fujin/Nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Authelia, it does not work :)

Browse Source
This commit is contained in:
Alexander Derevianko
2025-07-29 18:38:43 +02:00
parent 28e3b773c5
commit 20f36c7842
7 changed files with 373 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
modules/auth/authelia/default.nix
+160
View File
@@ -0,0 +1,160 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.dov.auth.authelia;
domain = "susano-lab.duckdns.org";
autheliaUser = config.services.authelia.instances.main.user;
redis = config.services.redis.servers."";
in {
options.dov.auth.authelia = { enable = mkEnableOption "authelia config"; };
config = mkIf cfg.enable {
# 1. Sops secrets for Authelia
sops.secrets = {
"authelia/jwt_secret" = {
owner = autheliaUser;
group = autheliaUser;
mode = "0400";
};
"authelia/session_secret" = {
owner = autheliaUser;
group = autheliaUser;
mode = "0400";
};
"authelia/storage_encryption_key" = {
owner = autheliaUser;
group = autheliaUser;
mode = "0400";
};
"authelia/oidc_jwk" = {
owner = autheliaUser;
group = autheliaUser;
mode = "0400";
};
};
users.users.authelia-main.extraGroups = [ "redis" ];
services.redis = {
vmOverCommit = true;
servers."" = {
enable = true;
databases = 16;
port = 0;
};
};
# --- Authelia Service Configuration ---
services.authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = config.sops.secrets."authelia/jwt_secret".path;
sessionSecretFile = config.sops.secrets."authelia/session_secret".path;
storageEncryptionKeyFile =
config.sops.secrets."authelia/storage_encryption_key".path;
oidcIssuerPrivateKeyFile = config.sops.secrets."authelia/oidc_jwk".path;
};
settings = {
log = { level = "info"; };
default_2fa_method = "totp";
session = {
cookies = [{
inherit domain;
authelia_url = "https://auth.${domain}";
default_redirection_url = "https://homepage.${domain}";
}];
redis = {
host = redis.unixSocket;
port = 0;
database_index = 0;
};
};
authentication_backend = {
file = {
path = pkgs.writeText "authelia/users_database.yml" ''
users:
admin:
displayname: "Administrator"
password: "$argon2id$v=19$m=65536,t=3,p=4$B7hBxdT+R4WOS02iZb3HOA$6Epdb0B8JuwkFXbzV16s3gGcgnzviXaRMICNbZbBaFc"
email: "admin@${domain}"
groups:
- admins
- dev
'';
password.algorithm = "argon2id"; # Modern and secure hashing
};
};
# authentication_backend.ldap = {
# url = "ldaps://127.0.0.1:636";
# skip_verify = true;
# start_tls = false;
# base_dn = "dc=susano-nixos,dc=duckdns,dc=org";
# user = "cn=authelia,ou=services,dc=susano-nixos,dc=duckdns,dc=org";
# # --- User Schema
# username_attribute = "uid";
# users_filter = "(&({username_attribute}={input})(objectClass=inetOrgPerson))";
# mail_attribute = "mail";
# display_name_attribute = "displayName";
# # --- Group Schema ---
# groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
# group_name_attribute = "cn";
# };
# Access control rules remain the same, but now reference LDAP groups.
access_control = {
default_policy = "deny";
rules = [
{
domain = [ "immich.${domain}" ];
policy = "two_factor";
# 'admins' and 'dev' are now groups from your LDAP directory.
subject = [ "group:admins" ];
}
{
domain = [ "searxng.${domain}" ];
policy = "one_factor";
subject = [ "group:admins" "group:dev" ];
}
];
};
# Other settings remain unchanged...
notifier.filesystem = {
filename = "/var/lib/authelia-main/notifications.txt";
};
storage.local = { path = "/var/lib/authelia-main/db.sqlite3"; };
identity_providers.oidc = {
jwks = [{
# This is a standard key type for OIDC
use = "sig";
algorithm = "RS256";
key = config.sops.secrets."authelia/oidc_jwk".path;
}];
clients = [{
authorization_policy = "one_factor";
client_id = "immich";
client_secret =
"$pbkdf2-sha512$310000$wPpdmhrPqd.dU.tcLTh9nQ$du11GENjjxaXf5njeqnhpVgr8O9fCISulobjRStCsYJzY6i3aaOyiloRJHKDh.CC.4n1QVqsP.ty9Lo8UH3XvA";
redirect_uris = [
"https://immich.${domain}/auth/login"
"https://immich.${domain}/user-settings"
"app.immich:///oauth-callback"
];
scopes = [ "openid" "profile" "email" ];
userinfo_signed_response_alg = "none";
}];
};
};
};
};
}
modules/auth/default.nix
+8
View File
@@ -0,0 +1,8 @@
{ config, lib, pkgs, ... }:
{
imports = [
./authelia
./ldap
];
