Commit a66139a

HPCesia <me@hpcesia.com>
2025-07-17 08:52:37
feat(service): add authelia on pardo
1 parent 9304b0d
Changed files (4)
hosts/chaser-pardofelis/authelia.nix
@@ -0,0 +1,94 @@
+{config, ...}: {
+  services.authelia.instances = {
+    main = {
+      enable = true;
+      settings = {
+        theme = "auto";
+        default_2fa_method = "totp";
+        log.level = "info";
+        server = {
+          address = "tcp://127.0.0.1:9091";
+          endpoints.authz.forward-auth = {
+            implementation = "ForwardAuth";
+            authn_strategies = [
+              {
+                name = "HeaderAuthorization";
+                schemes = ["Basic" "Bearer"];
+              }
+              {
+                name = "CookieSession";
+              }
+            ];
+          };
+        };
+        identity_validation.reset_password.jwt_algorithm = "HS512";
+        identity_providers.oidc.clients = [
+          {
+            # TODO: Just a placeholder to run Authelia correctly,
+            # Because `identity_providers.oidc.clients` should note be empty.
+            client_id = "alist_example";
+            client_name = "Alist";
+            # The digest of 'insecure_secret'.
+            # In real deployment, it should be a secret managed by sops-nix.
+            client_secret = "$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng";
+            public = false;
+            authorization_policy = "one_factor";
+            redirect_uris = [
+              "https://alist.example.com/api/auth/sso_callback?method=sso_get_token"
+              "https://alist.example.com/api/auth/sso_callback?method=get_sso_id"
+            ];
+            scopes = ["openid" "profile"];
+            userinfo_signed_response_alg = "none";
+            token_endpoint_auth_method = "client_secret_post";
+          }
+        ];
+        authentication_backend.file = {
+          path = "/var/lib/authelia-main/users_database.yaml";
+          password.algorithm = "argon2";
+        };
+        storage.local.path = "/var/lib/authelia-main/db.sqlite3";
+        notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
+        totp = {
+          disable = false;
+          issuer = "hpcesia.com";
+        };
+        session.cookies = [
+          {
+            name = "authelia_session";
+            domain = "hpcesia.com";
+            authelia_url = "https://authelia.hpcesia.com";
+            expiration = "1 hour";
+            inactivity = "5 minutes";
+            remember_me = "2 week";
+          }
+        ];
+        access_control = {
+          default_policy = "deny";
+          rules = [
+            {
+              domain = "*.hpcesia.com";
+              policy = "bypass";
+              resources = ["^/api$" "^/api/"];
+            }
+            {
+              domain = "*.hpcesia.com";
+              policy = "one_factor";
+            }
+          ];
+        };
+        regulation = {
+          max_retries = 3;
+          find_time = "2 minutes";
+          ban_time = "5 minutes";
+        };
+      };
+      secrets = {
+        jwtSecretFile = config.sops.secrets."authelia-main-jwt-secret".path;
+        oidcHmacSecretFile = config.sops.secrets."authelia-main-oidc-hmac-secret".path;
+        oidcIssuerPrivateKeyFile = config.sops.secrets."authelia-main-oidc-issuer-private-key".path;
+        sessionSecretFile = config.sops.secrets."authelia-main-session-secret".path;
+        storageEncryptionKeyFile = config.sops.secrets."authelia-main-storage-encryption-key".path;
+      };
+    };
+  };
+}
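Review bot: The first access_control rule (lines 80-84) grants `bypass` for resources `^/api$` and `^/api/` on `*.hpcesia.com`, so every API route on every subdomain protected by this forward-auth endpoint skips Authelia entirely, not just the one application that needs an unauthenticated API. If the bypass exists for a single service (the placeholder OIDC client suggests Alist), scope it to that host, e.g. `domain = "alist.hpcesia.com";`, and let the `one_factor` catch-all cover the rest. The placeholder OIDC client is also a live registration whose plaintext secret is spelled out in the comment next to its digest; even for a placeholder, the comment should only say that the digest is a throwaway, and the comment typo should read `should not be empty`.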
hosts/chaser-pardofelis/caddy.nix
@@ -15,6 +15,13 @@
     '';
 
     virtualHosts = {
+      "authelia.hpcesia.com".extraConfig = ''
+        encode zstd gzip
+        reverse_proxy http://${
+          # Assuming address start with `tcp://`.
+          builtins.substring 6 (-1) config.services.authelia.instances.main.settings.server.address
+        }
+      '';
       "grafana.hpcesia.com".extraConfig = ''
         encode zstd gzip
         reverse_proxy http://localhost:${builtins.toString config.services.grafana.settings.server.http_port}
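Review bot: `builtins.substring 6 (-1)` on line 116 blindly drops six characters, so if the Authelia address is later written without the `tcp://` scheme the reverse_proxy target silently becomes a truncated host rather than failing. `lib.removePrefix "tcp://"` is a no-op when the prefix is absent and states the intent directly: `reverse_proxy http://${lib.removePrefix "tcp://" config.services.authelia.instances.main.settings.server.address}`, assuming `lib` is a parameter of this module (its header is outside the hunk). Neither form handles an address carrying a path component, which Authelia also accepts, so the comment should name that coupling to authelia.nix explicitly, e.g. `# Must stay in sync with server.address in authelia.nix (scheme tcp://, no path).`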
secrets/hosts/pardofelis/default.nix
@@ -26,28 +26,71 @@ in
         lib.mkIf
         (config.modules.currentHost == "pardofelis")
         nvp.value;
-    }) [
-      {
-        name = "freshrss-admin-password";
-        value =
-          {
-            key = "services/freshrss/defaultUserPassword";
-            owner = "root";
-            group = "freshrss";
-            mode = "0440";
-          }
-          // secretFileConf;
-      }
-      {
-        name = "grafana-admin-password";
-        value =
-          {
-            key = "services/grafana/adminPassword";
-            owner = "root";
-            group = "grafana";
-            mode = "0440";
-          }
-          // secretFileConf;
-      }
-    ]
+    }) (
+      let
+        autheliaMainConf = {
+          owner = "root";
+          group = "authelia-main";
+          mode = "0440";
+        };
+      in [
+        {
+          name = "freshrss-admin-password";
+          value =
+            {
+              key = "services/freshrss/defaultUserPassword";
+              owner = "root";
+              group = "freshrss";
+              mode = "0440";
+            }
+            // secretFileConf;
+        }
+        {
+          name = "grafana-admin-password";
+          value =
+            {
+              key = "services/grafana/adminPassword";
+              owner = "root";
+              group = "grafana";
+              mode = "0440";
+            }
+            // secretFileConf;
+        }
+        {
+          name = "authelia-main-oidc-hmac-secret";
+          value =
+            {key = "services/authelia/main/oidcHmacSecret";}
+            // autheliaMainConf
+            // secretFileConf;
+        }
+        {
+          name = "authelia-main-oidc-issuer-private-key";
+          value =
+            {key = "services/authelia/main/oidcIssuerPrivateKey";}
+            // autheliaMainConf
+            // secretFileConf;
+        }
+        {
+          name = "authelia-main-session-secret";
+          value =
+            {key = "services/authelia/main/sessionSecret";}
+            // autheliaMainConf
+            // secretFileConf;
+        }
+        {
+          name = "authelia-main-jwt-secret";
+          value =
+            {key = "services/authelia/main/jwtSecret";}
+            // autheliaMainConf
+            // secretFileConf;
+        }
+        {
+          name = "authelia-main-storage-encryption-key";
+          value =
+            {key = "services/authelia/main/storageEncryptionKey";}
+            // autheliaMainConf
+            // secretFileConf;
+        }
+      ]
+    )
   )
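Review bot: In each new `authelia-main-*` entry (lines 181-215) the merge order `{key = …} // autheliaMainConf // secretFileConf` lets `secretFileConf` win over `autheliaMainConf`, so if `secretFileConf` (defined outside the hunk) ever carries `owner`, `group` or `mode`, the `authelia-main` group and `0440` mode are silently overridden and the service loses read access to its secret files. If `secretFileConf` is only the sopsFile/format pair this is harmless today, but writing `// secretFileConf // autheliaMainConf` makes the per-service permissions authoritative regardless of later changes to the shared attrset. A short comment on `autheliaMainConf`, such as `# Readable only by root and the authelia-main service group`, would also document why the group differs from the other entries.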
secrets/hosts/pardofelis/secrets.yaml
@@ -7,6 +7,13 @@ services:
         defaultUserPassword: ENC[AES256_GCM,data:go37FcBdkPaI3o9ufWWSe4csncSBXl7Sna1lOU9xCxc=,iv:uslyMRqDLmJp9al4kz+F/f8tcyAzpBtnRHRNaz5E+1U=,tag:cs/laSyPWy0GHN3bMO8FRQ==,type:str]
     grafana:
         adminPassword: ENC[AES256_GCM,data:GSD4lXMBxnzbmWluPp0J4Y7EDOnutCZq,iv:MqyKSHZk2RkPEo07SQxYYYZir+DPwWSjwwWVfeP8kqQ=,tag:VVJFT5HQquF6fOp7aOINSA==,type:str]
+    authelia:
+        main:
+            jwtSecret: ENC[AES256_GCM,data:czKoD+m8bu0ioTjXYmGv8ZhQphTgsv3GEAvgY4JsxbhAEDgzR1U/Pm7n3FuoIbCCPI6TQcRN2cB4NrvNNUoqZg==,iv:MZbgnw3GkgkQQNk2i4wNFkqcrsyIqdB1GbfeN+NTlwQ=,tag:MN7dV2BDjXxI3AxOYNie1Q==,type:str]
+            oidcHmacSecret: ENC[AES256_GCM,data:BOB1jTSl/yi/rPll1Frd2eFJQdZ+vI2c291Aot50eKZcaLzqA9OwUKY3MlXhyk68RF0p/krFNwRq1c4vhOTrDg==,iv:l5AS24F/Zv2iLf4TYpqR9AOFAzloYEoOVq/SHl2+OuQ=,tag:8nMMAI8TghiMSfDJ+qOYLQ==,type:str]
+            oidcIssuerPrivateKey: ENC[AES256_GCM,data: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,iv:SXeiK4/QCqmQpdoOuFZR2cFjoox44YPvw+eKkL9wT+I=,tag:KkdOkpIojnGmTZ0uJEvwcw==,type:str]
+            sessionSecret: ENC[AES256_GCM,data:kztWuKe/1zcnOypdbKh2SQ5LzS96XdjOngkJGDmtc8JdyJNbDbbAztLvN5FdUtJgo+Ltq6xFMsK5vQfIhmzttg==,iv://+sTH+dyZ18OUP9yJ67xEUhlR7gTLaL6Pich5VT4Qw=,tag:2JEAqUfmIwzSmKEaxBhkAQ==,type:str]
+            storageEncryptionKey: ENC[AES256_GCM,data:Izqst2AzXvOG4qi3BYIp4BY2nGfuVEUro3mjrHRtMfY=,iv:CYqOylrTvPGvCTJ8ObCg9um4hWLY4cqRqMBruzCeAko=,tag:IQ9CAr9sGKaZKVbAOeFXVA==,type:str]
 sops:
     age:
         - recipient: age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
@@ -27,8 +34,8 @@ sops:
             MmVobitCNUxvUGJmRUtWWEhZekdHaEEKcx1nN+bR2wsexYV/B5PC+Pu9Yi9w+KE8
             Kcy2S1Cyu7MEkE8it447yqixIA5l5mbFGRjfTvI8KZXZUGgLecAktQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-16T13:27:20Z"
-    mac: ENC[AES256_GCM,data:0qpubROBFmFikgQLuBhOJXqfcwGJVHawpRcitXjrzpKCSGYktzH5k6dVDeuoV1gJy+aPNUr029kDaVg3r+yPSc3ouxjc8NbI8nkiZzrUWJdiRkfiDWbdePGrqCKlXdGLfVw5XXP5zIAhXKCQCsy1w0TwHXG3k8TZCp8pvoc9KTo=,iv:MT3BIx2YPX1wpWXz0xoDEUUyX2WBN8BEGm352ma65Ag=,tag:RxA+KKsOfXWPMVRgbN7MJw==,type:str]
+    lastmodified: "2025-07-17T07:12:32Z"
+    mac: ENC[AES256_GCM,data:VHPb4QiRZ+kw3QS7EAYIjOVnmHNetSuOY4VsZPmf/iOAcsfiq6Nab5gb+pXGMPUBmHLt85auagx4e9ZbpSFcOX2yHdZkQ/UxR3ZW27aRk08+5HuZjAYfKmQyMHSBjo2AfywUkdkeTawqm8s6rlOdLeqY0hyGfCmKjEVcq37Swl0=,iv:FJRCKrSJwEyolbXQzpoEhFgZeKE5ZTzL6KQWftJ1G/A=,tag:TJ+OZ8vUhixv94KG/hiFKg==,type:str]
     pgp:
         - created_at: "2025-07-15T13:47:27Z"
           enc: |-