From 9869157c07e44aaf7283d675a6cc81981e75b0d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net> Date: Sat, 24 May 2025 07:26:11 +0800 Subject: [PATCH 1/2] WIP: feat(authelia): Add authentication with authelia --- configuration/default.nix | 1 + configuration/services/authelia.nix | 123 ++++++++++++++++++ .../services/metrics/victoriametrics.nix | 4 + configuration/services/postgres.nix | 12 +- configuration/sops.nix | 22 ++++ keys/staging.yaml | 18 +-- 6 files changed, 171 insertions(+), 9 deletions(-) create mode 100644 configuration/services/authelia.nix diff --git a/configuration/default.nix b/configuration/default.nix index 0377e9c..ffdf379 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -13,6 +13,7 @@ "${modulesPath}/profiles/minimal.nix" (import ../modules) + ./services/authelia.nix ./services/backups.nix ./services/battery-manager.nix ./services/conduit diff --git a/configuration/services/authelia.nix b/configuration/services/authelia.nix new file mode 100644 index 0000000..e47f101 --- /dev/null +++ b/configuration/services/authelia.nix @@ -0,0 +1,123 @@ +{ config, ... }: +{ + services = { + authelia.instances.tlaternet = { + enable = true; + + environmentVariables = { + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = + config.sops.secrets."authelia/lldap-password".path; + AUTHELIA_NOTIFIER_SMTP_SENDER_FILE = config.sops.secrets."authelia/ntfy-topic".path; + }; + + settings = { + authentication_backend.ldap = { + # TODO(tlater): Enable when authelia has a webhook notifier: + # https://github.com/authelia/authelia/issues/7695 + password_reset.disable = true; + refresh_interval = "1m"; + address = "ldap://${config.services.lldap.settings.ldap_host}:${toString config.services.lldap.settings.ldap_port}"; + implementation = "lldap"; + base_dn = config.services.lldap.settings.ldap_base_dn; + user = "cn=authelia,ou=people,${config.services.lldap.settings.ldap_base_dn}"; + }; + + password_policy.zxcvbn.enabled = true; + + telemetry.metrics.enabled = true; + + access_control = { + default_policy = "deny"; + rules = [ + { + domain = "*.${config.services.nginx.domain}"; + policy = "one_factor"; + } + ]; + }; + notifier.filesystem.filename = "/var/lib/authelia-tlaternet/notification.txt"; + + session = { + cookies = [ + { + domain = "${config.services.nginx.domain}"; + authelia_url = "https://auth.${config.services.nginx.domain}"; + } + ]; + redis.host = config.services.redis.servers.authelia.unixSocket; + }; + + storage = { + postgres = { + address = "/var/run/postgresql"; + username = config.services.authelia.instances.tlaternet.user; + database = config.services.authelia.instances.tlaternet.user; + }; + }; + + # Auth options + default_2fa_method = "totp"; + totp.issuer = "tlater.net"; + webauthn = { + display_name = "tlater.net"; + enable_passkey_login = true; + + attestation_conveyance_preference = "direct"; + filtering.prohibit_backup_eligibility = true; + metadata = { + enabled = true; + validate_trust_anchor = true; + validate_entry = true; + validate_status = true; + validate_entry_permit_zero_aaguid = false; + }; + }; + duo_api.disable = true; + }; + + secrets = { + storageEncryptionKeyFile = config.sops.secrets."authelia/storage-encryption-key".path; + jwtSecretFile = config.sops.secrets."authelia/jwt-secret".path; + sessionSecretFile = config.sops.secrets."authelia/session-secret".path; + }; + }; + + redis.servers.authelia = { + enable = true; + user = config.services.authelia.instances.tlaternet.user; + }; + + lldap = { + enable = true; + settings = { + ldap_base_dn = "dc=tlater,dc=net"; + database_url = "postgres://lldap:@localhost/lldap?host=/var/run/postgresql"; + ldap_host = "127.0.0.1"; + + http_host = "127.0.0.1"; + http_url = "https://lldap.