diff --git a/main/default.nix b/main/default.nix index 07d363a..471011e 100644 --- a/main/default.nix +++ b/main/default.nix @@ -153,6 +153,11 @@ in { samba.enable = true; searxng.enable = true; + + auth = { + authelia.enable = false; # TODO needs configuration with nginx or traefik + # ldap.enable = false; # TODO too hard to setup, will need to take a look later + }; }; # DO NOT CHANGE AT ANY POINT! diff --git a/main/secrets/secrets.yaml b/main/secrets/secrets.yaml index 4a9cfd7..382870b 100644 --- a/main/secrets/secrets.yaml +++ b/main/secrets/secrets.yaml @@ -1,13 +1,3 @@ -hello: ENC[AES256_GCM,data:kQFj0v5K91h8DOvtm64tHx6qeJlfTyfxMNJelCtOvKNSf+UhiaCPPjWqDKOc+A==,iv:x/nWPKqwCI8kCo1/Md60DGK7zpOj4Wo1z9zUz6iN7VA=,tag:nR7PRubjoT8Y24lhsaR0Lg==,type:str] -example_key: ENC[AES256_GCM,data:fsWUwTTDcqKyRECWbg==,iv:B7CiWA03R/VQMt0EuymXHMz2+lAOQ9JMBP/fgGRlXuU=,tag:sH0nk4Oa6nKCFQmHmhfEqg==,type:str] -#ENC[AES256_GCM,data:WWchy1xoaqb+YoprbxR9cQ==,iv:lN7qwwOO1KezH7ab7Y1agKwuI3lLNO/bAiiJBWbGXn8=,tag:MC/3jd245bRAD5N9PNGPFg==,type:comment] -example_array: - - ENC[AES256_GCM,data:yoH7Z3R5/JZSNF6HSuI=,iv:MFcdr/hUnQlRq/Uv8j0wVV1mcPXTxv/ie2BU2N+/gyc=,tag:dQnYQI86rUSTHn+GFoi/Eg==,type:str] - - ENC[AES256_GCM,data:XhW7btDAl5pOkTj4QsE=,iv:qk9GlUObq1omvo02L07Y7g6qftZGnSrCyZnrxNRxJow=,tag:bqKzb0EeyztCiu8yh0NuAA==,type:str] -example_number: ENC[AES256_GCM,data:5mNliaa4HqK4Bw==,iv:t6hpGNyi59mEwwvglKT3JwO5RRON5z0mvqt0jdTV+L8=,tag:0KVsAEe24M/ZcBf8TjPcLQ==,type:float] -example_booleans: - - ENC[AES256_GCM,data:4rh2xA==,iv:2wQtaVPzLjQzPezrxd1w4/IZu4bT0rvU8G/edcsQ7VQ=,tag:re5rdTqPNSTZ+CuZjvs86A==,type:bool] - - ENC[AES256_GCM,data:5VhbnIk=,iv:sRnE8roVMQVs1Dk9tOtALWiDtfM4aJiSX5gb/MDHak8=,tag:egUULcUP5vCsy5uUM+j6dA==,type:bool] user_password: ENC[AES256_GCM,data:Q7rk67ylyjr5Sa+AYCxnQAPLbBP5Fy85wTGLZuqxBG3iJ+MmhEgfeatVA2tcsY7GSaU/vghny+TJtrvhDYYMqa10h/F0wPxUjId78qkhKbnRQs4mqAxA9heSi4ojp1kh/pXN7tj64wNyJA==,iv:FTUojVNz78tn/Uj1N8Oj5Iov9eEMRo5vz+mqHdewxjg=,tag:YF74hLXXUby0IjHrqdkBUQ==,type:str] duckdns-token: ENC[AES256_GCM,data:Gf3kIpOO/X+ZVXV4w71Fp5qMuNedBBoobazAFpp22RC70xKb6xsJVffWdtFq0blDe5Y=,iv:SNq6wnhG6CuDwB3NQ/PryTgY3U/J2g1XfGCW7gSEYbo=,tag:MWqhrJRreGZ/SaapAaCXQA==,type:str] matrix_secret: ENC[AES256_GCM,data:U1yPFsFeLA5tbFf/MMACrhmH/32zUMUg2HOHWdAtcm+ybg9KgjhQmbGDM/MTDoRaAa+Zqfs774gz3A6Rg4HLuvCr4cPotSCHH8qRPz+UDK4Bvf305EfLP22Rrhc=,iv:A9BSgw1hHg+y8x4GC4hWNBCaYZNlRfS1+jKKv38znXg=,tag:SkwEfez7TRhFuLEL4PkvZA==,type:str] @@ -16,6 +6,15 @@ copyparty: alex_password: ENC[AES256_GCM,data:0X5AZH8tqJRd6er5w3oMaWI0jrE=,iv:/2aLquP4LVCKCozJsMGItqX9+L9pxSM4PRpn6QnDzbE=,tag:b1GRHEBwQNYBtERj1xqjoA==,type:str] smb-secrets: