Compare commits
2 commits
1d21825c7b
...
23209d82a4
| Author | SHA1 | Date | |
|---|---|---|---|
23209d82a4
|
|||
|
4c2dfb4f0c
|
4 changed files with 87 additions and 5 deletions
59
hosts/sakura/services/authelia.nix
Normal file
59
hosts/sakura/services/authelia.nix
Normal file
|
|
@ -0,0 +1,59 @@
|
||||||
|
{config, ...}: {
|
||||||
|
networking.firewall.allowedTCPPorts = [9091];
|
||||||
|
sops.secrets.authelia-jwt = {owner = config.systemd.services.authelia-default.serviceConfig.User;};
|
||||||
|
sops.secrets.authelia-sek = {owner = config.systemd.services.authelia-default.serviceConfig.User;};
|
||||||
|
services.authelia.instances.default = {
|
||||||
|
enable = true;
|
||||||
|
secrets = {
|
||||||
|
jwtSecretFile = config.sops.secrets.authelia-jwt.path;
|
||||||
|
storageEncryptionKeyFile = config.sops.secrets.authelia-sek.path;
|
||||||
|
};
|
||||||
|
settings = {
|
||||||
|
log.level = "debug";
|
||||||
|
theme = "dark";
|
||||||
|
default_2fa_method = "totp";
|
||||||
|
default_redirection_url = "https://passport.notohh.dev/";
|
||||||
|
authentication_backend = {
|
||||||
|
file.path = "/etc/authelia/user.yml";
|
||||||
|
};
|
||||||
|
session = {
|
||||||
|
domain = "notohh.dev";
|
||||||
|
expiration = 3600;
|
||||||
|
inactivity = 300;
|
||||||
|
};
|
||||||
|
totp = {
|
||||||
|
issuer = "authelia.com";
|
||||||
|
disable = false;
|
||||||
|
algorithm = "sha1";
|
||||||
|
digits = 6;
|
||||||
|
period = 30;
|
||||||
|
skew = 1;
|
||||||
|
secret_size = 32;
|
||||||
|
};
|
||||||
|
server = {
|
||||||
|
host = "0.0.0.0";
|
||||||
|
port = 9091;
|
||||||
|
};
|
||||||
|
access_control = {
|
||||||
|
default_policy = "deny";
|
||||||
|
rules = [
|
||||||
|
{
|
||||||
|
domain = "notohh.dev";
|
||||||
|
policy = "bypass";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
regulation = {
|
||||||
|
max_retries = 3;
|
||||||
|
find_time = 120;
|
||||||
|
ban_time = 300;
|
||||||
|
};
|
||||||
|
notifier.filesystem = {
|
||||||
|
filename = "/var/lib/authelia-default/notif.txt";
|
||||||
|
};
|
||||||
|
storage.local = {
|
||||||
|
path = "/var/lib/authelia-default/db.sqlite3";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
||||||
|
|
@ -1,6 +1,7 @@
|
||||||
{...}: {
|
{...}: {
|
||||||
imports = [
|
imports = [
|
||||||
./traefik.nix
|
./traefik.nix
|
||||||
|
./authelia.nix
|
||||||
./hugo.nix
|
./hugo.nix
|
||||||
./foundryvtt.nix
|
./foundryvtt.nix
|
||||||
./forgejo.nix
|
./forgejo.nix
|
||||||
|
|
|
||||||
|
|
@ -1,6 +1,6 @@
|
||||||
{config, ...}: {
|
{config, ...}: {
|
||||||
sops.secrets.cloudflare-api-key = {};
|
sops.secrets.cloudflare-api-key = {};
|
||||||
networking.firewall.allowedTCPPorts = [80 443];
|
networking.firewall.allowedTCPPorts = [80 443 8080];
|
||||||
systemd.services.traefik = {
|
systemd.services.traefik = {
|
||||||
environment = {
|
environment = {
|
||||||
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
|
CLOUDFLARE_EMAIL = "jch0tm2e@notohh.dev";
|
||||||
|
|
@ -12,6 +12,12 @@
|
||||||
services.traefik = {
|
services.traefik = {
|
||||||
enable = true;
|
enable = true;
|
||||||
