fujin/Nixos
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add Authelia, it does not work :)

Browse Source
This commit is contained in:
Alexander Derevianko
2025-07-29 18:38:43 +02:00
parent 28e3b773c5
commit 20f36c7842
7 changed files with 373 additions and 24 deletions
Download Patch File Download Diff File Expand all files Collapse all files
main/default.nix
+5
View File
@@ -153,6 +153,11 @@ in {
samba.enable = true; samba.enable = true;
searxng.enable = true; searxng.enable = true;
auth = {
authelia.enable = false; # TODO needs configuration with nginx or traefik
# ldap.enable = false; # TODO too hard to setup, will need to take a look later
};
}; };
# DO NOT CHANGE AT ANY POINT! # DO NOT CHANGE AT ANY POINT!
main/secrets/secrets.yaml
+11 -12
View File
@@ -1,13 +1,3 @@
hello: ENC[AES256_GCM,data:kQFj0v5K91h8DOvtm64tHx6qeJlfTyfxMNJelCtOvKNSf+UhiaCPPjWqDKOc+A==,iv:x/nWPKqwCI8kCo1/Md60DGK7zpOj4Wo1z9zUz6iN7VA=,tag:nR7PRubjoT8Y24lhsaR0Lg==,type:str]
example_key: ENC[AES256_GCM,data:fsWUwTTDcqKyRECWbg==,iv:B7CiWA03R/VQMt0EuymXHMz2+lAOQ9JMBP/fgGRlXuU=,tag:sH0nk4Oa6nKCFQmHmhfEqg==,type:str]
#ENC[AES256_GCM,data:WWchy1xoaqb+YoprbxR9cQ==,iv:lN7qwwOO1KezH7ab7Y1agKwuI3lLNO/bAiiJBWbGXn8=,tag:MC/3jd245bRAD5N9PNGPFg==,type:comment]
example_array:
- ENC[AES256_GCM,data:yoH7Z3R5/JZSNF6HSuI=,iv:MFcdr/hUnQlRq/Uv8j0wVV1mcPXTxv/ie2BU2N+/gyc=,tag:dQnYQI86rUSTHn+GFoi/Eg==,type:str]
- ENC[AES256_GCM,data:XhW7btDAl5pOkTj4QsE=,iv:qk9GlUObq1omvo02L07Y7g6qftZGnSrCyZnrxNRxJow=,tag:bqKzb0EeyztCiu8yh0NuAA==,type:str]
example_number: ENC[AES256_GCM,data:5mNliaa4HqK4Bw==,iv:t6hpGNyi59mEwwvglKT3JwO5RRON5z0mvqt0jdTV+L8=,tag:0KVsAEe24M/ZcBf8TjPcLQ==,type:float]
example_booleans:
- ENC[AES256_GCM,data:4rh2xA==,iv:2wQtaVPzLjQzPezrxd1w4/IZu4bT0rvU8G/edcsQ7VQ=,tag:re5rdTqPNSTZ+CuZjvs86A==,type:bool]
- ENC[AES256_GCM,data:5VhbnIk=,iv:sRnE8roVMQVs1Dk9tOtALWiDtfM4aJiSX5gb/MDHak8=,tag:egUULcUP5vCsy5uUM+j6dA==,type:bool]
