Commit 930f120

HPCesia <me@hpcesia.com>
2025-10-05 14:11:52
refactor: migrate authelia
1 parent 170eccd
hosts/chaser-pardofelis/authelia.nix
@@ -1,150 +0,0 @@
-{config, ...}: {
-  services.authelia.instances = {
-    main = {
-      enable = true;
-      settings = {
-        theme = "auto";
-        default_2fa_method = "totp";
-        log.level = "info";
-        server = {
-          address = "tcp://127.0.0.1:9091";
-          endpoints.authz.forward-auth = {
-            implementation = "ForwardAuth";
-            authn_strategies = [
-              {
-                name = "HeaderAuthorization";
-                schemes = ["Basic" "Bearer"];
-              }
-              {
-                name = "CookieSession";
-              }
-            ];
-          };
-        };
-        identity_validation.reset_password.jwt_algorithm = "HS512";
-        identity_providers.oidc = {
-          cors = {
-            endpoints = ["authorization" "token" "revocation" "introspection"];
-            allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
-          };
-          clients = [
-            {
-              # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
-              client_id = "forgejo";
-              client_name = "Forgejo";
-              client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-forgejo".path}" }}'';
-              public = false;
-              authorization_policy = "two_factor";
-              require_pkce = true;
-              pkce_challenge_method = "S256";
-              redirect_uris = [
-                "https://repo.hpcesia.com/user/oauth2/Authelia/callback"
-              ];
-              scopes = ["openid" "email" "profile" "groups"];
-              response_types = ["code"];
-              grant_types = ["authorization_code"];
-              access_token_signed_response_alg = "none";
-              userinfo_signed_response_alg = "none";
-              token_endpoint_auth_method = "client_secret_basic";
-            }
-            {
-              # Refer: https://gokapi.readthedocs.io/en/latest/examples.html#oidcconfig-authelia
-              client_id = "gokapi";
-              client_name = "Tribios";
-              client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gokapi".path}" }}'';
-              public = false;
-              authorization_policy = "one_factor";
-              redirect_uris = [
-                "https://send.hpcesia.com/oauth-callback"
-              ];
-              scopes = ["openid" "email" "profile" "groups"];
-              userinfo_signed_response_alg = "none";
-            }
-            {
-              # Refer: https://www.authelia.com/integration/openid-connect/clients/go-to-social
-              client_id = "gts-trinnon";
-              claims_policy = "gotosocial";
-              client_name = "Trinnon (GoToSocial)";
-              client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gts-trinnon".path}" }}'';
-              public = false;
-              authorization_policy = "two_factor";
-              require_pkce = false;
-              pkce_challenge_method = "";
-              redirect_uris = [
-                "https://trin.one/auth/callback"
-              ];
-              scopes = ["openid" "email" "profile" "groups"];
-              response_types = ["code"];
-              grant_types = ["authorization_code"];
-              access_token_signed_response_alg = "none";
-              userinfo_signed_response_alg = "none";
-              token_endpoint_auth_method = "client_secret_basic";
-            }
-          ];
-          claims_policies.gotosocial.id_token = ["preferred_username"];
-        };
-        authentication_backend.file = {
-          path = "/var/lib/authelia-main/users_database.yaml";
-          password.algorithm = "argon2";
-        };
-        storage.local.path = "/var/lib/authelia-main/db.sqlite3";
-        notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
-        totp = {
-          disable = false;
-          issuer = "hpcesia.com";
-        };
-        session.cookies = [
-          {
-            domain = "hpcesia.com";
-            authelia_url = "https://authelia.hpcesia.com";
-            expiration = "1 hour";
-            inactivity = "5 minutes";
-            remember_me = "2 week";
-          }
-          {
-            domain = "trin.one";
-            authelia_url = "https://auth.trin.one";
-            expiration = "1 hour";
-            inactivity = "5 minutes";
-            remember_me = "4 week";
-          }
-        ];
-        access_control = {
-          default_policy = "deny";
-          rules = [
-            {
-              domain = "*.hpcesia.com";
-              policy = "bypass";
-              resources = ["^/api$" "^/api/"];
-            }
-            {
-              domain = "*.trin.one";
-              policy = "bypass";
-              resources = ["^/api$" "^/api/"];
-            }
-            {
-              domain = "*.hpcesia.com";
-              policy = "one_factor";
-            }
-            {
-              domain = "*.trin.one";
-              policy = "one_factor";
-            }
-          ];
-        };
-        regulation = {
-          max_retries = 3;
-          find_time = "2 minutes";
-          ban_time = "5 minutes";
-        };
-      };
-      secrets = {
-        jwtSecretFile = config.sops.secrets."authelia-main-jwt-secret".path;
-        oidcHmacSecretFile = config.sops.secrets."authelia-main-oidc-hmac-secret".path;
-        oidcIssuerPrivateKeyFile = config.sops.secrets."authelia-main-oidc-issuer-private-key".path;
-        sessionSecretFile = config.sops.secrets."authelia-main-session-secret".path;
-        storageEncryptionKeyFile = config.sops.secrets."authelia-main-storage-encryption-key".path;
-      };
-    };
-  };
-}
hosts/chaser-pardofelis/caddy.nix
@@ -15,11 +15,6 @@ in {
     virtualHosts = let
       localAddress = {
         atuin = "http://localhost:${builtins.toString config.services.atuin.port}";
-        authelia = "http://${
-          # Assuming address start with `tcp://`.
-          builtins.substring 6 (-1) config.services.authelia.instances.main.settings.server.address
-        }";
-        goatcounter = "http://localhost:${builtins.toString config.services.goatcounter.port}";
         gokapi = "http://localhost:${builtins.toString config.services.gokapi.environment.GOKAPI_PORT}";
         grafana = "http://localhost:${builtins.toString config.services.grafana.settings.server.http_port}";
         homepage = "http://localhost:${builtins.toString config.services.homepage-dashboard.listenPort}";
@@ -30,11 +25,6 @@ in {
         encode zstd gzip
         reverse_proxy ${localAddress.atuin}
       '';
-      "auth.trin.one".extraConfig = config.services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig;
-      "authelia.hpcesia.com".extraConfig = ''
-        encode zstd gzip
-        reverse_proxy ${localAddress.authelia}
-      '';
       "grafana.hpcesia.com".extraConfig = ''
         encode zstd gzip
         reverse_proxy ${localAddress.grafana}
modules/hosts/chaser-pardofelis/default.nix
@@ -21,6 +21,7 @@
         (n: config.flake.modules.nixos."${config.flake.meta.service.prefix}${n}")
         [
           "artalk"
+          "authelia"
           "caddy"
           "fail2ban"
           "forgejo"
modules/services/authelia/client-secrets-forgejo.age
Binary file
modules/services/authelia/client-secrets-gokapi.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 M0uzA6EUt0M0rQ42I4t3iB8LYXGWF5iv4Eg64+cmtkw
+MpVMiCjT+v+/KB8uwZBBwrjXbQ15OMj6WDIMfdE2yyg
+-> w-grease
+tMr2exB14rpBETo+0tTFh0ec2p6CASoRqnBZtVVIRvKS2bXbtmLO
+--- CmYLZzHF9gmnfRyoD0LBRPYLNDRD6w0PM9uWAhZcR10
+X&����
+6m��+�Z�k�O`>$��Pi�0����Po���v M?���U.�z]�.��4���жێ��W��,|�\��q0C�k�2qyT��ꂞ�Ye"���q�G��M5d��'#]إ���A��>���uf��dN��.��:<m��@��U�dIcB	����J.
\ No newline at end of file
modules/services/authelia/client-secrets-gts-trinnon.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> X25519 iQ/ogTDRAMQie35IEqF+/c3GJmXBOd3UoVnjSD1Z6wY
+abjChKfyxRPbFEn10yYLXFT59vfau0H7hqGQCPIkTsg
+-> 3RcmD'-grease U\;tUU
+
+--- wOgqYgm/A+Q9NhqFyXmrJXI0oTYZzNaCI5YzDjpw3m8
+	���~^��i�p�qp��o�JG2D�-���k����y�5�H-�����7�D�r2/,#���ˍP���	@~c�Pd��6��� ���μ���{��7����Y�������!�:4�ڒ�8ُ%���&�sz���d!X8la���z9�#�!�M�
\ No newline at end of file
modules/services/authelia/jwt-secret.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 k/ZkMm6yzYSfgibn3bSkvsy8g6iboqoBFkh7p2hXuxA
+aus68fvhKK59ExKJ7ZnGGTCCvJ4opkDGQv1DqEdX6TE
+-> v0eyAVXM-grease ~EJs 4 dt 8SljF2>
+QYWmceQOJMyQtkAFmWGQgrxiiDdTvCwHIEcyoBDrSXeAfTmchwffB2Q2
+--- qSoLul+jol/w26Xe/7IMN9egknBo1ILAuxLITZU35Mc
+�b*A
������UD�5z��X@0?r�>�M&�ضGk��s�\"9�4IF����V�3.�N=ό�y�����
+AR��R���e-�T�w���
\ No newline at end of file
modules/services/authelia/main.nix
@@ -0,0 +1,188 @@
+{lib, ...}: {
+  flake.modules.nixos."services/authelia" = {config, ...}: {
+    services.authelia.instances = {
+      main = {
+        enable = true;
+        settings = {
+          theme = "auto";
+          default_2fa_method = "totp";
+          log.level = "info";
+          server = {
+            address = "tcp://127.0.0.1:9091";
+            endpoints.authz.forward-auth = {
+              implementation = "ForwardAuth";
+              authn_strategies = [
+                {
+                  name = "HeaderAuthorization";
+                  schemes = ["Basic" "Bearer"];
+                }
+                {
+                  name = "CookieSession";
+                }
+              ];
+            };
+          };
+          identity_validation.reset_password.jwt_algorithm = "HS512";
+          identity_providers.oidc = {
+            cors = {
+              endpoints = ["authorization" "token" "revocation" "introspection"];
+              allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
+            };
+            clients = [
+              {
+                # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
+                client_id = "forgejo";
+                client_name = "Forgejo";
+                client_secret = ''{{ secret "${config.vaultix.secrets."authelia-main-client-secrets-forgejo".path}" }}'';
+                public = false;
+                authorization_policy = "two_factor";
+                require_pkce = true;
+                pkce_challenge_method = "S256";
+                redirect_uris = [
+                  "https://repo.hpcesia.com/user/oauth2/Authelia/callback"
+                ];
+                scopes = ["openid" "email" "profile" "groups"];
+                response_types = ["code"];
+                grant_types = ["authorization_code"];
+                access_token_signed_response_alg = "none";
+                userinfo_signed_response_alg = "none";
+                token_endpoint_auth_method = "client_secret_basic";
+              }
+              {
+                # Refer: https://gokapi.readthedocs.io/en/latest/examples.html#oidcconfig-authelia
+                client_id = "gokapi";
+                client_name = "Tribios";
+                client_secret = ''{{ secret "${config.vaultix.secrets."authelia-main-client-secrets-gokapi".path}" }}'';
+                public = false;
+                authorization_policy = "one_factor";
+                redirect_uris = [
+                  "https://send.hpcesia.com/oauth-callback"
+                ];
+                scopes = ["openid" "email" "profile" "groups"];
+                userinfo_signed_response_alg = "none";
+              }
+              {
+                # Refer: https://www.authelia.com/integration/openid-connect/clients/go-to-social
+                client_id = "gts-trinnon";
+                claims_policy = "gotosocial";
+                client_name = "Trinnon (GoToSocial)";
+                client_secret = ''{{ secret "${config.vaultix.secrets."authelia-main-client-secrets-gts-trinnon".path}" }}'';
+                public = false;
+                authorization_policy = "two_factor";
+                require_pkce = false;
+                pkce_challenge_method = "";
+                redirect_uris = [
+                  "https://trin.one/auth/callback"
+                ];
+                scopes = ["openid" "email" "profile" "groups"];
+                response_types = ["code"];
+                grant_types = ["authorization_code"];
+                access_token_signed_response_alg = "none";
+                userinfo_signed_response_alg = "none";
+                token_endpoint_auth_method = "client_secret_basic";
+              }
+            ];
+            claims_policies.gotosocial.id_token = ["preferred_username"];
+          };
+          authentication_backend.file = {
+            path = "/var/lib/authelia-main/users_database.yaml";
+            password.algorithm = "argon2";
+          };
+          storage.local.path = "/var/lib/authelia-main/db.sqlite3";
+          notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
+          totp = {
+            disable = false;
+            issuer = "hpcesia.com";
+          };
+          session.cookies = [
+            {
+              domain = "hpcesia.com";
+              authelia_url = "https://authelia.hpcesia.com";
+              expiration = "1 hour";
+              inactivity = "5 minutes";
+              remember_me = "2 week";
+            }
+            {
+              domain = "trin.one";
+              authelia_url = "https://auth.trin.one";
+              expiration = "1 hour";
+              inactivity = "5 minutes";
+              remember_me = "4 week";
+            }
+          ];
+          access_control = {
+            default_policy = "deny";
+            rules = [
+              {
+                domain = "*.hpcesia.com";
+                policy = "bypass";
+                resources = ["^/api$" "^/api/"];
+              }
+              {
+                domain = "*.trin.one";
+                policy = "bypass";
+                resources = ["^/api$" "^/api/"];
+              }
+              {
+                domain = "*.hpcesia.com";
+                policy = "one_factor";
+              }
+              {
+                domain = "*.trin.one";
+                policy = "one_factor";
+              }
+            ];
+          };
+          regulation = {
+            max_retries = 3;
+            find_time = "2 minutes";
+            ban_time = "5 minutes";
+          };
+        };
+        secrets = {
+          jwtSecretFile = config.vaultix.secrets."authelia-main-jwt-secret".path;
+          oidcHmacSecretFile = config.vaultix.secrets."authelia-main-oidc-hmac-secret".path;
+          oidcIssuerPrivateKeyFile = config.vaultix.secrets."authelia-main-oidc-issuer-private-key".path;
+          sessionSecretFile = config.vaultix.secrets."authelia-main-session-secret".path;
+          storageEncryptionKeyFile = config.vaultix.secrets."authelia-main-storage-encryption-key".path;
+        };
+      };
+    };
+
+    services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig =
+      lib.mkIf config.services.caddy.enable
+      (let
+        localAddress = "http://${
+          # Assuming address start with `tcp://`.
+          builtins.substring 6 (-1) config.services.authelia.instances.main.settings.server.address
+        }";
+      in ''
+        encode zstd gzip
+        reverse_proxy ${localAddress}
+      '');
+    services.caddy.virtualHosts."auth.trin.one".extraConfig =
+      config.services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig;
+
+    vaultix.secrets = lib.mkMerge (
+      builtins.map
+      (s: {
+        "authelia-main-${s}" = {
+          file = lib.path.append ./. "${s}.age";
+          owner = "root";
+          group = "authelia-main";
+          mode = "0440";
+        };
+      })
+      [
+        "jwt-secret"
+        "oidc-hmac-secret"
+        "oidc-issuer-private-key"
+        "session-secret"
+        "storage-encryption-key"
+        "client-secrets-forgejo"
+        "client-secrets-gokapi"
+        "client-secrets-gts-trinnon"
+      ]
+    );
+  };
+}
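Review bot: The two `bypass` rules under `access_control.rules` match every subdomain of `*.hpcesia.com` and `*.trin.one` on `^/api$` and `^/api/`, so with `default_policy = "deny"` any current or future host under either domain serves its `/api` paths without Authelia in front; the intent is not recorded anywhere in the module. A comment above the first bypass rule would make the contract explicit, e.g. `# /api on every subdomain bypasses Authelia on purpose: each proxied app must authenticate its own API traffic. Scope this per host if a new service does not.` The two `session.cookies` entries also differ only in `remember_me` (`"2 week"` vs `"4 week"`); if that asymmetry is deliberate, a one-line comment would save the next reader from treating it as a typo. The `# Assuming address start with tcp://` comment on the `builtins.substring 6 (-1)` call carries over from the old Caddy module unchanged; consider noting there that a change to `server.address` scheme silently yields a wrong upstream rather than an evaluation error.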
modules/services/authelia/oidc-hmac-secret.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 qTFxzQeV6qFWhxnXICBPMio9NNcH9q/cwQ13rx4KElE
+XfwQ5oC11qTIYov3H/F14PPUnjFdX1BmmPoW2ln0jzI
+-> "?8Ws2o7-grease o0y ?7eq u|>&4,= pz?!
+7iVrq/Qp3t4XV6b5SqMqUGXRRQDSOHxibtYUPNIA9flbUideGF8SIso+2WEXUa0v
+GE2brreJoDjfVfjY+zcUCBxrE9xDVjDHnqAlGFU
+--- 526ty1nTIn+GXZ3v2iUG5VdWZYNfAes/0zuwnrpBvkQ
+���������.N)�����c�-Fr�jD-�DC|��%�i�B�Na˟H�r��G�(��s8[|�z�fD� �~²�w�F����8i?�H�@8f�CH`
\ No newline at end of file
modules/services/authelia/oidc-issuer-private-key.age
Binary file
modules/services/authelia/session-secret.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 VNDH77WFsaUkWysH2WCZflDDhk/9VCFFhmDTZZkB7XQ
+qXevCtKEv6Fiwrg8hxMy/VfeOXuQ1FmFMZhqhJrJ9zE
+-> qAeq-grease f"gk^B3 s
+LFzMuFag1pzoZ1td0Q11hIvM1WMYOHXTkYTE55Ed8SdCQguJ1tJcpRnSOX4CXMH1
+8Osctp5w1N0mO5Y02MD2EmumJqqJ1PvQuY8PVFApOrAj01jR7PwMkWHmVNI
+--- KMBPOi5+w0OHKSx4v/0P8rhUf6TIb+D5o8XCEZq7er4
+:��YP�LG;���9/�Q�
+�m�'Xԫ%�
�=��
�:���څ%KpX����t咰Ja�]�X=� ����D���o�N�bf�c6A�
\ No newline at end of file
modules/services/authelia/storage-encryption-key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> X25519 eFXmw7OroEzDaBIrk8o0/eHOmUGqtzZEu9WDGA+nPRc
+0Q2Uv5m2FGWPz9xc2kiegUJKO7ygf1+BfTzRfKK9i6E
+-> W-grease z`iyV8
+e1o
+--- KMuf+ki+h7eLFRXmeuioLMgSgaZeewq3Vgz9TRaKcC0
+�C�B��ޣp
�9�ʼ*��;��rR<��z4&��?3D�rU���4���IǴ�I`�t��d�ߗ�
\ No newline at end of file
secrets/cache/pardofelis/280cacb72c6574c785b429f2f7ddcfeb03a9a9a7e633b9cc83c9e318e4647f87
Binary file
secrets/cache/pardofelis/5431eeae2575b1dc3af42482de4cb010eddf8179268d8f79f63283639cb143f5
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw TuhB7H8/gKisKuznkf13XyVf3d+AtaYIsJ69hykdQmA
+D+N9U/9CvL3D05GZnlxPI4KHC6su6PE+RlpIrfSmJTg
+-> sWEJh*-grease 1&9B )U*4 2"ym"m
+VQbOfd6SmZsiaK+SIgUnsiMSd8t28CQizo42zYP62V4g9MW3/FdtZuqa8w4irdRd
+K2am+ijwUsKcAIMAchSGoNZzQeBttzxgifuOYJKAA9aoxw
+--- apWJpWA7Z5gn6TYI4VD1u5RDdJ/ome4TYwKNrNurKLE
+`�b^�x�������Ak�^��7�����L��F�U2́���rUmsE�F@���6ƳP�|%<���:��I�����E�$�S,PT�V@����T5�!�`�EWp�А=AK��@������Qv�y0].�҈ E�����Dp���|fC1uN:��W�q
\ No newline at end of file
secrets/cache/pardofelis/574fb7e6e4aa94f327a3d08e18ecc0271cd3cfe66996c557b96ce5deaa54bf86
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw muCSbU32lFqluYYcJk/oepJtndeV3lckMYvIXL3KoHA
+ybkKv1motSBq+T6EhHhqv7c4xYi6OHxOH0dJEsROc1I
+-> jI,.o('-grease Z iQC|Dh< ayW
+UT2fSuPOQP1itNn/du9WHSOvByw+KmTXhDh7G8taFXmErTkXCkZhyJ2RPoRvFE8d
+vFILFUe7uCu/q/045AivLdVQfkwG28EsLPZX8w
+--- Iv/TVxhSU2u3618M6rL5q5GoV+1GxzKVX26eJiQv6wM
+yA��CY("(]	��=��E�+H�ʞA]��Qȇ���;�O���eÞM��2p�0���]�тۮ����<�T)�nKX7���nQ#�|/)���z��y����]M<�f1$ˎ�|�*<j�h��j\��,FJ���K��k��Ч��d�;G�G<���
��
\ No newline at end of file
secrets/cache/pardofelis/633c56617c6f36501f405fc80f8a913ed121992a9047c968c012065267cc29eb
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw YLbwhi5R1fi4NnK1UypBs/paLo10ZwGyCZCB/UCGs2w
+k8gFmEfsxa9L2/okTABpdEz2Sud0yRv1otO0xUESAmo
+-> >[vrB-grease } !t Qoh
+GNDPpd9wpnh8cicTHeum9Hm1TdblzNX9U4fb9ad+wlEUqTsdwU1MYVAchuiIkxdM
+6L2snkZAREJ9
+--- HjXYZ0NF6oKEQRxZIDWgAltAz+GkzNPBPHmiagMZDiI
+Q�������ľ���02�Z�FI�
+MhG�&��?�V�H���M�s�N֜���>}������!��8:����V&���f����
�wF�8�3��a�
\ No newline at end of file
secrets/cache/pardofelis/85ed37a8cf9dd7c526417f7608285d058683accba7cbfb8cbb979e5fca4dbef9
Binary file
secrets/cache/pardofelis/96140335a96601dbe908c13a0875f6827ae86289f0a0b3e069dc34da87f82cc2
Binary file
secrets/cache/pardofelis/e38c3047bc726ee0bfe2fb78026db828caab1c8ef65976461e978110afca3d6c
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw Md5hv5fPj0+v3LDnQifGVBMeBwgXsYdGa5ZC57935QU
+dBw7g6Oo+4jyZmwxV+xeXl2b7BQEuP7yZbnb9wqItLk
+-> W-grease <th5dI nz0"Wiv
+o3vSsExz8pYB4JxiQUmN97QWITbyNxN1ho/jUiJEgv76RA
+--- d+rutXN9d6pvTTcd49xrBxkrePxBaf3DLu56BzIpIhg
+���k���v��O�A�ӥY��>NE��k�N�JC�����?]���cy�X�������y��)�Ɯ�P̒ ;��jx�&���c9V:�C�A�0��
\ No newline at end of file
secrets/cache/pardofelis/ff8012c3482215c9f859de9c5ba974c0399d6be01acd7b041fce21c17fa380ca
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw KxmwEVTCe9ezab43DYEMMVTuXSQ9ow8iSUhWoUP1Zhg
+ksGyD9M7I/Juo8F4zPR0R71Q4sT2d3TRnGI7hL9dxvU
+-> "-grease Gvyq K=J4okJ 3tL@k
+ejcO7eYkZh9Ly/7MP/hfm56OG9U5Bs0z9z6ULuoJCzuCTVWb2jUjjsHgIhhAaxPh
+k4m6jw
+--- fdTuUjBaijRvV/kAsxsg+ZxcNO+s8fu9Wf/aunReuCs
+r���U���������+�h�]M6��~�Ov�*U
���WP��Ky�z��k�I��!��6'vo�{
\ No newline at end of file