ENC[AES256_GCM,data:RW8xaGU94jxE/iTocH3ylCP5uIpmnSg/MQDC+e5i9PhvlsNY+kfUiqQHoDXETgEPmNUbLr2qZSMLPhQ=,iv:5vkw0Qfa7UHYZ2ODOvFZgirehpY7muV6fvjWHAyHMu4=,tag:cuEzibaBZVf5HVlAF2xUIA==,type:str] searxng: ENC[AES256_GCM,data:KmW0pzhjWBBC0VqQNkOmPzcuDnPBEXiZMi030x+LxcOZmS/Q4Hz8RgahWIYwef0maRyFdyB++36SQbUnXz1+Cw==,iv:PL7mby/fmsROaOafv0auCmTEpF5w8WH6Nw4wUrpXNg0=,tag:3s4E1zJh6MB1YkDFM9gBSw==,type:str] +authelia: + jwt_secret: ENC[AES256_GCM,data:WroxkJeD+rtej6wMXgafQ+DdzCffLs8SDD4VHPQnOURIzZFCTPwK9JOvrNIL6eIEGyhqtySvOhXrnFj4,iv:tQZ15yoGLoDAF9PFKSh/ol8hDX88vZmHOrI+nhGGu4Y=,tag:Qadsu6Z62287XK8voIjn5g==,type:str] + session_secret: ENC[AES256_GCM,data:t5pBvmZaO+bXyac0NZUZL8sS1xcwa9XH6M8zgziIA9Nhe9umw8B2LckMqz82NAvpLGeCoMXd9MmODv0e,iv:OIfo4omyCN1kM4FCAf9tB0tyzDJ4FsbggGboX9duVH0=,tag:ybYRFlIJPEmnR8ASGNI3TA==,type:str] + storage_password: ENC[AES256_GCM,data:BhV/oOvjnY4xi6cTZhgxNERKfIE=,iv:xmz4eLoKjlmX3TxQoPttMFhJWwOlwaOTgfgQty+AWts=,tag:k0tVP2X3YH9Pf7BtfpSDaw==,type:str] + storage_encryption_key: ENC[AES256_GCM,data:0ZC36l/F/Kd4GXZ61TW1MaVrVdyLrg0/4/wOw26RDu0YYmjDmM2GFZ9jQdImoF+LoMqCsosMwcwa357tKvH4eg==,iv:AwRwEedfgg4QYdLr01V9O18la5tv5qC2kAlykHEkebk=,tag:J7WiGacBM6nCoFSBIoh5xg==,type:str] + oidc_jwk: ENC[AES256_GCM,data:7Y93/QNMmP/trJtalNUTWHKzUEb9dqoxdw1rwphRcT0acKN9QIKcsivgte7uAekSZDw15H552lrtlOgLl6dpO+fPYUry1UpskC6EyFIoNmG+FXWNvhBH1Vtl9KdubejQ5GHzPJB/qj5pjxwHXMB+cjei+bJuid1Dt8pRPJ+CM/n/S2fHy2bGWxfAZodp1ADaqwz3+gqrPxFgCHRZlwRKqCnHm3DR8pM0XiEVse8KyzC6P6qzWeTSAQ8Dtu36CxsxHtWasUGxXTz2rlcTTUr7XQCCfr2a8xqk7M4++G9OUkQubDpbDKiuQgFAiO8kbPwniSfkjHqwcICiHrnmo+0cIoucHF5CqAAR6YtahRYS13ANGsmiWpe/32RN+41LLFMB0nTVkRn9LpxEYlrDvyIHu5qV7OXRwFuUR0OwYNiU9fpSkZI35b1j6rtcNqKNL5DC5l/iBdqkKZ45QJenKSuxNli1HP/ftufBEwypuwrUZeYkr1NXnoeC4k789ZNIKFdDjj6du+pb38OcdGAIKilSlH67LzdthP002qJerxa3YEM2bsBuvWJ5s5GB6VfSdQMzygYpOjQXbckC3Mj3SrpnrSw4NMpRSFz9R0OlMf7SKJ31fykeTWamsrAmaTHz8RiQeXR8Un2T+UMa3w0Opr9ICKls/7pUKLQ3h1TS+p9fKw/WK/wh54xZ2Umn1RbQRkjJDOas6aVUvEFT3hhkDObWXbBSpu3Nm+4eW+G9xXoqg34p3AK7Hr64TYcLoqh8KaYiXEceZp16HLPL3npW43rNYgT3c0vyI5yDzJXP1j75lym/jyP9pUtTQINyT0SqswAQEOwaPBIyNqbInUi4gX/yOBJmGVF8MXJLG+/5EjFyTmoQfdbtCG/ZTq2cz87czF6Ai0R6HTSOA/nv//phGdy1b9pG2LxeBCUpvhkTxzpATNxinaB8TeTnhiFvpK54NLHm4y2y4oB3jB0BAPIsCFfjjqKTWAvg7c2BEiI8HSb2Uh8DR1uEbSqY8QX+1eOqx1chaPKxtJzmXivYQRZ89PV29pmiQ2sj41e5dG38faZY9LNUeES4kSmSOqjQUskiogF6aaTWQlb4/SMoDdbmLzbdTAC66XBopt6DFPIGL+MoRAxAPdDTBDEl54ZV1/N9uJ89kOVW3EQIr0oiCEt5eowYel9I1rOIkyPPe7GcmqyDM0d9jlWe6kQ+HIUe1uJhCTCZjb9COGTQ2mf3toHJXA03kW6U71bT/33fHDvQj/mi1qGv30bWyQxu3Ll0jMuhhoelZBEHnSdKvtZKzxW+p2ymwmJjh1R/OZt4lhgVhh4mW6633Jb5IIVUfMHPjTBA8ERLCOrOffT1Y9BV5iK3/CLOZEx1qDLdl9hGKt/Kt4ULvIk4iqSb0nPDMI42m3zM+KmipzMff2RDwxt6U2itdIuZyiqkqbO8YKiqbzhJeC7cXQpKmTAj90OFiFzUnwDMJFSTBpcKRAVlbU9IYLK1RhVIv0J1Jt5Vmi5vZKyHV3O0fsbvP/SU/8kLGYgodiaZANJzIuIJvR84Fs4kmwvicM7WhG8nkl/Rz6ZG+2