diff --git a/nixos/common.nix b/nixos/common.nix
index 970fc51..edfe5a0 100644
--- a/nixos/common.nix
+++ b/nixos/common.nix
@@ -99,7 +99,10 @@ in
 extraHosts = let
- subdomains = [ "git" ];
+ subdomains = [
+ "git"
+ "auth"
+ ];
 inherit (config.networking) fqdn;
 hosts = [ fqdn ] ++ map (sub: "${sub}.${fqdn}") subdomains;
diff --git a/nixos/modules/authelia.nix b/nixos/modules/authelia.nix
new file mode 100644
index 0000000..2e6d368
--- /dev/null
+++ b/nixos/modules/authelia.nix
@@ -0,0 +1,136 @@
+{ config, ... }:
+let
+ inherit (config.networking) fqdn;
+
+ acmeEnabled = config.acme.enable;
+in
+{
+ services.authelia.instances.main = {
+ enable = true;
+
+ secrets = {
+ jwtSecretFile = builtins.toFile "authelia-jwtSecret" "QWERTYUIOPASDFGHJKLZXCVBNM1234567890abcdefABCDEFGH";
+ storageEncryptionKeyFile = builtins.toFile "authelia-storageEncryptionKeyFile" "supersecretkeyaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
+ sessionSecretFile = builtins.toFile "aauthelia-sessionSecretFile" "supersecretkey";
+ };
+
+ settings = {
+ theme = "dark";
+ default_redirection_url = "https://${fqdn}"; # HAS to be httpS
+
+ server.address = "127.0.0.1:3001";
+
+ log = {
+ level = "debug";
+ format = "text";
+ };
+
+ authentication_backend = {
+ file = {
+ path = "/var/lib/authelia-main/users_database.yml";
+ };
+ };
+
+ access_control = {
+ default_policy = "deny";
+ rules = [
+ {
+ domain = [ "auth.${fqdn}" ];
+ policy = "bypass";
+ }
+ {
+ domain = [ "*.${fqdn}" ];
+ policy = "one_factor";
+ }
+ ];
+ };
+
+ session = {
+ name = "authelia_session";
+ expiration = "12h";
+ inactivity = "45m";
+ remember_me = "1M";
+ domain = "${fqdn}";
+ redis.host = "/run/redis-authelia-main/redis.sock";
+ };
+
+ regulation = {
+ max_retries = 3;
+ find_time = "5m";
+ ban_time = "15m";
+ };
+
+ storage = {
+ local = {
+ path = "/var/lib/authelia-main/db.sqlite3";
+ };
+ };
+
+ notifier = {
+ disable_startup_check = false;
+ filesystem = {
+ filename = "/var/lib/authelia-main/notification.txt";
+ };
+ };
+ };
+ };
+
+ services.redis.servers.authelia-main = {
+ enable = true;
+ user = "authelia-main";
+ port = 0;
+ unixSocket = "/run/redis-authelia-main/redis.sock";
+ unixSocketPerm = 600;
+ };
+
+ # services.openldap = {
+ # enable = true;
+
+ # # enable plain connections only
+ # urlList = [ "ldap:///" ];
+
+ # settings = {
+ # attrs = {
+ # olcLogLevel = "conns config";
+ # };
+
+ # children = {
+ # # "cn=schema".includes = [
+ # # "${pkgs.openldap}/etc/schema/core.ldif"
+ # # "${pkgs.openldap}/etc/schema/cosine.ldif"
+ # # "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+ # # ];
+
+ # "olcDatabase={1}mdb".attrs = {
+ # objectClass = [
+ # "olcDatabaseConfig"
+ # "olcMdbConfig"
+ # ];
+
+ # olcDatabase = "{1}mdb";
+ # olcDbDirectory = "/var/lib/openldap/data";
+
+ # olcSuffix = "dc=example,dc=com";
+
+ # # your admin account, do not use writeText on a production system
+ # olcRootDN = "cn=admin,dc=example,dc=com";
+ # olcRootPW.path = builtins.roFile "olcRootPW" "pass";
+
+ # olcAccess = [
+ # # custom access rules for userPassword attributes
+ # ''
+ # {0}to attrs=userPassword
+ # by self write
+ # by anonymous auth
+ # by * none''
+
+ # # allow read on anything else
+ # ''
+ # {1}to *
+ # by * read''
+ # ];
+ # };
+ # };
+ # };
+ # };
+}
diff --git a/nixos/modules/default.nix b/nixos/modules/default.nix
index 2593ae5..d659bdd 100644
--- a/nixos/modules/default.nix
+++ b/nixos/modules/default.nix
@@ -1,6 +1,7 @@
 {
 imports = [
 ./acme.nix
+ ./authelia.nix
 ./dns.nix
 ./fail2ban.nix
 ./gitea.nix
diff --git a/nixos/modules/nginx.nix b/nixos/modules/nginx.nix
index cbcc4c2..a9ab151 100644
--- a/nixos/modules/nginx.nix
+++ b/nixos/modules/nginx.nix
@@ -60,6 +60,10 @@ in
 "git.${fqdn}" = mkVhost { } {
 "/" = mkProxy config.services.gitea.settings.server.HTTP_PORT;
 };
+
+ "auth.${fqdn}" = mkVhost { } {
+ "/" = mkProxy 3001;
+ };
 };
 };
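Review bot: The three `secrets.*File` values in `services.authelia.instances.main` are built with `builtins.toFile`, which writes the JWT secret, storage encryption key and session secret into the world-readable Nix store (and into this repository), so any local account can read them and they cannot be rotated without a rebuild; `sessionSecretFile`'s `"supersecretkey"` is also far from a randomly generated value. Point each option at a file outside the store that is provisioned out of band and readable only by the service user, e.g. `jwtSecretFile = "/var/lib/authelia-main/jwt_secret";` (constructed path, mode 0600), and do the same for `storageEncryptionKeyFile` and `sessionSecretFile`. Two smaller points in the same hunk: `acmeEnabled` in the `let` block is never used, and `log.level = "debug"` is presumably a bring-up leftover rather than the intended steady-state level for an authentication service. The commented-out `services.openldap` block, which references `builtins.roFile` (not a Nix builtin), should be removed or parked in its own file rather than shipped as dead text.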
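Review bot: `"/" = mkProxy 3001;` in the new `auth.${fqdn}` vhost repeats the port from `services.authelia.instances.main.settings.server.address` as a bare literal, while the `git.${fqdn}` vhost directly above derives its port from `config.services.gitea...`; if the Authelia address changes, this vhost silently breaks. Either derive the value from the Authelia module's configuration the way the gitea line does, or at least tie the two with `"/" = mkProxy 3001; # must match services.authelia.instances.main.settings.server.address`. This hunk only publishes Authelia's portal: nothing in the diff wires any vhost to consult it, so the `one_factor` rule for `*.${fqdn}` in authelia.nix has no effect yet and `git.${fqdn}` remains unprotected by Authelia after this change. Whether `mkVhost { }` enables TLS (Authelia's `default_redirection_url` comment says HTTPS is required) and whether `mkProxy` forwards the original `Host` and `X-Forwarded-*` headers cannot be seen here, since both helpers are defined outside the hunk.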