authelia middleware

Author: IogaMaster

hosts/equinox/config.nix

@@ -28,35 +28,33 @@ in {
     apps.tools.git.enable = true;
   };
 
-  services.jellyfin = {
-    enable = true;
-    openFirewall = true; # Not strictly needed if Caddy is on the same machine
-  };
-
-  networking.firewall.allowedTCPPorts = [
-    8096 # Jellyfin
-    8301 # Consul Gossip
-    8300 # Consul RPC
-  ];
-
-  services.consul = {
-    enable = true;
-    extraConfig = {
-      server = false;
-      retry_join = [ "192.168.25.131" ];
-      bind_addr = ''{{ GetPrivateInterfaces | attr "address" }}'';
-      services = [{
-        name = "jellyfin";
-        port = 8096;
-        tags = [ "media" "public" ];
-        check = {
-          http = "http://127.0.0.1:8096/health";
-          interval = "10s";
-          timeout = "1s";
-        };
-      }];
-    };
-  };
-
-  impermanence.enable = true;
+  # services.jellyfin = {
+  #   enable = true;
+  #   openFirewall = true; # Not strictly needed if Caddy is on the same machine
+  # };
+  #
+  # networking.firewall.allowedTCPPorts = [
+  #   8096 # Jellyfin
+  #   8301 # Consul Gossip
+  #   8300 # Consul RPC
+  # ];
+  #
+  # services.consul = {
+  #   enable = true;
+  #   extraConfig = {
+  #     server = false;
+  #     retry_join = [ "192.168.25.131" ];
+  #     bind_addr = ''{{ GetPrivateInterfaces | attr "address" }}'';
+  #     services = [{
+  #       name = "jellyfin";
+  #       port = 8096;
+  #       tags = [ "media" "public" ];
+  #       check = {
+  #         http = "http://127.0.0.1:8096/health";
+  #         interval = "10s";
+  #         timeout = "1s";
+  #       };
+  #     }];
+  #   };
+  # };
 }

hosts/neutrino/config.nix

@@ -40,6 +40,4 @@ in {
       };
     };
   };
-
-  impermanence.enable = true;
 }

modules/impermanence.nix

@@ -1,5 +1,5 @@
 { lib, inputs, options, ... }@args:
-lib.mkModule args "impermanence" {
+(lib.mkModule args "impermanence" {
   imports = [ inputs.impermanence.nixosModules.impermanence ];
   options = with lib;
     with lib.types; {
@@ -42,8 +42,9 @@ lib.mkModule args "impermanence" {
       umount /btrfs_tmp
     '';
 
-    environment.persistence."/persist" =
-      lib.mkAliasDefinitions options.environment.persist;
-    fileSystems."/persist".neededForBoot = true;
   };
+}) // {
+  config.environment.persistence."/persist" =
+    lib.mkAliasDefinitions options.environment.persist;
+  config.fileSystems."/persist".neededForBoot = true;
 }

modules/services/authelia.nix

@@ -0,0 +1,74 @@
+{ lib, secrets, colors, pkgs, ... }@args:
+lib.mkModule args "ioga.services.authelia" {
+  options = with lib; {
+    domain = mkOpt' types.str "ioga.dev";
+    instanceName = mkOpt' types.str "main";
+  };
+  config = { cfg }: {
+    secrets.authelia = {
+      user = "authelia-${cfg.instanceName}";
+      group = "authelia-${cfg.instanceName}";
+    };
+    services.authelia.instances.${cfg.instanceName} = {
+      enable = true;
+      secrets = {
+        jwtSecretFile = "${secrets.authelia}/jwtSecretFile";
+        sessionSecretFile = "${secrets.authelia}/sessionSecretFile";
+        storageEncryptionKeyFile =
+          "${secrets.authelia}/storageEncryptionKeyFile";
+      };
+
+      settings = {
+        theme = "dark";
+        server.address = "tcp://0.0.0.0:9091";
+
+        authentication_backend.file.path =
+          "/var/lib/authelia-${cfg.instanceName}/users.yml";
+        storage.local.path = "/var/lib/authelia-${cfg.instanceName}/db.sqlite3";
+        notifier.filesystem.filename =
+          "/var/lib/authelia-${cfg.instanceName}/emails.txt";
+
+        access_control = {
+          default_policy = "deny";
+          rules = [
+            {
+              domain = "auth.${cfg.domain}";
+              policy = "bypass";
+            }
+            {
+              domain = "*.${cfg.domain}";
+              policy = "one_factor";
+            }
+          ];
+        };
+
+        session.cookies = [{
+          inherit (cfg) domain;
+          authelia_url = "https://auth.${cfg.domain}";
+          default_redirection_url = "https://${cfg.domain}";
+        }];
+      };
+    };
+
+    systemd.services."authelia-${cfg.instanceName}" = {
+      serviceConfig.StateDirectory = "authelia-${cfg.instanceName}";
+      preStart = # bash
+        ''
+          USER_DB="/var/lib/authelia-${cfg.instanceName}/users.yml"
+          PASS=$(cat ${secrets.authelia}/adminPassword)
+          HASHED_PASSWORD=$(${pkgs.authelia}/bin/authelia crypto hash generate argon2 --password "$PASS" | ${pkgs.gawk}/bin/awk '/Digest:/ {print $2}')
+          if [ ! -s "$USER_DB" ]; then
+            echo "${''
+            users:
+              admin:
+                displayname: "Admin"
+                password: "$HASHED_PASSWORD"
+                email: "admin@${cfg.domain}"
+                groups: [admins]''}" > "$USER_DB"
+            chmod 600 "$USER_DB"
+            chown authelia-${cfg.instanceName}:authelia-${cfg.instanceName} "$USER_DB"
+          fi
+        '';
+    };
+  };
+}

modules/services/reverse_proxy.nix

@@ -1,8 +1,9 @@
-{ lib, colors, pkgs, ... }@args:
+{ lib, colors, pkgs, secrets, ... }@args:
 lib.mkModule args "ioga.services.reverse_proxy" {
   options = with lib; { domain = mkOpt' types.str "ioga.dev"; };
   config = { cfg }: {
 
+    ioga.services.authelia.enable = true;
     services = {
       resolved.extraConfig = ''
         [Resolve]
@@ -22,16 +23,30 @@ lib.mkModule args "ioga.services.reverse_proxy" {
 
       caddy = {
         enable = true;
-        extraConfig = # caddy
+        extraConfig =
+          #caddy
           ''
+            (authelia_auth) {
+              forward_auth 0.0.0.0:9091 {
+                uri /api/authz/forward-auth
+                copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
+                # Important for session cookie logic
+                header_up X-Forwarded-Proto {scheme}
+                header_up X-Forwarded-Host {host}
+              }
+            }
+
+            http://auth.${cfg.domain} {
+              reverse_proxy 0.0.0.0:9091
+            }
+
             http://*.${cfg.domain} {
+              import authelia_auth
+
               reverse_proxy {
                 dynamic srv {
-                    name "{labels.2}.service.consul"
-                    resolvers 127.0.0.1:8600
-                }
-                transport http {
-                    resolvers 127.0.0.1:8600
+                  name "{labels.2}.service.consul"
+                  resolvers 127.0.0.1:8600
                 }
               }
             }