wiro.world / dotfiles
yep, more dotfiles
fork atom

server: add authelia

wiro.world 40e896fb 819b7973

verified
options
unified split
Changed files
+100
nixos
profiles
server.nix
secrets
authelia-jwt-secret.age
authelia-ldap-password.age
authelia-smtp-password.age
authelia-storage-enc-key.age
secrets.nix
+76
nixos/profiles/server.nix 
···

       
35

       
35

       
 

       
  lldap-port = 3006;


     

       
36

       
36

       
 

       
  lldap-hostname = "ldap.wiro.world";


     

       
37

       
37

       
 

       



     

       

       
38

       
+

       
  authelia-port = 3007;


     

       

       
39

       
+

       
  authelia-hostname = "auth.wiro.world";


     

       

       
40

       
+

       



     

       
38

       
41

       
 

       
  grafana-port = 9000;


     

       
39

       
42

       
 

       
  grafana-hostname = "console.wiro.world";


     

       
40

       
43

       
 

       
  prometheus-port = 9001;


     
···

       
164

       
167

       
 

       
      virtualHosts.${lldap-hostname}.extraConfig = ''


     

       
165

       
168

       
 

       
        reverse_proxy http://localhost:${toString lldap-port}


     

       
166

       
169

       
 

       
      '';


     

       

       
170

       
+

       



     

       

       
171

       
+

       
      virtualHosts.${authelia-hostname}.extraConfig = ''


     

       

       
172

       
+

       
        reverse_proxy http://localhost:${toString authelia-port}


     

       

       
173

       
+

       
      '';


     

       
167

       
174

       
 

       
    };


     

       
168

       
175

       
 

       



     

       
169

       
176

       
 

       
    security.sudo.wheelNeedsPassword = false;


     
···

       
267

       
274

       
 

       
        ldap_base_dn = "dc=wiro,dc=world";


     

       
268

       
275

       
 

       
      };


     

       
269

       
276

       
 

       
      environmentFile = config.age.secrets.lldap-env.path;


     

       

       
277

       
+

       
    };


     

       

       
278

       
+

       



     

       

       
279

       
+

       
    age.secrets.authelia-jwt-secret.file = ../../secrets/authelia-jwt-secret.age;


     

       

       
280

       
+

       
    age.secrets.authelia-jwt-secret.owner = config.services.authelia.instances.main.user;


     

       

       
281

       
+

       
    age.secrets.authelia-storage-enc-key.file = ../../secrets/authelia-storage-enc-key.age;


     

       

       
282

       
+

       
    age.secrets.authelia-storage-enc-key.owner = config.services.authelia.instances.main.user;


     

       

       
283

       
+

       
    age.secrets.authelia-ldap-password.file = ../../secrets/authelia-ldap-password.age;


     

       

       
284

       
+

       
    age.secrets.authelia-ldap-password.owner = config.services.authelia.instances.main.user;


     

       

       
285

       
+

       
    age.secrets.authelia-smtp-password.file = ../../secrets/authelia-smtp-password.age;


     

       

       
286

       
+

       
    age.secrets.authelia-smtp-password.owner = config.services.authelia.instances.main.user;


     

       

       
287

       
+

       
    services.authelia.instances.main = {


     

       

       
288

       
+

       
      enable = true;


     

       

       
289

       
+

       



     

       

       
290

       
+

       
      secrets = {


     

       

       
291

       
+

       
        jwtSecretFile = config.age.secrets.authelia-jwt-secret.path;


     

       

       
292

       
+

       
        # oidcHmacSecretFile = config.age.secrets.authelia-oidc-hmac-secret.path;


     

       

       
293

       
+

       
        # oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-pkey.path;


     

       

       
294

       
+

       
        # sessionSecretFile = config.age.secrets.authelia-session-secret.path;


     

       

       
295

       
+

       
        storageEncryptionKeyFile = config.age.secrets.authelia-storage-enc-key.path;


     

       

       
296

       
+

       
      };


     

       

       
297

       
+

       
      environmentVariables = {


     

       

       
298

       
+

       
        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-ldap-password.path;


     

       

       
299

       
+

       
        AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.authelia-smtp-password.path;


     

       

       
300

       
+

       
      };


     

       

       
301

       
+

       
      settings = {


     

       

       
302

       
+

       
        server.address = "localhost:${toString authelia-port}";


     

       

       
303

       
+

       



     

       

       
304

       
+

       
        storage.local.path = "/var/lib/authelia-main/db.sqlite3";


     

       

       
305

       
+

       



     

       

       
306

       
+

       
        session = {


     

       

       
307

       
+

       
          cookies = [{


     

       

       
308

       
+

       
            domain = "wiro.world";


     

       

       
309

       
+

       
            authelia_url = "https://${authelia-hostname}";


     

       

       
310

       
+

       
            default_redirection_url = "https://wiro.world";


     

       

       
311

       
+

       
          }];


     

       

       
312

       
+

       
        };


     

       

       
313

       
+

       



     

       

       
314

       
+

       
        authentication_backend = {


     

       

       
315

       
+

       
          ldap = {


     

       

       
316

       
+

       
            address = "ldap://localhost:3890";


     

       

       
317

       
+

       
            timeout = "5m"; # replace with systemd dependency


     

       

       
318

       
+

       



     

       

       
319

       
+

       
            base_dn = "dc=wiro,dc=world";


     

       

       
320

       
+

       
            users_filter = "(&({username_attribute}={input})(objectClass=person))";


     

       

       
321

       
+

       
            groups_filter = "(&(member={dn})(objectClass=groupOfNames))";


     

       

       
322

       
+

       



     