dynamicConfigOptions = {
|
dynamicConfigOptions = {
|
||||||
|
http.middlewares.authelia = {
|
||||||
|
forwardauth = {
|
||||||
|
address = "http://localhost:9091/api/verify?rd=https://passport.notohh.dev/";
|
||||||
|
trustForwardHeader = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
http = {
|
http = {
|
||||||
routers = {
|
routers = {
|
||||||
api = {
|
api = {
|
||||||
|
|
@ -34,12 +40,20 @@
|
||||||
entrypoints = ["web"];
|
entrypoints = ["web"];
|
||||||
service = "dashdot";
|
service = "dashdot";
|
||||||
};
|
};
|
||||||
|
authelia = {
|
||||||
|
rule = "Host(`passport.notohh.dev`)";
|
||||||
|
entrypoints = ["websecure"];
|
||||||
|
service = "authelia";
|
||||||
|
tls.domains = [{main = "*.notohh.dev";}];
|
||||||
|
tls.certresolver = "production";
|
||||||
|
};
|
||||||
hugo = {
|
hugo = {
|
||||||
rule = "Host(`notohh.dev`)";
|
rule = "Host(`notohh.dev`)";
|
||||||
entryPoints = ["websecure"];
|
entrypoints = ["websecure"];
|
||||||
service = "hugo";
|
service = "hugo";
|
||||||
tls.domains = [{main = "*.notohh.dev";}];
|
tls.domains = [{main = "*.notohh.dev";}];
|
||||||
tls.certresolver = "production";
|
tls.certresolver = "production";
|
||||||
|
middlewares = "authelia";
|
||||||
};
|
};
|
||||||
foundryvtt = {
|
foundryvtt = {
|
||||||
rule = "Host(`foundry.notohh.dev`)";
|
rule = "Host(`foundry.notohh.dev`)";
|
||||||
|
|
@ -92,6 +106,7 @@
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
services = {
|
services = {
|
||||||
|
authelia.loadBalancer.servers = [{url = "http://localhost:9091";}];
|
||||||
dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}];
|
dashdot.loadBalancer.servers = [{url = "http://localhost:4000";}];
|
||||||
hugo.loadBalancer.servers = [{url = "http://localhost:1313";}];
|
hugo.loadBalancer.servers = [{url = "http://localhost:1313";}];
|
||||||
jellyfin.loadBalancer.servers = [{url = "http://localhost:8096";}];
|
jellyfin.loadBalancer.servers = [{url = "http://localhost:8096";}];
|
||||||
|
|
@ -123,6 +138,11 @@
|
||||||
forwardedHeaders.insecure = true;
|
forwardedHeaders.insecure = true;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
metrics = {
|
||||||
|
prometheus = {
|
||||||
|
addServicesLabels = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
certificatesResolvers = {
|
certificatesResolvers = {
|
||||||
staging.acme = {
|
staging.acme = {
|
||||||
email = "x3xr6n66@notohh.dev";
|
email = "x3xr6n66@notohh.dev";
|
||||||
|
|
|
||||||
|
|
@ -7,7 +7,9 @@ woodpecker-server: ENC[AES256_GCM,data:elB9cO9bM3B4aRadcma42tz5TFdXRPN4RS71PDfqK
|
||||||
woodpecker-agent-secret: ENC[AES256_GCM,data:Xfz8OEQqcqeb9zi531zhfitbDbfxtVAsf4JFmmqpAL9rMsQwRl8vWVp3m23yEl6F5f67+Bf26GAlPwWT8hVCAA==,iv:fCoBgR1L1niZaa/HCCfJTsrJvOrlGv0Fa7zcTL6s118=,tag:SOE/4MOp6tx+eTr4vrxxGA==,type:str]
|
woodpecker-agent-secret: ENC[AES256_GCM,data:Xfz8OEQqcqeb9zi531zhfitbDbfxtVAsf4JFmmqpAL9rMsQwRl8vWVp3m23yEl6F5f67+Bf26GAlPwWT8hVCAA==,iv:fCoBgR1L1niZaa/HCCfJTsrJvOrlGv0Fa7zcTL6s118=,tag:SOE/4MOp6tx+eTr4vrxxGA==,type:str]
|
||||||
