lander/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat: add authelia

Browse source 
Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
This commit is contained in:
Lander Van den Bulcke 2025-07-07 11:18:06 +02:00
parent 820cb47af0
commit 813ddd2c0d
Signed by: lander
GPG key ID: 0142722B4B0C536F
4 changed files with 171 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

151
hosts/hosting-01/auth/authelia.nix Normal file
View file

@ -0,0 +1,151 @@
{ config, lib, ... }:
{
services = {
authelia.instances.escapeangle = {
enable = true;
settings = {
theme = "auto";
authentication_backend.ldap = {
address = "ldap://localhost:3890";
base_dn = "dc=escapeangle,dc=com";
users_filter = "(&({username_attribute}={input})(objectClass=person))";
groups_filter = "(memberOf={dn})";
user = "uid=authelia,ou=people,dc=escapeangle,dc=com";
};
access_control = {
default_policy = "deny";
rules = lib.mkAfter [
{
domain = "*.escapeangle.com";
policy = "one_factor";
}
];
};
storage.postgres = {
address = "db-01.tailnet.escapeangle.com";
database = "authelia";
username = "authelia";
password = "authelia"; # using peer auth
};
session = {
cookies = [
{
domain = "escapeangle.com";
authelia_url = "https://auth.escapeangle.com";
inactivity = "1M";
expiration = "3M";
remember_me = "1y";
}
];
};
notifier.smtp = {
address = "smtp://mail.escapeangle.com:587";
username = "authelia@escapeangle.com";
sender = "authelia@escapeangle.com";
};
log.level = "info";
identity_providers.oidc = {
cors = {
endpoints = [ "token" ];
allowed_origins_from_client_redirect_uris = true;
};
authorization_policies.default = {
default_policy = "one_factor";
rules = [
{
policy = "deny";
subject = "group:lldap_strict_readonly";
}
];
};
clients = [
{
client_id = "headscale";
client_name = "Headscale";
client_secret = "$pbkdf2-sha512$310000$fvaPyF69vBFs3oG1h4Qa1w$ezdJFynGV6bSA8UzGNangyOcaST7a3.LZ6WkVYeI.Ag5znxPsjmm9U23BL7OBMQWAY75CsvftYJWK5eE8nxi9A";
public = false;
authorization_policy = "two_factor";
require_pkce = true;
redirect_uris = [ "https://headscale.escapeangle.com/oidc/callback" ];
scopes = [
"openid"
"email"
"profile"
"groups"
];
response_types = [ "code" ];
grant_types = [ "authorization_code" ];
access_token_signed_response_alg = "none";
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
}
];
};
};
secrets = with config.sops; {
jwtSecretFile = secrets."authelia/jwt_secret".path;
oidcIssuerPrivateKeyFile = secrets."authelia/jwks".path;
oidcHmacSecretFile = secrets."authelia/hmac_secret".path;
sessionSecretFile = secrets."authelia/session_secret".path;
storageEncryptionKeyFile = secrets."authelia/storage_encryption_key".path;
};
environmentVariables = with config.sops; {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
secrets."authelia/lldap_authelia_password".path;
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = secrets."authelia/smtp_password".path;
};
};
};
services.nginx.virtualHosts."auth.escapeangle.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9091";
};
};
sops.secrets = {
"authelia/hmac_secret" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
"authelia/jwks" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
"authelia/jwt_secret" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
"authelia/session_secret" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
"authelia/storage_encryption_key" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
"authelia/lldap_authelia_password" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
"authelia/smtp_password" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
};
}

1
hosts/hosting-01/auth/default.nix
View file

@ -1,6 +1,7 @@
{ ... }:
{
imports = [
./authelia.nix
./lldap.nix
];
}