Add authelia sso
Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
This commit is contained in:
@@ -21,8 +21,10 @@ in
|
|||||||
home-manager.users.${user} = {
|
home-manager.users.${user} = {
|
||||||
sops = {
|
sops = {
|
||||||
secrets = {
|
secrets = {
|
||||||
"authelia/jwt".sopsFile = ../../../../../../secrets/secrets.yaml;
|
|
||||||
"authelia/session".sopsFile = ../../../../../../secrets/secrets.yaml;
|
"authelia/session".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||||
|
"authelia/resetPasswordJwt".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||||
|
"authelia/oidcHmac".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||||
|
"authelia/oidcKey".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||||
"authelia/storage".sopsFile = ../../../../../../secrets/secrets.yaml;
|
"authelia/storage".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||||
"authelia/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
|
"authelia/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||||
"authelia/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
|
"authelia/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
|
||||||
@@ -34,6 +36,71 @@ in
|
|||||||
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."authelia/postgresql"}
|
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."authelia/postgresql"}
|
||||||
'';
|
'';
|
||||||
|
|
||||||
|
"authelia-configuration.yaml".content = builtins.readFile (
|
||||||
|
(pkgs.formats.yaml { }).generate "configuration.yaml" {
|
||||||
|
theme = "auto";
|
||||||
|
telemetry.metrics.enabled = true;
|
||||||
|
|
||||||
|
authentication_backend = {
|
||||||
|
refresh_interval = "always";
|
||||||
|
file = {
|
||||||
|
path = "/etc/authelia/users.yaml";
|
||||||
|
watch = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
password_policy.zxcvbn.enabled = true;
|
||||||
|
access_control.default_policy = "deny";
|
||||||
|
|
||||||
|
session = {
|
||||||
|
secret = hmConfig.sops.placeholder."authelia/session";
|
||||||
|
|
||||||
|
cookies = [
|
||||||
|
{
|
||||||
|
domain = "karaolidis.com";
|
||||||
|
authelia_url = "https://id.karaolidis.com";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
|
||||||
|
redis = {
|
||||||
|
host = "authelia-redis";
|
||||||
|
port = 6379;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
identity_validation.reset_password.jwt_secret =
|
||||||
|
hmConfig.sops.placeholder."authelia/resetPasswordJwt";
|
||||||
|
|
||||||
|
identity_providers.oidc = {
|
||||||
|
hmac_secret = hmConfig.sops.placeholder."authelia/oidcHmac";
|
||||||
|
|
||||||
|
jwks = [
|
||||||
|
{
|
||||||
|
key = hmConfig.sops.placeholder."authelia/oidcKey";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
|
||||||
|
storage = {
|
||||||
|
encryption_key = hmConfig.sops.placeholder."authelia/storage";
|
||||||
|
|
||||||
|
postgres = {
|
||||||
|
address = "tcp://authelia-postgresql:5432";
|
||||||
|
database = "authelia";
|
||||||
|
username = "authelia";
|
||||||
|
password = hmConfig.sops.placeholder."authelia/postgresql";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
notifier.smtp = {
|
||||||
|
address = "smtp://smtp.protonmail.ch:587";
|
||||||
|
username = "jupiter@karaolidis.com";
|
||||||
|
password = hmConfig.sops.placeholder."authelia/smtp";
|
||||||
|
sender = "jupiter@karaolidis.com";
|
||||||
|
};
|
||||||
|
}
|
||||||
|
);
|
||||||
|
|
||||||
"authelia-users.yaml".content = builtins.readFile (
|
"authelia-users.yaml".content = builtins.readFile (
|
||||||
(pkgs.formats.yaml { }).generate "users.yaml" {
|
(pkgs.formats.yaml { }).generate "users.yaml" {
|
||||||
users.karaolidis = {
|
users.karaolidis = {
|
||||||
@@ -79,67 +146,13 @@ in
|
|||||||
};
|
};
|
||||||
|
|
||||||
authelia = {
|
authelia = {
|
||||||
containerConfig =
|
containerConfig = {
|
||||||
let
|
|
||||||
config = (pkgs.formats.yaml { }).generate "configuration.yaml" {
|
|
||||||
theme = "auto";
|
|
||||||
