true;
|
enable = true;
|
||||||
|
|
||||||
environmentVariables = {
|
environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
|
||||||
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
|
config.sops.secrets."authelia/lldap-password".path;
|
||||||
config.sops.secrets."authelia/lldap-password".path;
|
|
||||||
AUTHELIA_NOTIFIER_SMTP_SENDER_FILE = config.sops.secrets."authelia/ntfy-topic".path;
|
|
||||||
};
|
|
||||||
|
|
||||||
settings = {
|
settings = {
|
||||||
authentication_backend.ldap = {
|
authentication_backend.ldap =
|
||||||
# TODO(tlater): Enable when authelia has a webhook notifier:
|
let
|
||||||
# https://github.com/authelia/authelia/issues/7695
|
cfglldap = config.services.lldap.settings;
|
||||||
password_reset.disable = true;
|
in
|
||||||
refresh_interval = "1m";
|
{
|
||||||
address = "ldap://${config.services.lldap.settings.ldap_host}:${toString config.services.lldap.settings.ldap_port}";
|
# TODO(tlater): Enable when authelia has a webhook notifier:
|
||||||
implementation = "lldap";
|
# https://github.com/authelia/authelia/issues/7695
|
||||||
base_dn = config.services.lldap.settings.ldap_base_dn;
|
password_reset.disable = true;
|
||||||
user = "cn=authelia,ou=people,${config.services.lldap.settings.ldap_base_dn}";
|
refresh_interval = "1m";
|
||||||
};
|
address = "ldap://${cfglldap.ldap_host}:${toString cfglldap.ldap_port}";
|
||||||
|
implementation = "lldap";
|
||||||
|
base_dn = cfglldap.ldap_base_dn;
|
||||||
|
user = "cn=authelia,ou=people,${cfglldap.ldap_base_dn}";
|
||||||
|
};
|
||||||
|
|
||||||
password_policy.zxcvbn.enabled = true;
|
password_policy.zxcvbn.enabled = true;
|
||||||
|
|
||||||
|
@ -86,38 +89,5 @@
|
||||||
enable = true;
|
enable = true;
|
||||||
user = config.services.authelia.instances.tlaternet.user;
|
user = config.services.authelia.instances.tlaternet.user;
|
||||||
};
|
};
|
||||||
|
|
||||||
lldap = {
|
|
||||||
enable = true;
|
|
||||||
settings = {
|
|
||||||
ldap_base_dn = "dc=tlater,dc=net";
|
|
||||||
database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
|
|
||||||
ldap_host = "127.0.0.1";
|
|
||||||
|
|
||||||
http_host = "127.0.0.1";
|
|
||||||
http_url = "https://lldap.${config.services.nginx.domain}";
|
|
||||||
|
|
||||||
force_ldap_user_pass_reset = "always";
|
|
||||||
|
|
||||||
smtp_options.enable_password_reset = false;
|
|
||||||
|
|
||||||
environment = {
|
|
||||||
LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
|
|
||||||
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
|
|
||||||
LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
nginx.virtualHosts = {
|
|
||||||
"lldap.${config.services.nginx.domain}" = {
|
|
||||||
useACMEHost = "tlater.net";
|
|
||||||
forceSSL = true;
|
|
||||||
enableHSTS = true;
|
|
||||||
|
|
||||||
locations."/".proxyPass =
|
|
||||||
"http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
};
|
};
|
||||||
}
|
}
|
6
configuration/services/auth/default.nix
Normal file
6
configuration/services/auth/default.nix
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
{
|
||||||
|
imports = [
|
||||||
|
./authelia.nix
|
||||||
|
./lldap.nix
|
||||||
|
];
|
||||||
|
}
|
44
configuration/services/auth/lldap-provisioning.nu
Normal file
44
