feat(services): add authelia

hosts/home-server.nix

@@ -19,6 +19,7 @@ in {
     ../modules/systemdNotify.nix
     ../services/mail.nix
     ../services/lldap.nix
+    ../services/authelia.nix
     ../services/restic/home-server.nix
     ../services/samba/home-server.nix
     # ../services/kodi.nix
@@ -72,6 +73,7 @@ in {
     "felschr.com"
     "openpgpkey.felschr.com"
     "ldap.felschr.com"
+    "auth.felschr.com"
     "home.felschr.com"
     "esphome.felschr.com"
     "matrix.felschr.com"

secrets/authelia/jwt.age

@@ -0,0 +1,12 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSBqUjlI
+N2FkRHNQVzIzaTloRzZtMS9TdjlleTVkZFBpOXRkb3VSUmVudkFZClZVQmMvcTNP
+bjNSV0lEZml5YmhvOEJ1aTFmYWd0TTBvUk02ckx4aUE0R28KLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IHBrNGxjOE9yMk15QTZKcjM4emFJWkZQTXBNWVhhcGFuVlUwTzdy
+amV1R2MKaVhTU1ZaUHNuYlI3RzJ0TzczRXZHbVdQeHNZMUdjUjVaZE5jV0FrWEt2
+RQotPiAkPE0vJ1gzLWdyZWFzZSBDQwpBUWdkTmJDUDRKdkVyR3M3OHF5azVFcFBT
+dkp1ZGE5OUt3Tzk4bk1JMHQ2UStzU2pSUHpGdnljR09ESW5HZ0l4ClRiU3pYLy9o
+U1d0bWJ6Zzd3UQotLS0gVEJhWTRTNUxmd1BiL1h5V1VkMmxXS052RkFnUHJqb1gx
+emIveTZOWFFSZwpgkghEp5SVY8DRLUMbbmVXNsm88CJK8g82lkJ/fMlhjzDgeNSx
+FA93nyHHvs3QwDSIiMcBFhdMRLXHPi7PcEcXJ5qnFe7q+Ag8
+-----END AGE ENCRYPTED FILE-----

secrets/authelia/session.age

@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSBoWmpo
+Nk03dkp2UTg2M2tRRUtrVGxDVXpTcXZVRkxiZ1M4RjRrV2JNb3g4CnBoZEp1TDRo
+eDJXb0tXTys4S1gzS3JUb0VhdGo2RngzNjMzMzM1ZURwbjgKLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IDIzdGFRcCswSzJRUEFodWpsRGFXeVdISFFIYmw2YnR0MnRRdVNi
+c0xFeVkKdGkvbUowRXZXMXB1L0FVNUl3UUhpR242TmdhdkdsRk1YMzRNZUdXOXdC
+YwotPiA3SmxCW3VCLWdyZWFzZSBmeCAtVVdtICJjWTxtOWoKSGZWdFI5WDhvTmR3
+MTlVOWt2RGc4ODVDCi0tLSBjT1pjUmVHSUhpSFhweURYSHorRG1PaUpxREI3MHBU
+aTYxZ3RlT2pQWWl3CgIourHwuRbayNbUqiu07zsONDg/TMmc/G0PQYvaVySx/cBT
+BcHM/1oFscXXy48e3Bg0jUOUMtGdgQ1ipwZ0LALAxzWijuuhjqc=
+-----END AGE ENCRYPTED FILE-----

secrets/authelia/storage.age

@@ -0,0 +1,11 @@
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IHNzaC1lZDI1NTE5IE9BWlFoQSByNm1V
+TmdWUFJFekRpWC84SVNteWF2R0tCOUxwQVNUVXgzOTVEUjhtdXhVCkdWNk9sT3lW
+S25iZjYzY0Z1Ykx1VkRkTFQ0bzN6Y3cwYzNEQXVaNnVId3cKLT4gc3NoLWVkMjU1
+MTkgNzJpajd3IFd6dFRQYjhmVTBmYmFoUGo1VWhYQ2lmYmNDMG5yT0dRMTFBZ3RY
+TmRqaTgKaFRCbjVCR25GY1ZRNEdXanpYNmQzN3NmN1RpZTVPQUtMWjczdFh0SWlP
+NAotPiA7N0IsP0RLaC1ncmVhc2UKV0d0SGdlWWphSnREWjI5V29rKzlQQUJsUG13
+ZlRPMmtsdwotLS0gY3pONmpSWlFza3Bqa2lQaU9tVTRKNExlWjBNdEdzUEpaelE0
+Z3lTYnU5UQoKlBHBfgjaKZCdbeKTt8ueefQ3PmBTxuixThJKvUzyPq3+UPCRqmdI
+ENCtKKxB57gI0WrqbnAP8OCNfTT+ZxqbnX6RDjtPgTR3
+-----END AGE ENCRYPTED FILE-----

secrets/secrets.nix

@@ -33,6 +33,9 @@ in {
   "lldap/key-seed.age".publicKeys = [ felschr home-server ];
   "lldap/jwt.age".publicKeys = [ felschr home-server ];
   "lldap/password.age".publicKeys = [ felschr home-server ];
+  "authelia/jwt.age".publicKeys = [ felschr home-server ];
+  "authelia/session.age".publicKeys = [ felschr home-server ];
+  "authelia/storage.age".publicKeys = [ felschr home-server ];
   "hass/secrets.age".publicKeys = [ felschr home-server ];
   "esphome/password.age".publicKeys = [ felschr home-server ];
   "focalboard/.env.age".publicKeys = [ felschr home-server ];

