From 46a2f1f852cc4fe8d5c86757de4029d87ccb03af Mon Sep 17 00:00:00 2001
From: Franck Cuny
Date: Sat, 22 Nov 2025 11:03:49 -0800
Subject: initial setup for authelia

---
 machines/nixos/x86_64-linux/argonath.nix | 10 +++++++-
 machines/nixos/x86_64-linux/rivendell.nix | 1 +
 profiles/authelia.nix | 38 ++++++++++++++++++++++++++++++
 secrets/acme-cloudflare-env.age | Bin 600 -> 490 bytes
 secrets/argonath/wireguard.age | Bin 367 -> 367 bytes
 secrets/authelia-jwt-key.age | 8 +++++++
 secrets/authelia-storage-key.age | Bin 0 -> 409 bytes
 secrets/authelia-users.yaml.age | Bin 0 -> 556 bytes
 secrets/nas_client.age | Bin 474 -> 474 bytes
 secrets/restic-pw.age | Bin 453 -> 453 bytes
 secrets/rivendell/wireguard.age | Bin 367 -> 367 bytes
 secrets/secrets.nix | 19 +++++++++++++++
 secrets/ssh-remote-builder.age | Bin 831 -> 831 bytes
 secrets/vm-synology/wireguard.age | 12 +++++-----
 14 files changed, 81 insertions(+), 7 deletions(-)
 create mode 100644 profiles/authelia.nix
 create mode 100644 secrets/authelia-jwt-key.age
 create mode 100644 secrets/authelia-storage-key.age
 create mode 100644 secrets/authelia-users.yaml.age

diff --git a/machines/nixos/x86_64-linux/argonath.nix b/machines/nixos/x86_64-linux/argonath.nix
index af70040..fa7855c 100644
--- a/machines/nixos/x86_64-linux/argonath.nix
+++ b/machines/nixos/x86_64-linux/argonath.nix
@@ -9,8 +9,8 @@
 ../../../profiles/acme.nix
 ../../../profiles/cgroups.nix
 ../../../profiles/defaults.nix
- ../../../profiles/hardware/do-droplet.nix
 ../../../profiles/disk/basic-vm.nix
+ ../../../profiles/hardware/do-droplet.nix
 ../../../profiles/home-manager.nix
 ../../../profiles/server.nix
 ];
@@ -62,6 +62,14 @@
 proxyPass = "http://10.100.0.60";
 };
 };
+ "auth.fcuny.net" = {
+ enableACME = true;
+ acmeRoot = null;
+ forceSSL = true;
+ locations."/" = {
+ proxyPass = "http://10.100.0.60:9092";
+ };
+ };
 "fcuny.net" = {
 enableACME = true;
 acmeRoot = null;
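Review bot: The new `auth.fcuny.net` location gives Authelia only `proxyPass`, so unless `services.nginx.recommendedProxySettings` is enabled somewhere outside this hunk, the upstream sees nginx's default `Host` of `10.100.0.60:9092` and no `X-Forwarded-Proto`/`X-Forwarded-For`; Authelia's redirects and session cookies would then likely be built for the wrong origin, and its per-IP login regulation would see every attempt as coming from the proxy. Adding `recommendedProxySettings = true;` inside `locations."/"` keeps the location correct independently of the global setting. The upstream is plain HTTP, which is fine only if 10.100.0.60 is reached over the WireGuard tunnel, something this hunk cannot show. The enclosing `virtualHosts` set starts and ends outside the hunk.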
diff --git a/machines/nixos/x86_64-linux/rivendell.nix b/machines/nixos/x86_64-linux/rivendell.nix
index df72474..88172dd 100644
--- a/machines/nixos/x86_64-linux/rivendell.nix
+++ b/machines/nixos/x86_64-linux/rivendell.nix
@@ -6,6 +6,7 @@
 }:
 {
 imports = [
+ ../../../profiles/authelia.nix
 ../../../profiles/cgroups.nix
 ../../../profiles/defaults.nix
 ../../../profiles/disk/btrfs-on-luks.nix
diff --git a/profiles/authelia.nix b/profiles/authelia.nix
new file mode 100644
index 0000000..ccc3d11
--- /dev/null
+++ b/profiles/authelia.nix
@@ -0,0 +1,38 @@
+{ config, ... }:
+{
+ age.secrets = {
+ authelia-storage-key = {
+ file = ../secrets/authelia-storage-key.age;
+ owner = "authelia-main";
+ };
+ authelia-jwt-key = {
+ file = ../secrets/authelia-jwt-key.age;
+ owner = "authelia-main";
+ };
+ authelia-users = {
+ file = ../secrets/authelia-users.yaml.age;
+ owner = "authelia-main";
+ };
+ };
+
+ services.authelia.instances.main = {
+ enable = true;
+ secrets.storageEncryptionKeyFile = config.age.secrets."authelia-storage-key".path;
+ secrets.jwtSecretFile = config.age.secrets."authelia-jwt-key".path;
+ settings = {
+ server.address = "tcp://:9092";
+ default_2fa_method = "totp";
+ notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
+ authentication_backend = {
+ file.path = config.age.secrets."authelia-users".path;
+ };
+ access_control.default_policy = "one_factor";
+ session.domain = "fcuny.net";
+ storage = {
+ local = {
+ path = "/var/lib/authelia-main/db.sqlite3";
+ };
+ };
+ };
+ };
+}
diff --git a/secrets/acme-cloudflare-env.age b/secrets/acme-cloudflare-env.age
index 9892917..ead4006 100644
Binary files a/secrets/acme-cloudflare-env.age and b/secrets/acme-cloudflare-env.age differ
diff --git a/secrets/argonath/wireguard.age b/secrets/argonath/wireguard.age
index b7b559d..7177521 100644
Binary files a/secrets/argonath/wireguard.age and b/secrets/argonath/wireguard.age differ
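Review bot: `server.address = "tcp://:9092"` in the new `services.authelia.instances.main` settings listens on every interface of the host over plain HTTP, while the only client visible in this commit is the argonath reverse proxy reaching it via 10.100.0.60; binding to that address, e.g. `server.address = "tcp://10.100.0.60:9092";` (if that is this host's tunnel address, which the hunk does not show), or closing port 9092 in the firewall for other interfaces, keeps the login portal off networks that do not need it. `access_control.default_policy = "one_factor"` means the configured `default_2fa_method = "totp"` is never enforced until a `two_factor` rule or default is added; if one factor is intentional for the initial setup, a comment saying so would help. `session.domain` is the pre-4.38 form; current Authelia expects `session.cookies = [ { domain = "fcuny.net"; authelia_url = "https://auth.fcuny.net"; } ];`, so it is worth checking which version the nixpkgs module ships.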
diff --git a/secrets/authelia-jwt-key.age b/secrets/authelia-jwt-key.age new file mode 100644 index 0000000..ec41112 --- /dev/null +++ b/secrets/authelia-jwt-key.age @@ -0,0 +1,8 @@ +age-encryption.org/v1 +-> ssh-ed25519 pFjJaA zWhimvWW6S4oLnJhqrMx0DjviiheTzhWCVuQ8KL6RXk +rWuEyS5uKyNp5dKQ6CEcwwbBSI+xcqqOGFvisc48Z3g +-> ssh-ed25519 Y5h84Q M6frkfxdJpGLwR82Ft/8xDSHQalKw9c8rvRuaNrG81Q +jAEqR/UytglKruPatIlLmY/OGSHDQxtbetLaZntpk7g +--- LEkei2sBzMxV/Utl0VUt0rTRuurEuLSXYYVr5SKiLDc +Q6&h9•TҍA(C9OMN"x>彶#kY/I/X| +%ey!f}udܯjfx{~5鵣v]>鲨qjB븄 \ No newline at end of file diff --git a/secrets/authelia-storage-key.age b/secrets/authelia-storage-key.age new file mode 100644 index 0000000..ee1d6b1 Binary files /dev/null and b/secrets/authelia-storage-key.age differ diff --git a/secrets/authelia-users.yaml.age b/secrets/authelia-users.yaml.age new file mode 100644 index 0000000..4a0f38d Binary files /dev/null and b/secrets/authelia-users.yaml.age differ diff --git a/secrets/nas_client.age b/secrets/nas_client.age index adebe58..3666c35 100644 Binary files a/secrets/nas_client.age and b/secrets/nas_client.age differ diff --git a/secrets/restic-pw.age b/secrets/restic-pw.age index 1113b31..467e611 100644 Binary files a/secrets/restic-pw.age and b/secrets/restic-pw.age differ diff --git a/secrets/rivendell/wireguard.age b/secrets/rivendell/wireguard.age index c4d59be..3ba9a11 100644 Binary files a/secrets/rivendell/wireguard.age and b/secrets/rivendell/wireguard.age differ diff --git a/secrets/secrets.nix b/secrets/secrets.nix index 4820af3..5d5dac2 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
@@ -35,6 +35,25 @@ in hosts.mba ]; + # generated with: + # openssl rand 64 | openssl base64 -A | tr '+/' '-_' | tr -d '=' + "authelia-storage-key.age".publicKeys = [ + users.fcuny + hosts.rivendell + ]; + + # generated with: + # openssl rand 64 | openssl base64 -A | tr '+/' '-_' | tr -d '=' + "authelia-jwt-key.age".publicKeys = [ + users.fcuny + hosts.rivendell + ]; + + "authelia-users.yaml.age".publicKeys = [ + users.fcuny + hosts.rivendell + ]; + "vm-synology/wireguard.age".publicKeys = [ users.fcuny hosts.vm-synology diff --git a/secrets/ssh-remote-builder.age b/secrets/ssh-remote-builder.age index 9b51059..d83bb7d 100644 Binary files a/secrets/ssh-remote-builder.age and b/secrets/ssh-remote-builder.age differ diff --git a/secrets/vm-synology/wireguard.age b/secrets/vm-synology/wireguard.age index 1a7f680..b12c816 100644 --- a/secrets/vm-synology/wireguard.age +++ b/secrets/vm-synology/wireguard.age @@ -1,7 +1,7 @@ age-encryption.org/v1 --> ssh-ed25519 pFjJaA ljrCAO401wZ8bYZien6MWqztXrQNUT10d4dUAN2GyHE -+R8Yw6l2QV0fYgDUolDmxgyFrKmRRv9CPn0KMWbiUYU --> ssh-ed25519 qRUWSw zh4xQ9TIwDCZee8q18Jxxuav4abJnt1wgK5HLdzO8Xs -crSr+JuaUsqvaLSsZo6C2PhLxZgaBctZeMe19hUWJmk ---- yck0Rm4YmN8iYAsx1FkfNiLtHGgmjdY3L69XH3A5cvA -8^hx &5!G;}w4PaX 8E^ƾN%R/u$bg] \ No newline at end of file +-> ssh-ed25519 pFjJaA zk/q9O4FfhQKjzVrL1zK0h97Vu2vPgrfhlFSJyvrClA +txm5lizEGN7VH+wWI2+6TjpGRPK3g5UnsSNrDPIshQ4 +-> ssh-ed25519 qRUWSw 0pqNpcBK9h8JCh906PB5zN4kuJs6yV3q1/75Gibg+T4 +FLYhwYz72hazErOZBVqUaLNW7M+zHXWCWZo5zQ7jQFk +--- jqpYy1uh4q4KN7BaiBRFdTRssZ429m1FL4lrLHl1xmM +qRp[ x}A.aB
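Review bot: The two key entries carry a `# generated with:` comment but `"authelia-users.yaml.age"` does not, so a reader cannot tell how the password hashes inside were produced; a matching comment such as `# password hashes generated with: authelia crypto hash generate argon2` would keep the three entries consistent. All three secrets are encrypted to `users.fcuny` and `hosts.rivendell` only, which matches the host that imports `profiles/authelia.nix`. The enclosing attribute set starts and ends outside the hunk.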