S4EYQBpvi73WRJ9MPY9ULhcYJBuFZQXNeOOEcyHPq5nkcsFjshB6g5ssIBxhElxYFa08AyAopc2bg0vXCRUQJn/I1uTvTJmxGBjM4q2SAlWAUf3MX3yPQwd/p5LoxwrRHEB+lXLKImg95QZUaaOu9JWvJMwpje+6YP8XBFTgoM6gqz44jBXHLGfyiHiCfOQn0dpzvhSimcKgQN2rjkhgEdVWovIyTi4+oD+4TawHjl2xORnbCX2+m4X4FnTnX8JU8xCNU2f4sIk4PPptSn1bogt9YUFxCdvDqX0gAgSaAwT4L3xfQ/4prYv57dyFUElvcZjPzJGrmHwWnZE0YaT94dQetCLCMRlQJcHIBz1V36pftRLZdFCTiDd7PxifZk/Ol5kLO3UEJR8ALaC0+KqwUPqO2wse+HOsvobTXcA6Jn+7g58xPpPE88EI52jj/wlp58EZp6B8yYs7ZZufZcFKhrhllWgWEzEnnTd3NuKZjYWx4TYbBgBggNW5EMRLD4HxQLiZu5JUAcwUbFPyLQrVEYejo8LixcciIUMic6DV+oZ7245tBiYxWHHpQWOkAUE67/+I7tN7xFsl8rdmUGkBXCoEIAsX5T3VKjre6JnqHzH4TLlPFxuP0uPVuAjUYVu9gWecpVlDHKEIMFnbLhdye7zgcwYmmfav1KFGgXYGd0R9IMu7ONJtaVvxfxrngW,iv:nR4OAMkuWvBHtkpkzr0XLUHHjVfZjw6sk5V7/llK14g=,tag:KJqhsBiqe2cU2kuCxTWB6g==,type:str] +ldap: + root: ENC[AES256_GCM,data:ZQWTm78whU8DA4GQkZYEcM/WO1AGBWTOV0ymGF2LFkBCuSKG2u4=,iv:YGZRvBvlR0R4umt0Uu71fWoUieYXSyxKX/gUivF8/dI=,tag:hPBAyEzql60pRCzDKrMuBQ==,type:str] + authelia: ENC[AES256_GCM,data:y3oaV8zP/9A+QBmjfnsxATPfG+g=,iv:wFlSk8oJuKYfBAL5dyjpgwDC+xJ4XbzjS1GaGQGV8RE=,tag:euFXBfZ/u5OVJ/hicFnkMw==,type:str] sops: age: - recipient: age19wvqtn4ju6k4vs8fxr34unl6xx4cv04jw0lx9ps20xlde927zfssgl4qke @@ -36,7 +35,7 @@ sops: NHdWQnlGbk43WS80VDkxV0o4TE5uSUUK0WSdFzR3u0pLUYHXaTMrtBm0sKKe9ZPG nF90b/jv66WGIH1n2oFaaohCkd7DZGzSpr0+KsqX6pkszYnp39YC5A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-07-27T19:16:54Z" - mac: ENC[AES256_GCM,data:SlHu8gnDv7QluHvgiz4OORZ5X1ooQu3OYvw8l1xfmfA/lUSMpALzzAgzmKjniEamCVcgQubj11I5LpRpUZOKzL5VmhbCONPknxCDTGgILf1gJlV3NhmEymChGgyrxItqCABA+hjXY0RlFGdNCTdeYwWJAIi/a1jzKYcWiGURTr8=,iv:GFGUYDftz5S9OQYU/iyOJLCSye+QuLowar35hgoivlw=,tag:8kv/OLeMzR1PAK4BCj0E2Q==,type:str] + lastmodified: "2025-07-28T09:08:03Z" + mac: ENC[AES256_GCM,data:R66Wy3x0MQxwvS1vR59IEG31p3i9x/IXCusK28HhOH611TPRt5Zy4iWv3pLJpuG36v4qTmGOGq5Fznf/iYl4kj313KXeo45opDZixyOEDTLhaY4ZBLTa0Ozh9DBoq/emrwis8eEysFESBM5WKtQZUDw7gQXgTcgaEa4/RQYtn+o=,iv:dvTmKh0EAEOYY9QikQMXtkxOPLy7XsF131Lnm1E6Kcc=,tag:tBbb8EbTcMkhRCE/NuED9g==,type:str] unencrypted_suffix: _unencrypted version: 3.10.2 diff --git a/modules/auth/authelia/default.nix b/modules/auth/authelia/default.nix new file mode 100644 index 0000000..b47cadc --- /dev/null +++ b/modules/auth/authelia/default.nix @@ -0,0 +1,160 @@ +{ config, lib, pkgs, ... }: + +with lib; + +let + cfg = config.dov.auth.authelia; + domain = "susano-lab.duckdns.org"; + autheliaUser = config.services.authelia.instances.main.user; + redis = config.services.redis.servers.""; +in { + options.dov.auth.authelia = { enable = mkEnableOption "authelia config"; }; + + config = mkIf cfg.enable { + + # 1. Sops secrets for Authelia + sops.secrets = { + "authelia/jwt_secret" = { + owner = autheliaUser; + group = autheliaUser; + mode = "0400"; + }; + "authelia/session_secret" = { + owner = autheliaUser; + group = autheliaUser; + mode = "0400"; + }; + "authelia/storage_encryption_key" = { + owner = autheliaUser; + group = autheliaUser; + mode = "0400"; + }; + "authelia/oidc_jwk" = { + owner = autheliaUser; + group = autheliaUser; + mode = "0400"; + }; + }; + + users.users.authelia-main.extraGroups = [ "redis" ]; + services.redis = { + vmOverCommit = true; + servers."" = { + enable = true; + databases = 16; + port = 0; + }; + }; + + # --- Authelia Service Configuration --- + services.authelia.instances.main = { + enable = true; + secrets = { + jwtSecretFile = config.sops.secrets."authelia/jwt_secret".path; + sessionSecretFile = config.sops.secrets."authelia/session_secret".path; + storageEncryptionKeyFile = + config.sops.secrets."authelia/storage_encryption_key".path; + oidcIssuerPrivateKeyFile = config.sops.secrets."authelia/oidc_jwk".path; + }; + + settings = { + log = { level = "info"; }; + default_2fa_method = "totp"; + session = { + cookies = [{ + inherit domain; + authelia_url = "https://auth.${domain}"; + default_redirection_url = "https://homepage.${domain}"; + }]; + redis = { + host = redis.unixSocket; + port = 0; + database_index = 0; + }; + }; + + authentication_backend = { + file = { + path = pkgs.writeText "authelia/users_database.yml" '' + users: + admin: + displayname: "Administrator" + password: "$argon2id$v=19$m=65536,t=3,p=4$B7hBxdT+R4WOS02iZb3HOA$6Epdb0B8JuwkFXbzV16s3gGcgnzviXaRMICNbZbBaFc" + email: "admin@${domain}" + groups: + - admins + - dev + ''; + password.algorithm = "argon2id"; # Modern and secure hashing + }; + }; + + # authentication_backend.ldap = { + # url = "ldaps://127.0.0.1:636"; + # skip_verify = true; + # start_tls = false; + + # base_dn = "dc=susano-nixos,dc=duckdns,dc=org"; + # user = "cn=authelia,ou=services,dc=susano-nixos,dc=duckdns,dc=org"; + + # # --- User Schema + # username_attribute = "uid"; + # users_filter = "(&({username_attribute}={input})(objectClass=inetOrgPerson))"; + # mail_attribute = "mail"; + # display_name_attribute = "displayName"; + + # # --- Group Schema --- + # groups_filter = "(&(member={dn})(objectClass=groupOfNames))"; + # group_name_attribute = "cn"; + # }; + + # Access control rules remain the same, but now reference LDAP groups. + access_control = { + default_policy = "deny"; + rules = [ + { + domain = [ "immich.${domain}" ]; + policy = "two_factor"; + # 'admins' and 'dev' are now groups from your LDAP directory. + subject = [ "group:admins" ]; + } + { + domain = [ "searxng.