diff --git a/.sops.yaml b/.sops.yaml
index 04c9755..27e265d 100644
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -78,3 +78,8 @@ creation_rules:
 - age:
 - *dominik
 - *home-assistant-server
+ - path_regex: utils/modules/authelia/[^/]+\.yaml$
+ key_groups:
+ - age:
+ - *dominik
+ - *web-01-server
diff --git a/hosts/web-01.cloonar.com/configuration.nix b/hosts/web-01.cloonar.com/configuration.nix
index 735b981..257e49e 100644
--- a/hosts/web-01.cloonar.com/configuration.nix
+++ b/hosts/web-01.cloonar.com/configuration.nix
@@ -8,6 +8,7 @@
 ./utils/modules/nginx.nix
 ./utils/modules/bitwarden/default.nix
 ./utils/modules/zammad/default.nix
+ ./utils/modules/authelia/default.nix
 # ./utils/modules/autoupgrade.nix
 ./utils/modules/borgbackup.nix
diff --git a/utils/modules/authelia/default.nix b/utils/modules/authelia/default.nix
new file mode 100644
index 0000000..23abfb9
--- /dev/null
+++ b/utils/modules/authelia/default.nix
@@ -0,0 +1,125 @@
+{ config, ... }:
+
+{
+ sops.secrets.authelia-jwt-secret = {
+ sopsFile = ./secrets.yaml;
+ };
+ sops.secrets.authelia-backend-ldap-password = {
+ sopsFile = ./secrets.yaml;
+ };
+ sops.secrets.authelia-storage-encryption-key = {
+ sopsFile = ./secrets.yaml;
+ };
+ sops.secrets.authelia-session-secret = {
+ sopsFile = ./secrets.yaml;
+ };
+
+ services.authelia.instances.main = {
+ enable = true;
+ secrets = {
+ jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;
+ storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
+ sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
+ authenticationBackendLDAPPasswordFile = config.sops.secrets.authelia-backend-ldap-password.path;
+ };
+ settings = {
+ theme = "dark";
+ default_redirection_url = "https://cloud.cloonar.com";
+
+ server = {
+ host = "127.0.0.1";
+ port = 9091;
+ };
+
+ # log = {
+ # level = "debug";
+ # format = "text";
+ # };
+
+ authentication_backend = {
+ ldap = {
+ url = "ldaps://ldap.cloonar.com";
+ timout = "5s";
+ base_dn = "DC=cloonar,DC=com";
+ additional_users_dn = "OU=users";
+ users_filter = "(&({username_attribute}={input})(objectClass=person))";
+ username_attribute = "uid";
+ mail_attribute = "mail";
+ display_name_attribute = "displayName";
+ additional_groups_dn = "OU=groups";
+ groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
+ group_name_attribute = "cn";
+ permit_referrals = false;
+ permit_unauthenticated_bind = false;
+ user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com";
+ }
+ };
+
+ # access_control = {
+ # default_policy = "deny";
+ # rules = [
+ # {
+ # domain = ["auth.example.com"];
+ # policy = "bypass";
+ # }
+ # {
+ # domain = ["*.example.com"];
+ # policy = "one_factor";
+ # }
+ # ];
+ # };
+
+ session = {
+ name = "authelia_session";
+ expiration = "12h";
+ inactivity = "45m";
+ remember_me_duration = "1M";
+ domain = "auth.cloonar.com";
+ };
+
+ regulation = {
+ max_retries = 3;
+ find_time = "5m";
+ ban_time = "15m";
+ };
+
+ storage = {
+ mysql = {
+ host = "/run/mysqld/mysqld.sock'";
+ database = "authelia";
+ username = "authelia";
+ timeout = "5s";
+ };
+ };
+
+ notifier = {
+ disable_startup_check = false;
+ filesystem = {
+ filename = "/var/lib/authelia-main/notification.txt";
+ };
+ };
+ };
+ };
+ services.nginx.virtualHosts."auth.cloonar.com" = {
+ enableACME = true;
+ forceSSL = true;
+ acmeRoot = null;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:9091";
+ proxyWebsockets = true;
+ };
+ };
+
+ config.services.mysql.ensureUsers = [
+ {
+ name = "authelia";
+ ensurePermissions = {
+ "authelia.*" = "ALL PRIVILEGES";
+ };
+ }
+ ];
+
+ config.services.mysql.ensureDatabases = [ "authelia" ];
+ config.services.mysqlBackup.databases = [ "authelia" ];
+}
diff --git a/utils/modules/authelia/secrets.yaml b/utils/modules/authelia/secrets.yaml
new file mode 100644
index 0000000..66ce28b
--- /dev/null
+++ b/utils/modules/authelia/secrets.yaml
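Review bot: The three `config.services.mysql.ensureUsers`, `config.services.mysql.ensureDatabases` and `config.services.mysqlBackup.databases` definitions at the end of the hunk will stop this module from evaluating: the returned attribute set already carries bare `sops` and `services` keys, and the module system rejects a module that mixes a top-level `config` attribute with plain configuration attributes, so these should read `services.mysql.ensureUsers = [ … ];`, `services.mysql.ensureDatabases = [ "authelia" ];` and `services.mysqlBackup.databases = [ "authelia" ];`. In `storage.mysql`, `host = "/run/mysqld/mysqld.sock'"` carries a stray trailing `'` that makes the socket path wrong, and `timout = "5s"` in the LDAP backend is misspelled (`timeout`), which Authelia is likely to report as an unexpected configuration key rather than silently fall back to its default. `access_control` is left commented out, so (if I read Authelia's defaults correctly) the instance denies every request until rules are added; a comment such as `# TODO: add access_control rules — without them the default policy denies everything` above it would make that intent explicit. `session.domain = "auth.cloonar.com"` also looks like it should be the protected parent domain rather than the portal's own hostname, given that `default_redirection_url` points at `cloud.cloonar.com` — please confirm against the Authelia session documentation.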
@@ -0,0 +1,33 @@
+authelia-jwt-secret: ENC[AES256_GCM,data:+4mCRAbPYeuxZwPxIWdzym9M0soVRJGZOHpBLFp1dsienOes6PcF6DhkzLwx1g/2KYQBrWq5QtNyysLkl32mNg==,iv:3354Ww7D1fQAVZh8xlJo3W9VaLTC6sUxXpNzwFYGZPg=,tag:NjPuHi4R+I3CJ09ZbV1Cbw==,type:str]
+authelia-backend-ldap-password: ENC[AES256_GCM,data:AJ5/lQxxQ0PjPpja4Lm7Qbn4rrZ/fapFeTO9nXsXpYC7cSgPDmGL4LG6QTFrgHpJU4FGEyFhWUYf/BZvHFLA2A==,iv:/w3SlYC74vSV/hkOdp2wb50beSTaokQC9C1ogs82nxo=,tag:b5M78WOUgHcydoJTKiAAOQ==,type:str]
+authelia-storage-encryption-key: ENC[AES256_GCM,data:I3ek+p0faJUUjS3ULeeLzsrsl03MKlHwrC+R3IqrJ2P9AbJmMBvvXnqLx2H2THkjGiqN3kLgrhnmInn+BnCgYg==,iv:EiZpXbkyC3tbdzcp20hV6ctAJdB9tlgxT3gI7wiqSZc=,tag:qqG02RJAizr2jlGV0JnStA==,type:str]
+authelia-session-secret: ENC[AES256_GCM,data:+hljRSv4nABWg+vEOhYM27h9Gu1FCqcWWa51VqlN1r8AE79S78Uq2txWL7bZKql/fxmaguTLwk18xkHIAvIEsA==,iv:RoytV5jWIUDq6olp8rWAc0NRC4f1FLL43EpTzcXZ3eg=,tag:vIvDVRSqlVt/W/52vuDDZA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBU1E5VzRjNjZFS0V1eWNr
+ ZnFENWJUVXRRVmxoV0pqcWlXdlB6U1Q2a2hFCm1Ea0kvZ2pUdWhVdkgyVUt3dFRS
+ VEQ3UVhCMjdqLytOck9TU283Wjc5YzgKLS0tIGlobjd6UEczTnQ0N3d5M0V1UFBV
+ QWp3NWJMcnJxOXBDazFjc25oQlhNWDQKFvBV6QpP4/mlGr4d6NcY7u6FJcaZo/oc
+ jEb1ROMdrAfWm7r3BeyEzwAtciZ1HqqcIcM9hyT50KIA/M1nOVU6/Q==
+ -----END AGE ENCRYPTED FILE-----
+ - recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWWpVenhTSGo1UmVrTEg4
+ ZVJldXI4QVBNWHRNVmFQMkR0RWhET1IycGxnCjZiNWpiUmhnWmo1UzZaQTliQXdR
+ c01XN1dldy9LdEFSVU9WUUxYeTk5dTQKLS0tIHVKYzFqT1hoeGVvYlNDamJvbHhF
+ cUtDM09Hc0pYalRka3JlZUZrSzgzbkUKuuJVITtogxhyRMIuYAGlL1u0RMlHGo5K
+ Bq5BvTxTwurfhf8Nl+Gy4JP1yZ5nhJDpuisHnNMtd0bQbdtWjf+kSA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-08-16T22:59:09Z"
+ mac: ENC[AES256_GCM,data:SIh1QZz0QncmsqRAri+KridIgtg0QWDhLzhzrLvMeUVSzxWYY//MsDY365EEJDEYnAkj5A+MbbCEUZBRzfl4N1nB6bltrlFmFl0p2EEJYLxLh6u4gA4AxvHKX2JSVJ+lbbMponu3fEjAkE91RaeEd+4v36hUWJpKDMyUmF+BKf8=,iv:b+Yi+6lFBH0EG+zM9ZyH0j42/dzuribKre+UuUfrKgI=,tag:9EdwNDlzkVGXmKY0lSuEZQ==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.7.3