       

       
323

       
+

       
            user = "uid=authelia,ou=people,dc=wiro,dc=world";


     

       

       
324

       
+

       
            # Set in `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE`.


     

       

       
325

       
+

       
            # password = "";


     

       

       
326

       
+

       
          };


     

       

       
327

       
+

       
        };


     

       

       
328

       
+

       
        access_control = {


     

       

       
329

       
+

       
          default_policy = "deny";


     

       

       
330

       
+

       
          rules = [


     

       

       
331

       
+

       
            {


     

       

       
332

       
+

       
              domain = "*.wiro.world";


     

       

       
333

       
+

       
              policy = "one_factor";


     

       

       
334

       
+

       
            }


     

       

       
335

       
+

       
          ];


     

       

       
336

       
+

       
        };


     

       

       
337

       
+

       



     

       

       
338

       
+

       
        notifier.smtp = {


     

       

       
339

       
+

       
          address = "smtp://smtp.resend.com:2587";


     

       

       
340

       
+

       
          username = "resend";


     

       

       
341

       
+

       
          # Set in `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE`.


     

       

       
342

       
+

       
          # password = "";


     

       

       
343

       
+

       
          sender = "authelia@wiro.world";


     

       

       
344

       
+

       
        };


     

       

       
345

       
+

       
      };


     

       
270

       
346

       
 

       
    };


     

       
271

       
347

       
 

       



     

       
272

       
348

       
 

       
    # port used is 6567
secrets/authelia-jwt-secret.age

This is a binary file and will not be displayed.

secrets/authelia-ldap-password.age

This is a binary file and will not be displayed.

+9
secrets/authelia-smtp-password.age 
···

       

       
1

       
+

       
age-encryption.org/v1


     

       

       
2

       
+

       
-> ssh-ed25519 sMF1bg 0duJYaUlZd2G3tYi7CuV+c7KNaqWusLoMpoILvaajgc


     

       

       
3

       
+

       
AnAlDVzRdeoXGXvyllhSNCoDQjZ+nucLGHCfPWR8IBQ


     

       

       
4

       
+

       
-> ssh-ed25519 SmMcWg oX82fe4sQmKyjJqv9AFRY6Bww43V/8myNRsN9/M8Sho


     

       

       
5

       
+

       
Et6ycO8hm2XV36X5q7iO+nJCtjkYoq6mDBEssrjt/70


     

       

       
6

       
+

       
-> ssh-ed25519 Q8rMFA /gU1tIVjqExV8NXB1gSDsWIXpVfxm3zPJX7xOAqeqWM


     

       

       
7

       
+

       
szrd67kHWslLO+jMCuDmzYR0LPVVzd7idgl3AKt+USU


     

       

       
8

       
+

       
--- ojxyQVhx4rX+x5gzEEx8KFiorwywqEEyTNWUJY39jIk


     

       

       
9

       
+

       
�������ş*
l��1����=n�Ŏ��(�	�Iamz~B�����������鰦�.�.Z>�',p��
+11
secrets/authelia-storage-enc-key.age 
···

       

       
1

       
+

       
age-encryption.org/v1


     

       

       
2

       
+

       
-> ssh-ed25519 sMF1bg PYC6LaFo/DTQlRMewqbVtS4lzVtKyuFZQSqCrQwwEyg


     

       

       
3

       
+

       
kj0sHy8IpnBsMBQy/XYtj2pLXlk6wprF3MxjFTOiZ6E


     

       

       
4

       
+

       
-> ssh-ed25519 SmMcWg rvlLGzf6D96Dh1lL8as2vjc3PB7G/86U8AR7/lAELT0


     

       

       
5

       
+

       
qcdOqVV6o+5OfJYj5pfZ62hOnrBQwY0DAeIJkLoyYss


     

       

       
6

       
+

       
-> ssh-ed25519 Q8rMFA eALgQVN5OA0EuYYEyEbFnju/Yii71e+xcs98LkXnyyo


     

       

       
7

       
+

       
Rbxu60qvXKdFaJ7lfs7LeYx37TIKYK2Gxw2QcxF3soA


     

       

       
8

       
+

       
--- ryt5q5lXn1Cyn4T6RSU1IR7dHZOTbyanaG6ZqeYYGBQ


     

       

       
9

       
+

       
�G���*	\�ʕ�|���


     

       

       
10

       
+

       
�S�T���z�!
�FIG͍��,��2Q��+�s�76Z�D`��Q�hM�],��E7�2<Q�


     

       

       
11

       
+

       
?ׯ�t��u\���xpe/rrR��L}��S��g�%�:�Oj����{T%h��D�~�+DЫ��W%� �ŗ�r�v$%m$
+4
secrets/secrets.nix 
···

       
21

       
21

       
 

       
  "pds-env.age".publicKeys = deploy;


     

       
22

       
22

       
 

       
  # Defines `LLDAP_JWT_SECRET`, `LLDAP_KEY_SEED`.


     

       
23

       
23

       
 

       
  "lldap-env.age".publicKeys = deploy;


     

       

       
24

       
+

       
  "authelia-jwt-secret.age".publicKeys = deploy;


     

       

       
25

       
+

       
  "authelia-storage-enc-key.age".publicKeys = deploy;


     

       

       
26

       
+

       
  "authelia-ldap-password.age".publicKeys = deploy;


     

       

       
27

       
+

       
  "authelia-smtp-password.age".publicKeys = deploy;


     

       
24

       
28

       
 

       



     

       
25

       
29

       
 

       
  # Not used in config but useful


     

       
26

       
30

       
 

       
  "pgp-ca5e.age".publicKeys = users;