${domain}" ]; + policy = "one_factor"; + subject = [ "group:admins" "group:dev" ]; + } + ]; + }; + + # Other settings remain unchanged... + notifier.filesystem = { + filename = "/var/lib/authelia-main/notifications.txt"; + }; + + storage.local = { path = "/var/lib/authelia-main/db.sqlite3"; }; + + identity_providers.oidc = { + jwks = [{ + # This is a standard key type for OIDC + use = "sig"; + algorithm = "RS256"; + key = config.sops.secrets."authelia/oidc_jwk".path; + }]; + clients = [{ + authorization_policy = "one_factor"; + client_id = "immich"; + client_secret = + "$pbkdf2-sha512$310000$wPpdmhrPqd.dU.tcLTh9nQ$du11GENjjxaXf5njeqnhpVgr8O9fCISulobjRStCsYJzY6i3aaOyiloRJHKDh.CC.4n1QVqsP.ty9Lo8UH3XvA"; + redirect_uris = [ + "https://immich.${domain}/auth/login" + "https://immich.${domain}/user-settings" + "app.immich:///oauth-callback" + ]; + scopes = [ "openid" "profile" "email" ]; + userinfo_signed_response_alg = "none"; + }]; + }; + }; + }; + }; +} diff --git a/modules/auth/default.nix b/modules/auth/default.nix new file mode 100644 index 0000000..9ae5824 --- /dev/null +++ b/modules/auth/default.nix @@ -0,0 +1,8 @@ +{ config, lib, pkgs, ... }: + +{ + imports = [ + ./authelia + ./ldap + ]; +} diff --git a/modules/auth/ldap/default.nix b/modules/auth/ldap/default.nix new file mode 100644 index 0000000..fba1479 --- /dev/null +++ b/modules/auth/ldap/default.nix @@ -0,0 +1,154 @@ +# { config, lib, pkgs, ... }: + +# with lib; + +# let +# cfg = config.dov.auth.ldap; +# domainToDC = domain: "dc=" + (replaceStrings ["."] [",dc="] domain); +# baseDN = domainToDC cfg.domain; +# rootPasswordFile = config.sops.secrets."ldap/root".path; +# in +# { +# # --- Module Options --- +# options.dov.auth.ldap = { +# enable = mkEnableOption "Enable OpenLDAP service"; +# domain = mkOption { +# type = types.str; +# default = "susano-nixos.duckdns.org"; +# description = "The base domain for the LDAP directory."; +# }; +# }; + +# # --- Module Configuration --- +# config = mkIf cfg.enable { + +# sops.secrets = { +# "ldap/root" = { +# owner = config.services.openldap.user; +# group = config.services.openldap.group; +# mode = "0400"; +# }; +# "ldap/authelia" = mkIf config.dov.auth.authelia.enable { +# owner = config.services.openldap.user; +# group = config.services.openldap.group; +# mode = "0400"; +# }; +# }; + +# # --- Allow LDAP to use Traefik's SSL Certificates --- +# # Since Traefik is already getting valid certs for your domain, we reuse them for LDAPS. +# users.groups.acme.members = [ "openldap" ]; +# security.acme = { +# acceptTerms = true; +# certs."