user_password: ENC[AES256_GCM,data:Q7rk67ylyjr5Sa+AYCxnQAPLbBP5Fy85wTGLZuqxBG3iJ+MmhEgfeatVA2tcsY7GSaU/vghny+TJtrvhDYYMqa10h/F0wPxUjId78qkhKbnRQs4mqAxA9heSi4ojp1kh/pXN7tj64wNyJA==,iv:FTUojVNz78tn/Uj1N8Oj5Iov9eEMRo5vz+mqHdewxjg=,tag:YF74hLXXUby0IjHrqdkBUQ==,type:str] user_password: ENC[AES256_GCM,data:Q7rk67ylyjr5Sa+AYCxnQAPLbBP5Fy85wTGLZuqxBG3iJ+MmhEgfeatVA2tcsY7GSaU/vghny+TJtrvhDYYMqa10h/F0wPxUjId78qkhKbnRQs4mqAxA9heSi4ojp1kh/pXN7tj64wNyJA==,iv:FTUojVNz78tn/Uj1N8Oj5Iov9eEMRo5vz+mqHdewxjg=,tag:YF74hLXXUby0IjHrqdkBUQ==,type:str]
duckdns-token: ENC[AES256_GCM,data:Gf3kIpOO/X+ZVXV4w71Fp5qMuNedBBoobazAFpp22RC70xKb6xsJVffWdtFq0blDe5Y=,iv:SNq6wnhG6CuDwB3NQ/PryTgY3U/J2g1XfGCW7gSEYbo=,tag:MWqhrJRreGZ/SaapAaCXQA==,type:str] duckdns-token: ENC[AES256_GCM,data:Gf3kIpOO/X+ZVXV4w71Fp5qMuNedBBoobazAFpp22RC70xKb6xsJVffWdtFq0blDe5Y=,iv:SNq6wnhG6CuDwB3NQ/PryTgY3U/J2g1XfGCW7gSEYbo=,tag:MWqhrJRreGZ/SaapAaCXQA==,type:str]
matrix_secret: ENC[AES256_GCM,data:U1yPFsFeLA5tbFf/MMACrhmH/32zUMUg2HOHWdAtcm+ybg9KgjhQmbGDM/MTDoRaAa+Zqfs774gz3A6Rg4HLuvCr4cPotSCHH8qRPz+UDK4Bvf305EfLP22Rrhc=,iv:A9BSgw1hHg+y8x4GC4hWNBCaYZNlRfS1+jKKv38znXg=,tag:SkwEfez7TRhFuLEL4PkvZA==,type:str] matrix_secret: ENC[AES256_GCM,data:U1yPFsFeLA5tbFf/MMACrhmH/32zUMUg2HOHWdAtcm+ybg9KgjhQmbGDM/MTDoRaAa+Zqfs774gz3A6Rg4HLuvCr4cPotSCHH8qRPz+UDK4Bvf305EfLP22Rrhc=,iv:A9BSgw1hHg+y8x4GC4hWNBCaYZNlRfS1+jKKv38znXg=,tag:SkwEfez7TRhFuLEL4PkvZA==,type:str]
@@ -16,6 +6,15 @@ copyparty:
alex_password: ENC[AES256_GCM,data:0X5AZH8tqJRd6er5w3oMaWI0jrE=,iv:/2aLquP4LVCKCozJsMGItqX9+L9pxSM4PRpn6QnDzbE=,tag:b1GRHEBwQNYBtERj1xqjoA==,type:str] alex_password: ENC[AES256_GCM,data:0X5AZH8tqJRd6er5w3oMaWI0jrE=,iv:/2aLquP4LVCKCozJsMGItqX9+L9pxSM4PRpn6QnDzbE=,tag:b1GRHEBwQNYBtERj1xqjoA==,type:str]
smb-secrets: ENC[AES256_GCM,data:RW8xaGU94jxE/iTocH3ylCP5uIpmnSg/MQDC+e5i9PhvlsNY+kfUiqQHoDXETgEPmNUbLr2qZSMLPhQ=,iv:5vkw0Qfa7UHYZ2ODOvFZgirehpY7muV6fvjWHAyHMu4=,tag:cuEzibaBZVf5HVlAF2xUIA==,type:str] smb-secrets: ENC[AES256_GCM,data:RW8xaGU94jxE/iTocH3ylCP5uIpmnSg/MQDC+e5i9PhvlsNY+kfUiqQHoDXETgEPmNUbLr2qZSMLPhQ=,iv:5vkw0Qfa7UHYZ2ODOvFZgirehpY7muV6fvjWHAyHMu4=,tag:cuEzibaBZVf5HVlAF2xUIA==,type:str]