configuration/services/auth/lldap-provisioning.nu
Normal file
|
@ -0,0 +1,44 @@
|
||||||
|
#!/usr/bin/env nushell
|
||||||
|
|
||||||
|
let groups = [{
|
||||||
|
|
||||||
|
}]
|
||||||
|
|
||||||
|
let users = [
|
||||||
|
|
||||||
|
]
|
||||||
|
|
||||||
|
let settings = open $env.LLDAP_CONFIG
|
||||||
|
let url = (
|
||||||
|
'http://' |
|
||||||
|
$in + ($settings | get http_host | default '127.0.0.1') |
|
||||||
|
$in + ':' |
|
||||||
|
$in + ($settings | get http_port | default '17170' | into string))
|
||||||
|
let user = $settings | get ldap_user_dn | default admin
|
||||||
|
let pass = open $env.LLDAP_LDAP_USER_PASS_FILE
|
||||||
|
|
||||||
|
let token = { username: $user, password: $pass } | to json | http post $'($url)/auth/simple/login' | get token
|
||||||
|
|
||||||
|
def query [operation: string, query: string, variables: list<string>] {
|
||||||
|
let body = {
|
||||||
|
query: $query,
|
||||||
|
operationName: $operation,
|
||||||
|
variables: $variables
|
||||||
|
}
|
||||||
|
|
||||||
|
let res = $body | to json | http post --headers [Authorization $'Bearer ($token)'] $'($url)/api/graphql'
|
||||||
|
|
||||||
|
if ("errors" in $res) {
|
||||||
|
let msg = "GraphQL query to LLDAP failed:\n" + ($res.errors | each {|e| $'- ($e)' | str join (char newline)})
|
||||||
|
|
||||||
|
error make {
|
||||||
|
msg: $msg,
|
||||||
|
label: {
|
||||||
|
text: "Query defined here",
|
||||||
|
span: (metadata $query).span
|
||||||
|
}
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
$res.data
|
||||||
|
}
|
||||||
|
}
|
64
configuration/services/auth/lldap.nix
Normal file
64
configuration/services/auth/lldap.nix
Normal file
|
@ -0,0 +1,64 @@
|
||||||
|
{
|
||||||
|
lib,
|
||||||
|
pkgs,
|
||||||
|
config,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
{
|
||||||
|
services = {
|
||||||
|
lldap = {
|
||||||
|
enable = true;
|
||||||
|
settings = {
|
||||||
|
ldap_base_dn = "dc=tlater,dc=net";
|
||||||
|
database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql";
|
||||||
|
ldap_host = "127.0.0.1";
|
||||||
|
|
||||||
|
http_host = "127.0.0.1";
|
||||||
|
http_url = "https://lldap.${config.services.nginx.domain}";
|
||||||
|
|
||||||
|
force_ldap_user_pass_reset = "always";
|
||||||
|
|
||||||
|
smtp_options.enable_password_reset = false;
|
||||||
|
|
||||||
|
environment = {
|
||||||
|
LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path;
|
||||||
|
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
|
||||||
|
LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
nginx.virtualHosts = {
|
||||||
|
"lldap.${config.services.nginx.domain}" = {
|
||||||
|
useACMEHost = "tlater.net";
|
||||||
|
forceSSL = true;
|
||||||
|
enableHSTS = true;
|
||||||
|
|
||||||
|
locations."/".proxyPass =
|
||||||
|
"http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
systemd.services.lldap.after = [ config.systemd.services.postgresql.name ];
|
||||||
|
|
||||||
|
systemd.services.lldap-provisioning = {
|
||||||
|
requisite = [ config.systemd.services.lldap.name ];
|
||||||
|
wantedBy = [ config.systemd.services.lldap.name ];
|
||||||
|
after = [ config.systemd.services.lldap.name ];
|
||||||
|
|
||||||
|
path = [
|
||||||
|
pkgs.nushell
|
||||||
|
pkgs.lldap-cli
