From 6ed4c4917a308e78f3694035560fb02b5ba7ed65 Mon Sep 17 00:00:00 2001
From: Nikolaos Karaolidis
Date: Wed, 12 Mar 2025 17:49:04 +0000
Subject: [PATCH] Add authelia sso

Signed-off-by: Nikolaos Karaolidis
---
 .../console/podman/authelia/default.nix | 167 ++++++++++--------
 .../console/podman/traefik/default.nix | 141 ++++++++-------
 2 files changed, 170 insertions(+), 138 deletions(-)

diff --git a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
index 539c310..7f65d41 100644
--- a/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
+++ b/hosts/jupiter/users/storm/configs/console/podman/authelia/default.nix
@@ -21,8 +21,10 @@ in
 home-manager.users.${user} = {
 sops = {
 secrets = {
- "authelia/jwt".sopsFile = ../../../../../../secrets/secrets.yaml;
 "authelia/session".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "authelia/resetPasswordJwt".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "authelia/oidcHmac".sopsFile = ../../../../../../secrets/secrets.yaml;
+ "authelia/oidcKey".sopsFile = ../../../../../../secrets/secrets.yaml;
 "authelia/storage".sopsFile = ../../../../../../secrets/secrets.yaml;
 "authelia/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
 "authelia/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
@@ -34,6 +36,71 @@ in
 POSTGRES_PASSWORD=${hmConfig.sops.placeholder."authelia/postgresql"}
 '';
 
+ "authelia-configuration.yaml".content = builtins.readFile (
+ (pkgs.formats.yaml { }).generate "configuration.yaml" {
+ theme = "auto";
+ telemetry.metrics.enabled = true;
+
+ authentication_backend = {
+ refresh_interval = "always";
+ file = {
+ path = "/etc/authelia/users.yaml";
+ watch = true;
+ };
+ };
+
+ password_policy.zxcvbn.enabled = true;
+ access_control.default_policy = "deny";
+
+ session = {
+ secret = hmConfig.sops.placeholder."authelia/session";
+
+ cookies = [
+ {
+ domain = "karaolidis.com";
+ authelia_url = "https://id.karaolidis.com";
+ }
+ ];
+
+ redis = {
+ host = "authelia-redis";
+ port = 6379;
+ };
+ };
+
+ identity_validation.reset_password.jwt_secret =
+ hmConfig.sops.placeholder."authelia/resetPasswordJwt";
+
+ identity_providers.oidc = {
+ hmac_secret = hmConfig.sops.placeholder."authelia/oidcHmac";
+
+ jwks = [
+ {
+ key = hmConfig.sops.placeholder."authelia/oidcKey";
+ }
+ ];
+ };
+
+ storage = {
+ encryption_key = hmConfig.sops.placeholder."authelia/storage";
+
+ postgres = {
+ address = "tcp://authelia-postgresql:5432";
+ database = "authelia";
+ username = "authelia";
+ password = hmConfig.sops.placeholder."authelia/postgresql";
+ };
+ };
+
+ notifier.smtp = {
+ address = "smtp://smtp.protonmail.ch:587";
+ username = "jupiter@karaolidis.com";
+ password = hmConfig.sops.placeholder."authelia/smtp";
+ sender = "jupiter@karaolidis.com";
+ };
+ }
+ );
+
 "authelia-users.yaml".content = builtins.readFile (
 (pkgs.formats.yaml { }).generate "users.yaml" {
 users.karaolidis = {
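Review bot: Every Authelia secret (session secret, reset-password JWT secret, OIDC HMAC, OIDC signing key, storage encryption key, database and SMTP passwords) is now interpolated into the single rendered file `"authelia-configuration.yaml"`, where before each was a separately mounted file, so that one rendered template is now the high-value artifact and deserves an explicit permission rather than the module default; if the home-manager sops-nix module exposes the same `mode` option as the NixOS one, `"authelia-configuration.yaml".mode = "0400";` next to `.content` pins that intent. `access_control.default_policy = "deny";` is a change from the previous `"two_factor"` and silently refuses any protected service that does not ship its own rules, which only makes sense together with the per-service fragments this commit starts dropping into `conf.d/`; a why-comment such as `# Default deny: each service's module contributes its own access_control.rules fragment to conf.d/.` would stop the next reader from "fixing" it back. The SMTP block still uses the `smtp://` scheme on port 587, which is opportunistic STARTTLS in Authelia; since the SMTP password now travels in this same file, confirming that the notifier actually negotiates TLS is worth a comment on that line.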
@@ -79,83 +146,29 @@ in }; authelia = { - containerConfig = - let - config = (pkgs.formats.yaml { }).generate "configuration.yaml" { - theme = "auto"; - telemetry.metrics.enabled = true; + containerConfig = { + image = "docker-archive:${selfPkgs.docker-authelia}"; + volumes = [ + "${home}/.local/share/authelia/config:/etc/authelia" + "${ + hmConfig.sops.templates."authelia-configuration.yaml".path + }:/etc/authelia/conf.d/configuration.yaml:ro" + ]; + networks = [ + networks.authelia.ref + networks.traefik.ref + ]; + exec = [ "--config /etc/authelia/conf.d/" ]; + labels = [ + "traefik.enable=true" + "traefik.http.routers.authelia.rule=Host(`id.karaolidis.com`)" + "traefik.http.routers.authelia.tls.certresolver=letsencrypt" - authentication_backend = { - refresh_interval = "always"; - file = { - path = "/etc/authelia/users.yaml"; - watch = true; - }; - }; - - password_policy.zxcvbn.enabled = true; - access_control.default_policy = "two_factor"; - - session = { - cookies = [ - { - domain = "karaolidis.com"; - authelia_url = "https://id.karaolidis.com"; - } - ]; - - redis = { - host = "authelia-redis"; - port = 6379; - }; - }; - - storage.postgres = { - address = "tcp://authelia-postgresql:5432"; - database = "authelia"; - username = "authelia"; - }; - - notifier.smtp = { - address = "smtp://smtp.protonmail.ch:587"; - username = "jupiter@karaolidis.com"; - sender = "jupiter@karaolidis.com"; - }; - }; - in - { - image = "docker-archive:${selfPkgs.docker-authelia}"; - environments = { - AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET"; - AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET"; - AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "/secrets/STORAGE_ENCRYPTION_KEY"; - AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD"; - AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/secrets/SMTP_PASSWORD"; - }; - volumes = [ - "${home}/.local/share/authelia/config:/etc/authelia" - "${config}:/etc/authelia/conf.d/configuration.yaml:ro" 
- "${hmConfig.sops.secrets."authelia/jwt".path}:/secrets/JWT_SECRET:ro" - "${hmConfig.sops.secrets."authelia/session".path}:/secrets/SESSION_SECRET:ro" - "${hmConfig.sops.secrets."authelia/storage".path}:/secrets/STORAGE_ENCRYPTION_KEY:ro" - "${hmConfig.sops.secrets."authelia/postgresql".path}:/secrets/STORAGE_PASSWORD:ro" - "${hmConfig.sops.secrets."authelia/smtp".path}:/secrets/SMTP_PASSWORD:ro" - ]; - networks = [ - networks.authelia.ref - networks.traefik.ref - ]; - exec = [ "--config /etc/authelia/conf.d/" ]; - labels = [ - "traefik.enable=true" - "traefik.http.routers.authelia.rule=Host(`id.karaolidis.com`)" - "traefik.http.routers.authelia.tls.certresolver=letsencrypt" - - "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true" - "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth" - "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name" - ]; - }; + "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true" + "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth" + "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name" + ]; + }; unitConfig.After = [ "${containers."authelia-init"._serviceName}.service" diff --git a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix index fec3472..4b81d70 100644 --- a/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix +++ b/hosts/jupiter/users/storm/configs/console/podman/traefik/default.nix @@ -6,6 +6,7 @@ config, inputs, system, + pkgs, ... }: let 
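Review bot: The new `volumes` entry bind-mounts `hmConfig.sops.templates."authelia-configuration.yaml".path`, which only exists once sops-nix has rendered it, and podman resolves that host path when the unit starts; the `unitConfig.After` list that follows runs past the end of the hunk, so I cannot see whether `"sops-nix.service"` is in it as it is for the traefik unit in the second file. If it is not, the authelia unit can race sops-nix at login and fail to start, or (presumably, depending on how the symlinked generation is resolved) keep binding a stale rendering after a re-activation until the container restarts, so `After` and `Requires` should both name `"sops-nix.service"`. With the `*_FILE` environment variables gone, all secrets sit behind the single `:ro` mount at `/etc/authelia/conf.d/configuration.yaml`, while `${home}/.local/share/authelia/config` is still mounted read-write at `/etc/authelia`; a short comment on the volumes list noting that any other file written into that host directory's `conf.d/` is merged into the effective configuration by `--config /etc/authelia/conf.d/` would help a reader judge the permissions that directory needs.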
@@ -38,78 +39,96 @@ in volumes.letsencrypt.volumeConfig = { }; - containers.traefik = { - containerConfig = { - image = "docker-archive:${selfPkgs.docker-traefik}"; - networks = [ networks.traefik.ref ]; - volumes = [ - "/run/user/${ - builtins.toString config.users.users.${user}.uid - }/podman/podman.sock:/var/run/docker.sock" - "${volumes.letsencrypt.ref}:/letsencrypt" - ]; - exec = [ - "--api.dashboard=true" - "--api.disabledashboardad=true" + containers = { + traefik = { + containerConfig = { + image = "docker-archive:${selfPkgs.docker-traefik}"; + networks = [ networks.traefik.ref ]; + volumes = [ + "/run/user/${ + builtins.toString config.users.users.${user}.uid + }/podman/podman.sock:/var/run/docker.sock" + "${volumes.letsencrypt.ref}:/letsencrypt" + ]; + exec = [ + "--api.dashboard=true" + "--api.disabledashboardad=true" - "--global.sendAnonymousUsage=false" + "--global.sendAnonymousUsage=false" - "--providers.docker=true" - "--providers.docker.exposedbydefault=false" + "--providers.docker=true" + "--providers.docker.exposedbydefault=false" - "--entryPoints.web.address=:80" - "--entrypoints.web.http.redirections.entryPoint.to=websecure" - "--entrypoints.web.http.redirections.entryPoint.scheme=https" - "--entryPoints.web.http3" - "--entrypoints.web.forwardedHeaders.insecure=true" + "--entryPoints.web.address=:80" + "--entrypoints.web.http.redirections.entryPoint.to=websecure" + "--entrypoints.web.http.redirections.entryPoint.scheme=https" + "--entryPoints.web.http3" + "--entrypoints.web.forwardedHeaders.insecure=true" - "--entryPoints.websecure.address=:443" - "--entryPoints.websecure.asDefault=true" - "--entrypoints.websecure.http.tls=true" - "--entrypoints.websecure.http.tls.certResolver=letsencrypt" - "--entrypoints.websecure.http.tls.domains[0].main=karaolidis.com" - "--entrypoints.websecure.http.tls.domains[0].sans=*.karaolidis.com" - "--entrypoints.websecure.http.tls.domains[1].main=krlds.com" - 
"--entrypoints.websecure.http.tls.domains[1].sans=*.krlds.com" - "--entrypoints.websecure.http.middlewares=compress@docker" - "--entryPoints.websecure.http3" - "--entrypoints.websecure.forwardedHeaders.insecure=true" + "--entryPoints.websecure.address=:443" + "--entryPoints.websecure.asDefault=true" + "--entrypoints.websecure.http.tls=true" + "--entrypoints.websecure.http.tls.certResolver=letsencrypt" + "--entrypoints.websecure.http.tls.domains[0].main=karaolidis.com" + "--entrypoints.websecure.http.tls.domains[0].sans=*.karaolidis.com" + "--entrypoints.websecure.http.tls.domains[1].main=krlds.com" + "--entrypoints.websecure.http.tls.domains[1].sans=*.krlds.com" + "--entrypoints.websecure.http.middlewares=compress@docker" + "--entryPoints.websecure.http3" + "--entrypoints.websecure.forwardedHeaders.insecure=true" - "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" - "--certificatesresolvers.letsencrypt.acme.email=nick@karaolidis.com" - "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" - ]; - labels = [ - "traefik.enable=true" - "traefik.http.routers.traefik.rule=Host(`proxy.karaolidis.com`)" - "traefik.http.routers.traefik.tls.certresolver=letsencrypt" - "traefik.http.routers.traefik.service: 'api@internal'" - "traefik.http.routers.traefik.middlewares: 'authelia@docker'" + "--certificatesresolvers.letsencrypt.acme.dnschallenge=true" + "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" + "--certificatesresolvers.letsencrypt.acme.email=nick@karaolidis.com" + "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" + ]; + labels = [ + "traefik.enable=true" + "traefik.http.routers.traefik.rule=Host(`proxy.karaolidis.com`)" + "traefik.http.routers.traefik.tls.certresolver=letsencrypt" + "traefik.http.routers.traefik.service: 'api@internal'" + "traefik.http.routers.traefik.middlewares: 'authelia@docker'" - 
"traefik.http.middlewares.compress.compress=true" - # TODO: Middlewares: Headers - ]; - environmentFiles = [ hmConfig.sops.templates."traefik.env".path ]; - }; + "traefik.http.middlewares.compress.compress=true" + # TODO: Middlewares: Headers + ]; + environmentFiles = [ hmConfig.sops.templates."traefik.env".path ]; + }; - serviceConfig.Sockets = [ - "traefik-http.socket" - "traefik-https.socket" - ]; - - unitConfig = { - After = [ - "traefik-http.socket" - "traefik-https.socket" - "sops-nix.service" - ]; - - Requires = [ + serviceConfig.Sockets = [ "traefik-http.socket" "traefik-https.socket" ]; + + unitConfig = { + After = [ + "traefik-http.socket" + "traefik-https.socket" + "sops-nix.service" + ]; + + Requires = [ + "traefik-http.socket" + "traefik-https.socket" + ]; + }; }; + + authelia.containerConfig.volumes = + let + config = (pkgs.formats.yaml { }).generate "traefik.yaml" { + access_control.rules = [ + { + domain = "proxy.karaolidis.com"; + policy = "two_factor"; + subject = [ "group:admins" ]; + } + ]; + }; + in + [ + "${config}:/etc/authelia/conf.d/traefik.yaml:ro" + ]; }; };
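Review bot: The access rule added for `proxy.karaolidis.com` (`policy = "two_factor"`, `subject = [ "group:admins" ]`) only takes effect if the `authelia@docker` middleware is actually attached to the dashboard router, and the two labels that should do that are not in podman's `key=value` label syntax: `"traefik.http.routers.traefik.service: 'api@internal'"` and `"traefik.http.routers.traefik.middlewares: 'authelia@docker'"` (pre-existing text, re-indented here). As written podman most likely stores them as label keys with empty values, which Traefik either rejects for the whole container or ignores, leaving the dashboard either unreachable or served without the forward-auth check; they should read `"traefik.http.routers.traefik.service=api@internal"` and `"traefik.http.routers.traefik.middlewares=authelia@docker"`. Separately, both entrypoints keep `forwardedHeaders.insecure=true`, so Traefik accepts client-supplied `X-Forwarded-*` headers, and the authelia middleware passes them on with `trustForwardHeader=true`; because Authelia matches `access_control.rules` on the forwarded host, a client that can set `X-Forwarded-Host` may influence which rule is applied, so `forwardedHeaders.trustedIPs` limited to whatever upstream proxy really sits in front (or dropping `insecure` if none does) is the safer setting. The `# TODO: Middlewares: Headers` marker is a natural place to record that decision.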