${cfg.domain}" = { +# # This assumes your Traefik is getting certs for the root domain. +# # If not, you might need a separate cert definition here. +# }; +# }; + +# # --- OpenLDAP Service Configuration --- +# services.openldap = { +# enable = true; +# # This provides the hashed password for the Root DN. +# passwordFile = cfg.rootPasswordFile; +# # --- Declarative Directory Information Tree (DIT) --- +# # This LDIF file defines the entire structure and initial data of your directory. +# ldifFile = pkgs.writeText "ldif-declarative" '' +# # The Base DN of your directory +# dn: ${baseDN} +# objectClass: top +# objectClass: dcObject +# objectClass: organization +# o: ${cfg.domain} organization +# dc: ${head (splitString "." cfg.domain)} + +# # The Admin user for daily management +# # Note: This is different from the ultimate Root DN (cn=admin,${baseDN}) +# dn: cn=admin,${baseDN} +# objectClass: simpleSecurityObject +# objectClass: organizationalRole +# cn: admin +# description: LDAP administrator + +# # --- Standard Organizational Units (OUs) --- +# dn: ou=people,${baseDN} +# objectClass: organizationalUnit +# ou: people + +# dn: ou=groups,${baseDN} +# objectClass: organizationalUnit +# ou: groups + +# dn: ou=services,${baseDN} +# objectClass: organizationalUnit +# ou: services + +# # --- Service Account for Authelia (read-only) --- +# dn: cn=authelia,ou=services,${baseDN} +# objectClass: inetOrgPerson +# objectClass: organizationalPerson +# objectClass: person +# objectClass: top +# cn: authelia +# sn: Service Account +# mail: authelia@${cfg.domain} +# # Special syntax to read the raw password from a file at runtime. +# userPassword:: file://${config.sops.secrets."ldap/authelia".path} + +# # --- Initial Users and Groups --- +# # An example user 'jdoe' +# # dn: uid=jdoe,ou=people,${baseDN} +# # objectClass: inetOrgPerson +# # objectClass: organizationalPerson +# # objectClass: person +# # objectClass: top +# # uid: jdoe +# # cn: John Doe +# # sn: Doe +# # displayName: John Doe +# # mail: jdoe@${cfg.domain} +# # # Provide a hashed password for this user +# # userPassword: {SSHA}your-ssha-hash-for-jdoe + +# # Example 'admins' group +# dn: cn=admins,ou=groups,${baseDN} +# objectClass: groupOfNames +# objectClass: top +# cn: admins +# # Add 'jdoe' to the admins group +# member: uid=jdoe,ou=people,${baseDN} + +# # Example 'dev' group +# dn: cn=dev,ou=groups,${baseDN} +# objectClass: groupOfNames +# objectClass: top +# cn: dev +# ''; + +# # --- Security and Access Control --- +# # Enable LDAPS (LDAP over SSL) on port 636 +# settings = { +# "olcTLSCertificateFile" = config.security.acme.certs."${cfg.domain}".cert; +# "olcTLSCertificateKeyFile" = config.security.acme.certs."