telemetry.metrics.enabled = true;
|
|
||||||
|
|
||||||
authentication_backend = {
|
|
||||||
refresh_interval = "always";
|
|
||||||
file = {
|
|
||||||
path = "/etc/authelia/users.yaml";
|
|
||||||
watch = true;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
password_policy.zxcvbn.enabled = true;
|
|
||||||
access_control.default_policy = "two_factor";
|
|
||||||
|
|
||||||
session = {
|
|
||||||
cookies = [
|
|
||||||
{
|
|
||||||
domain = "karaolidis.com";
|
|
||||||
authelia_url = "https://id.karaolidis.com";
|
|
||||||
}
|
|
||||||
];
|
|
||||||
|
|
||||||
redis = {
|
|
||||||
host = "authelia-redis";
|
|
||||||
port = 6379;
|
|
||||||
};
|
|
||||||
};
|
|
||||||
|
|
||||||
storage.postgres = {
|
|
||||||
address = "tcp://authelia-postgresql:5432";
|
|
||||||
database = "authelia";
|
|
||||||
username = "authelia";
|
|
||||||
};
|
|
||||||
|
|
||||||
notifier.smtp = {
|
|
||||||
address = "smtp://smtp.protonmail.ch:587";
|
|
||||||
username = "jupiter@karaolidis.com";
|
|
||||||
sender = "jupiter@karaolidis.com";
|
|
||||||
};
|
|
||||||
};
|
|
||||||
in
|
|
||||||
{
|
|
||||||
image = "docker-archive:${selfPkgs.docker-authelia}";
|
image = "docker-archive:${selfPkgs.docker-authelia}";
|
||||||
environments = {
|
|
||||||
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET";
|
|
||||||
AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET";
|
|
||||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "/secrets/STORAGE_ENCRYPTION_KEY";
|
|
||||||
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD";
|
|
||||||
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/secrets/SMTP_PASSWORD";
|
|
||||||
};
|
|
||||||
volumes = [
|
volumes = [
|
||||||
"${home}/.local/share/authelia/config:/etc/authelia"
|
"${home}/.local/share/authelia/config:/etc/authelia"
|
||||||
"${config}:/etc/authelia/conf.d/configuration.yaml:ro"
|
"${
|
||||||
"${hmConfig.sops.secrets."authelia/jwt".path}:/secrets/JWT_SECRET:ro"
|
hmConfig.sops.templates."authelia-configuration.yaml".path
|
||||||
"${hmConfig.sops.secrets."authelia/session".path}:/secrets/SESSION_SECRET:ro"
|
}:/etc/authelia/conf.d/configuration.yaml:ro"
|
||||||
"${hmConfig.sops.secrets."authelia/storage".path}:/secrets/STORAGE_ENCRYPTION_KEY:ro"
|
|
||||||
"${hmConfig.sops.secrets."authelia/postgresql".path}:/secrets/STORAGE_PASSWORD:ro"
|
|
||||||
"${hmConfig.sops.secrets."authelia/smtp".path}:/secrets/SMTP_PASSWORD:ro"
|
|
||||||
];
|
];
|
||||||
networks = [
|
networks = [
|
||||||
networks.authelia.ref
|
networks.authelia.ref
|
||||||
|
|||||||
@@ -6,6 +6,7 @@
|
|||||||
config,
|
config,
|
||||||
inputs,
|
inputs,
|
||||||
system,
|
system,
|
||||||
|
pkgs,
|
||||||
...
|
...
|
||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
@@ -38,7 +39,8 @@ in
|
|||||||
|
|
||||||
volumes.letsencrypt.volumeConfig = { };
|
volumes.letsencrypt.volumeConfig = { };
|
||||||
|
|
||||||
containers.traefik = {
|
containers = {
|
||||||
|
traefik = {
|
||||||
containerConfig = {
|
containerConfig = {
|
||||||
image = "docker-archive:${selfPkgs.docker-traefik}";
|
image = "docker-archive:${selfPkgs.docker-traefik}";
|
||||||
networks = [ networks.traefik.ref ];
|
networks = [ networks.traefik.ref ];
|
||||||
@@ -111,6 +113,23 @@ in
|
|||||||
];
|
];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
|
authelia.containerConfig.volumes =
|
||||||
|
let
|
||||||
|
config = (pkgs.formats.yaml { }).generate "traefik.yaml" {
|
||||||
|
access_control.rules = [
|
||||||
|
{
|
||||||
|
domain = "proxy.karaolidis.com";
|
||||||
|
policy = "two_factor";
|
||||||
|
subject = [ "group:admins" ];
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
in
|
||||||
|
[
|
||||||
|
"${config}:/etc/authelia/conf.d/traefik.yaml:ro"
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
# https://github.com/eriksjolund/podman-traefik-socket-activation
|
# https://github.com/eriksjolund/podman-traefik-socket-activation
|
||||||
|
|||||||
Reference in New Issue
Block a user