authorFranck Cuny <franck@fcuny.net>2025-11-22 11:03:49 -0800
committerFranck Cuny <franck@fcuny.net>2025-11-22 11:03:49 -0800
commit46a2f1f852cc4fe8d5c86757de4029d87ccb03af (patch)
tree3124a05e344b56ded5211a57baba7192548925e3
parentdelete do-rproxy (diff)
downloadinfra-46a2f1f852cc4fe8d5c86757de4029d87ccb03af.tar.gz
initial setup for authelia
Diffstat (limited to '')
-rw-r--r--machines/nixos/x86_64-linux/argonath.nix10
-rw-r--r--machines/nixos/x86_64-linux/rivendell.nix1
-rw-r--r--profiles/authelia.nix38
-rw-r--r--secrets/acme-cloudflare-env.agebin600 -> 490 bytes
-rw-r--r--secrets/argonath/wireguard.agebin367 -> 367 bytes
-rw-r--r--secrets/authelia-jwt-key.age8
-rw-r--r--secrets/authelia-storage-key.agebin0 -> 409 bytes
-rw-r--r--secrets/authelia-users.yaml.agebin0 -> 556 bytes
-rw-r--r--secrets/nas_client.agebin474 -> 474 bytes
-rw-r--r--secrets/restic-pw.agebin453 -> 453 bytes
-rw-r--r--secrets/rivendell/wireguard.agebin367 -> 367 bytes
-rw-r--r--secrets/secrets.nix19
-rw-r--r--secrets/ssh-remote-builder.agebin831 -> 831 bytes
-rw-r--r--secrets/vm-synology/wireguard.age12
14 files changed, 81 insertions, 7 deletions
diff --git a/machines/nixos/x86_64-linux/argonath.nix b/machines/nixos/x86_64-linux/argonath.nix
index af70040..fa7855c 100644
--- a/machines/nixos/x86_64-linux/argonath.nix
+++ b/machines/nixos/x86_64-linux/argonath.nix
@@ -9,8 +9,8 @@
../../../profiles/acme.nix
../../../profiles/cgroups.nix
../../../profiles/defaults.nix
- ../../../profiles/hardware/do-droplet.nix
../../../profiles/disk/basic-vm.nix
+ ../../../profiles/hardware/do-droplet.nix
../../../profiles/home-manager.nix
../../../profiles/server.nix
];
@@ -62,6 +62,14 @@
proxyPass = "http://10.100.0.60";
};
};
+ "auth.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.60:9092";
+ };
+ };
"fcuny.net" = {
enableACME = true;
acmeRoot = null;
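Review bot: The new `auth.fcuny.net` location only sets `proxyPass`, so nginx forwards the request to Authelia without `Host`, `X-Forwarded-Proto` or `X-Forwarded-Host`; Authelia uses those headers to build its redirect URLs and to mark the session cookie as secure, and without them the portal behind a TLS-terminating proxy tends to misbehave. Unless `services.nginx.recommendedProxySettings` is already enabled globally in a profile outside this hunk, add `recommendedProxySettings = true;` next to `proxyPass` in the `locations."/"` block. The upstream is plain `http://10.100.0.60:9092`, the same private address the existing vhost above proxies to, so the hop is presumably over the WireGuard link rather than a public interface — worth a one-line comment saying so. The enclosing `virtualHosts` attribute set starts and ends outside this hunk.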
diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix
index df72474..88172dd 100644
--- a/machines/nixos/x86_64-linux/rivendell.nix
+++ b/machines/nixos/x86_64-linux/rivendell.nix
@@ -6,6 +6,7 @@
}:
{
imports = [
+ ../../../profiles/authelia.nix
../../../profiles/cgroups.nix
../../../profiles/defaults.nix
../../../profiles/disk/btrfs-on-luks.nix
diff --git a/profiles/authelia.nix b/profiles/authelia.nix
new file mode 100644
index 0000000..ccc3d11
--- /dev/null
+++ b/profiles/authelia.nix
@@ -0,0 +1,38 @@
+{ config, ... }:
+{
+ age.secrets = {
+ authelia-storage-key = {
+ file = ../secrets/authelia-storage-key.age;
+ owner = "authelia-main";
+ };
+ authelia-jwt-key = {
+ file = ../secrets/authelia-jwt-key.age;
+ owner = "authelia-main";
+ };
+ authelia-users = {
+ file = ../secrets/authelia-users.yaml.age;
+ owner = "authelia-main";
+ };
+ };
+
+ services.authelia.instances.main = {
+ enable = true;
+ secrets.storageEncryptionKeyFile = config.age.secrets."authelia-storage-key".path;
+ secrets.jwtSecretFile = config.age.secrets."authelia-jwt-key".path;
+ settings = {
+ server.address = "tcp://:9092";
+ default_2fa_method = "totp";
+ notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
+ authentication_backend = {
+ file.path = config.age.secrets."authelia-users".path;
+ };
+ access_control.default_policy = "one_factor";
+ session.domain = "fcuny.net";
+ storage = {
+ local = {
+ path = "/var/lib/authelia-main/db.sqlite3";
+ };
+ };
+ };
+ };
+}
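Review bot: `access_control.default_policy = "one_factor"` makes every resource that has no explicit rule reachable with a password alone, which sits oddly next to `default_2fa_method = "totp"` a few lines above; Authelia's own default is `deny`, so for an initial setup either `access_control.default_policy = "deny";` with per-domain rules, or `"two_factor"` if everything should require TOTP, would be the safer starting point. `server.address = "tcp://:9092"` binds the portal on all interfaces of the host; if the NixOS firewall does not already close 9092, binding to the address nginx proxies to (`tcp://<internal-ip>:9092`, with the real address substituted) keeps it off any other interface. The `notifier.filesystem` setting deserves a comment along the lines of `# password-reset and TOTP registration links are written to this file, not mailed` so that nobody expects e-mail delivery from this profile.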
diff --git a/secrets/acme-cloudflare-env.age b/secrets/acme-cloudflare-env.age
index 9892917..ead4006 100644
--- a/secrets/acme-cloudflare-env.age
+++ b/secrets/acme-cloudflare-env.age
Binary files differ
diff --git a/secrets/argonath/wireguard.age b/secrets/argonath/wireguard.age
index b7b559d..7177521 100644
--- a/secrets/argonath/wireguard.age
+++ b/secrets/argonath/wireguard.age
Binary files differ
diff --git a/secrets/authelia-jwt-key.age b/secrets/authelia-jwt-key.age
new file mode 100644
index 0000000..ec41112
--- /dev/null
+++ b/secrets/authelia-jwt-key.age
@@ -0,0 +1,8 @@
+age-encryption.org/v1
+-> ssh-ed25519 pFjJaA zWhimvWW6S4oLnJhqrMx0DjviiheTzhWCVuQ8KL6RXk
+rWuEyS5uKyNp5dKQ6CEcwwbBSI+xcqqOGFvisc48Z3g
+-> ssh-ed25519 Y5h84Q M6frkfxdJpGLwR82Ft/8xDSHQalKw9c8rvRuaNrG81Q
+jAEqR/UytglKruPatIlLmY/OGSHDQxtbetLaZntpk7g
+--- LEkei2sBzMxV/Utl0VUt0rTRuurEuLSXYYVr5SKiLDc
+Q6&h9•TҍA(C9OMN"x>彶#kY/I/X|
+%ey!f}udܯjfx{~5鵣v]>鲨qjB븄 \ No newline at end of file
diff --git a/secrets/authelia-storage-key.age b/secrets/authelia-storage-key.age
new file mode 100644
index 0000000..ee1d6b1
--- /dev/null
+++ b/secrets/authelia-storage-key.age
Binary files differ
diff --git a/secrets/authelia-users.yaml.age b/secrets/authelia-users.yaml.age
new file mode 100644
index 0000000..4a0f38d
--- /dev/null
+++ b/secrets/authelia-users.yaml.age
Binary files differ
diff --git a/secrets/nas_client.age b/secrets/nas_client.age
index adebe58..3666c35 100644
--- a/secrets/nas_client.age
+++ b/secrets/nas_client.age
Binary files differ
diff --git a/secrets/restic-pw.age b/secrets/restic-pw.age
index 1113b31..467e611 100644
--- a/secrets/restic-pw.age
+++ b/secrets/restic-pw.age
Binary files differ
diff --git a/secrets/rivendell/wireguard.age b/secrets/rivendell/wireguard.age
index c4d59be..3ba9a11 100644
--- a/secrets/rivendell/wireguard.age
+++ b/secrets/rivendell/wireguard.age
Binary files differ
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 4820af3..5d5dac2 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -35,6 +35,25 @@ in
hosts.mba
];
+ # generated with:
+ # openssl rand 64 | openssl base64 -A | tr '+/' '-_' | tr -d '='
+ "authelia-storage-key.age".publicKeys = [
+ users.fcuny
+ hosts.rivendell
+ ];
+
+ # generated with:
+ # openssl rand 64 | openssl base64 -A | tr '+/' '-_' | tr -d '='
+ "authelia-jwt-key.age".publicKeys = [
+ users.fcuny
+ hosts.rivendell
+ ];
+
+ "authelia-users.yaml.age".publicKeys = [
+ users.fcuny
+ hosts.rivendell
+ ];
+
"vm-synology/wireguard.age".publicKeys = [
users.fcuny
hosts.vm-synology
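Review bot: The `"authelia-users.yaml.age"` entry has no generation note, while its two siblings document how their random keys were produced; a user database is the one secret here whose format matters, so a comment such as `# users file for Authelia's file backend; password hashes generated with: authelia crypto hash generate argon2` would save the next person from storing a plaintext password in it. The comment on the two key entries could also say that the key is used as-is by Authelia (no further decoding), which is what the `tr -d '='` step implies. The enclosing attribute set begun after `in` starts and ends outside this hunk.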
diff --git a/secrets/ssh-remote-builder.age b/secrets/ssh-remote-builder.age
index 9b51059..d83bb7d 100644
--- a/secrets/ssh-remote-builder.age
+++ b/secrets/ssh-remote-builder.age
Binary files differ
diff --git a/secrets/vm-synology/wireguard.age b/secrets/vm-synology/wireguard.age
index 1a7f680..b12c816 100644
--- a/secrets/vm-synology/wireguard.age
+++ b/secrets/vm-synology/wireguard.age
@@ -1,7 +1,7 @@
age-encryption.org/v1
--> ssh-ed25519 pFjJaA ljrCAO401wZ8bYZien6MWqztXrQNUT10d4dUAN2GyHE
-+R8Yw6l2QV0fYgDUolDmxgyFrKmRRv9CPn0KMWbiUYU
--> ssh-ed25519 qRUWSw zh4xQ9TIwDCZee8q18Jxxuav4abJnt1wgK5HLdzO8Xs
-crSr+JuaUsqvaLSsZo6C2PhLxZgaBctZeMe19hUWJmk
---- yck0Rm4YmN8iYAsx1FkfNiLtHGgmjdY3L69XH3A5cvA
-8^hx &5!G;}w4PaX 8E^ƾN%R/u$bg] \ No newline at end of file
+-> ssh-ed25519 pFjJaA zk/q9O4FfhQKjzVrL1zK0h97Vu2vPgrfhlFSJyvrClA
+txm5lizEGN7VH+wWI2+6TjpGRPK3g5UnsSNrDPIshQ4
+-> ssh-ed25519 qRUWSw 0pqNpcBK9h8JCh906PB5zN4kuJs6yV3q1/75Gibg+T4
+FLYhwYz72hazErOZBVqUaLNW7M+zHXWCWZo5zQ7jQFk
+--- jqpYy1uh4q4KN7BaiBRFdTRssZ429m1FL4lrLHl1xmM
+qRp[ x}A.aB<qEB@^Qs?Fbs[Z`R4% d֌ X5 \ No newline at end of file