services/authelia.nix

@@ -0,0 +1,129 @@
+{ config, ... }:
+
+let
+  domain = "auth.felschr.com";
+  port = 9091;
+  ldapHost = "localhost";
+  ldapPort = config.services.lldap.settings.ldap_port;
+  redis = config.services.redis.servers.authelia;
+  cfg = config.services.authelia.instances.main;
+in {
+  age.secrets.authelia-jwt = {
+    file = ../secrets/authelia/jwt.age;
+    owner = cfg.user;
+  };
+  age.secrets.authelia-session = {
+    file = ../secrets/authelia/session.age;
+    owner = cfg.user;
+  };
+  age.secrets.authelia-storage = {
+    file = ../secrets/authelia/storage.age;
+    owner = cfg.user;
+  };
+
+  services.authelia.instances.main = {
+    enable = true;
+    secrets = {
+      jwtSecretFile = config.age.secrets.authelia-jwt.path;
+      storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
+      sessionSecretFile = config.age.secrets.authelia-session.path;
+    };
+    environmentVariables = {
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+        config.age.secrets.lldap-password.path;
+      # AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.age.secrets.smtp.path;
+    };
+    settings = {
+      theme = "dark";
+      server = {
+        host = "::1";
+        inherit port;
+      };
+      default_2fa_method = "webauthn";
+      default_redirection_url = "https://${domain}";
+      log.level = "debug";
+      authentication_backend = {
+        password_reset.disable = false;
+        refresh_interval = "1m";
+        ldap = {
+          implementation = "custom";
+          url = "ldap://${ldapHost}:${toString ldapPort}";
+          timeout = "5m";
+          start_tls = false;
+          base_dn = "dc=felschr,dc=com";
+          username_attribute = "uid";
+          additional_users_dn = "ou=people";
+          users_filter =
+            "(&({username_attribute}={input})(objectClass=person))";
+          additional_groups_dn = "ou=groups";
+          groups_filter = "(member={dn})";
+          group_name_attribute = "cn";
+          mail_attribute = "mail";
+          display_name_attribute = "displayName";
+          user = "uid=admin,ou=people,dc=felschr,dc=com";
+        };
+      };
+      access_control = {
+        default_policy = "deny";
+        rules = [{
+          domain = [ "*.felschr.com" ];
+          policy = "one_factor";
+        }];
+      };
+      session = {
+        domain = "felschr.com";
+        redis = {
+          host = redis.unixSocket;
+          port = 0;
+        };
+      };
+      regulation = {
+        max_retries = 3;
+        find_time = "5m";
+        ban_time = "15m";
+      };
+      storage.postgres = {
+        host = "/run/postgresql";
+        inherit (config.services.postgresql) port;
+        username = cfg.user;
+        database = cfg.user;
+        # password not used since it uses peer auth
+        password = "dummy";
+      };
+      # TODO set up notifier
+      notifier.filesystem.filename = "/var/lib/authelia-main/notifications.log";
+      # notifier.smtp = rec {
+      #   username = "felschr@web.de";
+      #   sender = username;
+      #   host = "smtp.web.de";
+      #   port = 587;
+      # };
+    };
+  };
+
+  systemd.services.authelia.requires = [ "postgresql.service" "lldap.service" ];
+  systemd.services.authelia.after = [ "postgresql.service" "lldap.service" ];
+
+  services.postgresql = {
+    enable = true;
+    ensureDatabases = [ cfg.user ];
+    ensureUsers = [{
+      name = cfg.user;
+      ensurePermissions."DATABASE \"${cfg.user}\"" = "ALL PRIVILEGES";
+    }];
+  };
+
+  services.redis.servers.authelia = {
+    enable = true;
+    port = 31641;
+    inherit (cfg) user;
+  };
+
+  services.nginx.virtualHosts.${domain} = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://[::1]:${toString port}";
+  };
+
+  users.users.${cfg.user}.extraGroups = [ "smtp" "ldap" ];
+}

services/lldap.nix

@@ -7,7 +7,11 @@ let
 in {
   age.secrets.lldap-key-seed.file = ../secrets/lldap/key-seed.age;
   age.secrets.lldap-jwt.file = ../secrets/lldap/jwt.age;
-  age.secrets.lldap-password.file = ../secrets/lldap/password.age;
+  age.secrets.lldap-password = {
+    file = ../secrets/lldap/password.age;
+    group = "ldap";
+    mode = "440";
+  };
 
   services.lldap = {
     enable = true;
@@ -37,4 +41,6 @@ in {
       locations."/".proxyPass = "http://[::1]:${toString port}";
     };
   };
+
+  users.groups.ldap = { gid = 979; };
 }

services/mail.nix

@@ -1,7 +1,11 @@
-{ config, pkgs, ... }:
+{ config, ... }:
 
 {
-  age.secrets.smtp.file = ../secrets/smtp.age;
+  age.secrets.smtp = {
+    file = ../secrets/smtp.age;
+    group = "smtp";
+    mode = "440";
+  };
 
   programs.msmtp = {
     enable = true;
@@ -21,4 +25,6 @@
       from = user;
     };
   };
+
+  users.groups.smtp = { gid = 983; };
 }