searxng: ENC[AES256_GCM,data:KmW0pzhjWBBC0VqQNkOmPzcuDnPBEXiZMi030x+LxcOZmS/Q4Hz8RgahWIYwef0maRyFdyB++36SQbUnXz1+Cw==,iv:PL7mby/fmsROaOafv0auCmTEpF5w8WH6Nw4wUrpXNg0=,tag:3s4E1zJh6MB1YkDFM9gBSw==,type:str] searxng: ENC[AES256_GCM,data:KmW0pzhjWBBC0VqQNkOmPzcuDnPBEXiZMi030x+LxcOZmS/Q4Hz8RgahWIYwef0maRyFdyB++36SQbUnXz1+Cw==,iv:PL7mby/fmsROaOafv0auCmTEpF5w8WH6Nw4wUrpXNg0=,tag:3s4E1zJh6MB1YkDFM9gBSw==,type:str]
authelia:
jwt_secret: ENC[AES256_GCM,data:WroxkJeD+rtej6wMXgafQ+DdzCffLs8SDD4VHPQnOURIzZFCTPwK9JOvrNIL6eIEGyhqtySvOhXrnFj4,iv:tQZ15yoGLoDAF9PFKSh/ol8hDX88vZmHOrI+nhGGu4Y=,tag:Qadsu6Z62287XK8voIjn5g==,type:str]
session_secret: ENC[AES256_GCM,data:t5pBvmZaO+bXyac0NZUZL8sS1xcwa9XH6M8zgziIA9Nhe9umw8B2LckMqz82NAvpLGeCoMXd9MmODv0e,iv:OIfo4omyCN1kM4FCAf9tB0tyzDJ4FsbggGboX9duVH0=,tag:ybYRFlIJPEmnR8ASGNI3TA==,type:str]
storage_password: ENC[AES256_GCM,data:BhV/oOvjnY4xi6cTZhgxNERKfIE=,iv:xmz4eLoKjlmX3TxQoPttMFhJWwOlwaOTgfgQty+AWts=,tag:k0tVP2X3YH9Pf7BtfpSDaw==,type:str]
storage_encryption_key: ENC[AES256_GCM,data:0ZC36l/F/Kd4GXZ61TW1MaVrVdyLrg0/4/wOw26RDu0YYmjDmM2GFZ9jQdImoF+LoMqCsosMwcwa357tKvH4eg==,iv:AwRwEedfgg4QYdLr01V9O18la5tv5qC2kAlykHEkebk=,tag:J7WiGacBM6nCoFSBIoh5xg==,type:str]
oidc_jwk: ENC[AES256_GCM,data:7Y93/QNMmP/trJtalNUTWHKzUEb9dqoxdw1rwphRcT0acKN9QIKcsivgte7uAekSZDw15H552lrtlOgLl6dpO+fPYUry1UpskC6EyFIoNmG+FXWNvhBH1Vtl9KdubejQ5GHzPJB/qj5pjxwHXMB+cjei+bJuid1Dt8pRPJ+CM/n/S2fHy2bGWxfAZodp1ADaqwz3+gqrPxFgCHRZlwRKqCnHm3DR8pM0XiEVse8KyzC6P6qzWeTSAQ8Dtu36CxsxHtWasUGxXTz2rlcTTUr7XQCCfr2a8xqk7M4++G9OUkQubDpbDKiuQgFAiO8kbPwniSfkjHqwcICiHrnmo+0cIoucHF5CqAAR6YtahRYS13ANGsmiWpe/32RN+41LLFMB0nTVkRn9LpxEYlrDvyIHu5qV7OXRwFuUR0OwYNiU9fpSkZI35b1j6rtcNqKNL5DC5l/iBdqkKZ45QJenKSuxNli1HP/ftufBEwypuwrUZeYkr1NXnoeC4k789ZNIKFdDjj6du+pb38OcdGAIKilSlH67LzdthP002qJerxa3YEM2bsBuvWJ5s5GB6VfSdQMzygYpOjQXbckC3Mj3SrpnrSw4NMpRSFz9R0OlMf7SKJ31fykeTWamsrAmaTHz8RiQeXR8Un2T+UMa3w0Opr9ICKls/7pUKLQ3h1TS+p9fKw/WK/wh54xZ2Umn1RbQRkjJDOas6aVUvEFT3hhkDObWXbBSpu3Nm+4eW+G9xXoqg34p