${config.services.nginx.domain}"; + + force_ldap_user_pass_reset = "always"; + + smtp_options.enable_password_reset = false; + + environment = { + LLDAP_JWT_SECRET_FILE = config.sops.secrets."authelia/jwt-secret".path; + LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin-password".path; + LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/key".path; + }; + }; + }; + + nginx.virtualHosts = { + "lldap.${config.services.nginx.domain}" = { + useACMEHost = "tlater.net"; + forceSSL = true; + enableHSTS = true; + + locations."/".proxyPass = + "http://${config.services.lldap.settings.http_host}:${toString config.services.lldap.settings.http_port}"; + }; + }; + }; +} diff --git a/configuration/services/metrics/victoriametrics.nix b/configuration/services/metrics/victoriametrics.nix index f37b8b0..e362c49 100644 --- a/configuration/services/metrics/victoriametrics.nix +++ b/configuration/services/metrics/victoriametrics.nix @@ -9,6 +9,10 @@ in extraOptions = [ "-storage.minFreeDiskSpaceBytes=5GB" ]; scrapeConfigs = { + authelia = { + targets = [ "127.0.0.1:9959" ]; + }; + forgejo = { targets = [ "127.0.0.1:${toString config.services.forgejo.settings.server.HTTP_PORT}" ]; extraSettings.authorization.credentials_file = config.sops.secrets."forgejo/metrics-token".path; diff --git a/configuration/services/postgres.nix b/configuration/services/postgres.nix index 85a6843..9ac9ff3 100644 --- a/configuration/services/postgres.nix +++ b/configuration/services/postgres.nix @@ -1,4 +1,4 @@ -{ pkgs, ... }: +{ config, pkgs, ... }: { services.postgresql = { package = pkgs.postgresql_14; @@ -17,10 +17,18 @@ # that operation needs to be performed manually on the system as # well. ensureUsers = [ + { + name = config.services.authelia.instances.tlaternet.user; + ensureDBOwnership = true; + } { name = "grafana"; ensureDBOwnership = true; } + { + name = "lldap"; + ensureDBOwnership = true; + } { name = "nextcloud"; ensureDBOwnership = true; @@ -28,7 +36,9 @@ ]; ensureDatabases = [ + config.services.authelia.instances.tlaternet.user "grafana" + "lldap" "nextcloud" ]; }; diff --git a/configuration/sops.nix b/configuration/sops.nix index 0337438..cb16026 100644 --- a/configuration/sops.nix +++ b/configuration/sops.nix @@ -3,6 +3,24 @@ defaultSopsFile = ../keys/production.yaml; secrets = { + "authelia/storage-encryption-key" = { + owner = "authelia-tlaternet"; + group = "authelia-tlaternet"; + }; + "authelia/jwt-secret" = { + owner = "authelia-tlaternet"; + group = "authelia-tlaternet"; + }; + "authelia/session-secret" = { + owner = "authelia-tlaternet"; + group = "authelia-tlaternet"; + }; + "authelia/lldap-password" = { + owner = "authelia-tlaternet"; + group = "lldap"; + mode = "0440"; + }; + "battery-manager/email" = { }; "battery-manager/password" = { }; @@ -28,6 +46,10 @@ "heisenbridge/as-token" = { }; "heisenbridge/hs-token" = { }; + # lldap + "lldap/admin-password" = { }; + "lldap/key" = { }; + # Matrix-hookshot "matrix-hookshot/as-token" = { }; "matrix-hookshot/hs-token" = { }; diff --git a/keys/staging.yaml b/keys/staging.yaml index 876d60e..94692c6 100644 --- a/keys/staging.yaml +++ b/keys/staging.yaml @@ -1,3 +1,7 @@ +authelia: + storage-encryption-key: ENC[AES256_GCM,data:iMV4DGwvOOq+DZao+Jrc3i15HOPFXHv3m6dzrAb7n8zV8bdLz5c4MCpq61hQy/UfoXsRYJUxwCcj3B70JQn2Ngq6P9ik9U1ZfYrwUWIENSd/iG8CBfdasKqxEijS2F23Lj1rbB4ppTWD9lWqRoKOEaXDL9Rqn02tiLbR3OewOpwiwbzv0PkVlC6yUV+yS3Jx,iv:1V2cwoV4kG3i9e9dv7PWPCNoFPIgYiZ2m3A8Agf3Jpc=,tag:AiFLpQ7nqwx9xZ71sbCn2g==,type:str] + jwt-secret: ENC[AES256_GCM,data:QA64lfervZk=,iv:MtyCZrbGzX+oKTBPW9R+n/r8TaFkK0xSwjn/qUT6ntQ=,tag:z/XnDGiLDkJ0xPVveeR2cA==,type:str] + session-secret: ENC[AES256_GCM,data:lYk4FOO4sQM=,iv:z05n1zPt1ONNqN6sgITUTu+GSe6xev4cYm8c4xzp/Mg=,tag:TRQAbxjvaoo/tnLxO43KKg==,type:str] porkbun: api-key: ENC[AES256_GCM,data:A5J1sqwq6hs=,iv:77Mar3IX7mq7z7x6s9sSeGNVYc1Wv78HptJElEC7z3Q=,tag:eM/EF9TxKu+zcbJ1SYXiuA==,type:str] secret-api-key: ENC[AES256_GCM,data:8Xv+jWYaWMI=,iv:li4tdY0pch5lksftMmfMVS729caAwfaacoztaQ49az0=,tag:KhfElBGzVH4ByFPfuQsdhw==,type:str] @@ -9,6 +13,9 @@ forgejo: grafana: adminPassword: ENC[AES256_GCM,data:dYfaxUpQpzA=,iv:j5wSem8C5+V4c5qRzXQJhsU7/FOtpvrnaEyFBmW6zJ4=,tag:oc8n3TkEbjF2gjuOobZuLA==,type:str] secretKey: ENC[AES256_GCM,data:Atruvh2MsNY=,iv:y2MaCUCEzGIydHp6G0DJHfk289S1is0twKm2oUYwDhM=,tag:nAWeg+YqaYqk6k22oBkAhQ==,type:str] +lldap: + admin-password: ENC[AES256_GCM,data:s18N1fvXtzE=,iv:FGXF5+PwDZrQIJylx+pkjY4SO0mmfiGUPZeFAINmGnY=,tag:rpPSFdWzCHhyp4ITddRekg==,type:str] + key: ENC[AES256_GCM,data:spbrfjm4Ozhu6XAPxN1cuQ==,iv:QEDCGfl75aP0T68nbWmqkPem46FHrs8nj7zVkWYcHt4=,tag:P4p3rC5I2KqPm733wbTp9g==,type:str] nextcloud: tlater: ENC[AES256_GCM,data:91kDcO4hpng=,iv:ayuILRmRru4ZxTCur9H2xHuLjkDzwPdS/4lEog/tesU=,tag:qYhJxnNDcCwUM7xe7Tlcjw==,type:str] steam: @@ -32,13 +39,8 @@ turn: #ENC[AES256_GCM,data:bxhKzU5Tzezl749CDu8e8kxa7ahGuZFaPa9K3kxuD+4sg5Hi3apgDlC0n8oK0DeiK4Ks7+9Cyw==,iv:T/zVJUpNAv1rR0a9+6SDTG08ws2A1hFBs5Ia3TpT0uk=,tag:uGXb1VryM+lIJ8r0I5durA==,type:comment] ssl-cert: ENC[AES256_GCM,data:xHUr14CjKslgbGh/n5jYSOuCw9JRxS6YXE4fxS+aJzFcNeSeGNqoipPeuJupZGBnQP/FCqohiHY=,iv:/OEsVqRshGL9NIvntMC42EPZSNL0u6EfhtUBqgV7qog=,tag:4pxtNjuvy/ibm6nDtKdSkw==,type:str] sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2025-02-07T17:43:24Z" - mac: ENC[AES256_GCM,data:akmD/bfgeTyFzW1quvM16cdj0fC6+CbJ8WyX9173H11yKGxvE1USQYcErpl1SHOx9Jk8LVb7f+MsUm2fjQF1MEq6xaWI74jem12lZ9CGXFaTL7e87JvfbK7pV+aKpxSBBNFyJgbYm30ibdUwxwKmNVfPb1e0HT9qwenvoV7RobM=,iv:mKqOW0ULXL711uczUbRf9NPo6uPTQoS/IbR46S+JID4=,tag:vE6NYzYLbQHDImov1XGTcg==,type:str] + lastmodified: "2025-05-25T18:42:33Z" + mac: ENC[AES256_GCM,data:psytbF+v/+B+lYWXmXqVlF3FZRwQISiuvcCqM6A4n87JcLIMP1YrRkyhmrxA3AAb829KUEXLc8fe58cRyO7f4VKYKR00hnI3ttrM3MuptfTD/7LmrIqsOSvqigoPoGG7AG+0UrFxYfB/0lFs3QEQQAWOdr4++DkmJEFJvk39bZ0=,iv:uE4cFjDsXJUkiyZSqyeAxrnD/NYBvo2vB1E6ea47fXk=,tag:XgazpbcPHlLhG1ZTWuprxA==,type:str] pgp: - created_at: "2025-01-21T17:55:30Z" enc: |- @@ -76,4 +78,4 @@ sops: -----END PGP MESSAGE----- fp: 2f5caa73e7ceea4fcc8d2881fde587e6737d2dbc unencrypted_suffix: _unencrypted - version: 3.9.2 + version: 3.10.2 From 8c89c377ba601f4f4cf46e3b4de687905a603f57 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tristan=20Dani=C3=ABl=20Maat?