moved mail

This commit is contained in:
plasmagoat 2025-07-17 00:35:44 +02:00
parent c46903e3a0
commit 032072374b
35 changed files with 511 additions and 324 deletions


@ -14,21 +14,91 @@ in {
enable = true;
settings = {
theme = "auto";
server = {
buffers = {
read = 16384;
write = 16384;
};
};
authentication_backend.ldap = {
implementation = "lldap";
address = "ldap://localhost:3890";
base_dn = "dc=procopius,dc=dk";
users_filter = "(&({username_attribute}={input})(objectClass=person))";
groups_filter = "(member={dn})";
user = "uid=authelia,ou=people,dc=procopius,dc=dk";
};
definitions = {
network = {
internal = [
"192.168.1.0/24"
];
};
};
access_control = {
default_policy = "deny";
# We want this rule to be low priority so it doesn't override the others
rules = lib.mkAfter [
{
domain = "*.procopius.dk";
domain = [
"proxmox.procopius.dk"
"traefik.procopius.dk"
"prometheus.procopius.dk"
"alertmanager.procopius.dk"
];
policy = "one_factor";
subject = [
["group:server-admin"]
];
}
# bypass /api and /ping
{
domain = ["*.procopius.dk"];
policy = "bypass";
resources = [
"^/api$"
"^/api/"
"^/ping$"
];
}
# media
{
domain = [
"sonarr.procopius.dk"
"radarr.procopius.dk"
"readarr.procopius.dk"
"lidarr.procopius.dk"
"bazarr.procopius.dk"
"prowlarr.procopius.dk"
];
policy = "one_factor";
subject = [
["group:media-admin"]
];
}
# authenticated
{
domain = [
"gatus.procopius.dk"
];
policy = "one_factor";
}
# bypass auth internally
# {
# domain = [
# "gatus.procopius.dk"
# "prometheus.procopius.dk"
# "alertmanager.procopius.dk"
# "sonarr.procopius.dk"
# "radarr.procopius.dk"
# "readarr.procopius.dk"
# "lidarr.procopius.dk"
# "bazarr.procopius.dk"
# "prowlarr.procopius.dk"
# ];
# policy = "bypass";
# networks = [
# "internal"
# ];
# }
];
};
storage.postgres = {
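Review bot: The bypass rule added at the `# bypass /api and /ping` block exempts `^/api$`, `^/api/` and `^/ping$` on every `*.procopius.dk` host from authentication, and since Authelia takes the first matching rule, that covers any subdomain not caught by an earlier rule — gatus (whose one_factor rule comes after it) and any host added later — so their `/api` paths become reachable anonymously, guarded only by whatever the backend itself enforces. The exemption is presumably meant for the *arr services, which authenticate API calls with their own API key; if so the rule should name those hosts rather than the wildcard, e.g. `domain = [ "sonarr.procopius.dk" "radarr.procopius.dk" "readarr.procopius.dk" "lidarr.procopius.dk" "bazarr.procopius.dk" "prowlarr.procopius.dk" ];`, with `/ping` handled the same way if it is needed. Whether a subject-restricted rule such as the server-admin one above it matches anonymous requests before the bypass is evaluated depends on Authelia's rule semantics and is worth confirming, since that decides whether proxmox/traefik `/api` paths are also exposed. A comment on the rule recording which backends are trusted to enforce their own API auth would make the intent reviewable: `# bypass only for services that authenticate /api with their own API key`. The enclosing `settings` attrset continues outside this hunk.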
@ -58,8 +128,8 @@ in {
};
notifier.smtp = {
address = "smtp://mail.procopius.dk";
username = "admin@procopius.dk";
sender = "auth@procopius.dk";
username = "authelia@procopius.dk";
sender = "authelia@procopius.dk";
};
log.level = "info";
# identity_providers.oidc = {
@ -97,24 +167,9 @@ in {
environmentVariables = with config.sops; {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
secrets."authelia/lldap_authelia_password".path;
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = secrets."authelia/smtp_authelia_password".path;
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = secrets.smtp-password_authelia.path;
};
};
# caddy = {
# virtualHosts."auth.procopius.cc".extraConfig = ''
# reverse_proxy :9091
# '';
# # A Caddy snippet that can be imported to enable Authelia in front of a service
# # Taken from https://www.authelia.com/integration/proxies/caddy/#subdomain
# extraConfig = ''
# (auth) {
# forward_auth :9091 {
# uri /api/authz/forward-auth
# copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
# }
# }
# '';
# };
};
# Give Authelia access to the Redis socket
@ -142,7 +197,6 @@ in {
"authelia/storage_encryption_key".owner = authelia;
# The password for the `authelia` LLDAP user
"authelia/lldap_authelia_password".owner = authelia;
"authelia/smtp_authelia_password".owner = authelia;
smtp-password_authelia = {
owner = authelia;
key = "service_accounts/authelia/password";