Add authelia sso
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
@@ -6,6 +6,7 @@
|
||||
config,
|
||||
inputs,
|
||||
system,
|
||||
pkgs,
|
||||
...
|
||||
}:
|
||||
let
|
||||
@@ -38,78 +39,96 @@ in
|
||||
|
||||
volumes.letsencrypt.volumeConfig = { };
|
||||
|
||||
containers.traefik = {
|
||||
containerConfig = {
|
||||
image = "docker-archive:${selfPkgs.docker-traefik}";
|
||||
networks = [ networks.traefik.ref ];
|
||||
volumes = [
|
||||
"/run/user/${
|
||||
builtins.toString config.users.users.${user}.uid
|
||||
}/podman/podman.sock:/var/run/docker.sock"
|
||||
"${volumes.letsencrypt.ref}:/letsencrypt"
|
||||
];
|
||||
exec = [
|
||||
"--api.dashboard=true"
|
||||
"--api.disabledashboardad=true"
|
||||
containers = {
|
||||
traefik = {
|
||||
containerConfig = {
|
||||
image = "docker-archive:${selfPkgs.docker-traefik}";
|
||||
networks = [ networks.traefik.ref ];
|
||||
volumes = [
|
||||
"/run/user/${
|
||||
builtins.toString config.users.users.${user}.uid
|
||||
}/podman/podman.sock:/var/run/docker.sock"
|
||||
"${volumes.letsencrypt.ref}:/letsencrypt"
|
||||
];
|
||||
exec = [
|
||||
"--api.dashboard=true"
|
||||
"--api.disabledashboardad=true"
|
||||
|
||||
"--global.sendAnonymousUsage=false"
|
||||
"--global.sendAnonymousUsage=false"
|
||||
|
||||
"--providers.docker=true"
|
||||
"--providers.docker.exposedbydefault=false"
|
||||
"--providers.docker=true"
|
||||
"--providers.docker.exposedbydefault=false"
|
||||
|
||||
"--entryPoints.web.address=:80"
|
||||
"--entrypoints.web.http.redirections.entryPoint.to=websecure"
|
||||
"--entrypoints.web.http.redirections.entryPoint.scheme=https"
|
||||
"--entryPoints.web.http3"
|
||||
"--entrypoints.web.forwardedHeaders.insecure=true"
|
||||
"--entryPoints.web.address=:80"
|
||||
"--entrypoints.web.http.redirections.entryPoint.to=websecure"
|
||||
"--entrypoints.web.http.redirections.entryPoint.scheme=https"
|
||||
"--entryPoints.web.http3"
|
||||
"--entrypoints.web.forwardedHeaders.insecure=true"
|
||||
|
||||
"--entryPoints.websecure.address=:443"
|
||||
"--entryPoints.websecure.asDefault=true"
|
||||
"--entrypoints.websecure.http.tls=true"
|
||||
"--entrypoints.websecure.http.tls.certResolver=letsencrypt"
|
||||
"--entrypoints.websecure.http.tls.domains[0].main=karaolidis.com"
|
||||
"--entrypoints.websecure.http.tls.domains[0].sans=*.karaolidis.com"
|
||||
"--entrypoints.websecure.http.tls.domains[1].main=krlds.com"
|
||||
"--entrypoints.websecure.http.tls.domains[1].sans=*.krlds.com"
|
||||
"--entrypoints.websecure.http.middlewares=compress@docker"
|
||||
"--entryPoints.websecure.http3"
|
||||
"--entrypoints.websecure.forwardedHeaders.insecure=true"
|
||||
"--entryPoints.websecure.address=:443"
|
||||
"--entryPoints.websecure.asDefault=true"
|
||||
"--entrypoints.websecure.http.tls=true"
|
||||
"--entrypoints.websecure.http.tls.certResolver=letsencrypt"
|
||||
"--entrypoints.websecure.http.tls.domains[0].main=karaolidis.com"
|
||||
"--entrypoints.websecure.http.tls.domains[0].sans=*.karaolidis.com"
|
||||
"--entrypoints.websecure.http.tls.domains[1].main=krlds.com"
|
||||
"--entrypoints.websecure.http.tls.domains[1].sans=*.krlds.com"
|
||||
"--entrypoints.websecure.http.middlewares=compress@docker"
|
||||
"--entryPoints.websecure.http3"
|
||||
"--entrypoints.websecure.forwardedHeaders.insecure=true"
|
||||
|
||||
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
|
||||
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
|
||||
"--certificatesresolvers.letsencrypt.acme.email=nick@karaolidis.com"
|
||||
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
|
||||
];
|
||||
labels = [
|
||||
"traefik.enable=true"
|
||||
"traefik.http.routers.traefik.rule=Host(`proxy.karaolidis.com`)"
|
||||
"traefik.http.routers.traefik.tls.certresolver=letsencrypt"
|
||||
"traefik.http.routers.traefik.service: 'api@internal'"
|
||||
"traefik.http.routers.traefik.middlewares: 'authelia@docker'"
|
||||
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
|
||||
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
|
||||
"--certificatesresolvers.letsencrypt.acme.email=nick@karaolidis.com"
|
||||
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
|
||||
];
|
||||
labels = [
|
||||
"traefik.enable=true"
|
||||
"traefik.http.routers.traefik.rule=Host(`proxy.karaolidis.com`)"
|
||||
"traefik.http.routers.traefik.tls.certresolver=letsencrypt"
|
||||
"traefik.http.routers.traefik.service: 'api@internal'"
|
||||
"traefik.http.routers.traefik.middlewares: 'authelia@docker'"
|
||||
|
||||
"traefik.http.middlewares.compress.compress=true"
|
||||
# TODO: Middlewares: Headers
|
||||
];
|
||||
environmentFiles = [ hmConfig.sops.templates."traefik.env".path ];
|
||||
};
|
||||
"traefik.http.middlewares.compress.compress=true"
|
||||
# TODO: Middlewares: Headers
|
||||
];
|
||||
environmentFiles = [ hmConfig.sops.templates."traefik.env".path ];
|
||||
};
|
||||
|
||||
serviceConfig.Sockets = [
|
||||
"traefik-http.socket"
|
||||
"traefik-https.socket"
|
||||
];
|
||||
|
||||
unitConfig = {
|
||||
After = [
|
||||
"traefik-http.socket"
|
||||
"traefik-https.socket"
|
||||
"sops-nix.service"
|
||||
];
|
||||
|
||||
Requires = [
|
||||
serviceConfig.Sockets = [
|
||||
"traefik-http.socket"
|
||||
"traefik-https.socket"
|
||||
];
|
||||
|
||||
unitConfig = {
|
||||
After = [
|
||||
"traefik-http.socket"
|
||||
"traefik-https.socket"
|
||||
"sops-nix.service"
|
||||
];
|
||||
|
||||
Requires = [
|
||||
"traefik-http.socket"
|
||||
"traefik-https.socket"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
authelia.containerConfig.volumes =
|
||||
let
|
||||
config = (pkgs.formats.yaml { }).generate "traefik.yaml" {
|
||||
access_control.rules = [
|
||||
{
|
||||
domain = "proxy.karaolidis.com";
|
||||
policy = "two_factor";
|
||||
subject = [ "group:admins" ];
|
||||
}
|
||||
];
|
||||
};
|
||||
in
|
||||
[
|
||||
"${config}:/etc/authelia/conf.d/traefik.yaml:ro"
|
||||
];
|
||||
};
|
||||
};
|
||||
|
||||
|
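Review bot: The labels `"traefik.http.routers.traefik.service: 'api@internal'"` and `"traefik.http.routers.traefik.middlewares: 'authelia@docker'"` use YAML-style `key: 'value'` text inside a Docker label list whose other entries are `key=value`, so Traefik's docker provider will not read them as the router's service and middleware; the `proxy.karaolidis.com` router would then be served without the Authelia middleware, and the `two_factor` / `group:admins` rule generated further down for that same domain would never be consulted. They should read `"traefik.http.routers.traefik.service=api@internal"` and `"traefik.http.routers.traefik.middlewares=authelia@docker"`. The `authelia@docker` middleware referenced here is not defined in this hunk, so its definition on the authelia container should be confirmed separately. Both entrypoints also keep `forwardedHeaders.insecure=true`, which makes Traefik trust client-supplied X-Forwarded-* headers that the forward-auth path relies on, so if this edge can be reached directly that setting is worth revisiting now that authorization depends on it. As a style point, the inner `let config = (pkgs.formats.yaml { }).generate ...` shadows the module's `config` argument; a name such as `autheliaConfig` would avoid the ambiguity.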