3AK7Hr64TYcLoqh8KaYiXEceZp16HLPL3npW43rNYgT3c0vyI5yDzJXP1j75lym/jyP9pUtTQINyT0SqswAQEOwaPBIyNqbInUi4gX/yOBJmGVF8MXJLG+/5EjFyTmoQfdbtCG/ZTq2cz87czF6Ai0R6HTSOA/nv//phGdy1b9pG2LxeBCUpvhkTxzpATNxinaB8TeTnhiFvpK54NLHm4y2y4oB3jB0BAPIsCFfjjqKTWAvg7c2BEiI8HSb2Uh8DR1uEbSqY8QX+1eOqx1chaPKxtJzmXivYQRZ89PV29pmiQ2sj41e5dG38faZY9LNUeES4kSmSOqjQUskiogF6aaTWQlb4/SMoDdbmLzbdTAC66XBopt6DFPIGL+MoRAxAPdDTBDEl54ZV1/N9uJ89kOVW3EQIr0oiCEt5eowYel9I1rOIkyPPe7GcmqyDM0d9jlWe6kQ+HIUe1uJhCTCZjb9COGTQ2mf3toHJXA03kW6U71bT/33fHDvQj/mi1qGv30bWyQxu3Ll0jMuhhoelZBEHnSdKvtZKzxW+p2ymwmJjh1R/OZt4lhgVhh4mW6633Jb5IIVUfMHPjTBA8ERLCOrOffT1Y9BV5iK3/CLOZEx1qDLdl9hGKt/Kt4ULvIk4iqSb0nPDMI42m3zM+KmipzMff2RDwxt6U2itdIuZyiqkqbO8YKiqbzhJeC7cXQpKmTAj90OFiFzUnwDMJFSTBpcKRAVlbU9IYLK1RhVIv0J1Jt5Vmi5vZKyHV3O0fsbvP/SU/8kLGYgodiaZANJzIuIJvR84Fs4kmwvicM7WhG8nkl/Rz6ZG+2S4EYQBpvi73WRJ9MPY9ULhcYJBuFZQXNeOOEcyHPq5nkcsFjshB6g5ssIBxhElxYFa08AyAopc2bg0vXCRUQJn/I1uTvTJmxGBjM4q2SAlWAUf3MX3yPQwd/p5LoxwrRHEB+lXLKImg95QZUaaOu9JWvJMwpje+6YP8XBFTgoM6gqz44jBXHLGfyiHiCfOQn0dpzvhSimcKgQN2rjkhgEdVWovIyTi4+oD+4TawHjl2xORnbCX2+m4X4FnTnX8JU8xCNU2f4sIk4PPptSn1bogt9YUFxCdvDqX0gAgSaAwT4L3xfQ/4prYv57dyFUElvcZjPzJGrmHwWnZE0YaT94dQetCLCMRlQJcHIBz1V36pftRLZdFCTiDd7PxifZk/Ol5kLO3UEJR8ALaC0+KqwUPqO2wse+HOsvobTXcA6Jn+7g58xPpPE88EI52jj/wlp58EZp6B8yYs7ZZufZcFKhrhllWgWEzEnnTd3NuKZjYWx4TYbBgBggNW5EMRLD4HxQLiZu5JUAcwUbFPyLQrVEYejo8LixcciIUMic6DV+oZ7245tBiYxWHHpQWOkAUE67/+I7tN7xFsl8rdmUGkBXCoEIAsX5T3VKjre6JnqHzH4TLlPFxuP0uPVuAjUYVu9gWecpVlDHKEIMFnbLhdye7zgcwYmmfav1KFGgXYGd0R9IMu7ONJtaVvxfxrngW,iv:nR4OAMkuWvBHtkpkzr0XLUHHjVfZjw6sk5V7/llK14g=,tag:KJqhsBiqe2cU2kuCxTWB6g==,type:str]
ldap:
root: ENC[AES256_GCM,data:ZQWTm78whU8DA4GQkZYEcM/WO1AGBWTOV0ymGF2LFkBCuSKG2u4=,iv:YGZRvBvlR0R4umt0Uu71fWoUieYXSyxKX/gUivF8/dI=,tag:hPBAyEzql60pRCzDKrMuBQ==,type:str]
authelia: ENC[AES256_GCM,data:y3oaV8zP/9A+QBmjfnsxATPfG+g=,iv:wFlSk8oJuKYfBAL5dyjpgwDC+xJ4XbzjS1GaGQGV8RE=,tag:euFXBfZ/u5OVJ/hicFnkMw==,type:str]
sops: sops:
age: age:
- recipient: age19wvqtn4ju6k4vs8fxr34unl6xx4cv04jw0lx9ps20xlde927zfssgl4qke - recipient: age19wvqtn4ju6k4vs8fxr34unl6xx4cv04jw0lx9ps20xlde927zfssgl4qke
@@ -36,7 +35,7 @@ sops:
NHdWQnlGbk43WS80VDkxV0o4TE5uSUUK0WSdFzR3u0pLUYHXaTMrtBm0sKKe9ZPG NHdWQnlGbk43WS80VDkxV0o4TE5uSUUK0WSdFzR3u0pLUYHXaTMrtBm0sKKe9ZPG
nF90b/jv66WGIH1n2oFaaohCkd7DZGzSpr0+KsqX6pkszYnp39YC5A== nF90b/jv66WGIH1n2oFaaohCkd7DZGzSpr0+KsqX6pkszYnp39YC5A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-27T19:16:54Z" lastmodified: "2025-07-28T09:08:03Z"
mac: ENC[AES256_GCM,data:SlHu8gnDv7QluHvgiz4OORZ5X1ooQu3OYvw8l1xfmfA/lUSMpALzzAgzmKjniEamCVcgQubj11I5LpRpUZOKzL5VmhbCONPknxCDTGgILf1gJlV3NhmEymChGgyrxItqCABA+hjXY0RlFGdNCTdeYwWJAIi/a1jzKYcWiGURTr8=,iv:GFGUYDftz5S9OQYU/iyOJLCSye+QuLowar35hgoivlw=,tag:8kv/OLeMzR1PAK4BCj0E2Q==,type:str] mac: ENC[AES256_GCM,data:R66Wy3x0MQxwvS1vR59IEG31p3i9x/IXCusK28HhOH611TPRt5Zy4iWv3pLJpuG36v4qTmGOGq5Fznf/iYl4kj313KXeo45opDZixyOEDTLhaY4ZBLTa0Ozh9DBoq/emrwis8eEysFESBM5WKtQZUDw7gQXgTcgaEa4/RQYtn+o=,iv:dvTmKh0EAEOYY9QikQMXtkxOPLy7XsF131Lnm1E6Kcc=,tag:tBbb8EbTcMkhRCE/NuED9g==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.10.2 version: 3.10.2
modules/auth/authelia/default.nix
+160
View File
@@ -0,0 +1,160 @@
{ config, lib, pkgs, ... }:
with lib;
let
cfg = config.dov.auth.authelia;
domain = "susano-lab.duckdns.org";
autheliaUser = config.services.authelia.instances.main.user;
redis = config.services.redis.servers."";
in {
options.dov.auth.authelia = { enable = mkEnableOption "authelia config"; };
config = mkIf cfg.enable {
# 1. Sops secrets for Authelia
sops.secrets = {
"authelia/jwt_secret" = {
owner = autheliaUser;
group = autheliaUser;
mode = "0400";
};
"authelia/session_secret" = {
owner = autheliaUser;
group = autheliaUser;
mode = "0400";
};
"authelia/storage_encryption_key" = {
owner = autheliaUser;
group = autheliaUser;
mode = "0400";
};
"authelia/oidc_jwk" = {
owner = autheliaUser;
group = autheliaUser;
mode = "0400";
};
};
users.users.authelia-main.extraGroups = [ "redis" ];
services.redis = {
vmOverCommit = true;
servers."" = {