|
||||||
|
];
|
||||||
|
|
||||||
|
script = "exec nu ${./lldap-provisioning.nu}";
|
||||||
|
|
||||||
|
environment = {
|
||||||
|
LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path;
|
||||||
|
# LLDAP_CONFIG = ((pkgs.formats.toml { }).generate config.services.lldap.settings).outPath;
|
||||||
|
};
|
||||||
|
|
||||||
|
serviceConfig.Type = "oneshot";
|
||||||
|
};
|
||||||
|
}
|
|
@ -2,6 +2,7 @@ authelia:
|
||||||
storage-encryption-key: ENC[AES256_GCM,data:iMV4DGwvOOq+DZao+Jrc3i15HOPFXHv3m6dzrAb7n8zV8bdLz5c4MCpq61hQy/UfoXsRYJUxwCcj3B70JQn2Ngq6P9ik9U1ZfYrwUWIENSd/iG8CBfdasKqxEijS2F23Lj1rbB4ppTWD9lWqRoKOEaXDL9Rqn02tiLbR3OewOpwiwbzv0PkVlC6yUV+yS3Jx,iv:1V2cwoV4kG3i9e9dv7PWPCNoFPIgYiZ2m3A8Agf3Jpc=,tag:AiFLpQ7nqwx9xZ71sbCn2g==,type:str]
|
storage-encryption-key: ENC[AES256_GCM,data:iMV4DGwvOOq+DZao+Jrc3i15HOPFXHv3m6dzrAb7n8zV8bdLz5c4MCpq61hQy/UfoXsRYJUxwCcj3B70JQn2Ngq6P9ik9U1ZfYrwUWIENSd/iG8CBfdasKqxEijS2F23Lj1rbB4ppTWD9lWqRoKOEaXDL9Rqn02tiLbR3OewOpwiwbzv0PkVlC6yUV+yS3Jx,iv:1V2cwoV4kG3i9e9dv7PWPCNoFPIgYiZ2m3A8Agf3Jpc=,tag:AiFLpQ7nqwx9xZ71sbCn2g==,type:str]
|
||||||
jwt-secret: ENC[AES256_GCM,data:QA64lfervZk=,iv:MtyCZrbGzX+oKTBPW9R+n/r8TaFkK0xSwjn/qUT6ntQ=,tag:z/XnDGiLDkJ0xPVveeR2cA==,type:str]
|
jwt-secret: ENC[AES256_GCM,data:QA64lfervZk=,iv:MtyCZrbGzX+oKTBPW9R+n/r8TaFkK0xSwjn/qUT6ntQ=,tag:z/XnDGiLDkJ0xPVveeR2cA==,type:str]
|
||||||
session-secret: ENC[AES256_GCM,data:lYk4FOO4sQM=,iv:z05n1zPt1ONNqN6sgITUTu+GSe6xev4cYm8c4xzp/Mg=,tag:TRQAbxjvaoo/tnLxO43KKg==,type:str]
|
session-secret: ENC[AES256_GCM,data:lYk4FOO4sQM=,iv:z05n1zPt1ONNqN6sgITUTu+GSe6xev4cYm8c4xzp/Mg=,tag:TRQAbxjvaoo/tnLxO43KKg==,type:str]
|
||||||
|
lldap-password: ENC[AES256_GCM,data:cafjSRCUXAg=,iv:vZM/6efEhWjjTKNnDuS+Kj2i/eOkn20vT2JmtcHGcSU=,tag:P1GscnNwMoWCMMDbMVMPqA==,type:str]
|
||||||
porkbun:
|
porkbun:
|
||||||
api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str]
|
api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str]
|
||||||
secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str]
|
secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str]
|
||||||
|
@ -39,8 +40,8 @@ turn:
|
||||||
#ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment]
|
#ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment]
|
||||||
ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str]
|
ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
lastmodified: "2025-05-25T18:42:33Z"
|
lastmodified: "2025-05-26T19:48:08Z"
|
||||||
mac: ENC[AES256_GCM,data:psytbF+v/+B+lYWXmXqVlF3FZRwQISiuvcCqM6A4n87JcLIMP1YrRkyhmrxA3AAb829KUEXLc8fe58cRyO7f4VKYKR00hnI3ttrM3MuptfTD/7LmrIqsOSvqigoPoGG7AG+0UrFxYfB/0lFs3QEQQAWOdr4++DkmJEFJvk39bZ0=,iv:uE4cFjDsXJUkiyZSqyeAxrnD/NYBvo2vB1E6ea47fXk=,tag:XgazpbcPHlLhG1ZTWuprxA==,type:str]
|
mac: ENC[AES256_GCM,data:dIuIJlkz6yUKt1MrOgwQTYm8DzwldN4o2E0B89p8c0WeCxgHwWVMtIHt8QsrIet9X7aHDx97/S67XzYEGSXI/9Btc+GCEFNcoVsgZzXy+d7r3io2gQxNrQ6yJwJvStW+ZeWPujg5nJ6NNfhcweLFdquwNwNJ4DC1sGvCl5/m/QY=,iv:n5f8urvZVLfIp46nysSJh3ngx+H8qxLuycmDZVYDOCk=,tag:5ccJtPdIRZmFXDVO1V6y3w==,type:str]
|
||||||
pgp:
|
pgp:
|
||||||
- created_at: "2025-01-21T17:55:30Z"
|
- created_at: "2025-01-21T17:55:30Z"
|
||||||
enc: |-
|
enc: |-
|
||||||
|
|
Loading…
Add table
Add a link
Reference in a new issue