From 434e11da5082caeeab390e7f7eee6fe58fba3ee1 Mon Sep 17 00:00:00 2001 From: Jonni Liljamo Date: Wed, 4 Sep 2024 20:03:35 +0300 Subject: [PATCH] feat: add auth --- .sops.yaml | 12 ++ hosts/auth/default.nix | 17 +++ secrets/auth/secrets.yaml | 51 +++++++ systems/hosts/auth/authelia-main.nix | 194 +++++++++++++++++++++++++++ systems/hosts/auth/default.nix | 13 ++ systems/hosts/auth/webfinger.nix | 22 +++ systems/hosts/default.nix | 5 + 7 files changed, 314 insertions(+) create mode 100644 hosts/auth/default.nix create mode 100644 secrets/auth/secrets.yaml create mode 100644 systems/hosts/auth/authelia-main.nix create mode 100644 systems/hosts/auth/default.nix create mode 100644 systems/hosts/auth/webfinger.nix diff --git a/.sops.yaml b/.sops.yaml index 0705802..9a31b20 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -1,9 +1,13 @@ keys: - &liljamo_gpg 848EEBCEE9F0D29D25C321A658577946A65EB712 + # desktops, laptops - &arwen age15hcszwfk0d6cu9ua6g4udj9tdq63jm8lja66ktxu0fjfuczczcwsm5kcxn - &alice age1pqjj62u9u3x658a5u47nf7uf0cfek2ht09ztqamjfl7j8s2xeduqx5cfnn + # LXCs + - &auth age1wu70y79zuqtk2z5q3t4vvwns2qmerwsy4gn4czf5f4xhch3yquksfwq0q4 - &dns age1m5ktjargxxu04dn9c2uhvaw79z74mxsc4vdrkalxjn4aa8c86plqg0hyyw - &metrics age1m8u3a7rzyx2n6zjxjnfkla34yk3v77egxzd3lv9umt69lsynlaqqqfpt05 + # VMs - &sqbuilds age1wgzza5upq4tcpanmx3p9tg9swltz58ycufcapq9s45wpq8mtvepsr0lnzk creation_rules: - path_regex: secrets/arwen/[^/]+\.yaml$ @@ -18,6 +22,13 @@ creation_rules: - *liljamo_gpg age: - *alice + + - path_regex: secrets/auth/[^/]+\.yaml$ + key_groups: + - pgp: + - *liljamo_gpg + age: + - *auth - path_regex: secrets/dns/[^/]+\.yaml$ key_groups: - pgp: @@ -30,6 +41,7 @@ creation_rules: - *liljamo_gpg age: - *metrics + - path_regex: secrets/sqbuilds/[^/]+\.yaml$ key_groups: - pgp: diff --git a/hosts/auth/default.nix b/hosts/auth/default.nix new file mode 100644 index 0000000..d840393 --- /dev/null +++ b/hosts/auth/default.nix 
@@ -0,0 +1,17 @@ +{config, ...}: { + sops.secrets.rootPwd.neededForUsers = true; + sops.secrets.liljamoPwd.neededForUsers = true; + + roles.base = { + root.hashedPasswordFile = config.sops.secrets.rootPwd.path; + primaryUser = { + username = "liljamo"; + hashedPasswordFile = config.sops.secrets.liljamoPwd.path; + }; + }; + + roles.tailscale = { + enable = true; + enableSSH = true; + }; +} diff --git a/secrets/auth/secrets.yaml b/secrets/auth/secrets.yaml new file mode 100644 index 0000000..33f961e --- /dev/null +++ b/secrets/auth/secrets.yaml 
@@ -0,0 +1,51 @@ +rootPwd: ENC[AES256_GCM,data:Vs3tM4HyK1QfvcoPP7ptyJs3XmZUN3F8WBXQgM0ZFZsb5S9+VESx/mL8bp95bsaDLNkGE0kme3sXhzo2JducsL9JNfPql2mD/pnYfne8A3YXm5lKfytw5Rq8vi2aKA7VcHnsh5WkT1n5Qg==,iv:3t848a3V/qi7FpZKPTKCPqbr2LhtoqBunEleVJfIBPc=,tag:k0XqROlLVy914+DKOROSlg==,type:str] +liljamoPwd: ENC[AES256_GCM,data:JaV7iT6yFnmJvU3ZDajaJEw96BWg5QNf/IVFogWX16E7tmNABnBzvXDZgtxKBl4Ed9A2zeek3nciUzIN7r+ltK4ctp7XZrZ0buI88MEliVAMQeiG1hiHg5Uw5dJliwu+83L0og8plpeiSQ==,iv:6IwUHCWmAyyX759EueOu2kKD6OV5yxuu6+YFlQrf3O0=,tag:LBl8A3++fPmz8RzTNs00xw==,type:str] +authelia-main: + #ENC[AES256_GCM,data:BG5UnHEY02vp0g4FiIpxaGA032UzWDJYiLmSkURil5Q0p1yoh6KAFolbEXDY2SFi8rY+ROqwGW4XZAxdsQ0CQGs=,iv:azzsXHDnFj3xTRBfCxmCBIPksADba36RyafNoW8YJ/s=,tag:JJxqB89WxR4vaTL7GehvKw==,type:comment] + storage: ENC[AES256_GCM,data:VJEcroGQMlPMSyT1/aXg4jqogmNsnMxdLT9YGNzBHFIcbkeaGyO7VCBarSZcEeAQqhdvGFHafMMSIqo4ucnRPw==,iv:zxu3EOJh9LUHT1+EId3aQlkTw8NkZ7azgwt+W+Dgd8I=,tag:B3V/ZirT8+LN1ZM2ru8hOA==,type:str] + #ENC[AES256_GCM,data:SkBS4neIPB91zO4PdZLv9nFXx1QXlhtRBNvFwF1T5G/1HkmhIXmSb1hEOSvsWV89/I9/c/0IPAcFeAzyWd/S2gqa6GY=,iv:6tuSKN55UtduLhRwcSWuvMG/tnMT5hMM92kgX26CMp0=,tag:6jqbF4/w7upSbyydwu9dng==,type:comment] + session: ENC[AES256_GCM,data:dI00ArqaWpCYZC4voNdHWn5QcF8KCet/1fjeSCrRe+dBAW+qBdDks2x29NEp1INALzUrote6TMzgtGsxqwQpqw==,iv:o1aW5UvSCCZiMU8YcIUvA7yi3jlEoH+8Sg5GzbT0bRw=,tag:9BvvD/BSv08M6j2Dr0V+gQ==,type:str] + #ENC[AES256_GCM,data:vTSKZNfk9sxTUHmdOP9o+PVKlZCNnyhDT50qbdi1MbZCTJ2CQGWsqHGEWWcNA9o0QejGPayfEBkzHD4d+Fc536/HGGRRgTF6QQ729BUyx25fJRj7eidBTr8+7j7K5A==,iv:XBXE7vtYhqKvOkjCRgSNeist5jfxcIlhRVcB1ZkZxQQ=,tag:epKmJCA/NSjSfr3eC08f8g==,type:comment] + oidcIssuer: 
ENC[AES256_GCM,data:ga9l3DQSnxfdY/30VAtgoo3VkZu1d5Aa9hdcSRcObiBsawiHLOTI74YgCYLfrbApW8vI0MB9Ycb4qljSWFJVm+GnOhBJoOCoEpBBP+6nA4CGRZhwuqJS0PeZiTqcja2iCJTb+tOaaicmJF+Dik/wPb+gTnPbuDcKWtUMj9txWUKF66hSiplaY0jAVRcTs3mVw6M/FYKLv+CKnHgJ1jvNfxn2eqhaK4x6MKwBqRY7WGPNCoEuIF7pbQVq9TTVmMnF8mVfs7QXHHiFjm6s8MGCNJLkFaYpxilAUEE/mJ04ENlLhMyNrYJIK0Y7hjagvZ6hV42J2CP/g5bIpdqjK9dYC/Dgknp6okr6yApy7qWDKHFK2D1enTp+uFiiHfEFkiZpOe5fgrI955jMrXBG4ukd7NLCbNlRoxusOWVETCSCmcpUHlqgNSYqwXsJmJBGreFh2Fy/FoBPl2ild0X3iEjO4826xDOflBWzNKw9brImy0LjYDs8K9Zfku2ZH+78CIz7MD77c6fXxZT7aN/mNKyxc7w3F8OF/LXEzglOWvkIKraiP9c32bgtafL/mWyzhsq5NPnssZzTEGV7d4ob3bNZkP30X0369nE8V9swa0uVHQOB9mqiBJ6YAr8Gg+VSgd57qVZSyfszHzxduzbe2RdxjO4FtSi+h9xgYcyh8U5gywv/PtKcBOfaXAEWmwcbL8P2cemJloUgRit61H+0dif6DrTbs41Ar6VsFLMlwVjrJEVR7E0uYoxja5Qp7ajcCtxy/DQZ5RCZfEyPxUTuK9LJp4mFZcoqP2zdCG9o6DIbQWP3HjcmvEyVyfwwETGDxJof4OeComZtCbRgw98ngy5Z4cKRUPEac6stJbvHhnbFnSIT+i4CqqCJ+BKrZLLa9hujbpW8T89PRG05+G0EOw5BRIydZf0bASZiG1c8glaBgI2dClpcfYuaStDfwYh73X21i0H5Yfe7nN6jeFjTG3HAq+rJnbBVqwTv6CGA2sCkAMY01qaawMMeJYtLX4+CHIABaNxlx8uACPdebUj1czfYAaZlj1zhUtGsmmBuCiCFXvUHu30LBut7hd+IuTyGmJHt9NmIS4EtpF0bPwf18Q5ZpfdfQ8vkZ0uMEEwadcwU44P5wGibr6cTPiBzWMqunYETTh+HiIzELSaowJ4jkdPWyCoS+VoM4Q6++cv2FAiVrKTdhDns4HIuF3c+VDnL8n++xeoSxbFmey32sqQwKH9Gl1E6YffROOMk8Qbkl2vv5IOo8ES/BbTOrkwQPJyu/8aJkVnsk2U51Hb8JkAPAi2jXegNWpgtNt9W/euWlmv7nj+32L2euzqJ339MwfJ1FmtKK37tU7Fx62kLRjAZjFs7/6DdwAo+SBIzPDPGdgN0bblhcDXk8yFY7Xw8exOTrGugZoMZoWtazvWGpqXh361liTnmJ8MKdkOgedyOWDe1J8U04dq7jUs1nDEL28HoREIe2rhRFzSTFK9vl8Jc0K6jGPg3IpsSC2mLvZMTGmiXqHvlYxM8qncxVxVg4LZnVn1QW+MnXY9HrRUO7cHyvkvMMfxKDf7kDIvsbzKABw3+KQAa2Qbzvf1Byo3+66MDy952Vmt32pr1g+Hw3TqUIjvR9fvbaTr726GnD2G4nqtYRMJms+PwlRxNOHUR6026Kr5MEskIxijFSzKrk4s6DJX/bICI8cuH+5W5ArKtt0X6CgFnXwQ6dgq+MMptYZqYJl1E9Ias2ELH/5uC8ztm8iS07De65Z7Feyc7hnMF0GTHmg7J59kkLtU+CiqmOt1g1WZe4Sx0ZPc/DfFv55d9aoT0P4eKaIcR8aDc95j8UkTz0wo28qn4ZIjnGWHPJZtnX/4rhfFLQHJZogGpVbW5y0N/PMj8kG4lwDWIEgN0zF8FI/Dp0RfUGdTqDMDevQT3zeTNNCdhn5EgQZuEmqUyraZ0F2EWyTj8EFU8LuWrpnu9SCiMw7gtWDI+gqseWhHB
ic39etI0D3yhcO5mXGHn3axsZLFMU5rW7AOtQ1RBUADV1LbJD5A3wEDNxc3WuCx3mpSpljrZ+mAqCOSeRiiwak0jCEem0cKnjLxtbY1UWfnAR20+Gd0Hj+sx/g/HJcHjdgCf0bYPHJHlvdUDkoeeNIVhifGvmKvmnmX8IQM3QVQsDJUDmsxWvGw/iLHDpuqekVD9VDWLt8w/+ezveHN9vSSrNbtevHgVKGiEoLns7HBT8yde8N8OnV0AasR3/JIlr8Q=,iv:U5I3dBYCs7PLmVkYDv8bDfpYKj4bJce/Cks/M9YtgOU=,tag:n09/SjTDZK+sGIzdl+/k3w==,type:str] + oidcIssuerPublic: ENC[AES256_GCM,data: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,iv:x3bfaj6XUdcGxAV038kWSGetTprY191IAhIFiWsiRFs=,tag:DN75k09Bg4oWNZK38iRHuA==,type:str] + #ENC[AES256_GCM,data:ww+fyk3qsB9E0WG041mOvdEklg7ni3ni00j+386XRFFjTqoOj/TgAyzDIc8mG0NrIreeSBqapRfdbgrR8OkE0SZIhTWOcJXr80rRy159F0qHvImc0yXO,iv:30/9/R+yibWskDVqAuVHhF54p2m4SfcedON9ghO2BSo=,tag:bqKUB6xmIw3uL4KoV59aKw==,type:comment] + oidcHmac: ENC[AES256_GCM,data:jaZOF0OPKbNU/g12mMSDozL0V5cEL/+zBPL/eyyUNS+p06PnQiBso07s0734a1ijZSEkeA2oXIHgfdQVNMV34w==,iv:QGsg5qHueWuRqc/LS7bKJJn5hRWV7v10oyOyI+u3Ofs=,tag:uCiYqGsk2W8CKTvEdQF4UA==,type:str] + #ENC[AES256_GCM,data:kNC9Ol2md+Ofc/5PfVEY/byabsiNqtMg0NIg8Nifu4xNEBU9fw5MaEAXqKP/KFQoVJMdFGztdKSa9wIKU5gIFC6529LFSUu/qjxJxe6J,iv:ZaEL7X9oYVk9u6fbgMbWFKJ6W/fC+/kMOgIHnWOJwgY=,tag:XHv1OMvfuOJXWfWGaAAP8w==,type:comment] + jwt: ENC[AES256_GCM,data:bAqHoEuUEMvMLdSV+T4xsH9S8yfivNZNV5dbSePrG3MFQBYqeE1e9ylIavxgYeNizlc3MF+EyfcWN1lIjhkSrw==,iv:7Chl6sFe7NgztQxd5QT1Imgx+yNA5fHnnxdxM0GB84k=,tag:TZ9xKjwZpqk1RP7qTPdpbQ==,type:str] + storagePwd: ENC[AES256_GCM,data:3OX+vh6GL5tuhDDu+b7WAHV3JLiuE3tapULF4z5SD0sIIyQMVIHu5OuJsQ2AuUZOuz43aXDhm0TWEYUGFwhvVQ==,iv:RCTIyK944SD4rX7QSYAX1asjGM4ZY1reV9UX6whCiQo=,tag:3NfRsBZjAel2w4D1tl9NAw==,type:str] + users: 
ENC[AES256_GCM,data:aIJfSlEzvnI0M8eyPc/Ea0fU0C9g+vuBCOIzfpvkE+HPleYfIqVgc2G8/wIA6zDV9714trq5ePLrwl4FNmOSgMS1/2BO/P0VuMYbHDZlMOaug1WUxrrKY2d1OAz7hYLySyZEXT+/3MfS7NkodoAKGv4P23IjLIUDAkKEYjbW/NEltj72fR/NZEuikIK31GMDOfQsqY2Ll28YDtOAWOaCi/fcPu6SB45c+hI0cYc58WcqgA/rBu43VvV/hLP6xcIblMzI60x2Z8BqpJPuuGLx9N35cTGKU99FhFFUcurVOweCkGXxLLG1j1TCJqhRGOSHeQqF2uhi9DU3BHnbyKEfOtl4VNEUALOC/tS2cXcOPyitNRAdyQwHr6MgfOZ50PfdTSs=,iv:mbuKhpUbQPH73bH3Hb7VOkUGhQFtDsCg9vQOcwwv2NI=,tag:mWfoaizmOrbYNqAj8gB4QQ==,type:str] + acl: ENC[AES256_GCM,data:9etsF4GCj9OBjDjEDfqQPMiU0NhSsfw6ATnwlFiWFiJcj7T9XDpPuLZ57ycZopbzUHeeDcxiBKN+5ZKSSRsgjomh7EVvodRFGDEP6nPW659PfCAbTW9Nzdiw4iNRKT9e0fcq3q4lZA6WjOj5F5zGAh8yN75hJ5tn4J/wkq81Ie707GWXOSXl/Zq5bBbH/InB0WlnY16tKseld3Xj+DK1XjYy/g/jA3LscQMhz8TT0z2hfERBZBIzRFg3RiuxOgCCVWxadHJDPRxi7O2vAQVEVLuOLI3NnFDy/17ASbgSA6XTIyCUePmTZ/wfdJ1B9puq9VHi03UUhTkXxdfIvSB5HrptH3rFXhlH6HmbwMsQi3fyf16EfBMa8KDY+QeZaLk=,iv:Y+Bs84dDcDDT3RbH/xWTPHgaSq/RcevY5N5LXvfEIqk=,tag:5DGUuhQsoGPhRS22Yd5fRg==,type:str] + notifier: ENC[AES256_GCM,data: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,iv:a4CYoYFgqlIw+ZDBP5W1lAbQ+PqRvqCPeQH9qXIeqN4=,tag:BR1b36rd82Tiv8U/hI3QMw==,type:str] + oidc: ENC[AES256_GCM,data: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,iv:xRM/DtHDNfA3gI5lT8m7ujN+cIq8DLlL4ONWSngVw9U=,tag:IZzf3ophi+Amx44Ov+gvUQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1wu70y79zuqtk2z5q3t4vvwns2qmerwsy4gn4czf5f4xhch3yquksfwq0q4 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYRkJ1MndmMzBRYm1PRTFa + dG9FZlViT1N5RVZXdFVhNWdQdy8xM3Fjc3hvCmxFdzY1dDN1cXpkV1dYT1ZyV3Vm + QTJTaHhkS2lvWXpMd3lNWmIyb1Z4Z2MKLS0tIEZ6S05qQU1SMEExc2ZtcDhBdlFq + TXlpbGtKdWdZWnBpNmhUSVBnTUdUa3MKsUaVRhGuwXjGHoEbfA8II6mPUuCAM1SP + D3VhdiJF0DgxN6jBpmUQSfVXE4COzfABoq25QRnVcWvxCzYzEoBGAg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-09-03T16:33:05Z" + mac: 
ENC[AES256_GCM,data:ZAPrmU5zrk7C8J8gHSlorTCInGK6n6zG559WxYbZWM9Qk5swKzsjuEGq9GLeYRHJBX30ObUYVUehzGUzlEzhmIc49MGtAlGKvboSlp5V17TqBw7thqtts2CQuBjk6TivwqsqJ93b5Y5//wuiV6WcxI4yQQdlHtiLBGP+joxviTc=,iv:dTqZYaWSOrKe9j8RSq3xqCQUarivzUBKNEVyY8DQrNY=,tag:SgnZe1JCWtOR54TEWnNYGg==,type:str] + pgp: + - created_at: "2024-09-03T16:24:42Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hF4D8ab0ENzkR4wSAQdAFwHfkv+5No84kUDwFPQdHX5GR17EoOiiERh6lYUIVlIw + mF8BCpm5juKmSQmSWtQ4//zgnszdLKANYUz7cD9qzAbi3Do87lO3glFMaFPTq+LZ + 1GgBCQIQJKyFhla8M+aGH3Yt0z03SQa/Ba7e9uCzCiyd4mBYz2Ha7fJmqrfcV+Tc + 112hxdn/C51RPyRc0eF9whXIAFoCNvsENMM32vi+BoVDvugBWMqfwhtSJ+OtWsAr + upFqsdy6I6ZmDQ== + =PNZI + -----END PGP MESSAGE----- + fp: 848EEBCEE9F0D29D25C321A658577946A65EB712 + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/systems/hosts/auth/authelia-main.nix b/systems/hosts/auth/authelia-main.nix new file mode 100644 index 0000000..72030d6 --- /dev/null +++ b/systems/hosts/auth/authelia-main.nix 
@@ -0,0 +1,194 @@ +{config, ...}: let + instance = { + secrets = "authelia-main"; + name = "main"; + user = "authelia-main"; + group = "authelia-main"; + port = 3001; + redisPath = "/run/redis-authelia-main/redis.sock"; + psql = { + schema = "public"; + db = "authelia-main"; + user = "authelia-main"; + }; + }; +in { + sops.secrets."${instance.secrets}/storage" = { + owner = instance.user; + group = instance.group; + }; + sops.secrets."${instance.secrets}/session" = { + owner = instance.user; + group = instance.group; + }; + sops.secrets."${instance.secrets}/oidcIssuer" = { + owner = instance.user; + group = instance.group; + }; + sops.secrets."${instance.secrets}/oidcIssuerPublic" = { + owner = instance.user; + group = instance.group; + }; + sops.secrets."${instance.secrets}/oidcHmac" = { + owner = instance.user; + group = instance.group; + }; + sops.secrets."${instance.secrets}/jwt" = { + owner = instance.user; + group = instance.group; + }; + sops.secrets."${instance.secrets}/storagePwd" = { + owner = instance.user; + group = instance.group; + }; + sops.secrets."${instance.secrets}/users" = { + owner = instance.user; + group = instance.group; + }; + sops.secrets."${instance.secrets}/acl" = { + owner = instance.user; + group = instance.group; + }; + sops.secrets."${instance.secrets}/notifier" = { + owner = instance.user; + group = instance.group; + }; + sops.secrets."${instance.secrets}/oidc" = { + owner = instance.user; + group = instance.group; + }; + + users.users.${instance.user} = { + group = instance.group; + isSystemUser = true; + }; + users.groups.${instance.group} = {}; + + networking.firewall.allowedTCPPorts = [instance.port]; + + services = { + redis.servers."authelia-${instance.name}" = { + enable = true; + user = instance.user; + port = 0; + unixSocket = instance.redisPath; + unixSocketPerm = 600; + }; + postgresql = { + ensureDatabases = [instance.psql.db]; + ensureUsers = [ + { + name = instance.psql.user; + ensureDBOwnership = true; + } + ]; + }; + 
authelia.instances = { + ${instance.name} = { + enable = true; + user = instance.user; + group = instance.group; + secrets = { + storageEncryptionKeyFile = config.sops.secrets."${instance.secrets}/storage".path; + sessionSecretFile = config.sops.secrets."${instance.secrets}/session".path; + oidcIssuerPrivateKeyFile = config.sops.secrets."${instance.secrets}/oidcIssuer".path; + oidcHmacSecretFile = config.sops.secrets."${instance.secrets}/oidcHmac".path; + jwtSecretFile = config.sops.secrets."${instance.secrets}/jwt".path; + }; + environmentVariables = { + "AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE" = config.sops.secrets."${instance.secrets}/storagePwd".path; + }; + settingsFiles = [ + # config.sops.secrets."${instance.secrets}/users".path + config.sops.secrets."${instance.secrets}/acl".path + config.sops.secrets."${instance.secrets}/notifier".path + config.sops.secrets."${instance.secrets}/oidc".path + ]; + # https://github.com/authelia/authelia/blob/v4.37.5/config.template.yml + settings = { + theme = "light"; + default_2fa_method = "totp"; + server = { + host = "0.0.0.0"; + port = instance.port; + path = ""; + enable_pprof = false; + enable_expvars = false; + disable_healthcheck = true; + headers.csp_template = ""; + }; + log = { + level = "info"; + format = "text"; # json, text + }; + telemetry.metrics.enabled = false; + totp = { + disable = false; + issuer = "liljamo.com"; + algorithm = "sha512"; + digits = 8; + period = 30; + skew = 1; + secret_size = 32; + }; + webauthn.disable = true; + ntp = { + address = "time.cloudflare.com:123"; + version = 4; + max_desync = "3s"; + disable_startup_check = false; + disable_failure = false; + }; + authentication_backend = { + password_reset.disable = true; + refresh_interval = "5m"; + file = { + path = config.sops.secrets."${instance.secrets}/users".path; + watch = false; + search = { + email = false; + case_insensitive = false; + }; + password = { + algorithm = "argon2"; + argon2 = { + variant = "argon2id"; + iterations = 
3; + memory = 65536; + parallelism = 4; + key_length = 32; + salt_length = 16; + }; + }; + }; + }; + session = { + name = "authelia_session"; + domain = "liljamo.com"; + same_site = "lax"; + expiration = "1h"; + inactivity = "5m"; + remember_me_duration = "1M"; + redis = { + host = instance.redisPath; + }; + }; + regulation = { + max_retries = 3; + find_time = "2m"; + ban_time = "5m"; + }; + storage = { + postgres = { + host = "127.0.0.1"; + port = 5432; + database = instance.psql.db; + schema = instance.psql.schema; + username = instance.psql.user; + }; + }; + }; + }; + }; + }; +} diff --git a/systems/hosts/auth/default.nix b/systems/hosts/auth/default.nix new file mode 100644 index 0000000..591b324 --- /dev/null +++ b/systems/hosts/auth/default.nix @@ -0,0 +1,13 @@ +{pkgs, ...}: { + imports = [ + ./authelia-main.nix + ./webfinger.nix + ]; + + services.postgresql = { + package = pkgs.postgresql_14; + enable = true; + enableTCPIP = true; + }; + system.stateVersion = "23.05"; +} diff --git a/systems/hosts/auth/webfinger.nix b/systems/hosts/auth/webfinger.nix new file mode 100644 index 0000000..2cb713d --- /dev/null +++ b/systems/hosts/auth/webfinger.nix @@ -0,0 +1,22 @@ +{...}: { + networking.firewall.allowedTCPPorts = [80]; + + services.nginx = { + enable = true; + virtualHosts."liljamo.com" = { + default = true; + locations."/.well-known/webfinger" = { + # https://www.authelia.com/integration/openid-connect/tailscale/ + extraConfig = '' + set $jlres '{"subject": "acct:jonni@liljamo.com", "links": [{"rel": "http://openid.net/specs/connect/1.0/issuer", "href": "https://auth.liljamo.com"}]}'; + if ($request_uri ~ 'resource=acct:jonni@liljamo.com') { + return 200 $jlres; + } + if ($request_uri ~ 'resource=acct%3Ajonni%40liljamo.com') { + return 200 $jlres; + } + ''; + }; + }; + }; +} diff --git a/systems/hosts/default.nix b/systems/hosts/default.nix index 4aa0c96..b767fa6 100644 --- a/systems/hosts/default.nix +++ b/systems/hosts/default.nix 
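Review bot: `server.host = "0.0.0.0"` together with `networking.firewall.allowedTCPPorts = [instance.port];` publishes the plain-HTTP Authelia listener on every interface of this LXC rather than only to whatever terminates TLS in front of it; if the reverse proxy reaches it over loopback or Tailscale, bind to that address (`host = "127.0.0.1";` or the tailscale interface address) and drop the firewall entry so session cookies never travel an unencrypted public path. The `ensureUsers` entry creates the Postgres role without a password while `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE` expects one to match, so unless another module sets it the value in `storagePwd` has to be applied out of band, which deserves a comment such as `# role password is set manually to the value in storagePwd; ensureUsers does not set one`. `sops.secrets."${instance.secrets}/oidcIssuerPublic"` is declared but nothing in this file reads its path, so it is decrypted onto the host with no consumer unless the encrypted `oidc` settings file refers to it — confirm, and otherwise remove it. The eleven identical `sops.secrets` attribute sets could be generated from a single name list with `lib.genAttrs`, which also makes the set of files decrypted for the service user auditable at a glance, as below.
```nix
{config, lib, ...}: let
  instance = {
    # … unchanged: instance attributes …
  };
  # every key under instance.secrets that is decrypted for the Authelia service user;
  # oidcIssuerPublic is not referenced by this module — confirm the encrypted oidc
  # settings file needs it, otherwise drop it from this list
  secretNames = ["storage" "session" "oidcIssuer" "oidcIssuerPublic" "oidcHmac" "jwt" "storagePwd" "users" "acl" "notifier" "oidc"];
in {
  sops.secrets = lib.genAttrs (map (n: "${instance.secrets}/${n}") secretNames) (_: {
    owner = instance.user;
    group = instance.group;
  });
  # … unchanged: users, groups, firewall, services …
}
```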
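Review bot: `enableTCPIP = true;` makes PostgreSQL listen on all interfaces, but the only client configured in this commit (authelia-main.nix) connects to `127.0.0.1`, which NixOS already allows with the option left at its default; drop the line so the database is reachable only via its Unix socket and loopback. The firewall does not open 5432 in this hunk, so this is surface reduction rather than a present exposure. A short comment on the `pkgs.postgresql_14` pin (why 14, and that a major-version bump needs a dump/restore) would help the next maintainer.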
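Review bot: A request for any resource other than the two matched forms falls through to the virtual host's default handler instead of the 404 that RFC 7033 prescribes for an unknown resource, and the successful response carries no WebFinger media type; add `default_type application/jrd+json;` at the top of `extraConfig` and `return 404;` after the two `if` blocks. The regexes are applied unanchored to `$request_uri` with an unescaped `.`, so any URI containing that substring matches, including unrelated paths or a longer address such as `acct:jonni@liljamo.community`; matching the raw query value with an anchored pattern, `if ($arg_resource ~ "^acct(:|%3A)jonni(@|%40)liljamo\.com$")`, tightens this and collapses the two branches into one. RFC 7033 also requires WebFinger to be served over HTTPS, and this hunk only opens port 80 with no TLS configuration; if TLS is terminated upstream of this LXC that is fine, otherwise clients resolving the issuer will fetch it over plain HTTP.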
@@ -17,6 +17,11 @@ }; # LXCs + auth = { + system = "x86_64-linux"; + profile = lxc; + modules = []; + }; dns = { system = "x86_64-linux"; profile = lxc; -- 2.44.1