Commit 930f120
Changed files (20)
hosts/chaser-pardofelis/authelia.nix
@@ -1,150 +0,0 @@
-{config, ...}: {
- services.authelia.instances = {
- main = {
- enable = true;
- settings = {
- theme = "auto";
- default_2fa_method = "totp";
- log.level = "info";
- server = {
- address = "tcp://127.0.0.1:9091";
- endpoints.authz.forward-auth = {
- implementation = "ForwardAuth";
- authn_strategies = [
- {
- name = "HeaderAuthorization";
- schemes = ["Basic" "Bearer"];
- }
- {
- name = "CookieSession";
- }
- ];
- };
- };
- identity_validation.reset_password.jwt_algorithm = "HS512";
- identity_providers.oidc = {
- cors = {
- endpoints = ["authorization" "token" "revocation" "introspection"];
- allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
- };
- clients = [
- {
- # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
- client_id = "forgejo";
- client_name = "Forgejo";
- client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-forgejo".path}" }}'';
- public = false;
- authorization_policy = "two_factor";
- require_pkce = true;
- pkce_challenge_method = "S256";
- redirect_uris = [
- "https://repo.hpcesia.com/user/oauth2/Authelia/callback"
- ];
- scopes = ["openid" "email" "profile" "groups"];
- response_types = ["code"];
- grant_types = ["authorization_code"];
- access_token_signed_response_alg = "none";
- userinfo_signed_response_alg = "none";
- token_endpoint_auth_method = "client_secret_basic";
- }
- {
- # Refer: https://gokapi.readthedocs.io/en/latest/examples.html#oidcconfig-authelia
- client_id = "gokapi";
- client_name = "Tribios";
- client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gokapi".path}" }}'';
- public = false;
- authorization_policy = "one_factor";
- redirect_uris = [
- "https://send.hpcesia.com/oauth-callback"
- ];
- scopes = ["openid" "email" "profile" "groups"];
- userinfo_signed_response_alg = "none";
- }
- {
- # Refer: https://www.authelia.com/integration/openid-connect/clients/go-to-social
- client_id = "gts-trinnon";
- claims_policy = "gotosocial";
- client_name = "Trinnon (GoToSocial)";
- client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gts-trinnon".path}" }}'';
- public = false;
- authorization_policy = "two_factor";
- require_pkce = false;
- pkce_challenge_method = "";
- redirect_uris = [
- "https://trin.one/auth/callback"
- ];
- scopes = ["openid" "email" "profile" "groups"];
- response_types = ["code"];
- grant_types = ["authorization_code"];
- access_token_signed_response_alg = "none";
- userinfo_signed_response_alg = "none";
- token_endpoint_auth_method = "client_secret_basic";
- }
- ];
- claims_policies.gotosocial.id_token = ["preferred_username"];
- };
- authentication_backend.file = {
- path = "/var/lib/authelia-main/users_database.yaml";
- password.algorithm = "argon2";
- };
- storage.local.path = "/var/lib/authelia-main/db.sqlite3";
- notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
- totp = {
- disable = false;
- issuer = "hpcesia.com";
- };
- session.cookies = [
- {
- domain = "hpcesia.com";
- authelia_url = "https://authelia.hpcesia.com";
- expiration = "1 hour";
- inactivity = "5 minutes";
- remember_me = "2 week";
- }
- {
- domain = "trin.one";
- authelia_url = "https://auth.trin.one";
- expiration = "1 hour";
- inactivity = "5 minutes";
- remember_me = "4 week";
- }
- ];
- access_control = {
- default_policy = "deny";
- rules = [
- {
- domain = "*.hpcesia.com";
- policy = "bypass";
- resources = ["^/api$" "^/api/"];
- }
- {
- domain = "*.trin.one";
- policy = "bypass";
- resources = ["^/api$" "^/api/"];
- }
- {
- domain = "*.hpcesia.com";
- policy = "one_factor";
- }
- {
- domain = "*.trin.one";
- policy = "one_factor";
- }
- ];
- };
- regulation = {
- max_retries = 3;
- find_time = "2 minutes";
- ban_time = "5 minutes";
- };
- };
- secrets = {
- jwtSecretFile = config.sops.secrets."authelia-main-jwt-secret".path;
- oidcHmacSecretFile = config.sops.secrets."authelia-main-oidc-hmac-secret".path;
- oidcIssuerPrivateKeyFile = config.sops.secrets."authelia-main-oidc-issuer-private-key".path;
- sessionSecretFile = config.sops.secrets."authelia-main-session-secret".path;
- storageEncryptionKeyFile = config.sops.secrets."authelia-main-storage-encryption-key".path;
- };
- };
- };
-}
hosts/chaser-pardofelis/caddy.nix
@@ -15,11 +15,6 @@ in {
virtualHosts = let
localAddress = {
atuin = "http://localhost:${builtins.toString config.services.atuin.port}";
- authelia = "http://${
- # Assuming address start with `tcp://`.
- builtins.substring 6 (-1) config.services.authelia.instances.main.settings.server.address
- }";
- goatcounter = "http://localhost:${builtins.toString config.services.goatcounter.port}";
gokapi = "http://localhost:${builtins.toString config.services.gokapi.environment.GOKAPI_PORT}";
grafana = "http://localhost:${builtins.toString config.services.grafana.settings.server.http_port}";
homepage = "http://localhost:${builtins.toString config.services.homepage-dashboard.listenPort}";
@@ -30,11 +25,6 @@ in {
encode zstd gzip
reverse_proxy ${localAddress.atuin}
'';
- "auth.trin.one".extraConfig = config.services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig;
- "authelia.hpcesia.com".extraConfig = ''
- encode zstd gzip
- reverse_proxy ${localAddress.authelia}
- '';
"grafana.hpcesia.com".extraConfig = ''
encode zstd gzip
reverse_proxy ${localAddress.grafana}
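Review bot: The first hunk removes the `goatcounter` entry from `localAddress` together with the `authelia` one, yet nothing else in this commit touches goatcounter; if a virtual host outside the visible hunks still expands `${localAddress.goatcounter}`, evaluating the Caddy config will fail with a missing-attribute error. If the goatcounter host was already dropped in an earlier commit, a sentence in the commit description would settle that. The enclosing `in { … }` set begins before the first hunk and the `virtualHosts` definition continues past the second.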
modules/hosts/chaser-pardofelis/default.nix
@@ -21,6 +21,7 @@
(n: config.flake.modules.nixos."${config.flake.meta.service.prefix}${n}")
[
"artalk"
+ "authelia"
"caddy"
"fail2ban"
"forgejo"
modules/services/authelia/client-secrets-forgejo.age
Binary file
modules/services/authelia/client-secrets-gokapi.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 M0uzA6EUt0M0rQ42I4t3iB8LYXGWF5iv4Eg64+cmtkw
+MpVMiCjT+v+/KB8uwZBBwrjXbQ15OMj6WDIMfdE2yyg
+-> w-grease
+tMr2exB14rpBETo+0tTFh0ec2p6CASoRqnBZtVVIRvKS2bXbtmLO
+--- CmYLZzHF9gmnfRyoD0LBRPYLNDRD6w0PM9uWAhZcR10
+X&����
+6m��+�Z�k�O`>$��Pi�0����Po���v M?���U.�z]�.��4���жێ��W��,|�\��q0C�k�2qyT��ꂞ�Ye"���q�G��M5d��'#]إ���A��>���uf��dN��.��:<m��@��U�dIcB ����J.
\ No newline at end of file
modules/services/authelia/client-secrets-gts-trinnon.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> X25519 iQ/ogTDRAMQie35IEqF+/c3GJmXBOd3UoVnjSD1Z6wY
+abjChKfyxRPbFEn10yYLXFT59vfau0H7hqGQCPIkTsg
+-> 3RcmD'-grease U\;tUU
+
+--- wOgqYgm/A+Q9NhqFyXmrJXI0oTYZzNaCI5YzDjpw3m8
+ ���~^��i�p�qp��o�JG2D�-���k����y�5�H-�����7�D�r2/,#���ˍP��� @~c�Pd��6��� ���μ���{��7����Y�������!�:4�ڒ�8ُ%���&�sz���d!X8la���z9�#�!�M�
\ No newline at end of file
modules/services/authelia/jwt-secret.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 k/ZkMm6yzYSfgibn3bSkvsy8g6iboqoBFkh7p2hXuxA
+aus68fvhKK59ExKJ7ZnGGTCCvJ4opkDGQv1DqEdX6TE
+-> v0eyAVXM-grease ~EJs 4 dt 8SljF2>
+QYWmceQOJMyQtkAFmWGQgrxiiDdTvCwHIEcyoBDrSXeAfTmchwffB2Q2
+--- qSoLul+jol/w26Xe/7IMN9egknBo1ILAuxLITZU35Mc
+�b*A
������UD�5z��X@0?r�>�M&�ضGk��s�\"9�4IF����V�3.�N=ό�y�����
+AR��R���e-�T�w���
\ No newline at end of file
modules/services/authelia/main.nix
@@ -0,0 +1,188 @@
+{lib, ...}: {
+ flake.modules.nixos."services/authelia" = {config, ...}: {
+ services.authelia.instances = {
+ main = {
+ enable = true;
+ settings = {
+ theme = "auto";
+ default_2fa_method = "totp";
+ log.level = "info";
+ server = {
+ address = "tcp://127.0.0.1:9091";
+ endpoints.authz.forward-auth = {
+ implementation = "ForwardAuth";
+ authn_strategies = [
+ {
+ name = "HeaderAuthorization";
+ schemes = ["Basic" "Bearer"];
+ }
+ {
+ name = "CookieSession";
+ }
+ ];
+ };
+ };
+ identity_validation.reset_password.jwt_algorithm = "HS512";
+ identity_providers.oidc = {
+ cors = {
+ endpoints = ["authorization" "token" "revocation" "introspection"];
+ allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
+ };
+ clients = [
+ {
+ # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
+ client_id = "forgejo";
+ client_name = "Forgejo";
+ client_secret = ''{{ secret "${config.vaultix.secrets."authelia-main-client-secrets-forgejo".path}" }}'';
+ public = false;
+ authorization_policy = "two_factor";
+ require_pkce = true;
+ pkce_challenge_method = "S256";
+ redirect_uris = [
+ "https://repo.hpcesia.com/user/oauth2/Authelia/callback"
+ ];
+ scopes = ["openid" "email" "profile" "groups"];
+ response_types = ["code"];
+ grant_types = ["authorization_code"];
+ access_token_signed_response_alg = "none";
+ userinfo_signed_response_alg = "none";
+ token_endpoint_auth_method = "client_secret_basic";
+ }
+ {
+ # Refer: https://gokapi.readthedocs.io/en/latest/examples.html#oidcconfig-authelia
+ client_id = "gokapi";
+ client_name = "Tribios";
+ client_secret = ''{{ secret "${config.vaultix.secrets."authelia-main-client-secrets-gokapi".path}" }}'';
+ public = false;
+ authorization_policy = "one_factor";
+ redirect_uris = [
+ "https://send.hpcesia.com/oauth-callback"
+ ];
+ scopes = ["openid" "email" "profile" "groups"];
+ userinfo_signed_response_alg = "none";
+ }
+ {
+ # Refer: https://www.authelia.com/integration/openid-connect/clients/go-to-social
+ client_id = "gts-trinnon";
+ claims_policy = "gotosocial";
+ client_name = "Trinnon (GoToSocial)";
+ client_secret = ''{{ secret "${config.vaultix.secrets."authelia-main-client-secrets-gts-trinnon".path}" }}'';
+ public = false;
+ authorization_policy = "two_factor";
+ require_pkce = false;
+ pkce_challenge_method = "";
+ redirect_uris = [
+ "https://trin.one/auth/callback"
+ ];
+ scopes = ["openid" "email" "profile" "groups"];
+ response_types = ["code"];
+ grant_types = ["authorization_code"];
+ access_token_signed_response_alg = "none";
+ userinfo_signed_response_alg = "none";
+ token_endpoint_auth_method = "client_secret_basic";
+ }
+ ];
+ claims_policies.gotosocial.id_token = ["preferred_username"];
+ };
+ authentication_backend.file = {
+ path = "/var/lib/authelia-main/users_database.yaml";
+ password.algorithm = "argon2";
+ };
+ storage.local.path = "/var/lib/authelia-main/db.sqlite3";
+ notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
+ totp = {
+ disable = false;
+ issuer = "hpcesia.com";
+ };
+ session.cookies = [
+ {
+ domain = "hpcesia.com";
+ authelia_url = "https://authelia.hpcesia.com";
+ expiration = "1 hour";
+ inactivity = "5 minutes";
+ remember_me = "2 week";
+ }
+ {
+ domain = "trin.one";
+ authelia_url = "https://auth.trin.one";
+ expiration = "1 hour";
+ inactivity = "5 minutes";
+ remember_me = "4 week";
+ }
+ ];
+ access_control = {
+ default_policy = "deny";
+ rules = [
+ {
+ domain = "*.hpcesia.com";
+ policy = "bypass";
+ resources = ["^/api$" "^/api/"];
+ }
+ {
+ domain = "*.trin.one";
+ policy = "bypass";
+ resources = ["^/api$" "^/api/"];
+ }
+ {
+ domain = "*.hpcesia.com";
+ policy = "one_factor";
+ }
+ {
+ domain = "*.trin.one";
+ policy = "one_factor";
+ }
+ ];
+ };
+ regulation = {
+ max_retries = 3;
+ find_time = "2 minutes";
+ ban_time = "5 minutes";
+ };
+ };
+ secrets = {
+ jwtSecretFile = config.vaultix.secrets."authelia-main-jwt-secret".path;
+ oidcHmacSecretFile = config.vaultix.secrets."authelia-main-oidc-hmac-secret".path;
+ oidcIssuerPrivateKeyFile = config.vaultix.secrets."authelia-main-oidc-issuer-private-key".path;
+ sessionSecretFile = config.vaultix.secrets."authelia-main-session-secret".path;
+ storageEncryptionKeyFile = config.vaultix.secrets."authelia-main-storage-encryption-key".path;
+ };
+ };
+ };
+
+ services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig =
+ lib.mkIf config.services.caddy.enable
+ (let
+ localAddress = "http://${
+ # Assuming address start with `tcp://`.
+ builtins.substring 6 (-1) config.services.authelia.instances.main.settings.server.address
+ }";
+ in ''
+ encode zstd gzip
+ reverse_proxy ${localAddress}
+ '');
+ services.caddy.virtualHosts."auth.trin.one".extraConfig =
+ config.services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig;
+
+ vaultix.secrets = lib.mkMerge (
+ builtins.map
+ (s: {
+ "authelia-main-${s}" = {
+ file = lib.path.append ./. "${s}.age";
+ owner = "root";
+ group = "authelia-main";
+ mode = "0440";
+ };
+ })
+ [
+ "jwt-secret"
+ "oidc-hmac-secret"
+ "oidc-issuer-private-key"
+ "session-secret"
+ "storage-encryption-key"
+ "client-secrets-forgejo"
+ "client-secrets-gokapi"
+ "client-secrets-gts-trinnon"
+ ]
+ );
+ };
+}
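Review bot: The `localAddress` binding for the `authelia.hpcesia.com` virtual host still derives the upstream with `builtins.substring 6 (-1)` under an "Assuming address start with `tcp://`" comment, so a listener configured with any other scheme silently yields a broken `reverse_proxy` target; `lib.removePrefix "tcp://" config.services.authelia.instances.main.settings.server.address` states the intent directly, leaves the value untouched when the prefix is absent, and `lib` is already a module argument here. The `auth.trin.one` host is defined unconditionally while `authelia.hpcesia.com` is gated by `lib.mkIf config.services.caddy.enable`; gating both the same way keeps the pair consistent. The `access_control` rules that `bypass` `^/api$` and `^/api/` on `*.hpcesia.com` and `*.trin.one` carry no comment on why every subdomain's API path skips Authelia; a line such as `# /api on any subdomain is left to the upstream service's own authentication — re-check when adding hosts` would record that decision for the next reader.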
modules/services/authelia/oidc-hmac-secret.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> X25519 qTFxzQeV6qFWhxnXICBPMio9NNcH9q/cwQ13rx4KElE
+XfwQ5oC11qTIYov3H/F14PPUnjFdX1BmmPoW2ln0jzI
+-> "?8Ws2o7-grease o0y ?7eq u|>&4,= pz?!
+7iVrq/Qp3t4XV6b5SqMqUGXRRQDSOHxibtYUPNIA9flbUideGF8SIso+2WEXUa0v
+GE2brreJoDjfVfjY+zcUCBxrE9xDVjDHnqAlGFU
+--- 526ty1nTIn+GXZ3v2iUG5VdWZYNfAes/0zuwnrpBvkQ
+���������.N)�����c�-Fr�jD-�DC|��%�i�B�Na˟H�r��G�(��s8[|�z�fD� �~²�w�F����8i?�H�@8f�CH`
\ No newline at end of file
modules/services/authelia/oidc-issuer-private-key.age
Binary file
modules/services/authelia/session-secret.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> X25519 VNDH77WFsaUkWysH2WCZflDDhk/9VCFFhmDTZZkB7XQ
+qXevCtKEv6Fiwrg8hxMy/VfeOXuQ1FmFMZhqhJrJ9zE
+-> qAeq-grease f"gk^B3 s
+LFzMuFag1pzoZ1td0Q11hIvM1WMYOHXTkYTE55Ed8SdCQguJ1tJcpRnSOX4CXMH1
+8Osctp5w1N0mO5Y02MD2EmumJqqJ1PvQuY8PVFApOrAj01jR7PwMkWHmVNI
+--- KMBPOi5+w0OHKSx4v/0P8rhUf6TIb+D5o8XCEZq7er4
+:��YP�LG;���9/�Q�
+�m�'Xԫ%�
�=��
�:���څ%KpX����t咰Ja�]�X=� ����D���o�N�bf�c6A�
\ No newline at end of file
modules/services/authelia/storage-encryption-key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> X25519 eFXmw7OroEzDaBIrk8o0/eHOmUGqtzZEu9WDGA+nPRc
+0Q2Uv5m2FGWPz9xc2kiegUJKO7ygf1+BfTzRfKK9i6E
+-> W-grease z`iyV8
+e1o
+--- KMuf+ki+h7eLFRXmeuioLMgSgaZeewq3Vgz9TRaKcC0
+�C�B��ޣp
�9�ʼ*��;��rR<��z4&��?3D�rU���4���IǴ�I`�t��d�ߗ�
\ No newline at end of file
secrets/cache/pardofelis/280cacb72c6574c785b429f2f7ddcfeb03a9a9a7e633b9cc83c9e318e4647f87
Binary file
secrets/cache/pardofelis/5431eeae2575b1dc3af42482de4cb010eddf8179268d8f79f63283639cb143f5
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw TuhB7H8/gKisKuznkf13XyVf3d+AtaYIsJ69hykdQmA
+D+N9U/9CvL3D05GZnlxPI4KHC6su6PE+RlpIrfSmJTg
+-> sWEJh*-grease 1&9B )U*4 2"ym"m
+VQbOfd6SmZsiaK+SIgUnsiMSd8t28CQizo42zYP62V4g9MW3/FdtZuqa8w4irdRd
+K2am+ijwUsKcAIMAchSGoNZzQeBttzxgifuOYJKAA9aoxw
+--- apWJpWA7Z5gn6TYI4VD1u5RDdJ/ome4TYwKNrNurKLE
+`�b^�x�������Ak�^��7�����L��F�U2́���rUmsE�F@���6ƳP�|%<���:��I�����E�$�S,PT�V@����T5�!�`�EWp�А=AK��@������Qv�y0].�҈ E�����Dp���|fC1uN:��W�q
\ No newline at end of file
secrets/cache/pardofelis/574fb7e6e4aa94f327a3d08e18ecc0271cd3cfe66996c557b96ce5deaa54bf86
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw muCSbU32lFqluYYcJk/oepJtndeV3lckMYvIXL3KoHA
+ybkKv1motSBq+T6EhHhqv7c4xYi6OHxOH0dJEsROc1I
+-> jI,.o('-grease Z iQC|Dh< ayW
+UT2fSuPOQP1itNn/du9WHSOvByw+KmTXhDh7G8taFXmErTkXCkZhyJ2RPoRvFE8d
+vFILFUe7uCu/q/045AivLdVQfkwG28EsLPZX8w
+--- Iv/TVxhSU2u3618M6rL5q5GoV+1GxzKVX26eJiQv6wM
+yA��CY("(] ��=��E�+H�ʞA]��Qȇ���;�O���eÞM��2p�0���]�тۮ����<�T)�nKX7���nQ#�|/)���z��y����]M<�f1$ˎ�|�*<j�h��j\��,FJ���K��k��Ч��d�;G�G<���
��
\ No newline at end of file
secrets/cache/pardofelis/633c56617c6f36501f405fc80f8a913ed121992a9047c968c012065267cc29eb
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw YLbwhi5R1fi4NnK1UypBs/paLo10ZwGyCZCB/UCGs2w
+k8gFmEfsxa9L2/okTABpdEz2Sud0yRv1otO0xUESAmo
+-> >[vrB-grease } !t Qoh
+GNDPpd9wpnh8cicTHeum9Hm1TdblzNX9U4fb9ad+wlEUqTsdwU1MYVAchuiIkxdM
+6L2snkZAREJ9
+--- HjXYZ0NF6oKEQRxZIDWgAltAz+GkzNPBPHmiagMZDiI
+Q�������ľ���02�Z�FI�
+MhG�&��?�V�H���M�s�N֜���>}������!��8:����V&���f����
�wF�8�3��a�
\ No newline at end of file
secrets/cache/pardofelis/85ed37a8cf9dd7c526417f7608285d058683accba7cbfb8cbb979e5fca4dbef9
Binary file
secrets/cache/pardofelis/96140335a96601dbe908c13a0875f6827ae86289f0a0b3e069dc34da87f82cc2
Binary file
secrets/cache/pardofelis/e38c3047bc726ee0bfe2fb78026db828caab1c8ef65976461e978110afca3d6c
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw Md5hv5fPj0+v3LDnQifGVBMeBwgXsYdGa5ZC57935QU
+dBw7g6Oo+4jyZmwxV+xeXl2b7BQEuP7yZbnb9wqItLk
+-> W-grease <th5dI nz0"Wiv
+o3vSsExz8pYB4JxiQUmN97QWITbyNxN1ho/jUiJEgv76RA
+--- d+rutXN9d6pvTTcd49xrBxkrePxBaf3DLu56BzIpIhg
+���k���v��O�A�ӥY��>NE��k�N�JC�����?]���cy�X�������y��)�Ɯ�P̒ ;��jx�&���c9V:�C�A�0��
\ No newline at end of file
secrets/cache/pardofelis/ff8012c3482215c9f859de9c5ba974c0399d6be01acd7b041fce21c17fa380ca
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 B1HLiw KxmwEVTCe9ezab43DYEMMVTuXSQ9ow8iSUhWoUP1Zhg
+ksGyD9M7I/Juo8F4zPR0R71Q4sT2d3TRnGI7hL9dxvU
+-> "-grease Gvyq K=J4okJ 3tL@k
+ejcO7eYkZh9Ly/7MP/hfm56OG9U5Bs0z9z6ULuoJCzuCTVWb2jUjjsHgIhhAaxPh
+k4m6jw
+--- fdTuUjBaijRvV/kAsxsg+ZxcNO+s8fu9Wf/aunReuCs
+r���U���������+�h�]M6��~�Ov�*U
���WP��Ky�z��k�I��!��6'vo�{
\ No newline at end of file