enable = true;
databases = 16;
port = 0;
};
};
# --- Authelia Service Configuration ---
services.authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = config.sops.secrets."authelia/jwt_secret".path;
sessionSecretFile = config.sops.secrets."authelia/session_secret".path;
storageEncryptionKeyFile =
config.sops.secrets."authelia/storage_encryption_key".path;
oidcIssuerPrivateKeyFile = config.sops.secrets."authelia/oidc_jwk".path;
};
settings = {
log = { level = "info"; };
default_2fa_method = "totp";
session = {
cookies = [{
inherit domain;
authelia_url = "https://auth.${domain}";
default_redirection_url = "https://homepage.${domain}";
}];
redis = {
host = redis.unixSocket;
port = 0;
database_index = 0;
};
};
authentication_backend = {
file = {
path = pkgs.writeText "authelia/users_database.yml" ''
users:
admin:
displayname: "Administrator"
password: "$argon2id$v=19$m=65536,t=3,p=4$B7hBxdT+R4WOS02iZb3HOA$6Epdb0B8JuwkFXbzV16s3gGcgnzviXaRMICNbZbBaFc"
email: "admin@${domain}"
groups:
- admins
- dev
'';
password.algorithm = "argon2id"; # Modern and secure hashing
};
};
# authentication_backend.ldap = {
# url = "ldaps://127.0.0.1:636";
# skip_verify = true;
# start_tls = false;
# base_dn = "dc=susano-nixos,dc=duckdns,dc=org";
# user = "cn=authelia,ou=services,dc=susano-nixos,dc=duckdns,dc=org";
# # --- User Schema
# username_attribute = "uid";
# users_filter = "(&({username_attribute}={input})(objectClass=inetOrgPerson))";
# mail_attribute = "mail";
# display_name_attribute = "displayName";
# # --- Group Schema ---
# groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
# group_name_attribute = "cn";
# };
# Access control rules remain the same, but now reference LDAP groups.
access_control = {
default_policy = "deny";
rules = [
{
domain = [ "immich.${domain}" ];
policy = "two_factor";
# 'admins' and 'dev' are now groups from your LDAP directory.
subject = [ "group:admins" ];
}
{
domain = [ "searxng.${domain}" ];
policy = "one_factor";
subject = [ "group:admins" "group:dev" ];
}
];
};
