auth machine

2025-07-16 02:10:31 +02:00 · 2025-07-16 02:10:31 +02:00 · 851a9e18db
commit 851a9e18db
parent 98dce86882
34 changed files with 2383 additions and 99 deletions
--- a/machines/auth/authelia.nix
+++ b/machines/auth/authelia.nix
@ -0,0 +1,151 @@
+{
+  config,
+  lib,
+  ...
+}: let
+  authelia = "authelia-procopius";
+in {
+  networking.firewall.allowedTCPPorts = [
+    9091
+  ];
+
+  services = {
+    authelia.instances.procopius = {
+      enable = true;
+      settings = {
+        theme = "auto";
+        authentication_backend.ldap = {
+          address = "ldap://localhost:3890";
+          base_dn = "dc=procopius,dc=dk";
+          users_filter = "(&({username_attribute}={input})(objectClass=person))";
+          groups_filter = "(member={dn})";
+          user = "uid=authelia,ou=people,dc=procopius,dc=dk";
+        };
+        access_control = {
+          default_policy = "deny";
+          # We want this rule to be low priority so it doesn't override the others
+          rules = lib.mkAfter [
+            {
+              domain = "*.procopius.dk";
+              policy = "one_factor";
+            }
+          ];
+        };
+        storage.postgres = {
+          address = "unix:///run/postgresql";
+          database = authelia;
+          username = authelia;
+          # I'm using peer authentication, so this doesn't actually matter, but Authelia
+          # complains if I don't have it.
+          # https://github.com/authelia/authelia/discussions/7646
+          password = authelia;
+        };
+        session = {
+          redis.host = "/var/run/redis-procopius/redis.sock";
+          cookies = [
+            {
+              domain = "procopius.dk";
+              authelia_url = "https://authelia.procopius.dk";
+              # The period of time the user can be inactive for before the session is destroyed
+              inactivity = "1M";
+              # The period of time before the cookie expires and the session is destroyed
+              expiration = "3M";
+              # The period of time before the cookie expires and the session is destroyed
+              # when the remember me box is checked
+              remember_me = "1y";
+            }
+          ];
+        };
+        notifier.smtp = {
+          address = "smtp://mail.procopius.dk";
+          username = "admin@procopius.dk";
+          sender = "auth@procopius.dk";
+        };
+        log.level = "info";
+        # identity_providers.oidc = {
+        #   # https://www.authelia.com/integration/openid-connect/openid-connect-1.0-claims/#restore-functionality-prior-to-claims-parameter
+        #   claims_policies = {
+        #     # karakeep.id_token = ["email"];
+        #   };
+        #   cors = {
+        #     endpoints = ["token"];
+        #     allowed_origins_from_client_redirect_uris = true;
+        #   };
+        #   authorization_policies.default = {
+        #     default_policy = "one_factor";
+        #     rules = [
+        #       {
+        #         policy = "deny";
+        #         subject = "group:lldap_strict_readonly";
+        #       }
+        #     ];
+        #   };
+        # };
+        # Necessary for Traefik integration
+        # See https://www.authelia.com/integration/proxies/traefik/#implementation
+        server.endpoints.authz.forward-auth.implementation = "ForwardAuth";
+      };
+      # Templates don't work correctly when parsed from Nix, so our OIDC clients are defined here
+      # settingsFiles = [./oidc_clients.yaml];
+      secrets = with config.sops; {
+        jwtSecretFile = secrets."authelia/jwt_secret".path;
+        # oidcIssuerPrivateKeyFile = secrets."authelia/jwks".path;
+        # oidcHmacSecretFile = secrets."authelia/hmac_secret".path;
+        sessionSecretFile = secrets."authelia/session_secret".path;
+        storageEncryptionKeyFile = secrets."authelia/storage_encryption_key".path;
+      };
+      environmentVariables = with config.sops; {
+        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+          secrets."authelia/lldap_authelia_password".path;
+        AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = secrets."authelia/smtp_authelia_password".path;
+      };
+    };
+    # caddy = {
+    #   virtualHosts."auth.procopius.cc".extraConfig = ''
+    #     reverse_proxy :9091
+    #   '';
+    #   # A Caddy snippet that can be imported to enable Authelia in front of a service
+    #   # Taken from https://www.authelia.com/integration/proxies/caddy/#subdomain
+    #   extraConfig = ''
+    #     (auth) {
+    #         forward_auth :9091 {
+    #             uri /api/authz/forward-auth
+    #             copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+    #         }
+    #     }
+    #   '';
+    # };
+  };
+
+  # Give Authelia access to the Redis socket
+  users.users.${authelia}.extraGroups = ["redis-procopius"];
+
+  systemd.services.${authelia} = let
+    dependencies = [
+      "lldap.service"
+      "postgresql.service"
+      "redis-procopius.service"
+    ];
+  in {
+    # Authelia requires LLDAP, PostgreSQL, and Redis to be running
+    after = dependencies;
+    requires = dependencies;
+    # Required for templating
+    serviceConfig.Environment = "X_AUTHELIA_CONFIG_FILTERS=template";
+  };
+
+  sops.secrets = {
+    "authelia/hmac_secret".owner = authelia;
+    "authelia/jwks".owner = authelia;
+    "authelia/jwt_secret".owner = authelia;
+    "authelia/session_secret".owner = authelia;
+    "authelia/storage_encryption_key".owner = authelia;
+    # The password for the `authelia` LLDAP user
+    "authelia/lldap_authelia_password".owner = authelia;
+    "authelia/smtp_authelia_password".owner = authelia;
+    smtp-password_authelia = {
+      owner = authelia;
+      key = "service_accounts/authelia/password";
+    };
+  };
+}