Commit a66139a
Changed files (4)
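--- a/hosts/chaser-pardofelis/authelia.nix
+++ b/hosts/chaser-pardofelis/authelia.nix
@@ -0,0 +1,94 @@
+{config, ...}: {
+ services.authelia.instances = {
+ main = {
+ enable = true;
+ settings = {
+ theme = "auto";
+ default_2fa_method = "totp";
+ log.level = "info";
+ server = {
+ address = "tcp://127.0.0.1:9091";
+ endpoints.authz.forward-auth = {
+ implementation = "ForwardAuth";
+ authn_strategies = [
+ {
+ name = "HeaderAuthorization";
+ schemes = ["Basic" "Bearer"];
+ }
+ {
+ name = "CookieSession";
+ }
+ ];
+ };
+ };
+ identity_validation.reset_password.jwt_algorithm = "HS512";
+ identity_providers.oidc.clients = [
+ {
+ # TODO: Just a placeholder to run Authelia correctly,
+ # Because `identity_providers.oidc.clients` should note be empty.
+ client_id = "alist_example";
+ client_name = "Alist";
+ # The digest of 'insecure_secret'.
+ # In real deployment, it should be a secret managed by sops-nix.
+ client_secret = "$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng";
+ public = false;
+ authorization_policy = "one_factor";
+ redirect_uris = [
+ "https://alist.example.com/api/auth/sso_callback?method=sso_get_token"
+ "https://alist.example.com/api/auth/sso_callback?method=get_sso_id"
+ ];
+ scopes = ["openid" "profile"];
+ userinfo_signed_response_alg = "none";
+ token_endpoint_auth_method = "client_secret_post";
+ }
+ ];
+ authentication_backend.file = {
+ path = "/var/lib/authelia-main/users_database.yaml";
+ password.algorithm = "argon2";
+ };
+ storage.local.path = "/var/lib/authelia-main/db.sqlite3";
+ notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
+ totp = {
+ disable = false;
+ issuer = "hpcesia.com";
+ };
+ session.cookies = [
+ {
+ name = "authelia_session";
+ domain = "hpcesia.com";
+ authelia_url = "https://authelia.hpcesia.com";
+ expiration = "1 hour";
+ inactivity = "5 minutes";
+ remember_me = "2 week";
+ }
+ ];
+ access_control = {
+ default_policy = "deny";
+ rules = [
+ {
+ domain = "*.hpcesia.com";
+ policy = "bypass";
+ resources = ["^/api$" "^/api/"];
+ }
+ {
+ domain = "*.hpcesia.com";
+ policy = "one_factor";
+ }
+ ];
+ };
+ regulation = {
+ max_retries = 3;
+ find_time = "2 minutes";
+ ban_time = "5 minutes";
+ };
+ };
+ secrets = {
+ jwtSecretFile = config.sops.secrets."authelia-main-jwt-secret".path;
+ oidcHmacSecretFile = config.sops.secrets."authelia-main-oidc-hmac-secret".path;
+ oidcIssuerPrivateKeyFile = config.sops.secrets."authelia-main-oidc-issuer-private-key".path;
+ sessionSecretFile = config.sops.secrets."authelia-main-session-secret".path;
+ storageEncryptionKeyFile = config.sops.secrets."authelia-main-storage-encryption-key".path;
+ };
+ };
+ };
+}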
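Review bot: The `bypass` rule for `^/api$` and `^/api/` is scoped to `*.hpcesia.com`, so the API path of every service behind the forward-auth endpoint skips Authelia entirely, and any subdomain added later inherits that hole rather than the `default_policy = "deny"` / `one_factor` intent. The forward-auth endpoint already enables the `HeaderAuthorization` strategy with `Basic` and `Bearer`, so API clients can present credentials in the `Authorization` header instead of a bypass; if a bypass is really needed, narrow that rule's `domain = "*.hpcesia.com";` to the specific host(s) whose API must be unauthenticated. The placeholder OIDC client is also live on the issuer with the digest of the publicly known `insecure_secret` and a `one_factor` policy; even with redirect URIs pinned to `alist.example.com`, a guessable client secret should not ship — use a sops-managed `client_secret` like the other secrets in this hunk, or at least a throwaway random digest, until the real client exists. Finally, both rules are `one_factor`, so `default_2fa_method = "totp"` is never actually enforced; consider `policy = "two_factor";` on the catch-all rule if TOTP is meant to protect these hosts.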
hosts/chaser-pardofelis/caddy.nix
@@ -15,6 +15,13 @@
'';
virtualHosts = {
+ "authelia.hpcesia.com".extraConfig = ''
+ encode zstd gzip
+ reverse_proxy http://${
+ # Assuming address start with `tcp://`.
+ builtins.substring 6 (-1) config.services.authelia.instances.main.settings.server.address
+ }
+ '';
"grafana.hpcesia.com".extraConfig = ''
encode zstd gzip
reverse_proxy http://localhost:${builtins.toString config.services.grafana.settings.server.http_port}
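--- a/secrets/hosts/pardofelis/default.nix
+++ b/secrets/hosts/pardofelis/default.nix
@@ -26,28 +26,71 @@ in
 lib.mkIf
 (config.modules.currentHost == "pardofelis")
 nvp.value;
-}) [
-{
-name = "freshrss-admin-password";
-value =
-{
-key = "services/freshrss/defaultUserPassword";
-owner = "root";
-group = "freshrss";
-mode = "0440";
-}
-// secretFileConf;
-}
-{
-name = "grafana-admin-password";
-value =
-{
-key = "services/grafana/adminPassword";
-owner = "root";
-group = "grafana";
-mode = "0440";
-}
-// secretFileConf;
-}
-]
+}) (
+let
+autheliaMainConf = {
+owner = "root";
+group = "authelia-main";
+mode = "0440";
+};
+in [
+{
+name = "freshrss-admin-password";
+value =
+{
+key = "services/freshrss/defaultUserPassword";
+owner = "root";
+group = "freshrss";
+mode = "0440";
+}
+// secretFileConf;
+}
+{
+name = "grafana-admin-password";
+value =
+{
+key = "services/grafana/adminPassword";
+owner = "root";
+group = "grafana";
+mode = "0440";
+}
+// secretFileConf;
+}
+{
+name = "authelia-main-oidc-hmac-secret";
+value =
+{key = "services/authelia/main/oidcHmacSecret";}
+// autheliaMainConf
+// secretFileConf;
+}
+{
+name = "authelia-main-oidc-issuer-private-key";
+value =
+{key = "services/authelia/main/oidcIssuerPrivateKey";}
+// autheliaMainConf
+// secretFileConf;
+}
+{
+name = "authelia-main-session-secret";
+value =
+{key = "services/authelia/main/sessionSecret";}
+// autheliaMainConf
+// secretFileConf;
+}
+{
+name = "authelia-main-jwt-secret";
+value =
+{key = "services/authelia/main/jwtSecret";}
+// autheliaMainConf
+// secretFileConf;
+}
+{
+name = "authelia-main-storage-encryption-key";
+value =
+{key = "services/authelia/main/storageEncryptionKey";}
+// autheliaMainConf
+// secretFileConf;
+}
+]
+)
 )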
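Review bot: The new `autheliaMainConf` attrset factors out owner/group/mode for the five Authelia entries, but the two pre-existing entries in the same list (`freshrss-admin-password`, `grafana-admin-password`) still spell the identical `owner = "root"; mode = "0440";` pattern inline, so the list now mixes two styles for the same thing. A small helper taking the group and key, e.g. `mkSecret = group: key: {inherit key group; owner = "root"; mode = "0440";} // secretFileConf;`, would let every entry read as `value = mkSecret "authelia-main" "services/authelia/main/jwtSecret";` and make any future change to the file mode a one-line edit. The list is built inside a `lib.mkIf` expression whose start lies outside the hunk.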
secrets/hosts/pardofelis/secrets.yaml
@@ -7,6 +7,13 @@ services:
defaultUserPassword: ENC[AES256_GCM,data:go37FcBdkPaI3o9ufWWSe4csncSBXl7Sna1lOU9xCxc=,iv:uslyMRqDLmJp9al4kz+F/f8tcyAzpBtnRHRNaz5E+1U=,tag:cs/laSyPWy0GHN3bMO8FRQ==,type:str]
grafana:
adminPassword: ENC[AES256_GCM,data:GSD4lXMBxnzbmWluPp0J4Y7EDOnutCZq,iv:MqyKSHZk2RkPEo07SQxYYYZir+DPwWSjwwWVfeP8kqQ=,tag:VVJFT5HQquF6fOp7aOINSA==,type:str]
+ authelia:
+ main:
+ jwtSecret: ENC[AES256_GCM,data:czKoD+m8bu0ioTjXYmGv8ZhQphTgsv3GEAvgY4JsxbhAEDgzR1U/Pm7n3FuoIbCCPI6TQcRN2cB4NrvNNUoqZg==,iv:MZbgnw3GkgkQQNk2i4wNFkqcrsyIqdB1GbfeN+NTlwQ=,tag:MN7dV2BDjXxI3AxOYNie1Q==,type:str]
+ oidcHmacSecret: ENC[AES256_GCM,data:BOB1jTSl/yi/rPll1Frd2eFJQdZ+vI2c291Aot50eKZcaLzqA9OwUKY3MlXhyk68RF0p/krFNwRq1c4vhOTrDg==,iv:l5AS24F/Zv2iLf4TYpqR9AOFAzloYEoOVq/SHl2+OuQ=,tag:8nMMAI8TghiMSfDJ+qOYLQ==,type:str]
+ oidcIssuerPrivateKey: ENC[AES256_GCM,data:TRui0p/mI93Rfi6SZuZFuanMTIpQx0ODvkMlgJ8aNsI2SNScAMy+nXcojUE1Fa/TYkKXdUmgol62PIsjXTWGl+onUiyvYC+gMcJUVcNNDbUGruELeUYLFKLCciF8iAO5iuef6rJJIrrb6AHCqoNGuNxy7PL9F4T7LiKNCAv/vn4MxRfS3OEO3svdrDFSNwTieRBvL5RW43LkKwiV4fRSPMDKng6/N5oIU10fslP2tnGa0S14M2EHE4GMbfm0FUlvudCQjVcWoWp9H2h7XGB5ykqUWli5oAJA8JV5wJdRp+ADtWJA2zyPEMTjwis0M1UBdvDZ1h13Kf5Rv07I0V+gKIWFaBgMLQ+Gm8HjHirmibLp1k/LSGy6gDtvNtU8Ps9hiEAAVIyX65O4t74HhtOaDuJl6twi4Olro+8P56oyV6JTTQ2MtwKpJh92rIhClb3vg7pN2Zgug6IwEImwc800iQaxNMBZIMOVEy3u1+TP6HWGHE5wDtqSSZfS7rM/bl5lIhCaeOixvjfj5nOZ7/VousIHpANDR8xi3HZn8AYLI9jx8YGgyjqTucqC9s/6V5LsGLw4hwUR6F+4RqSO1taswzVZv6D9rGDZciMnavvdrECePEz5iR8LnZ3gBvBl3g7rtO832R2aSNlEZZJU9uhi4nAZUUNW5/gDcmLjCJzaBLamwg4UW3IssNlXigoOLNUAkfinZBYetHs8WCx3g0WIxVpxhpPxkR3H80lTP4EP2tMmBh3XfXIdvGrc0UG6oN05D/lTurq3Yvso1r/DBzVkH/JKHENvNvxnKZ6HhDBDjZygYVCcUAWdge5LVq7y+4HpJC9nMjLFQnx0IzfdTcF1j4BDxjyx3m1MgjMUHjT9CnzpSvtyQ+OfDuSWM2s9XWQcxhqP/uzvviXBk5PChLVAQ+CeLXz5LvgbJ3S/AqkZLYsVmQHR90fkp82oRnbTRv8z/VHjazfc8AVXXF06hFTQ3y5F3XSU7ZsgLtk6cZwdOPITg8HGLjRXzciTh3eW/tAp5LcvEAbb9Gbz3tZNHw2ZtDKFmmHH2GYpAgaq/ZoEDYBjySpGddAb/xxWE9YdlPLRYIswYQkyLzCnpNTeCtu3CxYis7gk2p2cL90vWbdEO+XKi55j7oKB1OX8ARKyi6aY5U2lFrE1h4JGUlbF3hI9sY1KZRjkn5uQkuBItbYofOzEu7u3KjGZWdi9ZRnoSYyVpM3zJEr8GWEz6SvtdQCeND0stj7LkGXgmwK8/LG4aVX7qqGjMxe0Tv5B6FXIm9dwjcLVdr+49Eo7NgWxd+4YICk+iclF57xOCtsNAJpAEpyjxnANvRDII0b014g6EJiOR4OlQsGpWod0m3VM8dkCxiQOscONPFzv+P8sIYtCxSjROaFGxYbH1cfLnx6vdOK91A2scDkvUqBFThZK1r9FB2umKKjD9uXYsVy1y/sktPvVHleF/iYRnx2GzT1ZLePC3P9DlPXarqHm+ei3YTDVVeQTkeNMkGjKqH932hdWlWwCmlJAaZKaXzeeFunDAMVzDNUMaE/5QMff6sZwajhz44HJWgLjsYleeNrqsOIKtF5FqNA0/8MXkrZLqmBrctmAaE3VtWFBrtBkhcy4bKv9Nf120+jRsE35T4yKptuF18x+etdzVsJmmo8cDF0YhxV5fgQf9Xixs880DBTp/hXDt2NhvFzA9jaWKJPRXV5DErOYyfZRg99v7qos/dGaNS9U8XWkjpynd7U6iA5sKy8aqLaUsE3cjKpb/cTpL4JY+f+QA/SWf6/oeA+nyUnipIG5UQE1DdY9I9LP4l+3dQSGkTEs3ZQVF778vmDld2X1w3FdeQpmRqjkPkmZw874Iwv7u3b+yhzaYN/6p2Z0W1RHmUTMiuCqgFDNLQgZfXFu7P8kNohkBL2LuVJJcQ2S0xgtQMn4xnc5lBRVLUsTL1RR2pMQJJrmNxPJDUfo
gofV8DzYthtHMNjvDeK41oD7pk5QsKvtjbN/PuQEpbMBUzUnnDAEQ7QtobOKO/p5dv5JnTDd3tnxqkOYvEYJ90Z58zO7RMQYmeyVfWL3o2hEKTa8rUc62/6FFBw3/sSQSRXCnLKfF/wswP1hS6MdLDHLl30H6I1+pZU+tvU9D/r8VftvTg3wy80dPy9IrRfyYRQkST5EQ3JVD1tCeYkQ8laZ1fEFdWFM1keB3jfWHlEwUSsyLHiDD6ps4IkOqWAlXeO7RnWO2qk4YmU5jrEEtXwmyWXiAPlK1JxwO8YIFWut43t4OVM5XBVCTE4U,iv:SXeiK4/QCqmQpdoOuFZR2cFjoox44YPvw+eKkL9wT+I=,tag:KkdOkpIojnGmTZ0uJEvwcw==,type:str]
+ sessionSecret: ENC[AES256_GCM,data:kztWuKe/1zcnOypdbKh2SQ5LzS96XdjOngkJGDmtc8JdyJNbDbbAztLvN5FdUtJgo+Ltq6xFMsK5vQfIhmzttg==,iv://+sTH+dyZ18OUP9yJ67xEUhlR7gTLaL6Pich5VT4Qw=,tag:2JEAqUfmIwzSmKEaxBhkAQ==,type:str]
+ storageEncryptionKey: ENC[AES256_GCM,data:Izqst2AzXvOG4qi3BYIp4BY2nGfuVEUro3mjrHRtMfY=,iv:CYqOylrTvPGvCTJ8ObCg9um4hWLY4cqRqMBruzCeAko=,tag:IQ9CAr9sGKaZKVbAOeFXVA==,type:str]
sops:
age:
- recipient: age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
@@ -27,8 +34,8 @@ sops:
MmVobitCNUxvUGJmRUtWWEhZekdHaEEKcx1nN+bR2wsexYV/B5PC+Pu9Yi9w+KE8
Kcy2S1Cyu7MEkE8it447yqixIA5l5mbFGRjfTvI8KZXZUGgLecAktQ==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-16T13:27:20Z"
- mac: ENC[AES256_GCM,data:0qpubROBFmFikgQLuBhOJXqfcwGJVHawpRcitXjrzpKCSGYktzH5k6dVDeuoV1gJy+aPNUr029kDaVg3r+yPSc3ouxjc8NbI8nkiZzrUWJdiRkfiDWbdePGrqCKlXdGLfVw5XXP5zIAhXKCQCsy1w0TwHXG3k8TZCp8pvoc9KTo=,iv:MT3BIx2YPX1wpWXz0xoDEUUyX2WBN8BEGm352ma65Ag=,tag:RxA+KKsOfXWPMVRgbN7MJw==,type:str]
+ lastmodified: "2025-07-17T07:12:32Z"
+ mac: ENC[AES256_GCM,data:VHPb4QiRZ+kw3QS7EAYIjOVnmHNetSuOY4VsZPmf/iOAcsfiq6Nab5gb+pXGMPUBmHLt85auagx4e9ZbpSFcOX2yHdZkQ/UxR3ZW27aRk08+5HuZjAYfKmQyMHSBjo2AfywUkdkeTawqm8s6rlOdLeqY0hyGfCmKjEVcq37Swl0=,iv:FJRCKrSJwEyolbXQzpoEhFgZeKE5ZTzL6KQWftJ1G/A=,tag:TJ+OZ8vUhixv94KG/hiFKg==,type:str]
pgp:
- created_at: "2025-07-15T13:47:27Z"
enc: |-