diff --git a/hosts/sakura/services/authelia.nix b/hosts/sakura/services/authelia.nix
new file mode 100644
index 0000000..9b49a20
--- /dev/null
+++ b/hosts/sakura/services/authelia.nix
@@ -0,0 +1,59 @@
+{config, ...}: {
+ networking.firewall.allowedTCPPorts = [9091];
+ sops.secrets.authelia-jwt = {owner = config.systemd.services.authelia-default.serviceConfig.User;};
+ sops.secrets.authelia-sek = {owner = config.systemd.services.authelia-default.serviceConfig.User;};
+ services.authelia.instances.default = {
+ enable = true;
+ secrets = {
+ jwtSecretFile = config.sops.secrets.authelia-jwt.path;
+ storageEncryptionKeyFile = config.sops.secrets.authelia-sek.path;
+ };
+ settings = {
+ log.level = "debug";
+ theme = "dark";
+ default_2fa_method = "totp";
+ default_redirection_url = "https://passport.notohh.dev/";
+ authentication_backend = {
+ file.path = "/etc/authelia/user.yml";
+ };
+ session = {
+ domain = "notohh.dev";
+ expiration = 3600;
+ inactivity = 300;
+ };
+ totp = {
+ issuer = "authelia.com";
+ disable = false;
+ algorithm = "sha1";
+ digits = 6;
+ period = 30;
+ skew = 1;
+ secret_size = 32;
+ };
+ server = {
+ host = "0.0.0.0";
+ port = 9091;
+ };
+ access_control = {
+ default_policy = "deny";
+ rules = [
+ {
+ domain = "notohh.dev";
+ policy = "bypass";
+ }
+ ];
+ };
+ regulation = {
+ max_retries = 3;
+ find_time = 120;
+ ban_time = 300;
+ };
+ notifier.filesystem = {
+ filename = "/var/lib/authelia-default/notif.txt";
+ };
+ storage.local = {
+ path = "/var/lib/authelia-default/db.sqlite3";
+ };
+ };
+ };
+}
diff --git a/hosts/sakura/services/default.nix b/hosts/sakura/services/default.nix
index ef4b5e0..5a454c2 100644
--- a/hosts/sakura/services/default.nix
+++ b/hosts/sakura/services/default.nix
@@ -1,6 +1,7 @@
 {...}: {
 imports = [
 ./traefik.nix
+ ./authelia.nix
 ./hugo.nix
 ./foundryvtt.nix
 ./forgejo.nix
diff --git a/hosts/sakura/services/traefik.nix b/hosts/sakura/services/traefik.nix
index 18a774d..ab7f083 100644
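Review bot: `networking.firewall.allowedTCPPorts = [9091];` together with `server.host = "0.0.0.0";` exposes the Authelia portal and its `/api/verify` endpoint on every interface over plain HTTP, while the Traefik side of this change only ever reaches it at `http://localhost:9091`; binding to loopback with `host = "127.0.0.1";` and dropping the firewall line keeps Authelia reachable only through Traefik's TLS entrypoint. The access-control block also needs a second look: `default_policy = "deny"` with a single `bypass` rule for `notohh.dev` means the one router that receives the `authelia` middleware (the hugo router on that same host) is never challenged, and any other router handed the middleware later is denied outright instead of being sent to the login page, so a `one_factor` or `two_factor` rule for the domains meant to be protected is probably what was intended. `log.level = "debug"` is also very chatty for a service that handles credentials and session identifiers; `info` is a safer default once the setup is verified.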
--- a/hosts/sakura/services/traefik.nix
+++ b/hosts/sakura/services/traefik.nix
@@ -1,6 +1,6 @@
 {config, ...}: {
 sops.secrets.cloudflare-api-key = {};
- networking.firewall.allowedTCPPorts = [80 443];
+ networking.firewall.allowedTCPPorts = [80 443 8080];
 systemd.services.traefik = {
 environment = {
 CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
@@ -12,6 +12,12 @@
 services.traefik = {
 enable = true;
 dynamicConfigOptions = {
+ http.middlewares.authelia = {
+ forwardauth = {
+ address = "http://localhost:9091/api/verify?rd=https://passport.notohh.dev/";
+ trustForwardHeader = true;
+ };
+ };
 http = {
 routers = {
 api = {
@@ -34,12 +40,20 @@
 entrypoints = ["web"];
 service = "dashdot";
 };
+ authelia = {
+ rule = "Host(`passport.notohh.dev`)";
+ entrypoints = ["websecure"];
+ service = "authelia";
+ tls.domains = [{main = "*.notohh.dev";}];
+ tls.certresolver = "production";
+ };
 hugo = {
 rule = "Host(`notohh.dev`)";
- entryPoints = ["websecure"];
+ entrypoints = ["websecure"];
 service = "hugo";
 tls.domains = [{main = "*.notohh.dev";}];
 tls.certresolver = "production";
+ middlewares = "authelia";
 };
 foundryvtt = {
 rule = "Host(`foundry.notohh.dev`)";
@@ -92,6 +106,7 @@
 };
 };
 services = {
+ authelia.loadBalancer.servers = [{url = "http://localhost:9091";}];
 dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}];
 hugo.loadBalancer.servers = [{url = "http://localhost:1313";}];
 jellyfin.loadBalancer.servers = [{url = "http://localhost:8096";}];
@@ -123,6 +138,11 @@
 forwardedHeaders.insecure = true;
 };
 };
+ metrics = {
+ prometheus = {
+ addServicesLabels = true;
+ };
+ };
 certificatesResolvers = {
 staging.acme = {
 email = "x3xr6n66@notohh.dev";
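Review bot: `trustForwardHeader = true;` on the new forwardauth middleware makes Traefik relay the client-supplied `X-Forwarded-*` headers to Authelia's `/api/verify`, which derives the requested host and URL from those headers when choosing an access-control rule; together with the `forwardedHeaders.insecure = true;` visible as context in the last hunk (its entrypoint definition starts outside the hunk), nothing strips those headers from untrusted clients, so the rule lookup can be steered by the caller rather than by the router that actually matched. Leave `trustForwardHeader` unset so Traefik writes its own forwarded headers, or replace `insecure = true` with `forwardedHeaders.trustedIPs` listing only the upstream proxy addresses. Separately, the first hunk adds 8080 to `allowedTCPPorts` with nothing in the diff showing what binds there; if it is Traefik's default `traefik` entrypoint, the API router and the Prometheus metrics added in the last hunk (which default to that entrypoint) become reachable unauthenticated from the network, so scope that port to the interface the scraper uses or serve metrics from an internally bound entrypoint.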