initial authelia config

2023-08-17 01:04:21 +02:00
parent 819c34ee7d
commit 7f05bc88e7
4 changed files with 164 additions and 0 deletions


@@ -78,3 +78,8 @@ creation_rules:
- age:
- *dominik
- *home-assistant-server
- path_regex: utils/modules/authelia/[^/]+\.yaml$
key_groups:
- age:
- *dominik
- *web-01-server


@@ -8,6 +8,7 @@
./utils/modules/nginx.nix
./utils/modules/bitwarden/default.nix
./utils/modules/zammad/default.nix
./utils/modules/authelia/default.nix
# ./utils/modules/autoupgrade.nix
./utils/modules/borgbackup.nix


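--- /dev/null
+++ b/utils/modules/authelia/default.nix
@@ -0,0 +1,125 @@
+{ config, ... }:
+{
+sops.secrets.authelia-jwt-secret = {
+sopsFile = ./secrets.yaml;
+};
+sops.secrets.authelia-backend-ldap-password = {
+sopsFile = ./secrets.yaml;
+};
+sops.secrets.authelia-storage-encryption-key = {
+sopsFile = ./secrets.yaml;
+};
+sops.secrets.authelia-session-secret = {
+sopsFile = ./secrets.yaml;
+};
+services.authelia.instances.main = {
+enable = true;
+secrets = {
+jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;
+storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
+sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
+authenticationBackendLDAPPasswordFile = config.sops.secrets.authelia-backend-ldap-password.path;
+};
+settings = {
+theme = "dark";
+default_redirection_url = "https://cloud.cloonar.com";
+server = {
+host = "127.0.0.1";
+port = 9091;
+};
+# log = {
+# level = "debug";
+# format = "text";
+# };
+authentication_backend = {
+ldap = {
+url = "ldaps://ldap.cloonar.com";
+timout = "5s";
+base_dn = "DC=cloonar,DC=com";
+additional_users_dn = "OU=users";
+users_filter = "(&({username_attribute}={input})(objectClass=person))";
+username_attribute = "uid";
+mail_attribute = "mail";
+display_name_attribute = "displayName";
+additional_groups_dn = "OU=groups";
+groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
+group_name_attribute = "cn";
+permit_referrals = false;
+permit_unauthenticated_bind = false;
+user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com";
+}
+};
+# access_control = {
+# default_policy = "deny";
+# rules = [
+# {
+# domain = ["auth.example.com"];
+# policy = "bypass";
+# }
+# {
+# domain = ["*.example.com"];
+# policy = "one_factor";
+# }
+# ];
+# };
+session = {
+name = "authelia_session";
+expiration = "12h";
+inactivity = "45m";
+remember_me_duration = "1M";
+domain = "auth.cloonar.com";
+};
+regulation = {
+max_retries = 3;
+find_time = "5m";
+ban_time = "15m";
+};
+storage = {
+mysql = {
+host = "/run/mysqld/mysqld.sock'";
+database = "authelia";
+username = "authelia";
+timeout = "5s";
+};
+};
+notifier = {
+disable_startup_check = false;
+filesystem = {
+filename = "/var/lib/authelia-main/notification.txt";
+};
+};
+};
+};
+services.nginx.virtualHosts."auth.cloonar.com" = {
+enableACME = true;
+forceSSL = true;
+acmeRoot = null;
+locations."/" = {
+proxyPass = "http://127.0.0.1:9091";
+proxyWebsockets = true;
+};
+};
+config.services.mysql.ensureUsers = [
+{
+name = "authelia";
+ensurePermissions = {
+"authelia.*" = "ALL PRIVILEGES";
+};
+}
+];
+config.services.mysql.ensureDatabases = [ "authelia" ];
+config.services.mysqlBackup.databases = [ "authelia" ];
+}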
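Review bot: The module mixes the structured and shorthand forms: once the returned attrset has a `config` key (the three `config.services.mysql…` definitions near the end) the module system treats the whole set as structured and rejects the sibling `sops`/`services` attributes as unsupported, so this file should fail to evaluate as written; the fix is to drop the `config.` prefix on those definitions so they sit beside `services.authelia` and `services.nginx`. Two string typos would bite after that: `timout = "5s";` in the LDAP block should be `timeout` (Authelia does not know `timout`, so it is at best ignored and at worst rejected at startup), and the storage host `"/run/mysqld/mysqld.sock'"` carries a stray trailing `'`, which makes the socket path wrong. Separately, `domain = "auth.cloonar.com";` in `session` scopes the session cookie to the portal host only; if this instance is meant to protect `cloud.cloonar.com` (the `default_redirection_url`), the cookie domain normally has to be the parent `cloonar.com`, otherwise the session is never presented on the protected host — worth confirming against the intended use.
```nix
# … unchanged: sops.secrets.*, services.authelia.instances.main up to the LDAP block …
          timeout = "5s";
# … unchanged: remaining authentication_backend.ldap, session, regulation …
          host = "/run/mysqld/mysqld.sock";
# … unchanged: notifier, services.nginx.virtualHosts …
  services.mysql.ensureUsers = [
    # … unchanged: the "authelia" user entry with ensurePermissions …
  ];
  services.mysql.ensureDatabases = [ "authelia" ];
  services.mysqlBackup.databases = [ "authelia" ];
```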


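--- /dev/null
+++ b/utils/modules/authelia/secrets.yaml
@@ -0,0 +1,33 @@
+authelia-jwt-secret: ENC[AES256_GCM,data:+4mCRAbPYeuxZwPxIWdzym9M0soVRJGZOHpBLFp1dsienOes6PcF6DhkzLwx1g/2KYQBrWq5QtNyysLkl32mNg==,iv:3354Ww7D1fQAVZh8xlJo3W9VaLTC6sUxXpNzwFYGZPg=,tag:NjPuHi4R+I3CJ09ZbV1Cbw==,type:str]
+authelia-backend-ldap-password: ENC[AES256_GCM,data:AJ5/lQxxQ0PjPpja4Lm7Qbn4rrZ/fapFeTO9nXsXpYC7cSgPDmGL4LG6QTFrgHpJU4FGEyFhWUYf/BZvHFLA2A==,iv:/w3SlYC74vSV/hkOdp2wb50beSTaokQC9C1ogs82nxo=,tag:b5M78WOUgHcydoJTKiAAOQ==,type:str]
+authelia-storage-encryption-key: ENC[AES256_GCM,data:I3ek+p0faJUUjS3ULeeLzsrsl03MKlHwrC+R3IqrJ2P9AbJmMBvvXnqLx2H2THkjGiqN3kLgrhnmInn+BnCgYg==,iv:EiZpXbkyC3tbdzcp20hV6ctAJdB9tlgxT3gI7wiqSZc=,tag:qqG02RJAizr2jlGV0JnStA==,type:str]
+authelia-session-secret: ENC[AES256_GCM,data:+hljRSv4nABWg+vEOhYM27h9Gu1FCqcWWa51VqlN1r8AE79S78Uq2txWL7bZKql/fxmaguTLwk18xkHIAvIEsA==,iv:RoytV5jWIUDq6olp8rWAc0NRC4f1FLL43EpTzcXZ3eg=,tag:vIvDVRSqlVt/W/52vuDDZA==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age16veg3fmvpfm7a89a9fc8dvvsxmsthlm70nfxqspr6t8vnf9wkcwsvdq38d
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBU1E5VzRjNjZFS0V1eWNr
+ZnFENWJUVXRRVmxoV0pqcWlXdlB6U1Q2a2hFCm1Ea0kvZ2pUdWhVdkgyVUt3dFRS
+VEQ3UVhCMjdqLytOck9TU283Wjc5YzgKLS0tIGlobjd6UEczTnQ0N3d5M0V1UFBV
+QWp3NWJMcnJxOXBDazFjc25oQlhNWDQKFvBV6QpP4/mlGr4d6NcY7u6FJcaZo/oc
+jEb1ROMdrAfWm7r3BeyEzwAtciZ1HqqcIcM9hyT50KIA/M1nOVU6/Q==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1y6lvl5jkwc47p5ae9yz9j9kuwhy7rtttua5xhygrgmr7ehd49svsszyt42
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlWWpVenhTSGo1UmVrTEg4
+ZVJldXI4QVBNWHRNVmFQMkR0RWhET1IycGxnCjZiNWpiUmhnWmo1UzZaQTliQXdR
+c01XN1dldy9LdEFSVU9WUUxYeTk5dTQKLS0tIHVKYzFqT1hoeGVvYlNDamJvbHhF
+cUtDM09Hc0pYalRka3JlZUZrSzgzbkUKuuJVITtogxhyRMIuYAGlL1u0RMlHGo5K
+Bq5BvTxTwurfhf8Nl+Gy4JP1yZ5nhJDpuisHnNMtd0bQbdtWjf+kSA==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2023-08-16T22:59:09Z"
+mac: ENC[AES256_GCM,data:SIh1QZz0QncmsqRAri+KridIgtg0QWDhLzhzrLvMeUVSzxWYY//MsDY365EEJDEYnAkj5A+MbbCEUZBRzfl4N1nB6bltrlFmFl0p2EEJYLxLh6u4gA4AxvHKX2JSVJ+lbbMponu3fEjAkE91RaeEd+4v36hUWJpKDMyUmF+BKf8=,iv:b+Yi+6lFBH0EG+zM9ZyH0j42/dzuribKre+UuUfrKgI=,tag:9EdwNDlzkVGXmKY0lSuEZQ==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.7.3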