attic-secret: ENC[AES256_GCM,data:dHKfY7zNz5cH2pOiK6evuZv/WMt+VHhzeOB2E3kgcEvB7uCTcC1xRtyyCpCpsBZiTJg6RRHKPf0RO8pF3NIrKlTMQZvnzlTOW7baNlOXDPGrgTfH78/a3o+laVUeBozTIvvi8fkztJjUq3VcSPRkkdzo6OCwft70R3dbYmqPQ3vd,iv:MrJ55LJMBlGik0LW1Co99pHiK4JysoBJtJvW6Rgx4Bs=,tag:eW2kdbTJ7LQy8QlRr5NkTg==,type:str]
|
attic-secret: ENC[AES256_GCM,data:dHKfY7zNz5cH2pOiK6evuZv/WMt+VHhzeOB2E3kgcEvB7uCTcC1xRtyyCpCpsBZiTJg6RRHKPf0RO8pF3NIrKlTMQZvnzlTOW7baNlOXDPGrgTfH78/a3o+laVUeBozTIvvi8fkztJjUq3VcSPRkkdzo6OCwft70R3dbYmqPQ3vd,iv:MrJ55LJMBlGik0LW1Co99pHiK4JysoBJtJvW6Rgx4Bs=,tag:eW2kdbTJ7LQy8QlRr5NkTg==,type:str]
|
||||||
gluetun: ENC[AES256_GCM,data:yL+LOPpwU+CAtbjc7YWbNUOTpDhq4mH3aJOl3hPYxgbFUba6NVJQ73mFt7BF+PXeqA/ilbZJW3GbCfAoXWLDP3qzFYqs9XeEV/FhHznkVHB88xdr+Fbv7cuCEa7PnnYbSiwr/R68EZLsGSr+u99+uu1TH6ABXG9nJna0bkwkTfx6ui/Yc2GndWS+Ew==,iv:rYdMasJS1LqMGvMYFyAdEkoTLtOHrZHGcfBOvbn63bg=,tag:YNcP/pvgKHPYNhAwVGdFHw==,type:str]
|
gluetun: ENC[AES256_GCM,data:yL+LOPpwU+CAtbjc7YWbNUOTpDhq4mH3aJOl3hPYxgbFUba6NVJQ73mFt7BF+PXeqA/ilbZJW3GbCfAoXWLDP3qzFYqs9XeEV/FhHznkVHB88xdr+Fbv7cuCEa7PnnYbSiwr/R68EZLsGSr+u99+uu1TH6ABXG9nJna0bkwkTfx6ui/Yc2GndWS+Ew==,iv:rYdMasJS1LqMGvMYFyAdEkoTLtOHrZHGcfBOvbn63bg=,tag:YNcP/pvgKHPYNhAwVGdFHw==,type:str]
|
||||||
miniflux: ENC[AES256_GCM,data:Ug7i6US14DKf0WvCdk07oganRcepD6GbrX7fKKDYhfpoIsksZCWQPLNCxO+uBHm4xAf7e+bk,iv:biWn2ou2chR0gDJM0dEFbAojVHrM7BFvwZ/xtk9f4og=,tag:deFNV/lCNEz0F8yBwCnVyw==,type:str]
|
miniflux: ENC[AES256_GCM,data:cEaquTD8Vr6pdAIK07QB/8OddXdRTf9SCD2yvzBi6De42sxYlbmwPTxzDu63R641JnoPRNIc,iv:RfQmmzPeHJOBFTYAEcHg0aRj+uugy4pIonR+m9BUws8=,tag:06EinGKF+MXO2K54Wjbdmw==,type:str]
|
||||||
|
authelia-jwt: ENC[AES256_GCM,data:cAn2uZeSGjG2FqTFgZkupcSutCZLvZXCNBsxuUQvGX4=,iv:1OTDQzQwaPTmnTEB4TfnxU6l8CdBAlHfqFThE8QZa6A=,tag:KJ6aYDczHFajhLJHemfIQw==,type:str]
|
||||||
|
authelia-sek: ENC[AES256_GCM,data:yWhAvl1AuEcrUCFAv2vcz6A8BLEIMIz9sqbFRAriHpw=,iv:i887EZgqGtRfFs6mHHAJry0XfQzvrTaDliz8PRh7oLs=,tag:dmn2GSG8gZk9CVXMNmH1Dw==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
|
@ -23,8 +25,8 @@ sops:
|
||||||
YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
|
YWNQcURKMSs2U0pOa3E0cTdCZ3RnalkKGayA7DBUQS+kn+6OYVBc6oTunF0qeZdt
|
||||||
5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
|
5b9DLHgh0HRWFm09XGSOog8K315d93Wzblw1My1/dXeEQX/ryinqUQ==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2023-06-19T09:08:32Z"
|
lastmodified: "2023-06-19T20:34:23Z"
|
||||||
mac: ENC[AES256_GCM,data:0F4X7gdqDin1iXKB0iknrhYXPdw40uhEfgjSEdj47HhMHsQofDX/74jl6U3fGaAt7Gp8mhbqaE9ZdU2eYzU7kpX/zYExnEwEjwwzD/S5Qpovl6YbfQgZ1F1iGmohCZK1r8GXV5pnvzmqrJyZL1b8g0jSeC10CFGEqCCnaUjLe8Y=,iv:2/615IMcdghY0juFyGOEWILf+5ACNk/6BZoglU75fI4=,tag:Nup4fpsidj/Usxu6GKGp3w==,type:str]
|
mac: ENC[AES256_GCM,data:Loc5ydaxx63TE0uK7rfKLx3vl6BxNaTiTLrOYNUXVvtgGramkgnlM2gO5soHV1XetZEdNMljqenKZvVHGFmg8uhYAyRQjo1SbwcBMlqFFBhywxaQBm1kLF2Z8x6RDnXfFJCcA5ejafD/VAR4rUghj+FgLhe1OtBdr3XUOTiB99k=,iv:XyLv6WPgux4R5r4e8E9vDNEXjXxtfWu6iITGqcdcDz4=,tag:VP2sn/j90eFOOyV44ai8TQ==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
unencrypted_suffix: _unencrypted
|
unencrypted_suffix: _unencrypted
|
||||||
version: 3.7.3
|
version: 3.7.3
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue