feat(services): add authelia

services/authelia.nix

@@ -0,0 +1,129 @@
+{ config, ... }:
+
+let
+  domain = "auth.felschr.com";
+  port = 9091;
+  ldapHost = "localhost";
+  ldapPort = config.services.lldap.settings.ldap_port;
+  redis = config.services.redis.servers.authelia;
+  cfg = config.services.authelia.instances.main;
+in {
+  age.secrets.authelia-jwt = {
+    file = ../secrets/authelia/jwt.age;
+    owner = cfg.user;
+  };
+  age.secrets.authelia-session = {
+    file = ../secrets/authelia/session.age;
+    owner = cfg.user;
+  };
+  age.secrets.authelia-storage = {
+    file = ../secrets/authelia/storage.age;
+    owner = cfg.user;
+  };
+
+  services.authelia.instances.main = {
+    enable = true;
+    secrets = {
+      jwtSecretFile = config.age.secrets.authelia-jwt.path;
+      storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
+      sessionSecretFile = config.age.secrets.authelia-session.path;
+    };
+    environmentVariables = {
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+        config.age.secrets.lldap-password.path;
+      # AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.smtp.path;
+    };
+    settings = {
+      theme = "dark";
+      server = {
+        host = "::1";
+        inherit port;
+      };
+      default_2fa_method = "webauthn";
+      default_redirection_url = "https://${domain}";
+      log.level = "debug";
+      authentication_backend = {
+        password_reset.disable = false;
+        refresh_interval = "1m";
+        ldap = {
+          implementation = "custom";
+          url = "ldap://${ldapHost}:${toString ldapPort}";
+          timeout = "5m";
+          start_tls = false;
+          base_dn = "dc=felschr,dc=com";
+          username_attribute = "uid";
+          additional_users_dn = "ou=people";
+          users_filter =
+            "(&({username_attribute}={input})(objectClass=person))";
+          additional_groups_dn = "ou=groups";
+          groups_filter = "(member={dn})";
+          group_name_attribute = "cn";
+          mail_attribute = "mail";
+          display_name_attribute = "displayName";
+          user = "uid=admin,ou=people,dc=felschr,dc=com";
+        };
+      };
+      access_control = {
+        default_policy = "deny";
+        rules = [{
+          domain = [ "*.felschr.com" ];
+          policy = "one_factor";
+        }];
+      };
+      session = {
+        domain = "felschr.com";
+        redis = {
+          host = redis.unixSocket;
+          port = 0;
+        };
+      };
+      regulation = {
+        max_retries = 3;
+        find_time = "5m";
+        ban_time = "15m";
+      };
+      storage.postgres = {
+        host = "/run/postgresql";
+        inherit (config.services.postgresql) port;
+        username = cfg.user;
+        database = cfg.user;
+        # password not used since it uses peer auth
+        password = "dummy";
+      };
+      # TODO set up notifier
+      notifier.filesystem.filename = "/var/lib/authelia-main/notifications.log";
+      # notifier.smtp = rec {
+      #   username = "felschr@web.de";
+      #   sender = username;
+      #   host = "smtp.web.de";
+      #   port = 587;
+      # };
+    };
+  };
+
+  systemd.services.authelia.requires = [ "postgresql.service" "lldap.service" ];
+  systemd.services.authelia.after = [ "postgresql.service" "lldap.service" ];
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ cfg.user ];
+    ensureUsers = [{
+      name = cfg.user;
+      ensurePermissions."DATABASE \"${cfg.user}\"" = "ALL PRIVILEGES";
+    }];
+  };
+
+  services.redis.servers.authelia = {
+    enable = true;
+    port = 31641;
+    inherit (cfg) user;
+  };
+
+  services.nginx.virtualHosts.${domain} = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://[::1]:${toString port}";
+  };
+
+  users.users.${cfg.user}.extraGroups = [ "smtp" "ldap" ];
+}

services/lldap.nix

@@ -7,7 +7,11 @@ let
 in {
   age.secrets.lldap-key-seed.file = ../secrets/lldap/key-seed.age;
   age.secrets.lldap-jwt.file = ../secrets/lldap/jwt.age;
-  age.secrets.lldap-password.file = ../secrets/lldap/password.age;
+  age.secrets.lldap-password = {
+    file = ../secrets/lldap/password.age;
+    group = "ldap";
+    mode = "440";
+  };
 
   services.lldap = {
     enable = true;
@@ -37,4 +41,6 @@ in {
       locations."/".proxyPass = "http://[::1]:${toString port}";
     };
   };
+
+  users.groups.ldap = { gid = 979; };
 }

services/mail.nix

@@ -1,7 +1,11 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 
 {
-  age.secrets.smtp.file = ../secrets/smtp.age;
+  age.secrets.smtp = {
+    file = ../secrets/smtp.age;
+    group = "smtp";
+    mode = "440";
+  };
 
   programs.msmtp = {
     enable = true;
@@ -21,4 +25,6 @@
       from = user;
     };
   };
+
+  users.groups.smtp = { gid = 983; };
 }