Add authelia sso

Signed-off-by: Nikolaos Karaolidis <nick@karaolidis.com>
2025-03-12 17:49:04 +00:00
parent eb7fc4a122
commit 6ed4c4917a
2 changed files with 170 additions and 138 deletions


@@ -21,8 +21,10 @@ in
home-manager.users.${user} = { home-manager.users.${user} = {
sops = { sops = {
secrets = { secrets = {
"authelia/jwt".sopsFile = ../../../../../../secrets/secrets.yaml;
"authelia/session".sopsFile = ../../../../../../secrets/secrets.yaml; "authelia/session".sopsFile = ../../../../../../secrets/secrets.yaml;
"authelia/resetPasswordJwt".sopsFile = ../../../../../../secrets/secrets.yaml;
"authelia/oidcHmac".sopsFile = ../../../../../../secrets/secrets.yaml;
"authelia/oidcKey".sopsFile = ../../../../../../secrets/secrets.yaml;
"authelia/storage".sopsFile = ../../../../../../secrets/secrets.yaml; "authelia/storage".sopsFile = ../../../../../../secrets/secrets.yaml;
"authelia/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml; "authelia/postgresql".sopsFile = ../../../../../../secrets/secrets.yaml;
"authelia/smtp".sopsFile = ../../../../../../secrets/secrets.yaml; "authelia/smtp".sopsFile = ../../../../../../secrets/secrets.yaml;
@@ -34,6 +36,71 @@ in
POSTGRES_PASSWORD=${hmConfig.sops.placeholder."authelia/postgresql"} POSTGRES_PASSWORD=${hmConfig.sops.placeholder."authelia/postgresql"}
''; '';
"authelia-configuration.yaml".content = builtins.readFile (
(pkgs.formats.yaml { }).generate "configuration.yaml" {
theme = "auto";
telemetry.metrics.enabled = true;
authentication_backend = {
refresh_interval = "always";
file = {
path = "/etc/authelia/users.yaml";
watch = true;
};
};
password_policy.zxcvbn.enabled = true;
access_control.default_policy = "deny";
session = {
secret = hmConfig.sops.placeholder."authelia/session";
cookies = [
{
domain = "karaolidis.com";
authelia_url = "https://id.karaolidis.com";
}
];
redis = {
host = "authelia-redis";
port = 6379;
};
};
identity_validation.reset_password.jwt_secret =
hmConfig.sops.placeholder."authelia/resetPasswordJwt";
identity_providers.oidc = {
hmac_secret = hmConfig.sops.placeholder."authelia/oidcHmac";
jwks = [
{
key = hmConfig.sops.placeholder."authelia/oidcKey";
}
];
};
storage = {
encryption_key = hmConfig.sops.placeholder."authelia/storage";
postgres = {
address = "tcp://authelia-postgresql:5432";
database = "authelia";
username = "authelia";
password = hmConfig.sops.placeholder."authelia/postgresql";
};
};
notifier.smtp = {
address = "smtp://smtp.protonmail.ch:587";
username = "jupiter@karaolidis.com";
password = hmConfig.sops.placeholder."authelia/smtp";
sender = "jupiter@karaolidis.com";
};
}
);
"authelia-users.yaml".content = builtins.readFile ( "authelia-users.yaml".content = builtins.readFile (
(pkgs.formats.yaml { }).generate "users.yaml" { (pkgs.formats.yaml { }).generate "users.yaml" {
users.karaolidis = { users.karaolidis = {
@@ -79,83 +146,29 @@ in
}; };
authelia = { authelia = {
containerConfig = containerConfig = {
let image = "docker-archive:${selfPkgs.docker-authelia}";
config = (pkgs.formats.yaml { }).generate "configuration.yaml" { volumes = [
theme = "auto"; "${home}/.local/share/authelia/config:/etc/authelia"
telemetry.metrics.enabled = true; "${
hmConfig.sops.templates."authelia-configuration.yaml".path
}:/etc/authelia/conf.d/configuration.yaml:ro"
];
networks = [
networks.authelia.ref
networks.traefik.ref
];
exec = [ "--config /etc/authelia/conf.d/" ];
labels = [
"traefik.enable=true"
"traefik.http.routers.authelia.rule=Host(`id.karaolidis.com`)"
"traefik.http.routers.authelia.tls.certresolver=letsencrypt"
authentication_backend = { "traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
refresh_interval = "always"; "traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth"
file = { "traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name"
path = "/etc/authelia/users.yaml"; ];
watch = true; };
};
};
password_policy.zxcvbn.enabled = true;
access_control.default_policy = "two_factor";
session = {
cookies = [
{
domain = "karaolidis.com";
authelia_url = "https://id.karaolidis.com";
}
];
redis = {
host = "authelia-redis";
port = 6379;
};
};
storage.postgres = {
address = "tcp://authelia-postgresql:5432";
database = "authelia";
username = "authelia";
};
notifier.smtp = {
address = "smtp://smtp.protonmail.ch:587";
username = "jupiter@karaolidis.com";
sender = "jupiter@karaolidis.com";
};
};
in
{
image = "docker-archive:${selfPkgs.docker-authelia}";
environments = {
AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET";
AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET";
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "/secrets/STORAGE_ENCRYPTION_KEY";
AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD";
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = "/secrets/SMTP_PASSWORD";
};
volumes = [
"${home}/.local/share/authelia/config:/etc/authelia"
"${config}:/etc/authelia/conf.d/configuration.yaml:ro"
"${hmConfig.sops.secrets."authelia/jwt".path}:/secrets/JWT_SECRET:ro"
"${hmConfig.sops.secrets."authelia/session".path}:/secrets/SESSION_SECRET:ro"
"${hmConfig.sops.secrets."authelia/storage".path}:/secrets/STORAGE_ENCRYPTION_KEY:ro"
"${hmConfig.sops.secrets."authelia/postgresql".path}:/secrets/STORAGE_PASSWORD:ro"
"${hmConfig.sops.secrets."authelia/smtp".path}:/secrets/SMTP_PASSWORD:ro"
];
networks = [
networks.authelia.ref
networks.traefik.ref
];
exec = [ "--config /etc/authelia/conf.d/" ];
labels = [
"traefik.enable=true"
"traefik.http.routers.authelia.rule=Host(`id.karaolidis.com`)"
"traefik.http.routers.authelia.tls.certresolver=letsencrypt"
"traefik.http.middlewares.authelia.forwardAuth.trustForwardHeader=true"
"traefik.http.middlewares.authelia.forwardAuth.address=http://authelia:9091/api/authz/forward-auth"
"traefik.http.middlewares.authelia.forwardAuth.authResponseHeaders=Remote-User,Remote-Groups,Remote-Email,Remote-Name"
];
};
unitConfig.After = [ unitConfig.After = [
"${containers."authelia-init"._serviceName}.service" "${containers."authelia-init"._serviceName}.service"
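Review bot: Every Authelia secret is now interpolated directly into the generated configuration.yaml (session.secret, reset_password.jwt_secret, oidc.hmac_secret, jwks[].key, storage.encryption_key, the postgres and smtp passwords), and sops-nix substitutes each placeholder textually after `pkgs.formats.yaml` has already serialized the file, so any value that is not a single YAML-safe line — most likely the OIDC signing key if it is stored as a multi-line PEM — will either break the YAML or be parsed as a different value than intended. The old side of this hunk loaded these through `*_FILE` environment variables pointing at mounted secret paths, which is immune to that; consider keeping that form at least for the jwks key, or confirm that every stored secret is one line with no YAML-significant characters (`:`, `#`, quotes, leading `*`/`&`) and note it next to the template, e.g. `# secrets are spliced into serialized YAML: values must be single-line and YAML-safe`. The `containerConfig` attrset's enclosing module continues past the end of the hunk.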


@@ -6,6 +6,7 @@
config, config,
inputs, inputs,
system, system,
pkgs,
... ...
}: }:
let let
@@ -38,78 +39,96 @@ in
volumes.letsencrypt.volumeConfig = { }; volumes.letsencrypt.volumeConfig = { };
containers.traefik = { containers = {
containerConfig = { traefik = {
image = "docker-archive:${selfPkgs.docker-traefik}"; containerConfig = {
networks = [ networks.traefik.ref ]; image = "docker-archive:${selfPkgs.docker-traefik}";
volumes = [ networks = [ networks.traefik.ref ];
"/run/user/${ volumes = [
builtins.toString config.users.users.${user}.uid "/run/user/${
}/podman/podman.sock:/var/run/docker.sock" builtins.toString config.users.users.${user}.uid
"${volumes.letsencrypt.ref}:/letsencrypt" }/podman/podman.sock:/var/run/docker.sock"
]; "${volumes.letsencrypt.ref}:/letsencrypt"
exec = [ ];
"--api.dashboard=true" exec = [
"--api.disabledashboardad=true" "--api.dashboard=true"
"--api.disabledashboardad=true"
"--global.sendAnonymousUsage=false" "--global.sendAnonymousUsage=false"
"--providers.docker=true" "--providers.docker=true"
"--providers.docker.exposedbydefault=false" "--providers.docker.exposedbydefault=false"
"--entryPoints.web.address=:80" "--entryPoints.web.address=:80"
"--entrypoints.web.http.redirections.entryPoint.to=websecure" "--entrypoints.web.http.redirections.entryPoint.to=websecure"
"--entrypoints.web.http.redirections.entryPoint.scheme=https" "--entrypoints.web.http.redirections.entryPoint.scheme=https"
"--entryPoints.web.http3" "--entryPoints.web.http3"
"--entrypoints.web.forwardedHeaders.insecure=true" "--entrypoints.web.forwardedHeaders.insecure=true"
"--entryPoints.websecure.address=:443" "--entryPoints.websecure.address=:443"
"--entryPoints.websecure.asDefault=true" "--entryPoints.websecure.asDefault=true"
"--entrypoints.websecure.http.tls=true" "--entrypoints.websecure.http.tls=true"
"--entrypoints.websecure.http.tls.certResolver=letsencrypt" "--entrypoints.websecure.http.tls.certResolver=letsencrypt"
"--entrypoints.websecure.http.tls.domains[0].main=karaolidis.com" "--entrypoints.websecure.http.tls.domains[0].main=karaolidis.com"
"--entrypoints.websecure.http.tls.domains[0].sans=*.karaolidis.com" "--entrypoints.websecure.http.tls.domains[0].sans=*.karaolidis.com"
"--entrypoints.websecure.http.tls.domains[1].main=krlds.com" "--entrypoints.websecure.http.tls.domains[1].main=krlds.com"
"--entrypoints.websecure.http.tls.domains[1].sans=*.krlds.com" "--entrypoints.websecure.http.tls.domains[1].sans=*.krlds.com"
"--entrypoints.websecure.http.middlewares=compress@docker" "--entrypoints.websecure.http.middlewares=compress@docker"
"--entryPoints.websecure.http3" "--entryPoints.websecure.http3"
"--entrypoints.websecure.forwardedHeaders.insecure=true" "--entrypoints.websecure.forwardedHeaders.insecure=true"
"--certificatesresolvers.letsencrypt.acme.dnschallenge=true" "--certificatesresolvers.letsencrypt.acme.dnschallenge=true"
"--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare" "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
"--certificatesresolvers.letsencrypt.acme.email=nick@karaolidis.com" "--certificatesresolvers.letsencrypt.acme.email=nick@karaolidis.com"
"--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json" "--certificatesresolvers.letsencrypt.acme.storage=/letsencrypt/acme.json"
]; ];
labels = [ labels = [
"traefik.enable=true" "traefik.enable=true"
"traefik.http.routers.traefik.rule=Host(`proxy.karaolidis.com`)" "traefik.http.routers.traefik.rule=Host(`proxy.karaolidis.com`)"
"traefik.http.routers.traefik.tls.certresolver=letsencrypt" "traefik.http.routers.traefik.tls.certresolver=letsencrypt"
"traefik.http.routers.traefik.service: 'api@internal'" "traefik.http.routers.traefik.service: 'api@internal'"
"traefik.http.routers.traefik.middlewares: 'authelia@docker'" "traefik.http.routers.traefik.middlewares: 'authelia@docker'"
"traefik.http.middlewares.compress.compress=true" "traefik.http.middlewares.compress.compress=true"
# TODO: Middlewares: Headers # TODO: Middlewares: Headers
]; ];
environmentFiles = [ hmConfig.sops.templates."traefik.env".path ]; environmentFiles = [ hmConfig.sops.templates."traefik.env".path ];
}; };
serviceConfig.Sockets = [ serviceConfig.Sockets = [
"traefik-http.socket"
"traefik-https.socket"
];
unitConfig = {
After = [
"traefik-http.socket"
"traefik-https.socket"
"sops-nix.service"
];
Requires = [
"traefik-http.socket" "traefik-http.socket"
"traefik-https.socket" "traefik-https.socket"
]; ];
unitConfig = {
After = [
"traefik-http.socket"
"traefik-https.socket"
"sops-nix.service"
];
Requires = [
"traefik-http.socket"
"traefik-https.socket"
];
};
}; };
authelia.containerConfig.volumes =
let
config = (pkgs.formats.yaml { }).generate "traefik.yaml" {
access_control.rules = [
{
domain = "proxy.karaolidis.com";
policy = "two_factor";
subject = [ "group:admins" ];
}
];
};
in
[
"${config}:/etc/authelia/conf.d/traefik.yaml:ro"
];
}; };
}; };
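Review bot: The new `access_control` rule for `proxy.karaolidis.com` only protects the dashboard if the `authelia@docker` middleware is actually attached to the `traefik` router, and the unchanged labels `"traefik.http.routers.traefik.middlewares: 'authelia@docker'"` and `"traefik.http.routers.traefik.service: 'api@internal'"` use a `key: 'value'` form rather than the `key=value` form every other label in the list uses; if the runtime splits labels on `=`, both become keys with an empty value, the router gets neither its service nor the middleware, and the rule never fires. I would change them to `"traefik.http.routers.traefik.service=api@internal"` and `"traefik.http.routers.traefik.middlewares=authelia@docker"` and confirm in Traefik's router view or logs that the middleware is listed. Separately, both entrypoints keep `forwardedHeaders.insecure=true`, so as far as I can tell the `X-Forwarded-Host` that Authelia evaluates this rule against can be supplied by the client; with `default_policy` set to deny that degrades to a denial today, but any later `bypass` rule on another domain would become spoofable, so a comment such as `# forwardedHeaders.insecure trusts client X-Forwarded-*; keep default_policy=deny and no bypass rules` would preserve that invariant. The `containers` attrset closes within the hunk; the file's surrounding `let` block starts above it.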