# Other settings remain unchanged...
notifier.filesystem = {
filename = "/var/lib/authelia-main/notifications.txt";
};
storage.local = { path = "/var/lib/authelia-main/db.sqlite3"; };
identity_providers.oidc = {
jwks = [{
# This is a standard key type for OIDC
use = "sig";
algorithm = "RS256";
key = config.sops.secrets."authelia/oidc_jwk".path;
}];
clients = [{
authorization_policy = "one_factor";
client_id = "immich";
client_secret =
"$pbkdf2-sha512$310000$wPpdmhrPqd.dU.tcLTh9nQ$du11GENjjxaXf5njeqnhpVgr8O9fCISulobjRStCsYJzY6i3aaOyiloRJHKDh.CC.4n1QVqsP.ty9Lo8UH3XvA";
redirect_uris = [
"https://immich.${domain}/auth/login"
"https://immich.${domain}/user-settings"
"app.immich:///oauth-callback"
];
scopes = [ "openid" "profile" "email" ];
userinfo_signed_response_alg = "none";
}];
};
};
};
};
}
modules/auth/default.nix
+8
View File
@@ -0,0 +1,8 @@
{ config, lib, pkgs, ... }:
{
imports = [
./authelia
./ldap
];
}
modules/auth/ldap/default.nix
+154
View File
@@ -0,0 +1,154 @@
# { config, lib, pkgs, ... }:
# with lib;
# let
# cfg = config.dov.auth.ldap;
# domainToDC = domain: "dc=" + (replaceStrings ["."] [",dc="] domain);
# baseDN = domainToDC cfg.domain;
# rootPasswordFile = config.sops.secrets."ldap/root".path;
# in
# {
# # --- Module Options ---
# options.dov.auth.ldap = {
# enable = mkEnableOption "Enable OpenLDAP service";
# domain = mkOption {
# type = types.str;
# default = "susano-nixos.duckdns.org";
# description = "The base domain for the LDAP directory.";
# };
# };
# # --- Module Configuration ---
# config = mkIf cfg.enable {
# sops.secrets = {
# "ldap/root" = {
# owner = config.services.openldap.user;
# group = config.services.openldap.group;
# mode = "0400";
# };
# "ldap/authelia" = mkIf config.dov.auth.authelia.enable {
# owner = config.services.openldap.user;
# group = config.services.openldap.group;
# mode = "0400";
# };
# };
# # --- Allow LDAP to use Traefik's SSL Certificates ---
# # Since Traefik is already getting valid certs for your domain, we reuse them for LDAPS.
# users.groups.acme.members = [ "openldap" ];
# security.acme = {
# acceptTerms = true;
# certs."${cfg.domain}" = {
# # This assumes your Traefik is getting certs for the root domain.
# # If not, you might need a separate cert definition here.
# };
# };
# # --- OpenLDAP Service Configuration ---
# services.openldap = {
# enable = true;
# # This provides the hashed password for the Root DN.
# passwordFile = cfg.rootPasswordFile;
# # --- Declarative Directory Information Tree (DIT) ---
# # This LDIF file defines the entire structure and initial data of your directory.
# ldifFile = pkgs.writeText "ldif-declarative" ''
# # The Base DN of your directory
# dn: ${baseDN}
# objectClass: top
# objectClass: dcObject
# objectClass: organization
# o: ${cfg.domain} organization
# dc: ${head (splitString "." cfg.domain)}
# # The Admin user for daily management
# # Note: This is different from the ultimate Root DN (cn=admin,${baseDN})
# dn: cn=admin,${baseDN}
# objectClass: simpleSecurityObject
# objectClass: organizationalRole
# cn: admin
# description: LDAP administrator
# # --- Standard Organizational Units (OUs) ---
# dn: ou=people,${baseDN}
# objectClass: organizationalUnit
# ou: people
# dn: ou=groups,${baseDN}
# objectClass: organizationalUnit
# ou: groups
# dn: ou=services,${baseDN}
# objectClass: organizationalUnit
# ou: services
# # --- Service Account for Authelia (read-only) ---
# dn: cn=authelia,ou=services,${baseDN}
# objectClass: inetOrgPerson
# objectClass: organizationalPerson
# objectClass: person
# objectClass: top
# cn: authelia
# sn: Service Account
# mail: authelia@${cfg.domain}
# # Special syntax to read the raw password from a file at runtime.