${cfg.domain}".key; +# # Fine-grained Access Control Lists (ACLs) +# # Order matters: from most specific to most general. +# "olcAccess" = [ +# # The admin user and root user have full control. +# "{0}to * by dn.base=\"cn=admin,${baseDN}\" write by dn.base=\"${config.services.openldap.rootDN}\" write by * break" +# # The authelia service account can read entries. +# "{1}to * by dn.base=\"cn=authelia,ou=services,${baseDN}\" read" +# # Users can change their own password. +# "{2}to attrs=userPassword by self write by anonymous auth by * none" +# # Users can read their own entry. +# "{3}to * by self read by * none" +# ]; +# }; +# }; + +# # --- Firewall --- +# # Open the LDAPS port. We do not open the unencrypted port 389. +# networking.firewall.allowedTCPPorts = [ 636 ]; +# }; +# } +{ +} diff --git a/modules/default.nix b/modules/default.nix index 908b583..94440a0 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -8,5 +8,6 @@ ./file-server ./samba ./searxng + ./auth ]; } diff --git a/modules/reverse-proxy/traefik/default.nix b/modules/reverse-proxy/traefik/default.nix index 3f6710e..3617412 100644 --- a/modules/reverse-proxy/traefik/default.nix +++ b/modules/reverse-proxy/traefik/default.nix @@ -70,19 +70,28 @@ in { dynamicConfigOptions = { http = { routers = { - # --- Router for the Traefik dashboard (optional) --- - dashboard-router = { - rule = "Host(`traefik.${domain}`)"; # Example: A local-only subdomain + authelia-router = mkIf config.dov.auth.authelia.enable { + rule = "Host(`auth.${domain}`)"; entryPoints = [ "websecure" ]; - service = "api@internal"; # Special service for the dashboard + service = "authelia-service"; # Points to the Authelia service below tls.certResolver = "duckdns"; }; - immich-router = { - rule = "Host(`immich.${domain}`)"; + dashboard-router = { + rule = "Host(`traefik.${domain}`)"; entryPoints = [ "websecure" ]; - service = "immich-service"; - tls.certResolver = "duckdns"; + service = "api@internal"; + tls = { + certResolver = "duckdns"; + domains = [ + { + main = "susano-nixos.duckdns.org"; + sans = [ + "*.susano-nixos.duckdns.org" + ]; + } + ]; + }; }; copyparty = mkIf config.dov.file-server.copyparty.enable { @@ -101,10 +110,10 @@ in { }; services = { - immich-service = { + authelia-service = mkIf config.dov.auth.authelia.enable { loadBalancer.servers = [ - # The backend URL for Immich - { url = "http://192.168.1.57:2283"; } + # Points to the Authelia instance defined in authelia.nix + { url = "http://127.0.0.1:9091"; } ]; }; @@ -132,10 +141,23 @@ in { "your-user:$apr1$....some-hash-here...." ]; }; + + authelia-mw = mkIf config.dov.auth.authelia.enable { + forwardAuth = { + # This address MUST match the Authelia service URL + address = "http://127.0.0.1:9091/api/verify?rd=https%3A%2F%2Fauth.${domain}%2F"; + trustForwardHeader = true; + authResponseHeaders = [ + "Remote-User" + "Remote-Groups" + "Remote-Name" + "Remote-Email" + ]; + }; + }; }; }; }; }; }; - }