sakura: init authelia

notohh 2023-06-19 18:43:32 -04:00
parent 1d21825c7b
commit 4c2dfb4f0c
Signed by: notohh
GPG key ID: BD47506D475EE86D
3 changed files with 82 additions and 2 deletions


@ -0,0 +1,59 @@
{config, ...}: {
networking.firewall.allowedTCPPorts = [9091];
sops.secrets.authelia-jwt = {owner = config.systemd.services.authelia-default.serviceConfig.User;};
sops.secrets.authelia-sek = {owner = config.systemd.services.authelia-default.serviceConfig.User;};
services.authelia.instances.default = {
enable = true;
secrets = {
jwtSecretFile = config.sops.secrets.authelia-jwt.path;
storageEncryptionKeyFile = config.sops.secrets.authelia-sek.path;
};
settings = {
log.level = "debug";
theme = "dark";
default_2fa_method = "totp";
default_redirection_url = "https://passport.notohh.dev/";
authentication_backend = {
file.path = "/etc/authelia/user.yml";
};
session = {
domain = "notohh.dev";
expiration = 3600;
inactivity = 300;
};
totp = {
issuer = "authelia.com";
disable = false;
algorithm = "sha1";
digits = 6;
period = 30;
skew = 1;
secret_size = 32;
};
server = {
host = "0.0.0.0";
port = 9091;
};
access_control = {
default_policy = "deny";
rules = [
{
domain = "notohh.dev";
policy = "bypass";
}
];
};
regulation = {
max_retries = 3;
find_time = 120;
ban_time = 300;
};
notifier.filesystem = {
filename = "/var/lib/authelia-default/notif.txt";
};
storage.local = {
path = "/var/lib/authelia-default/db.sqlite3";
};
};
};
}
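Review bot: `networking.firewall.allowedTCPPorts = [9091]` together with `server.host = "0.0.0.0"` exposes the Authelia portal over plain HTTP on every interface, while the Traefik side of this commit only ever reaches it through `http://localhost:9091`; the firewall opening looks unnecessary and should be dropped, or `server.host` set to `"127.0.0.1"`, so the portal is reachable only via the TLS-terminating `passport.notohh.dev` router. The single `access_control` rule grants `policy = "bypass"` for `notohh.dev`, which is the very host the `hugo` router now protects with the `authelia` middleware, so that router will never challenge anyone; if the intent is to require login there, use `policy = "one_factor"` (or `"two_factor"`) and keep `bypass` for the hosts that should stay public. `log.level = "debug"` records request details that do not belong in a long-lived journal; `"info"` is the usual setting once the instance is working. No session secret is configured here even though the NixOS module exposes `secrets.sessionSecretFile` for it — confirm the service starts and sessions survive restarts without one.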


@ -1,6 +1,7 @@
{...}: { {...}: {
imports = [ imports = [
./traefik.nix ./traefik.nix
./authelia.nix
./hugo.nix ./hugo.nix
./foundryvtt.nix ./foundryvtt.nix
./forgejo.nix ./forgejo.nix


@ -1,6 +1,6 @@
{config, ...}: { {config, ...}: {
sops.secrets.cloudflare-api-key = {}; sops.secrets.cloudflare-api-key = {};
networking.firewall.allowedTCPPorts = [80 443]; networking.firewall.allowedTCPPorts = [80 443 8080];
systemd.services.traefik = { systemd.services.traefik = {
environment = { environment = {
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev"; CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
@ -12,6 +12,12 @@
services.traefik = { services.traefik = {
enable = true; enable = true;
dynamicConfigOptions = { dynamicConfigOptions = {
http.middlewares.authelia = {
forwardauth = {
address = "http://localhost:9091/api/verify?rd=https://passport.notohh.dev/";
trustForwardHeader = true;
};
};
http = { http = {
routers = { routers = {
api = { api = {
@ -34,12 +40,20 @@
entrypoints = ["web"]; entrypoints = ["web"];
service = "dashdot"; service = "dashdot";
}; };
authelia = {
rule = "Host(`passport.notohh.dev`)";
entrypoints = ["websecure"];
service = "authelia";
tls.domains = [{main = "*.notohh.dev";}];
tls.certresolver = "production";
};
hugo = { hugo = {
rule = "Host(`notohh.dev`)"; rule = "Host(`notohh.dev`)";
entryPoints = ["websecure"]; entrypoints = ["websecure"];
service = "hugo"; service = "hugo";
tls.domains = [{main = "*.notohh.dev";}]; tls.domains = [{main = "*.notohh.dev";}];
tls.certresolver = "production"; tls.certresolver = "production";
middlewares = "authelia";
}; };
foundryvtt = { foundryvtt = {
rule = "Host(`foundry.notohh.dev`)"; rule = "Host(`foundry.notohh.dev`)";
@ -92,6 +106,7 @@
}; };
}; };
services = { services = {
authelia.loadBalancer.servers = [{url = "http://localhost:9091";}];
dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}]; dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}];
hugo.loadBalancer.servers = [{url = "http://localhost:1313";}]; hugo.loadBalancer.servers = [{url = "http://localhost:1313";}];
jellyfin.loadBalancer.servers = [{url = "http://localhost:8096";}]; jellyfin.loadBalancer.servers = [{url = "http://localhost:8096";}];
@ -123,6 +138,11 @@
forwardedHeaders.insecure = true; forwardedHeaders.insecure = true;
}; };
}; };
metrics = {
prometheus = {
addServicesLabels = true;
};
};
certificatesResolvers = { certificatesResolvers = {
staging.acme = { staging.acme = {
email = "x3xr6n66@notohh.dev"; email = "x3xr6n66@notohh.dev";
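Review bot: `middlewares = "authelia";` on the `hugo` router is a bare string, but Traefik's router `middlewares` field is a list, so this should most likely read `middlewares = ["authelia"];` — confirm against the file-provider schema that the dynamic config loads rather than the router being rejected. Adding 8080 to `networking.firewall.allowedTCPPorts` exposes whatever Traefik binds on that port — with default entrypoint names that is the `traefik` entrypoint carrying the API/dashboard and, once the new `metrics.prometheus` block is active, the metrics endpoint — to every peer the firewall admits; if the scraper is local, keep 8080 closed or bind that entrypoint to a loopback address. The new `forwardauth` middleware sets `trustForwardHeader = true` while the unchanged `forwardedHeaders.insecure = true` above the metrics block makes Traefik accept `X-Forwarded-*` headers from any client, so the values handed to Authelia's `/api/verify` are client-controlled; limiting the entrypoint to `forwardedHeaders.trustedIPs` is the safer form. The `services.traefik` settings block these hunks modify starts and ends outside the shown lines.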