M .sops.yaml => .sops.yaml +12 -0
@@ 1,9 1,13 @@
keys:
- &liljamo_gpg 848EEBCEE9F0D29D25C321A658577946A65EB712
+ # desktops, laptops
- &arwen age15hcszwfk0d6cu9ua6g4udj9tdq63jm8lja66ktxu0fjfuczczcwsm5kcxn
- &alice age1pqjj62u9u3x658a5u47nf7uf0cfek2ht09ztqamjfl7j8s2xeduqx5cfnn
+ # LXCs
+ - &auth age1wu70y79zuqtk2z5q3t4vvwns2qmerwsy4gn4czf5f4xhch3yquksfwq0q4
- &dns age1m5ktjargxxu04dn9c2uhvaw79z74mxsc4vdrkalxjn4aa8c86plqg0hyyw
- &metrics age1m8u3a7rzyx2n6zjxjnfkla34yk3v77egxzd3lv9umt69lsynlaqqqfpt05
+ # VMs
- &sqbuilds age1wgzza5upq4tcpanmx3p9tg9swltz58ycufcapq9s45wpq8mtvepsr0lnzk
creation_rules:
- path_regex: secrets/arwen/[^/]+\.yaml$
@@ 18,6 22,13 @@ creation_rules:
- *liljamo_gpg
age:
- *alice
+
+ - path_regex: secrets/auth/[^/]+\.yaml$
+ key_groups:
+ - pgp:
+ - *liljamo_gpg
+ age:
+ - *auth
- path_regex: secrets/dns/[^/]+\.yaml$
key_groups:
- pgp:
@@ 30,6 41,7 @@ creation_rules:
- *liljamo_gpg
age:
- *metrics
+
- path_regex: secrets/sqbuilds/[^/]+\.yaml$
key_groups:
- pgp:
A hosts/auth/default.nix => hosts/auth/default.nix +17 -0
@@ 0,0 1,17 @@
+{config, ...}: {
+ sops.secrets.rootPwd.neededForUsers = true;
+ sops.secrets.liljamoPwd.neededForUsers = true;
+
+ roles.base = {
+ root.hashedPasswordFile = config.sops.secrets.rootPwd.path;
+ primaryUser = {
+ username = "liljamo";
+ hashedPasswordFile = config.sops.secrets.liljamoPwd.path;
+ };
+ };
+
+ roles.tailscale = {
+ enable = true;
+ enableSSH = true;
+ };
+}
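Review bot: `sops.secrets.rootPwd` and `sops.secrets.liljamoPwd` are declared without a `sopsFile`, so their lookup depends on `sops.defaultSopsFile` being pointed at `secrets/auth/secrets.yaml` somewhere outside this file (presumably the `roles.base` or LXC profile); a comment such as `# rootPwd/liljamoPwd resolve via the host's sops.defaultSopsFile (secrets/auth/secrets.yaml)` would save the next reader the hunt and make the coupling to that file explicit. `roles.tailscale.enableSSH = true` presumably turns on Tailscale SSH, which authenticates against the tailnet ACL rather than the hashed passwords configured above it; a short comment saying that the two password files only gate console and `sudo` login would make the host's access model clear at a glance. Both `roles.*` modules are defined outside this commit, so their exact semantics are inferred here.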
A secrets/auth/secrets.yaml => secrets/auth/secrets.yaml +51 -0
@@ 0,0 1,51 @@
+rootPwd: ENC[AES256_GCM,data:Vs3tM4HyK1QfvcoPP7ptyJs3XmZUN3F8WBXQgM0ZFZsb5S9+VESx/mL8bp95bsaDLNkGE0kme3sXhzo2JducsL9JNfPql2mD/pnYfne8A3YXm5lKfytw5Rq8vi2aKA7VcHnsh5WkT1n5Qg==,iv:3t848a3V/qi7FpZKPTKCPqbr2LhtoqBunEleVJfIBPc=,tag:k0XqROlLVy914+DKOROSlg==,type:str]
+liljamoPwd: ENC[AES256_GCM,data:JaV7iT6yFnmJvU3ZDajaJEw96BWg5QNf/IVFogWX16E7tmNABnBzvXDZgtxKBl4Ed9A2zeek3nciUzIN7r+ltK4ctp7XZrZ0buI88MEliVAMQeiG1hiHg5Uw5dJliwu+83L0og8plpeiSQ==,iv:6IwUHCWmAyyX759EueOu2kKD6OV5yxuu6+YFlQrf3O0=,tag:LBl8A3++fPmz8RzTNs00xw==,type:str]
+authelia-main:
+ #ENC[AES256_GCM,data:BG5UnHEY02vp0g4FiIpxaGA032UzWDJYiLmSkURil5Q0p1yoh6KAFolbEXDY2SFi8rY+ROqwGW4XZAxdsQ0CQGs=,iv:azzsXHDnFj3xTRBfCxmCBIPksADba36RyafNoW8YJ/s=,tag:JJxqB89WxR4vaTL7GehvKw==,type:comment]
+ storage: ENC[AES256_GCM,data:VJEcroGQMlPMSyT1/aXg4jqogmNsnMxdLT9YGNzBHFIcbkeaGyO7VCBarSZcEeAQqhdvGFHafMMSIqo4ucnRPw==,iv:zxu3EOJh9LUHT1+EId3aQlkTw8NkZ7azgwt+W+Dgd8I=,tag:B3V/ZirT8+LN1ZM2ru8hOA==,type:str]
+ #ENC[AES256_GCM,data:SkBS4neIPB91zO4PdZLv9nFXx1QXlhtRBNvFwF1T5G/1HkmhIXmSb1hEOSvsWV89/I9/c/0IPAcFeAzyWd/S2gqa6GY=,iv:6tuSKN55UtduLhRwcSWuvMG/tnMT5hMM92kgX26CMp0=,tag:6jqbF4/w7upSbyydwu9dng==,type:comment]
+ session: ENC[AES256_GCM,data:dI00ArqaWpCYZC4voNdHWn5QcF8KCet/1fjeSCrRe+dBAW+qBdDks2x29NEp1INALzUrote6TMzgtGsxqwQpqw==,iv:o1aW5UvSCCZiMU8YcIUvA7yi3jlEoH+8Sg5GzbT0bRw=,tag:9BvvD/BSv08M6j2Dr0V+gQ==,type:str]
+ #ENC[AES256_GCM,data:vTSKZNfk9sxTUHmdOP9o+PVKlZCNnyhDT50qbdi1MbZCTJ2CQGWsqHGEWWcNA9o0QejGPayfEBkzHD4d+Fc536/HGGRRgTF6QQ729BUyx25fJRj7eidBTr8+7j7K5A==,iv:XBXE7vtYhqKvOkjCRgSNeist5jfxcIlhRVcB1ZkZxQQ=,tag:epKmJCA/NSjSfr3eC08f8g==,type:comment]
+ oidcIssuer: ENC[AES256_GCM,data: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,iv:U5I3dBYCs7PLmVkYDv8bDfpYKj4bJce/Cks/M9YtgOU=,tag:n09/SjTDZK+sGIzdl+/k3w==,type:str]
+ oidcIssuerPublic: ENC[AES256_GCM,data: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,iv:x3bfaj6XUdcGxAV038kWSGetTprY191IAhIFiWsiRFs=,tag:DN75k09Bg4oWNZK38iRHuA==,type:str]
+ #ENC[AES256_GCM,data:ww+fyk3qsB9E0WG041mOvdEklg7ni3ni00j+386XRFFjTqoOj/TgAyzDIc8mG0NrIreeSBqapRfdbgrR8OkE0SZIhTWOcJXr80rRy159F0qHvImc0yXO,iv:30/9/R+yibWskDVqAuVHhF54p2m4SfcedON9ghO2BSo=,tag:bqKUB6xmIw3uL4KoV59aKw==,type:comment]
+ oidcHmac: ENC[AES256_GCM,data:jaZOF0OPKbNU/g12mMSDozL0V5cEL/+zBPL/eyyUNS+p06PnQiBso07s0734a1ijZSEkeA2oXIHgfdQVNMV34w==,iv:QGsg5qHueWuRqc/LS7bKJJn5hRWV7v10oyOyI+u3Ofs=,tag:uCiYqGsk2W8CKTvEdQF4UA==,type:str]
+ #ENC[AES256_GCM,data:kNC9Ol2md+Ofc/5PfVEY/byabsiNqtMg0NIg8Nifu4xNEBU9fw5MaEAXqKP/KFQoVJMdFGztdKSa9wIKU5gIFC6529LFSUu/qjxJxe6J,iv:ZaEL7X9oYVk9u6fbgMbWFKJ6W/fC+/kMOgIHnWOJwgY=,tag:XHv1OMvfuOJXWfWGaAAP8w==,type:comment]
+ jwt: ENC[AES256_GCM,data:bAqHoEuUEMvMLdSV+T4xsH9S8yfivNZNV5dbSePrG3MFQBYqeE1e9ylIavxgYeNizlc3MF+EyfcWN1lIjhkSrw==,iv:7Chl6sFe7NgztQxd5QT1Imgx+yNA5fHnnxdxM0GB84k=,tag:TZ9xKjwZpqk1RP7qTPdpbQ==,type:str]
+ storagePwd: ENC[AES256_GCM,data:3OX+vh6GL5tuhDDu+b7WAHV3JLiuE3tapULF4z5SD0sIIyQMVIHu5OuJsQ2AuUZOuz43aXDhm0TWEYUGFwhvVQ==,iv:RCTIyK944SD4rX7QSYAX1asjGM4ZY1reV9UX6whCiQo=,tag:3NfRsBZjAel2w4D1tl9NAw==,type:str]
+ users: ENC[AES256_GCM,data:aIJfSlEzvnI0M8eyPc/Ea0fU0C9g+vuBCOIzfpvkE+HPleYfIqVgc2G8/wIA6zDV9714trq5ePLrwl4FNmOSgMS1/2BO/P0VuMYbHDZlMOaug1WUxrrKY2d1OAz7hYLySyZEXT+/3MfS7NkodoAKGv4P23IjLIUDAkKEYjbW/NEltj72fR/NZEuikIK31GMDOfQsqY2Ll28YDtOAWOaCi/fcPu6SB45c+hI0cYc58WcqgA/rBu43VvV/hLP6xcIblMzI60x2Z8BqpJPuuGLx9N35cTGKU99FhFFUcurVOweCkGXxLLG1j1TCJqhRGOSHeQqF2uhi9DU3BHnbyKEfOtl4VNEUALOC/tS2cXcOPyitNRAdyQwHr6MgfOZ50PfdTSs=,iv:mbuKhpUbQPH73bH3Hb7VOkUGhQFtDsCg9vQOcwwv2NI=,tag:mWfoaizmOrbYNqAj8gB4QQ==,type:str]
+ acl: ENC[AES256_GCM,data:9etsF4GCj9OBjDjEDfqQPMiU0NhSsfw6ATnwlFiWFiJcj7T9XDpPuLZ57ycZopbzUHeeDcxiBKN+5ZKSSRsgjomh7EVvodRFGDEP6nPW659PfCAbTW9Nzdiw4iNRKT9e0fcq3q4lZA6WjOj5F5zGAh8yN75hJ5tn4J/wkq81Ie707GWXOSXl/Zq5bBbH/InB0WlnY16tKseld3Xj+DK1XjYy/g/jA3LscQMhz8TT0z2hfERBZBIzRFg3RiuxOgCCVWxadHJDPRxi7O2vAQVEVLuOLI3NnFDy/17ASbgSA6XTIyCUePmTZ/wfdJ1B9puq9VHi03UUhTkXxdfIvSB5HrptH3rFXhlH6HmbwMsQi3fyf16EfBMa8KDY+QeZaLk=,iv:Y+Bs84dDcDDT3RbH/xWTPHgaSq/RcevY5N5LXvfEIqk=,tag:5DGUuhQsoGPhRS22Yd5fRg==,type:str]
+ notifier: ENC[AES256_GCM,data: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,iv:a4CYoYFgqlIw+ZDBP5W1lAbQ+PqRvqCPeQH9qXIeqN4=,tag:BR1b36rd82Tiv8U/hI3QMw==,type:str]
+ oidc: ENC[AES256_GCM,data:YqxIoBwNusb/QuJ2/FCevmlO5Dak82iepLMgd0DlB2tCV2oMH+GhAJZkDF2mLISL1xmq2bFMzwGHWv6lZDBMh1DQw+uxfdUmCxhk6Qwx/fXnextehywEVSEvxeOaK1i/dIrSIc+xG4Y/HCj9eqyEDWHoHLQx5zTsgzzI3Cuf0hF+50fP9PjdD/wVjgN//gR3eGWVxxBZRMO1FwRoNxMNTQSlErvuCCfHacxJzzIkIwlPYOEORWpw59cL7+PRQp2EkFqdKePLzhoC+PlLa3053kghQRhrs0thbmE843x7pQK88CmLJp4+WBuaGV2otSOBi7puqZTfmIQKPyoQkziscrOHozNAEfZg+cCkzFbC2MkyuBCV7tXbiXrZto4fX38iPBknWkWVhkn62eOqyXt97aJV4z/aLLAl666GC9Ve09V19fmrD0QzIsiMghQ4GWEQA0yJ/cFGBgReD4Ixank222YilJFm3yoFMxMRBXnaIvJod1sKygwy5Vhr2ERk1hnkU5hVGJ+2hCuLjQSUb3wRsoWbNXI8MxJpNdmu0m3di+D2wv5fzQGX6ST/qzQSBmxZvdhAO+F2WQmPKgSosy5SmWB8v6K9/AyN4dTC3TG2GCRvAPcZncah+c0sVlpHHTseLKqLYXVK97mSlWRzGmTGoMUtq0q1z87J2e3xB17gU97Uw+mgYs5epMMtAtxSTGdXfgl2SRTnQOO5X/uwjLv8NaP7+FfbFcTLCnwoitAvr60Pm7KGut3qm/qBCB42Jz8pLSin5ZMG7S+bNyuXyM3dpPMr7Lrx8S08gc8anazN9iDXwUwKHNqTHseQnuVQNb4RHhXsdXUGhumZq3Jn3pleRvBh9SIB6MdVLouQ2w0uRAO5Ma36bueUsPiWTOz0Mn90HDBE5JhqH/C39qR0Ty1tDfm+0aPHhoBUTf8ohaFaIVQKuALQ3owYdFsDptWY/yz5SWmFYNXMV1tNDzdfFcjoJZie/lZlNG/NGNV+OmG7++DfCey7CYHlHm02pbA/MnrXnoshHZSuO8vtKgDbh6Ov9+Nl2Etn9o/JLHPAVqfSe3jQzmUSRjiL4KKRi8beCOsMrDvbFBFwvyYqGJdD3zFf2tawFBjkvSCXzw5O+nmbo4OyDiGIkezOwsrjBE5iZzsqh3oeijTAVu03qgsS/c8Mljl3BXVglz7xoDh5vJb74z1zgfbOQHqryuw5Nd6ewzAVC/lKNt0DO2TD9cFV92glcCHAXW/+9VAgVwIpOtTJrhhPQGghHTQf63BYmGcLA/YTPDAysIEfV/guR0dG8SiBBNPgrdOwMPcdQaSVNZsZ6ny15zWgtMWZ4BTDK+sAMQgQgNoxUDS06No5AEQzY1BVqf8/LAjy/mnuPL37VPH6UkDk5mYWvqoscxe7PNOnm+7fOvbDmtEZEXy2OX8qxk6PIwWemEC/JlJPfDZs320HV3ZZ0KH+lFZixvEDPs0ADPn89rS8FLu7ozBkDuFEzqW9qxQE17veq/COA3dmtgIG/O7L7gYEXEDA/Nr92GQRDTUIvU9rIbXMO7AOEJi7dQbPFEmIDJjvcgu3G5iRQVbA4V+3MvRFRtfrQwDJyEtGOkmwfVtfoVIoVenKOdg4nmIR8E7Z5zqj+irD0QMIMKBxp+jLKy6teyiM1/EGNTBBF8hgGPE14vqopT+vE5u3Y+xQoZJ40cuDmbqQuKS0wf7QYZU3IBRo+07E9zrUqvIKKS1VSFWaIisGB1fP1T65aABOrwrj2kIu6d5Mo24w0SxOdKTqN2eXZSVjicZntlALo3ht2WTN5rd4bgpQ,iv:xRM/DtHDNfA3gI5lT8m7ujN+cIq8DLlL4ONWSngVw9U=,tag:IZzf3ophi+Amx44Ov+gvUQ==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1wu70y79zuqtk2z5q3t4vvwns2qmerwsy4gn4czf5f4xhch3yquksfwq0q4
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYRkJ1MndmMzBRYm1PRTFa
+ dG9FZlViT1N5RVZXdFVhNWdQdy8xM3Fjc3hvCmxFdzY1dDN1cXpkV1dYT1ZyV3Vm
+ QTJTaHhkS2lvWXpMd3lNWmIyb1Z4Z2MKLS0tIEZ6S05qQU1SMEExc2ZtcDhBdlFq
+ TXlpbGtKdWdZWnBpNmhUSVBnTUdUa3MKsUaVRhGuwXjGHoEbfA8II6mPUuCAM1SP
+ D3VhdiJF0DgxN6jBpmUQSfVXE4COzfABoq25QRnVcWvxCzYzEoBGAg==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-09-03T16:33:05Z"
+ mac: ENC[AES256_GCM,data:ZAPrmU5zrk7C8J8gHSlorTCInGK6n6zG559WxYbZWM9Qk5swKzsjuEGq9GLeYRHJBX30ObUYVUehzGUzlEzhmIc49MGtAlGKvboSlp5V17TqBw7thqtts2CQuBjk6TivwqsqJ93b5Y5//wuiV6WcxI4yQQdlHtiLBGP+joxviTc=,iv:dTqZYaWSOrKe9j8RSq3xqCQUarivzUBKNEVyY8DQrNY=,tag:SgnZe1JCWtOR54TEWnNYGg==,type:str]
+ pgp:
+ - created_at: "2024-09-03T16:24:42Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hF4D8ab0ENzkR4wSAQdAFwHfkv+5No84kUDwFPQdHX5GR17EoOiiERh6lYUIVlIw
+ mF8BCpm5juKmSQmSWtQ4//zgnszdLKANYUz7cD9qzAbi3Do87lO3glFMaFPTq+LZ
+ 1GgBCQIQJKyFhla8M+aGH3Yt0z03SQa/Ba7e9uCzCiyd4mBYz2Ha7fJmqrfcV+Tc
+ 112hxdn/C51RPyRc0eF9whXIAFoCNvsENMM32vi+BoVDvugBWMqfwhtSJ+OtWsAr
+ upFqsdy6I6ZmDQ==
+ =PNZI
+ -----END PGP MESSAGE-----
+ fp: 848EEBCEE9F0D29D25C321A658577946A65EB712
+ unencrypted_suffix: _unencrypted
+ version: 3.8.1
A systems/hosts/auth/authelia-main.nix => systems/hosts/auth/authelia-main.nix +194 -0
@@ 0,0 1,194 @@
+{config, ...}: let
+ instance = {
+ secrets = "authelia-main";
+ name = "main";
+ user = "authelia-main";
+ group = "authelia-main";
+ port = 3001;
+ redisPath = "/run/redis-authelia-main/redis.sock";
+ psql = {
+ schema = "public";
+ db = "authelia-main";
+ user = "authelia-main";
+ };
+ };
+in {
+ sops.secrets."${instance.secrets}/storage" = {
+ owner = instance.user;
+ group = instance.group;
+ };
+ sops.secrets."${instance.secrets}/session" = {
+ owner = instance.user;
+ group = instance.group;
+ };
+ sops.secrets."${instance.secrets}/oidcIssuer" = {
+ owner = instance.user;
+ group = instance.group;
+ };
+ sops.secrets."${instance.secrets}/oidcIssuerPublic" = {
+ owner = instance.user;
+ group = instance.group;
+ };
+ sops.secrets."${instance.secrets}/oidcHmac" = {
+ owner = instance.user;
+ group = instance.group;
+ };
+ sops.secrets."${instance.secrets}/jwt" = {
+ owner = instance.user;
+ group = instance.group;
+ };
+ sops.secrets."${instance.secrets}/storagePwd" = {
+ owner = instance.user;
+ group = instance.group;
+ };
+ sops.secrets."${instance.secrets}/users" = {
+ owner = instance.user;
+ group = instance.group;
+ };
+ sops.secrets."${instance.secrets}/acl" = {
+ owner = instance.user;
+ group = instance.group;
+ };
+ sops.secrets."${instance.secrets}/notifier" = {
+ owner = instance.user;
+ group = instance.group;
+ };
+ sops.secrets."${instance.secrets}/oidc" = {
+ owner = instance.user;
+ group = instance.group;
+ };
+
+ users.users.${instance.user} = {
+ group = instance.group;
+ isSystemUser = true;
+ };
+ users.groups.${instance.group} = {};
+
+ networking.firewall.allowedTCPPorts = [instance.port];
+
+ services = {
+ redis.servers."authelia-${instance.name}" = {
+ enable = true;
+ user = instance.user;
+ port = 0;
+ unixSocket = instance.redisPath;
+ unixSocketPerm = 600;
+ };
+ postgresql = {
+ ensureDatabases = [instance.psql.db];
+ ensureUsers = [
+ {
+ name = instance.psql.user;
+ ensureDBOwnership = true;
+ }
+ ];
+ };
+ authelia.instances = {
+ ${instance.name} = {
+ enable = true;
+ user = instance.user;
+ group = instance.group;
+ secrets = {
+ storageEncryptionKeyFile = config.sops.secrets."${instance.secrets}/storage".path;
+ sessionSecretFile = config.sops.secrets."${instance.secrets}/session".path;
+ oidcIssuerPrivateKeyFile = config.sops.secrets."${instance.secrets}/oidcIssuer".path;
+ oidcHmacSecretFile = config.sops.secrets."${instance.secrets}/oidcHmac".path;
+ jwtSecretFile = config.sops.secrets."${instance.secrets}/jwt".path;
+ };
+ environmentVariables = {
+ "AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE" = config.sops.secrets."${instance.secrets}/storagePwd".path;
+ };
+ settingsFiles = [
+ # config.sops.secrets."${instance.secrets}/users".path
+ config.sops.secrets."${instance.secrets}/acl".path
+ config.sops.secrets."${instance.secrets}/notifier".path
+ config.sops.secrets."${instance.secrets}/oidc".path
+ ];
+ # https://github.com/authelia/authelia/blob/v4.37.5/config.template.yml
+ settings = {
+ theme = "light";
+ default_2fa_method = "totp";
+ server = {
+ host = "0.0.0.0";
+ port = instance.port;
+ path = "";
+ enable_pprof = false;
+ enable_expvars = false;
+ disable_healthcheck = true;
+ headers.csp_template = "";
+ };
+ log = {
+ level = "info";
+ format = "text"; # json, text
+ };
+ telemetry.metrics.enabled = false;
+ totp = {
+ disable = false;
+ issuer = "liljamo.com";
+ algorithm = "sha512";
+ digits = 8;
+ period = 30;
+ skew = 1;
+ secret_size = 32;
+ };
+ webauthn.disable = true;
+ ntp = {
+ address = "time.cloudflare.com:123";
+ version = 4;
+ max_desync = "3s";
+ disable_startup_check = false;
+ disable_failure = false;
+ };
+ authentication_backend = {
+ password_reset.disable = true;
+ refresh_interval = "5m";
+ file = {
+ path = config.sops.secrets."${instance.secrets}/users".path;
+ watch = false;
+ search = {
+ email = false;
+ case_insensitive = false;
+ };
+ password = {
+ algorithm = "argon2";
+ argon2 = {
+ variant = "argon2id";
+ iterations = 3;
+ memory = 65536;
+ parallelism = 4;
+ key_length = 32;
+ salt_length = 16;
+ };
+ };
+ };
+ };
+ session = {
+ name = "authelia_session";
+ domain = "liljamo.com";
+ same_site = "lax";
+ expiration = "1h";
+ inactivity = "5m";
+ remember_me_duration = "1M";
+ redis = {
+ host = instance.redisPath;
+ };
+ };
+ regulation = {
+ max_retries = 3;
+ find_time = "2m";
+ ban_time = "5m";
+ };
+ storage = {
+ postgres = {
+ host = "127.0.0.1";
+ port = 5432;
+ database = instance.psql.db;
+ schema = instance.psql.schema;
+ username = instance.psql.user;
+ };
+ };
+ };
+ };
+ };
+ };
+}
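Review bot: In the `services.postgresql` block, `ensureUsers` creates the `authelia-main` role without a password, yet Authelia is pointed at `127.0.0.1:5432` with `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE`; NixOS's default loopback `pg_hba` entries require a password the module never sets, so either the role password is provisioned out of band (worth a comment saying where) or the connection fails, and switching `storage.postgres.host` to the local socket directory `/run/postgresql` (peer auth as the `authelia-main` system user, which I believe the Authelia version pinned in the template comment accepts) would remove `storagePwd` from the host entirely. `server.host = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [instance.port]` exposes the plaintext portal on every interface of the LXC; if only a reverse proxy on the tailnet reaches it, `networking.firewall.interfaces.tailscale0.allowedTCPPorts = [instance.port];` is the narrower form. `oidcIssuerPublic` is declared as a sops secret but never referenced in this module, so it is decrypted onto the host for nothing. The eleven identical `sops.secrets` stanzas can be generated from one list of names, which also documents which keys `secrets/auth/secrets.yaml` must contain:
```nix
{config, lib, ...}: let
  # … unchanged: instance attrset …
  # Every key that must exist under `authelia-main` in secrets/auth/secrets.yaml.
  secretNames = ["storage" "session" "oidcIssuer" "oidcIssuerPublic" "oidcHmac" "jwt" "storagePwd" "users" "acl" "notifier" "oidc"];
in {
  # Decrypt each secret readable only by the Authelia service user.
  sops.secrets = lib.genAttrs (map (n: "${instance.secrets}/${n}") secretNames) (_: {
    owner = instance.user;
    group = instance.group;
  });
  # … unchanged: users, networking.firewall, services …
```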
A systems/hosts/auth/default.nix => systems/hosts/auth/default.nix +13 -0
@@ 0,0 1,13 @@
+{pkgs, ...}: {
+ imports = [
+ ./authelia-main.nix
+ ./webfinger.nix
+ ];
+
+ services.postgresql = {
+ package = pkgs.postgresql_14;
+ enable = true;
+ enableTCPIP = true;
+ };
+ system.stateVersion = "23.05";
+}
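Review bot: `enableTCPIP = true` in `services.postgresql` switches `listen_addresses` from `localhost` to `*`, but the only client this commit configures is Authelia on `127.0.0.1`, which the default already serves; dropping the line keeps Postgres off the LXC's external interfaces regardless of firewall state (5432 is not in `allowedTCPPorts`, but that is one misconfiguration away). If a remote client is intended, a comment naming it would justify keeping the option, and `services.postgresql.authentication` should then restrict the allowed source addresses rather than relying on the firewall alone.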
A systems/hosts/auth/webfinger.nix => systems/hosts/auth/webfinger.nix +22 -0
@@ 0,0 1,22 @@
+{...}: {
+ networking.firewall.allowedTCPPorts = [80];
+
+ services.nginx = {
+ enable = true;
+ virtualHosts."liljamo.com" = {
+ default = true;
+ locations."/.well-known/webfinger" = {
+ # https://www.authelia.com/integration/openid-connect/tailscale/
+ extraConfig = ''
+ set $jlres '{"subject": "acct:jonni@liljamo.com", "links": [{"rel": "http://openid.net/specs/connect/1.0/issuer", "href": "https://auth.liljamo.com"}]}';
+ if ($request_uri ~ 'resource=acct:jonni@liljamo.com') {
+ return 200 $jlres;
+ }
+ if ($request_uri ~ 'resource=acct%3Ajonni%40liljamo.com') {
+ return 200 $jlres;
+ }
+ '';
+ };
+ };
+ };
+}
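Review bot: `return 200 $jlres` sends the JRD document with nginx's configured `default_type` rather than `application/jrd+json`, which RFC 7033 specifies and some clients check; add `default_type application/jrd+json;` at the top of `extraConfig`. The two `$request_uri` regexes are unanchored and leave `.` unescaped, so a resource such as `acct:jonni@liljamo.com.example` also matches — anchoring them (`'resource=acct:jonni@liljamo\.com($|&)'` and the percent-encoded twin) closes that, and a trailing `return 404;` after the two `if` blocks makes the unmatched case explicit instead of falling through to the vhost root. The vhost only listens on port 80; if TLS is terminated in front of this host that is fine, but the Tailscale integration linked in the comment expects the WebFinger endpoint over HTTPS, which is worth noting beside that link.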
M systems/hosts/default.nix => systems/hosts/default.nix +5 -0
@@ 17,6 17,11 @@
};
# LXCs
+ auth = {
+ system = "x86_64-linux";
+ profile = lxc;
+ modules = [];
+ };
dns = {
system = "x86_64-linux";
profile = lxc;