= <tm@tlater.net> Date: Thu, 7 Nov 2024 20:26:43 +0100 Subject: [PATCH 2/2] WIP: feat: Add minecraft server --- configuration/default.nix | 6 +- configuration/services/minecraft.nix | 83 ++++++++++++++++++++++++++++ 2 files changed, 84 insertions(+), 5 deletions(-) create mode 100644 configuration/services/minecraft.nix diff --git a/configuration/default.nix b/configuration/default.nix index ffdf379..2231af5 100644 --- a/configuration/default.nix +++ b/configuration/default.nix @@ -22,6 +22,7 @@ ./services/gitea.nix ./services/immich.nix ./services/metrics + ./services/minecraft.nix ./services/nextcloud.nix ./services/webserver.nix ./services/wireguard.nix @@ -64,8 +65,6 @@ 8448 # starbound 21025 - # Minecraft - 25565 config.services.coturn.listening-port config.services.coturn.tls-listening-port @@ -74,9 +73,6 @@ ]; allowedUDPPorts = [ - # More minecraft - 25565 - config.services.coturn.listening-port config.services.coturn.tls-listening-port config.services.coturn.alt-listening-port diff --git a/configuration/services/minecraft.nix b/configuration/services/minecraft.nix new file mode 100644 index 0000000..0477f44 --- /dev/null +++ b/configuration/services/minecraft.nix @@ -0,0 +1,83 @@ +{ + pkgs, + lib, + config, + ... +}: +{ + services.minecraft-server = { + enable = true; + eula = true; + # jvmOpts are set using a file for forge + # jvmOpts = "-Xmx8G -Xms8G"; + openFirewall = true; + + declarative = true; + + whitelist = { + tlater = "140d177a-966f-41b8-a4c0-e305babd291b"; + romino25 = "59cd1648-14a4-4bcf-8f5a-2e1bde678f2c"; + lasi25 = "0ab6e3d1-544a-47e7-8538-2e6c248e49a4"; + }; + + serverProperties = { + allow-flight = true; + difficulty = "hard"; + motd = "tlater.net"; + spawn-protection = 1; + white-list = true; + enable-query = true; + enable-status = true; + + # Allows the server to write chunks without hogging the main + # thread... + sync-chunk-writes = false; + # Disables chat reporting, because we don't need any of that + # drama on a lil' friends-only server. + enforce-secure-profile = false; + }; + + package = pkgs.writeShellApplication { + name = "minecraft-server"; + runtimeInputs = with pkgs; [ jdk17_headless ]; + + text = '' + exec /var/lib/minecraft/run.sh $@ + ''; + }; + }; + + systemd.services.minecraft-server = { + path = with pkgs; [ jdk17_headless ]; + + # Since we read from our own HTTP server, we need to wait for it + # to be up + after = [ "nginx.service" ]; + + serviceConfig = { + # Use packwiz to install mods + ExecStartPre = [ + "${pkgs.jdk17_headless}/bin/java -jar ${config.services.minecraft-server.dataDir}/packwiz-installer-bootstrap.jar -g -s server 'https://minecraft.${config.services.nginx.domain}/cobblemon-pack/pack.toml'" + ]; + # Forge requires some bonus JVM options, which they include in a + # little `run.sh` script + ExecStart = lib.mkForce "${config.services.minecraft-server.dataDir}/run.sh --nogui"; + }; + }; + + systemd.tmpfiles.settings."10-minecraft" = { + "/srv/minecraft".d = { + user = "nginx"; + group = "minecraft"; + mode = "0775"; + }; + }; + + services.nginx.virtualHosts."minecraft.${config.services.nginx.domain}" = { + forceSSL = true; + useACMEHost = "tlater.net"; + enableHSTS = true; + + root = "/srv/minecraft"; + }; +}