diff --git a/hosts/db-01/default.nix b/hosts/db-01/default.nix
index 266d967..dcad648 100644
--- a/hosts/db-01/default.nix
+++ b/hosts/db-01/default.nix
@@ -23,9 +23,14 @@
 host all all 100.64.0.0/24 trust # trust tailnet
 '';
 ensureDatabases = [
+ "authelia"
 "lldap"
 ];
 ensureUsers = [
+ {
+ name = "authelia";
+ ensureDBOwnership = true;
+ }
 {
 name = "lldap";
 ensureDBOwnership = true;
diff --git a/hosts/hosting-01/auth/authelia.nix b/hosts/hosting-01/auth/authelia.nix
new file mode 100644
index 0000000..ce62ea5
--- /dev/null
+++ b/hosts/hosting-01/auth/authelia.nix
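Review bot: The new `authelia` role in `ensureUsers` is covered by the pre-existing context line `host all all 100.64.0.0/24 trust # trust tailnet`, so any node on the tailnet can open a session as `authelia` (or any other role) without presenting a credential, and the hosting-01 config in this same diff points Authelia's persistent storage (second-factor devices, OIDC consent and similar state) at this database. Because hosting-01 connects over TCP, `trust` means whatever password Authelia is configured with is simply never checked. Consider a dedicated, narrower entry ahead of the tailnet rule, e.g. `host authelia authelia <hosting-01 tailnet address>/32 scram-sha-256`, and set that role's password from a sops secret (`ensureUsers` does not set passwords, so this would need e.g. a `postStart` `ALTER ROLE ... PASSWORD` step — confirm against the module version in use). The `authentication` string and the rest of the postgresql block start outside the hunk, so I cannot see whether a more specific rule already precedes this one.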
@@ -0,0 +1,151 @@
+{ config, lib, ... }:
+{
+ services = {
+ authelia.instances.escapeangle = {
+ enable = true;
+
+ settings = {
+ theme = "auto";
+
+ authentication_backend.ldap = {
+ address = "ldap://localhost:3890";
+ base_dn = "dc=escapeangle,dc=com";
+ users_filter = "(&({username_attribute}={input})(objectClass=person))";
+ groups_filter = "(memberOf={dn})";
+ user = "uid=authelia,ou=people,dc=escapeangle,dc=com";
+ };
+
+ access_control = {
+ default_policy = "deny";
+ rules = lib.mkAfter [
+ {
+ domain = "*.escapeangle.com";
+ policy = "one_factor";
+ }
+ ];
+ };
+
+ storage.postgres = {
+ address = "db-01.tailnet.escapeangle.com";
+ database = "authelia";
+ username = "authelia";
+ password = "authelia"; # using peer auth
+ };
+
+ session = {
+ cookies = [
+ {
+ domain = "escapeangle.com";
+ authelia_url = "https://auth.escapeangle.com";
+ inactivity = "1M";
+ expiration = "3M";
+ remember_me = "1y";
+ }
+ ];
+ };
+
+ notifier.smtp = {
+ address = "smtp://mail.escapeangle.com:587";
+ username = "authelia@escapeangle.com";
+ sender = "authelia@escapeangle.com";
+
+ };
+
+ log.level = "info";
+
+ identity_providers.oidc = {
+ cors = {
+ endpoints = [ "token" ];
+ allowed_origins_from_client_redirect_uris = true;
+ };
+
+ authorization_policies.default = {
+ default_policy = "one_factor";
+ rules = [
+ {
+ policy = "deny";
+ subject = "group:lldap_strict_readonly";
+ }
+ ];
+ };
+
+ clients = [
+ {
+ client_id = "headscale";
+ client_name = "Headscale";
+ client_secret = "$pbkdf2-sha512$310000$fvaPyF69vBFs3oG1h4Qa1w$ezdJFynGV6bSA8UzGNangyOcaST7a3.LZ6WkVYeI.Ag5znxPsjmm9U23BL7OBMQWAY75CsvftYJWK5eE8nxi9A";
+ public = false;
+ authorization_policy = "two_factor";
+ require_pkce = true;
+ redirect_uris = [ "https://headscale.escapeangle.com/oidc/callback" ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ "groups"
+ ];
+ response_types = [ "code" ];
+ grant_types = [ "authorization_code" ];
+ access_token_signed_response_alg = "none";
+ userinfo_signed_response_alg = "none";
+ token_endpoint_auth_method = "client_secret_basic";
+ }
+ ];
+ };
+ };
+
+ secrets = with config.sops; {
+ jwtSecretFile = secrets."authelia/jwt_secret".path;
+ oidcIssuerPrivateKeyFile = secrets."authelia/jwks".path;
+ oidcHmacSecretFile = secrets."authelia/hmac_secret".path;
+ sessionSecretFile = secrets."authelia/session_secret".path;
+ storageEncryptionKeyFile = secrets."authelia/storage_encryption_key".path;
+ };
+
+ environmentVariables = with config.sops; {
+ AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+ secrets."authelia/lldap_authelia_password".path;
+ AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = secrets."authelia/smtp_password".path;
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."auth.escapeangle.com" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/" = {
+ proxyPass = "http://localhost:9091";
+ };
+ };
+
+ sops.secrets = {
+ "authelia/hmac_secret" = {
+ owner = "authelia-escapeangle";
+ sopsFile = ../secrets.yaml;
+ };
+ "authelia/jwks" = {
+ owner = "authelia-escapeangle";
+ sopsFile = ../secrets.yaml;
+ };
+ "authelia/jwt_secret" = {
+ owner = "authelia-escapeangle";
+ sopsFile = ../secrets.yaml;
+ };
+ "authelia/session_secret" = {
+ owner = "authelia-escapeangle";
+ sopsFile = ../secrets.yaml;
+ };
+ "authelia/storage_encryption_key" = {
+ owner = "authelia-escapeangle";
+ sopsFile = ../secrets.yaml;
+ };
+ "authelia/lldap_authelia_password" = {
+ owner = "authelia-escapeangle";
+ sopsFile = ../secrets.yaml;
+ };
+ "authelia/smtp_password" = {
+ owner = "authelia-escapeangle";
+ sopsFile = ../secrets.yaml;
+ };
+ };
+}
diff --git a/hosts/hosting-01/auth/default.nix b/hosts/hosting-01/auth/default.nix
index fb3cf91..aab3e21 100644
--- a/hosts/hosting-01/auth/default.nix
+++ b/hosts/hosting-01/auth/default.nix
@@ -1,6 +1,7 @@
 { ... }:
 {
 imports = [
+ ./authelia.nix
 ./lldap.nix
 ];
 }
diff --git a/hosts/hosting-01/secrets.yaml b/hosts/hosting-01/secrets.yaml
index 416b9da..f18681c 100644
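Review bot: `password = "authelia"; # using peer auth` in `storage.postgres` is misleading: the address is `db-01.tailnet.escapeangle.com`, a TCP connection, and peer authentication only exists for local Unix-socket connections — the db-01 hunk in this diff shows the tailnet range is `trust`, so this value is never checked and the comment should not suggest otherwise. If the role gets a real password, keep it out of the rendered settings file (which lands in the world-readable Nix store): drop the inline `password` and add `AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = secrets."authelia/storage_password".path;` to `environmentVariables` beside the LDAP and SMTP password files, with a matching `sops.secrets` entry. Separately, `inactivity = "1M"; expiration = "3M"` keeps a stolen session cookie valid for up to three months as long as it is used occasionally; something like `inactivity = "1h"; expiration = "1d"` with the existing `remember_me` is more usual for a portal that also fronts a `two_factor` OIDC client. The nginx vhost proxies to Authelia without `recommendedProxySettings = true`, so Authelia presumably sees every client as 127.0.0.1 in its logs and any address-based handling — worth checking against the Authelia reverse-proxy docs.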
--- a/hosts/hosting-01/secrets.yaml
+++ b/hosts/hosting-01/secrets.yaml
@@ -1,7 +1,19 @@
+authelia:
+ hmac_secret: ENC[AES256_GCM,data:BKW1DTLgoGR5Z+lJxIzDugqDaJD4I9YgwPYKvaY3GyLsjZ+A9YmAKrSVIxixjaV465H2dJU1Gy9IFf1fL1IdKw==,iv:u3lN2yXlJ53Q+KHwjKNOUz+wdFziFGRPYrWYPvPbp3M=,tag:CslQZLCB40KfPnsGNBQh3w==,type:str]
+ jwt_secret: ENC[AES256_GCM,data:4FvIOu8GFTLfQ5n5owAd2gJxLmamyZaciJFDXG50SADIaS/BTK0e1wp7lw6YvPFmNnpzfUcQ7jxmYatNU1wZjg==,iv:gEu/hOsKAGdXBbvXZAEqaE1a5mIYD4eS80WlxRbDLaM=,tag:2IfNyPZUTsnilPD9a1GBCw==,type:str]
+ jwks: ENC[AES256_GCM,data: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,iv:rN0J3aCHpdRSEyx8K8FQCuTvEBaKDV6+pQWZVB55wxo=,tag:StQWyn4EpUtRyium8Skg+Q==,type:str]
+ lldap_authelia_password: ENC[AES256_GCM,data:OdW47EXFf9AwDtnjy1BBeHnMA8Jj4SBjLIGMF8BR4sw=,iv:DWqLJ9Hu16H5mMUxDSEi78W9kdaPmGmtvd2PamM1NqY=,tag:1Im3hAAd17PWdSjH+w+LKA==,type:str]
+ session_secret: ENC[AES256_GCM,data:Xw4K4DA1jyJGg6nzLLv2y9j4vwoodHeZhL35DrNB9BKBx8Muv99BbPIvz3lDZ2xB2p+aqB+3WzY/8jgkANlgAg==,iv:CxMkaBnOty4Q7dFH6Kn5v3L+F5QWJP9TR86xVRXCKN8=,tag:KIa2BsNn5gzDiaOxEZ2LQg==,type:str]
+ smtp_password: ENC[AES256_GCM,data:L7yf9g01QysPSirr9IK5ITvnl6XNQONv1AS91zrkf7E=,iv:fRJ9ZIviravLvgdl5BigSoOjUiAfQGB492/bS5GvhL8=,tag:DLhVqa/2Xn/vdChz4/ZixA==,type:str]
+ storage_encryption_key: ENC[AES256_GCM,data:hl5ciFqrQzv0iGE1RlIFctDMIFv7QOrVqZfqWBuHqn792i8ewwQxWnWQOxglsxSmvZwWYK9c2FcPJuMBWsYlpg==,iv:FBJXZQeenoV84wGCDinerifofKMSqJIY9qw0o3qUmeY=,tag:cymRnw2Jp+VaOo/lhX1C8Q==,type:str]
 lldap:
 jwt_secret: ENC[AES256_GCM,data:9h7XljbIrLxK3ekcAP8dZTAwlx8u/2eLqdfRHhHn+Lwj/sav3QNmqgfee9pyHhaoLvgZKWwKr7I+ijLZtOpIgQ==,iv:+VZUqDTy9EOm65ATJ6fPGeyA6aR043VmvXTzVmeMH+o=,tag:8nyYCrwoZADmt05EgldymA==,type:str]
 key_seed: ENC[AES256_GCM,data:gt3jgAk4upREudd1HYXCSsqg6E3Vuq0WbiDSTjYZF+QJXa7cdq0Ke8XrjJVCAokbp7ZZsf1MMo/wEkr47HXggg==,iv:7xrMZrWNpsAtBoOx4p3RjaEJru9jXrdXkR/Z8rA4vwI=,tag:oLbli5vAw8X00eiD87sSCA==,type:str]
 admin_password: ENC[AES256_GCM,data:RBibqepGrtX8hKVzdcAtTbsVZg==,iv:RLu3JkhtmCfXVwZA8EX/dVgqqu7hWURIWNSywlW/8ew=,tag:jQXYo2a+Idh1AIfr1687gg==,type:str]
+oidc_clients:
+ headscale:
+ hashed: ENC[AES256_GCM,data:WWD40bVWbFAp1qIDHjKhc2UWTtCuVPaMrU+NqHBwvc7CDQ9CiUIb19vGqvUR11dhg5XyX2TgDRKuwRusA6Sv7cKjiLS7Mh1vkPi2rthYt/v5xKK0dvdI7VykkJQ1PV15VWumVuswhHuTu1FHweTA9dnMyaz4fE3cWerb22SRbT7LCko=,iv:psR3lnD/kO5+WTqcmTKbuOFfnd/YNZFR0qYYMGYgzhM=,tag:QPgfxytRP+X6mgtRqZngBg==,type:str]
+ unhashed: ENC[AES256_GCM,data:UPW0HSB712h6sjSHdEf3dsJ5iwodNyzutxPQy4tFdSrjoBRxzr0ad8uzOsMtqGX7fEt7w88QQBNNvki/9IXRfV07vQMAcOnN,iv:EvdLrxdhq6nLBc8zaGmImRRiuHZJ/R0cofuoj4RNUHI=,tag:R0DLJ0fngr4MRx38bZ9WWA==,type:str]
 sops:
 age:
 - recipient: age18g4z53ykxzq35dsjq3a2np4f88xwat0kwtax229l3zn0ykhlpvqqy8fgtv
@@ -13,8 +25,8 @@ sops:
 NW9CUkJQbis1NmpyU0xrb3J4UVNKTDgKsPFnlQBa8LGm6s8uZsUXq9RIt4WzzROc
 mz9dEVq/R54xvjMRltgzZyu54BWWOQYgkZUEhOnDoqwVnA7XwGGYtA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-06T18:36:06Z"
- mac: ENC[AES256_GCM,data:WoRdw4Vv8aHFz3dlyu28e/KSu+bKCKiNRV2JYLGZDxgl/fV0CLunhY3/jc+zddAJOd8Q8pO750mvAmgQ6wzTd90N8hQg4kP5Uqjajoi4iUTbWiPr6CGWwhqcl6HZ1M4Ei35MyQ/NXOECk4Ma9mMG9TyDxkd2jEQwpL2Wpus3uBg=,iv:N5UYoT1Zqznwgyrf3L4YESnX7/iLAXDuBW6+k39VHMc=,tag:nlBlAnoU3fFTU4Nf0njpLA==,type:str]
+ lastmodified: "2025-07-07T11:53:55Z"
+ mac: ENC[AES256_GCM,data:UneR3XJjMXINseZN8LXmdKiu72gz70Py4NSc+PW/kFtio9BBXazYf/sGwSI5FhPk1IxeA79pptpSJSZsCqjS5AGgrDZg4npYzyNyoop11SVcwNLJgH5qp3xQmy7i7wk8v9qnafRCdsp3eeCYkMgCrGLLVntymY1mV8n1O+UW7FI=,iv:OsxM2DJCtEo/vb6k3pTsnzC+OOc7988WHtE7R8yoiRI=,tag:d01skLc0/EbFFNmOd5sgaw==,type:str]
 pgp:
 - created_at: "2025-07-06T18:28:35Z"
 enc: |-
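Review bot: The headscale client secret now lives in three places — `oidc_clients.headscale.hashed` and `oidc_clients.headscale.unhashed` added here, plus the PBKDF2 hash pasted inline into `authelia.nix` in this same diff — and nothing in the diff reads the two sops entries, so on rotation the copies will drift silently and Authelia will keep validating against the stale inline hash. Keep the plaintext only where the relying party (headscale) actually consumes it, and either have the Authelia config read the sops `hashed` value (e.g. through an extra settings file rendered from the secret, if the module version in use supports that) or drop the sops copy so there is a single source of truth. The trailing `sops:` metadata hunk continues past the end of what I can see.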