diff --git a/hosts/home-server.nix b/hosts/home-server.nix
index 2e53b11..911410c 100644
--- a/hosts/home-server.nix
+++ b/hosts/home-server.nix
@@ -19,6 +19,7 @@ in {
 ../modules/systemdNotify.nix
 ../services/mail.nix
 ../services/lldap.nix
+ ../services/authelia.nix
 ../services/restic/home-server.nix
 ../services/samba/home-server.nix
 # ../services/kodi.nix
@@ -72,6 +73,7 @@ in {
 "felschr.com"
 "openpgpkey.felschr.com"
 "ldap.felschr.com"
+ "auth.felschr.com"
 "home.felschr.com"
 "esphome.felschr.com"
 "matrix.felschr.com"
diff --git a/secrets/authelia/jwt.age b/secrets/authelia/jwt.age
new file mode 100644
index 0000000..5b80eb8
--- /dev/null
+++ b/secrets/authelia/jwt.age
@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSBqUjlI
+N2FkRHNQVzIzaTloRzZtMS9TdjlleTVkZFBpOXRkb3VSUmVudkFZClZVQmMvcTNP
+bjNSV0lEZml5YmhvOEJ1aTFmYWd0TTBvUk02ckx4aUE0R28KLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IHBrNGxjOE9yMk15QTZKcjM4emFJWkZQTXBNWVhhcGFuVlUwTzdy
+amV1R2MKaVhTU1ZaUHNuYlI3RzJ0TzczRXZHbVdQeHNZMUdjUjVaZE5jV0FrWEt2
+RQotPiAkPE0vJ1gzLWdyZWFzZSBDQwpBUWdkTmJDUDRKdkVyR3M3OHF5azVFcFBT
+dkp1ZGE5OUt3Tzk4bk1JMHQ2UStzU2pSUHpGdnljR09ESW5HZ0l4ClRiU3pYLy9o
+U1d0bWJ6Zzd3UQotLS0gVEJhWTRTNUxmd1BiL1h5V1VkMmxXS052RkFnUHJqb1gx
+emIveTZOWFFSZwpgkghEp5SVY8DRLUMbbmVXNsm88CJK8g82lkJ/fMlhjzDgeNSx
+FA93nyHHvs3QwDSIiMcBFhdMRLXHPi7PcEcXJ5qnFe7q+Ag8
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/authelia/session.age b/secrets/authelia/session.age
new file mode 100644
index 0000000..03b2a6e
--- /dev/null
+++ b/secrets/authelia/session.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSBoWmpo
+Nk03dkp2UTg2M2tRRUtrVGxDVXpTcXZVRkxiZ1M4RjRrV2JNb3g4CnBoZEp1TDRo
+eDJXb0tXTys4S1gzS3JUb0VhdGo2RngzNjMzMzM1ZURwbjgKLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IDIzdGFRcCswSzJRUEFodWpsRGFXeVdISFFIYmw2YnR0MnRRdVNi
+c0xFeVkKdGkvbUowRXZXMXB1L0FVNUl3UUhpR242TmdhdkdsRk1YMzRNZUdXOXdC
+YwotPiA3SmxCW3VCLWdyZWFzZSBmeCAtVVdtICJjWTxtOWoKSGZWdFI5WDhvTmR3
+MTlVOWt2RGc4ODVDCi0tLSBjT1pjUmVHSUhpSFhweURYSHorRG1PaUpxREI3MHBU
+aTYxZ3RlT2pQWWl3CgIourHwuRbayNbUqiu07zsONDg/TMmc/G0PQYvaVySx/cBT
+BcHM/1oFscXXy48e3Bg0jUOUMtGdgQ1ipwZ0LALAxzWijuuhjqc=
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/authelia/storage.age b/secrets/authelia/storage.age
new file mode 100644
index 0000000..02c9390
--- /dev/null
+++ b/secrets/authelia/storage.age
@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSByNm1V
+TmdWUFJFekRpWC84SVNteWF2R0tCOUxwQVNUVXgzOTVEUjhtdXhVCkdWNk9sT3lW
+S25iZjYzY0Z1Ykx1VkRkTFQ0bzN6Y3cwYzNEQXVaNnVId3cKLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IFd6dFRQYjhmVTBmYmFoUGo1VWhYQ2lmYmNDMG5yT0dRMTFBZ3RY
+TmRqaTgKaFRCbjVCR25GY1ZRNEdXanpYNmQzN3NmN1RpZTVPQUtMWjczdFh0SWlP
+NAotPiA7N0IsP0RLaC1ncmVhc2UKV0d0SGdlWWphSnREWjI5V29rKzlQQUJsUG13
+ZlRPMmtsdwotLS0gY3pONmpSWlFza3Bqa2lQaU9tVTRKNExlWjBNdEdzUEpaelE0
+Z3lTYnU5UQoKlBHBfgjaKZCdbeKTt8ueefQ3PmBTxuixThJKvUzyPq3+UPCRqmdI
+ENCtKKxB57gI0WrqbnAP8OCNfTT+ZxqbnX6RDjtPgTR3
+-----END AGE ENCRYPTED FILE-----
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index 39ec069..0a9656a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -33,6 +33,9 @@ in {
 "lldap/key-seed.age".publicKeys = [ felschr home-server ];
 "lldap/jwt.age".publicKeys = [ felschr home-server ];
 "lldap/password.age".publicKeys = [ felschr home-server ];
+ "authelia/jwt.age".publicKeys = [ felschr home-server ];
+ "authelia/session.age".publicKeys = [ felschr home-server ];
+ "authelia/storage.age".publicKeys = [ felschr home-server ];
 "hass/secrets.age".publicKeys = [ felschr home-server ];
 "esphome/password.age".publicKeys = [ felschr home-server ];
 "focalboard/.env.age".publicKeys = [ felschr home-server ];
diff --git a/services/authelia.nix b/services/authelia.nix
new file mode 100644
index 0000000..f241f89
--- /dev/null
+++ b/services/authelia.nix
@@ -0,0 +1,129 @@
+{ config, ... }:
+
+let
+ domain = "auth.felschr.com";
+ port = 9091;
+ ldapHost = "localhost";
+ ldapPort = config.services.lldap.settings.ldap_port;
+ redis = config.services.redis.servers.authelia;
+ cfg = config.services.authelia.instances.main;
+in {
+ age.secrets.authelia-jwt = {
+ file = ../secrets/authelia/jwt.age;
+ owner = cfg.user;
+ };
+ age.secrets.authelia-session = {
+ file = ../secrets/authelia/session.age;
+ owner = cfg.user;
+ };
+ age.secrets.authelia-storage = {
+ file = ../secrets/authelia/storage.age;
+ owner = cfg.user;
+ };
+
+ services.authelia.instances.main = {
+ enable = true;
+ secrets = {
+ jwtSecretFile = config.age.secrets.authelia-jwt.path;
+ storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
+ sessionSecretFile = config.age.secrets.authelia-session.path;
+ };
+ environmentVariables = {
+ AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+ config.age.secrets.lldap-password.path;
+ # AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.smtp.path;
+ };
+ settings = {
+ theme = "dark";
+ server = {
+ host = "::1";
+ inherit port;
+ };
+ default_2fa_method = "webauthn";
+ default_redirection_url = "https://${domain}";
+ log.level = "debug";
+ authentication_backend = {
+ password_reset.disable = false;
+ refresh_interval = "1m";
+ ldap = {
+ implementation = "custom";
+ url = "ldap://${ldapHost}:${toString ldapPort}";
+ timeout = "5m";
+ start_tls = false;
+ base_dn = "dc=felschr,dc=com";
+ username_attribute = "uid";
+ additional_users_dn = "ou=people";
+ users_filter =
+ "(&({username_attribute}={input})(objectClass=person))";
+ additional_groups_dn = "ou=groups";
+ groups_filter = "(member={dn})";
+ group_name_attribute = "cn";
+ mail_attribute = "mail";
+ display_name_attribute = "displayName";
+ user = "uid=admin,ou=people,dc=felschr,dc=com";
+ };
+ };
+ access_control = {
+ default_policy = "deny";
+ rules = [{
+ domain = [ "*.felschr.com" ];
+ policy = "one_factor";
+ }];
+ };
+ session = {
+ domain = "felschr.com";
+ redis = {
+ host = redis.unixSocket;
+ port = 0;
+ };
+ };
+ regulation = {
+ max_retries = 3;
+ find_time = "5m";
+ ban_time = "15m";
+ };
+ storage.postgres = {
+ host = "/run/postgresql";
+ inherit (config.services.postgresql) port;
+ username = cfg.user;
+ database = cfg.user;
+ # password not used since it uses peer auth
+ password = "dummy";
+ };
+ # TODO set up notifier
+ notifier.filesystem.filename = "/var/lib/authelia-main/notifications.log";
+ # notifier.smtp = rec {
+ # username = "felschr@web.de";
+ # sender = username;
+ # host = "smtp.web.de";
+ # port = 587;
+ # };
+ };
+ };
+
+ systemd.services.authelia.requires = [ "postgresql.service" "lldap.service" ];
+ systemd.services.authelia.after = [ "postgresql.service" "lldap.service" ];
+
+ services.postgresql = {
+ enable = true;
+ ensureDatabases = [ cfg.user ];
+ ensureUsers = [{
+ name = cfg.user;
+ ensurePermissions."DATABASE \"${cfg.user}\"" = "ALL PRIVILEGES";
+ }];
+ };
+
+ services.redis.servers.authelia = {
+ enable = true;
+ port = 31641;
+ inherit (cfg) user;
+ };
+
+ services.nginx.virtualHosts.${domain} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://[::1]:${toString port}";
+ };
+
+ users.users.${cfg.user}.extraGroups = [ "smtp" "ldap" ];
+}
diff --git a/services/lldap.nix b/services/lldap.nix
index a164370..e796e7c 100644
--- a/services/lldap.nix
+++ b/services/lldap.nix
@@ -7,7 +7,11 @@ let
 in {
 age.secrets.lldap-key-seed.file = ../secrets/lldap/key-seed.age;
 age.secrets.lldap-jwt.file = ../secrets/lldap/jwt.age;
- age.secrets.lldap-password.file = ../secrets/lldap/password.age;
+ age.secrets.lldap-password = {
+ file = ../secrets/lldap/password.age;
+ group = "ldap";
+ mode = "440";
+ };
 
 services.lldap = {
 enable = true;
@@ -37,4 +41,6 @@ in {
 locations."/".proxyPass = "http://[::1]:${toString port}";
 };
 };
+
+ users.groups.ldap = { gid = 979; };
 }
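Review bot: `users.users.${cfg.user}.extraGroups = [ "smtp" "ldap" ];` near the end of the hunk puts the authelia user into group `smtp`, which together with the 440 group mode set on the smtp secret in services/mail.nix lets it read the SMTP password even though `notifier.smtp` and the `AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE` line are both still commented out; `extraGroups = [ "ldap" ];` is enough until the SMTP notifier is actually enabled. The LDAP bind in `authentication_backend.ldap.user = "uid=admin,ou=people,dc=felschr,dc=com"` uses the directory administrator, so a compromise of Authelia also yields the lldap admin credential; if lldap offers a read-only bind account, that is the safer choice for a service that only needs to search and bind. `log.level = "debug"` on an authentication service is presumably temporary and worth lowering to `info` once this works, since debug output carries request details. The only access rule is `one_factor` for `*.felschr.com`, so `default_2fa_method = "webauthn"` never takes effect unless a rule asks for `two_factor`.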
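Review bot: The switch from an owner-only secret to `group = "ldap"; mode = "440";` in services/lldap.nix widens who can read the lldap admin password to every member of group `ldap`, and nothing in the hunk records why; a comment such as `# group-readable so authelia can bind to lldap with it` above the attribute set would document the intent, and the same applies to the `smtp` secret in services/mail.nix. Because this is the directory admin credential, membership of the `ldap` group should stay limited to the services that actually bind with it.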
diff --git a/services/mail.nix b/services/mail.nix index df7cc5e..dda7586 100644 --- a/services/mail.nix +++ b/services/mail.nix @@ -1,7 +1,11 @@ -{ config, pkgs, ... }: +{ config, ... }: { - age.secrets.smtp.file = ../secrets/smtp.age; + age.secrets.smtp = { + file = ../secrets/smtp.age; + group = "smtp"; + mode = "440"; + }; programs.msmtp = { enable = true; @@ -21,4 +25,6 @@ from = user; }; }; + + users.groups.smtp = { gid = 983; }; }