# userPassword:: file://${config.sops.secrets."ldap/authelia".path}
# # --- Initial Users and Groups ---
# # An example user 'jdoe'
# # dn: uid=jdoe,ou=people,${baseDN}
# # objectClass: inetOrgPerson
# # objectClass: organizationalPerson
# # objectClass: person
# # objectClass: top
# # uid: jdoe
# # cn: John Doe
# # sn: Doe
# # displayName: John Doe
# # mail: jdoe@${cfg.domain}
# # # Provide a hashed password for this user
# # userPassword: {SSHA}your-ssha-hash-for-jdoe
# # Example 'admins' group
# dn: cn=admins,ou=groups,${baseDN}
# objectClass: groupOfNames
# objectClass: top
# cn: admins
# # Add 'jdoe' to the admins group
# member: uid=jdoe,ou=people,${baseDN}
# # Example 'dev' group
# dn: cn=dev,ou=groups,${baseDN}
# objectClass: groupOfNames
# objectClass: top
# cn: dev
# '';
# # --- Security and Access Control ---
# # Enable LDAPS (LDAP over SSL) on port 636
# settings = {
# "olcTLSCertificateFile" = config.security.acme.certs."${cfg.domain}".cert;
# "olcTLSCertificateKeyFile" = config.security.acme.certs."${cfg.domain}".key;
# # Fine-grained Access Control Lists (ACLs)
# # Order matters: from most specific to most general.
# "olcAccess" = [
# # The admin user and root user have full control.
# "{0}to * by dn.base=\"cn=admin,${baseDN}\" write by dn.base=\"${config.services.openldap.rootDN}\" write by * break"
# # The authelia service account can read entries.
# "{1}to * by dn.base=\"cn=authelia,ou=services,${baseDN}\" read"
# # Users can change their own password.
# "{2}to attrs=userPassword by self write by anonymous auth by * none"
# # Users can read their own entry.
# "{3}to * by self read by * none"
# ];
# };
# };
# # --- Firewall ---
# # Open the LDAPS port. We do not open the unencrypted port 389.
# networking.firewall.allowedTCPPorts = [ 636 ];
# };
# }
{
}
modules/default.nix
+1
View File
@@ -8,5 +8,6 @@
./file-server ./file-server
./samba ./samba
./searxng ./searxng
./auth
]; ];
} }
modules/reverse-proxy/traefik/default.nix
+34 -12
View File
@@ -70,19 +70,28 @@ in {
dynamicConfigOptions = { dynamicConfigOptions = {
http = { http = {
routers = { routers = {
# --- Router for the Traefik dashboard (optional) --- authelia-router = mkIf config.dov.auth.authelia.enable {
dashboard-router = { rule = "Host(`auth.${domain}`)";
rule = "Host(`traefik.${domain}`)"; # Example: A local-only subdomain
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
service = "api@internal"; # Special service for the dashboard service = "authelia-service"; # Points to the Authelia service below
tls.certResolver = "duckdns"; tls.certResolver = "duckdns";
}; };
immich-router = { dashboard-router = {
rule = "Host(`immich.${domain}`)"; rule = "Host(`traefik.${domain}`)";
entryPoints = [ "websecure" ]; entryPoints = [ "websecure" ];
service = "immich-service"; service = "api@internal";
tls.certResolver = "duckdns"; tls = {
certResolver = "duckdns";
domains = [
{
main = "susano-nixos.duckdns.org";
sans = [
"*.susano-nixos.duckdns.org"
];
}
];
};
}; };
copyparty = mkIf config.dov.file-server.copyparty.enable { copyparty = mkIf config.dov.file-server.copyparty.enable {
@@ -101,10 +110,10 @@ in {
}; };
services = { services = {
immich-service = { authelia-service = mkIf config.dov.auth.authelia.enable {
loadBalancer.servers = [ loadBalancer.servers = [
# The backend URL for Immich # Points to the Authelia instance defined in authelia.nix
{ url = "http://192.168.1.57:2283"; } { url = "http://127.0.0.1:9091"; }
]; ];
}; };
@@ -132,10 +141,23 @@ in {
"your-user:$apr1$....some-hash-here...." "your-user:$apr1$....some-hash-here...."
]; ];
}; };
authelia-mw = mkIf config.dov.auth.authelia.enable {
forwardAuth = {
# This address MUST match the Authelia service URL
address = "http://127.0.0.1:9091/api/verify?rd=https%3A%2F%2Fauth.${domain}%2F";
trustForwardHeader = true;
authResponseHeaders = [
"Remote-User"
"Remote-Groups"
"Remote-Name"
"Remote-Email"
];
};
};
}; };
}; };
}; };
}; };
}; };
} }