}
modules/auth/ldap/default.nix
+154
View File
@@ -0,0 +1,154 @@
# { config, lib, pkgs, ... }:
# with lib;
# let
# cfg = config.dov.auth.ldap;
# domainToDC = domain: "dc=" + (replaceStrings ["."] [",dc="] domain);
# baseDN = domainToDC cfg.domain;
# rootPasswordFile = config.sops.secrets."ldap/root".path;
# in
# {
# # --- Module Options ---
# options.dov.auth.ldap = {
# enable = mkEnableOption "Enable OpenLDAP service";
# domain = mkOption {
# type = types.str;
# default = "susano-nixos.duckdns.org";
# description = "The base domain for the LDAP directory.";
# };
# };
# # --- Module Configuration ---
# config = mkIf cfg.enable {
# sops.secrets = {
# "ldap/root" = {
# owner = config.services.openldap.user;
# group = config.services.openldap.group;
# mode = "0400";
# };
# "ldap/authelia" = mkIf config.dov.auth.authelia.enable {
# owner = config.services.openldap.user;
# group = config.services.openldap.group;
# mode = "0400";
# };
# };
# # --- Allow LDAP to use Traefik's SSL Certificates ---
# # Since Traefik is already getting valid certs for your domain, we reuse them for LDAPS.
# users.groups.acme.members = [ "openldap" ];
# security.acme = {
# acceptTerms = true;
# certs."${cfg.domain}" = {
# # This assumes your Traefik is getting certs for the root domain.
# # If not, you might need a separate cert definition here.
# };
# };
# # --- OpenLDAP Service Configuration ---
# services.openldap = {
# enable = true;
# # This provides the hashed password for the Root DN.
# passwordFile = cfg.rootPasswordFile;
# # --- Declarative Directory Information Tree (DIT) ---
# # This LDIF file defines the entire structure and initial data of your directory.
# ldifFile = pkgs.writeText "ldif-declarative" ''
# # The Base DN of your directory
# dn: ${baseDN}
# objectClass: top
# objectClass: dcObject
# objectClass: organization
# o: ${cfg.domain} organization
# dc: ${head (splitString "." cfg.domain)}
# # The Admin user for daily management
# # Note: This is different from the ultimate Root DN (cn=admin,${baseDN})
# dn: cn=admin,${baseDN}
# objectClass: simpleSecurityObject
# objectClass: organizationalRole
# cn: admin
# description: LDAP administrator
# # --- Standard Organizational Units (OUs) ---
# dn: ou=people,${baseDN}
# objectClass: organizationalUnit
# ou: people
# dn: ou=groups,${baseDN}
# objectClass: organizationalUnit
# ou: groups
# dn: ou=services,${baseDN}
# objectClass: organizationalUnit
# ou: services
# # --- Service Account for Authelia (read-only) ---
# dn: cn=authelia,ou=services,${baseDN}
# objectClass: inetOrgPerson
# objectClass: organizationalPerson
# objectClass: person
# objectClass: top
# cn: authelia
# sn: Service Account
# mail: authelia@${cfg.domain}
# # Special syntax to read the raw password from a file at runtime.
# userPassword:: file://${config.sops.secrets."ldap/authelia".path}
# # --- Initial Users and Groups ---
# # An example user 'jdoe'
# # dn: uid=jdoe,ou=people,${baseDN}
# # objectClass: inetOrgPerson
# # objectClass: organizationalPerson
# # objectClass: person
# # objectClass: top
# # uid: jdoe
# # cn: John Doe
# # sn: Doe
# # displayName: John Doe
# # mail: jdoe@${cfg.domain}
# # # Provide a hashed password for this user
# # userPassword: {SSHA}your-ssha-hash-for-jdoe
# # Example 'admins' group
# dn: cn=admins,ou=groups,${baseDN}
# objectClass: groupOfNames
# objectClass: top
# cn: admins
# # Add 'jdoe' to the admins group
# member: uid=jdoe,ou=people,${baseDN}
# # Example 'dev' group
# dn: cn=dev,ou=groups,${baseDN}
# objectClass: groupOfNames
# objectClass: top
# cn: dev
# '';
# # --- Security and Access Control ---
# # Enable LDAPS (LDAP over SSL) on port 636
# settings = {
# "olcTLSCertificateFile" = config.security.acme.certs."${cfg.domain}".cert;
# "olcTLSCertificateKeyFile" = config.security.acme.certs."${cfg.domain}".key;
# # Fine-grained Access Control Lists (ACLs)
# # Order matters: from most specific to most general.
# "olcAccess" = [
# # The admin user and root user have full control.
# "{0}to * by dn.base=\"cn=admin,${baseDN}\" write by dn.base=\"${config.services.openldap.rootDN}\" write by * break"
# # The authelia service account can read entries.
# "{1}to * by dn.base=\"cn=authelia,ou=services,${baseDN}\" read"
# # Users can change their own password.
# "{2}to attrs=userPassword by self write by anonymous auth by * none"
# # Users can read their own entry.
# "{3}to * by self read by * none"
# ];
# };
# };
# # --- Firewall ---
# # Open the LDAPS port. We do not open the unencrypted port 389.
# networking.firewall.allowedTCPPorts = [ 636 ];
# };
# }
{
}