diff --git a/hosts/sin/authelia.nix b/hosts/sin/authelia.nix deleted file mode 100644 index fd46059..0000000 --- a/hosts/sin/authelia.nix +++ /dev/null @@ -1,54 +0,0 @@ -{ config, lib, ... }: -let - cfg = config.services.authelia.instances.main; - dataDir = /var/lib/authelia/${cfg.name}; -in -{ - services.authelia.instances = { - main = { - enable = true; - secrets = { - jwtSecretFile = config.age.secrets.authelia-jwt.path; - storageEncryptionKeyFile = config.age.secrets.authelia-encryption.path; - sessionSecretFile = config.age.secrets.authelia-session.path; - }; - settings = { - theme = "light"; - log.level = "debug"; - - authentication_backend = { - file = { - path = dataDir + "/users.yml"; - }; - }; - storage = { - local = { - path = dataDir + "/db.sqlite3"; - }; - }; - session = { - cookies = [ - { - domain = "shobu.fr"; - authelia_url = "https://auth.Shobu.fr"; - default_redirection_url = "https://shobu.fr"; - } - ]; - }; - access_control = { - default_policy = "deny"; - rules = [ - { - domain = "*.shobu.fr"; - policy = "one_factor"; - } - ]; - }; - }; - }; - }; - - systemd.tmpfiles.rules = lib.mkif cfg.enable [ - "d '${dataDir}' 0700 ${cfg.user} ${cfg.group} - -" - ]; -} diff --git a/hosts/sin/configuration.nix b/hosts/sin/configuration.nix index 08d71e1..aacf56a 100644 --- a/hosts/sin/configuration.nix +++ b/hosts/sin/configuration.nix @@ -17,7 +17,6 @@ ./secrets.nix ./coredns ./copyparty.nix - # ./authelia.nix # ./trilium.nix ]; diff --git a/hosts/thea/authelia.nix b/hosts/thea/authelia.nix new file mode 100644 index 0000000..21c199e --- /dev/null +++ b/hosts/thea/authelia.nix 
@@ -0,0 +1,120 @@
+{
+ pkgs,
+ config,
+ lib,
+ ...
+}:
+let
+ cfg = config.services.authelia.instances.main;
+ dataDir = "/var/lib/authelia-${cfg.name}";
+ authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
+in
+{
+ services.authelia.instances = {
+ main = {
+ enable = true;
+ secrets = {
+ jwtSecretFile = config.age.secrets.authelia-jwt.path;
+ storageEncryptionKeyFile = config.age.secrets.authelia-encryption.path;
+ sessionSecretFile = config.age.secrets.authelia-session.path;
+ };
+ settings = {
+ theme = "light";
+ log.level = "debug";
+
+ authentication_backend = {
+ file = {
+ path = dataDir + "/users.yml";
+ };
+ };
+ storage = {
+ local = {
+ path = dataDir + "/db.sqlite3";
+ };
+ };
+ session = {
+ cookies = [
+ {
+ domain = "shobu.fr";
+ authelia_url = "https://auth.shobu.fr";
+ default_redirection_url = "https://shobu.fr";
+ }
+ ];
+ };
+ notifier = {
+ filesystem = {
+ filename = "${dataDir}/notification.txt";
+ };
+ };
+ access_control = {
+ default_policy = "deny";
+ rules = [
+ {
+ domain = "*.shobu.fr";
+ policy = "one_factor";
+ }
+ ];
+ };
+ server = {
+ endpoints = {
+ authz = {
+ auth-request = {
+ implementation = "AuthRequest";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+
+ # systemd.tmpfiles.rules = lib.mkIf cfg.enable [
+ # "d '${dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
+ # ];
+
+ age.secrets = {
+ authelia-jwt = {
+ owner = cfg.user;
+ file = ./secrets/authelia-jwt.age;
+ mode = "700";
+ };
+ authelia-encryption = {
+ owner = cfg.user;
+ file = ./secrets/authelia-encryption.age;
+ mode = "700";
+ };
+ authelia-session = {
+ owner = cfg.user;
+ file = ./secrets/authelia-session.age;
+ mode = "700";
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+ recommendedProxySettings = true;
+ recommendedTlsSettings = true;
+
+ virtualHosts."auth.shobu.fr" =
+ let
+ upstream = "http://thea:9091";
+ in
+ {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = upstream;
+ extraConfig = ''
+ include ${authelia-snippets.proxy};
+ '';
+ };
+ locations."/api/verify" = {
+ proxyPass = upstream;
+ };
+ locations."/api/authz" = {
+ proxyPass = upstream;
+ };
+ };
+ };
+}
diff --git a/hosts/thea/configuration.nix b/hosts/thea/configuration.nix
index 13719f9..3079e35 100644
--- a/hosts/thea/configuration.nix
+++ b/hosts/thea/configuration.nix
@@ -16,10 +16,11 @@ in
 {
 imports = [
 ./nginx.nix
- # ./striped
 # ./cybercoffee
 ./ollama.nix
 ./minecraft.nix
+ ./secrets
+ ./authelia.nix
 ];
 
 # Use the systemd-boot EFI boot loader.
diff --git a/hosts/thea/lib/autheliaSnippets.nix b/hosts/thea/lib/autheliaSnippets.nix
new file mode 100644
index 0000000..70112eb
--- /dev/null
+++ b/hosts/thea/lib/autheliaSnippets.nix
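Review bot: `notifier.filesystem` writes every identity-verification and password-reset message to `${dataDir}/notification.txt`, so anyone who can read that file on thea can finish those flows for any account; as far as I recall Authelia's docs describe the filesystem notifier as a testing option, and with `one_factor` on `*.shobu.fr` a reset link from that file appears to be all that account takeover needs. If it has to stay for now, say so next to it, e.g. `# NOTE: filesystem notifier is for testing only — reset/verification links land in notification.txt; move to smtp before relying on auth.shobu.fr`. The three `age.secrets` entries also use `mode = "700"`, which gives key material an execute bit it never needs; `mode = "400";` is the usual setting for files read once at start-up by `cfg.user`. Lastly, `log.level = "debug"` now sits behind a public vhost, so either a comment marking it temporary or `"info"` would be worth it.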
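Review bot: `./secrets` is imported as a directory, which Nix resolves to `hosts/thea/secrets/default.nix`, but this commit adds only three `.age` files under that directory and the `age.secrets` declarations live in `./authelia.nix`. Unless a `default.nix` already exists there, evaluation fails on the import; if it does exist, a short comment on the line naming what it provides would spare the next reader the same question. Only the `imports` list is in view, so this is inferred from the diff alone.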
@@ -0,0 +1,107 @@
+{ pkgs }:
+{
+ proxy = pkgs.writeText "proxy.conf" ''
+ set $upstream_authelia https://sin:9091/api/authz/auth-request;
+
+ ## Virtual endpoint created by nginx to forward auth requests.
+ location /internal/authelia/authz {
+ ## Essential Proxy Configuration
+ internal;
+ proxy_pass $upstream_authelia;
+
+ ## Headers
+ ## The headers starting with X-* are required.
+ proxy_set_header X-Original-Method $request_method;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Content-Length "";
+ proxy_set_header Connection "";
+
+ ## Basic Proxy Configuration
+ proxy_pass_request_body off;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 4 32k;
+ client_body_buffer_size 128k;
+
+ ## Advanced Proxy Configuration
+ send_timeout 5m;
+ proxy_read_timeout 240;
+ proxy_send_timeout 240;
+ proxy_connect_timeout 240;
+ }
+ '';
+ authelia-location = pkgs.writeText "authelia-location.conf" ''
+ ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
+ auth_request /internal/authelia/authz;
+
+ ## Save the upstream metadata response headers from Authelia to variables.
+ auth_request_set $user $upstream_http_remote_user;
+ auth_request_set $groups $upstream_http_remote_groups;
+ auth_request_set $name $upstream_http_remote_name;
+ auth_request_set $email $upstream_http_remote_email;
+
+ ## Inject the metadata response headers from the variables into the request made to the backend.
+ proxy_set_header Remote-User $user;
+ proxy_set_header Remote-Groups $groups;
+ proxy_set_header Remote-Email $email;
+ proxy_set_header Remote-Name $name;
+
+ ## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
+ ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
+ ## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
+
+ ## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
+ auth_request_set $redirection_url $upstream_http_location;
+
+ ## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
+ error_page 401 =302 $redirection_url;
+
+ ## Legacy Method: Set $target_url to the original requested URL.
+ ## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
+ # set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+ ## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
+ ## URL parameter set to $target_url. This requires users update 'auth.shobu.fr/' with their external authelia URL.
+ # error_page 401 =302 https://auth.shobu.fr/?rd=$target_url;
+ '';
+ authelia-authrequest = pkgs.writeText "authelia-authrequest.conf" ''
+ ## Headers
+ proxy_set_header Host $host;
+ proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-URI $request_uri;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Real-IP $remote_addr;
+
+ ## Basic Proxy Configuration
+ client_body_buffer_size 128k;
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 64 256k;
+
+ ## Trusted Proxies Configuration
+ ## Please read the following documentation before configuring this:
+ ## https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
+ # set_real_ip_from 10.0.0.0/8;
+ # set_real_ip_from 172.16.0.0/12;
+ # set_real_ip_from 192.168.0.0/16;
+ # set_real_ip_from fc00::/7;
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+
+ ## Advanced Proxy Configuration
+ send_timeout 5m;
+ proxy_read_timeout 360;
+ proxy_send_timeout 360;
+ proxy_connect_timeout 360;
+ '';
+}
diff --git a/hosts/thea/minecraft.nix b/hosts/thea/minecraft.nix
index 0e0f4cf..54f9997 100644
--- a/hosts/thea/minecraft.nix
+++ b/hosts/thea/minecraft.nix
@@ -9,6 +9,10 @@ let
 url = "file:///${inputs.testing-grounds.modpack}/pack.toml";
 packHash = "sha256-+taYj4uroLNxM4Nia3n+5P1Y/g6dzE6Iq13TsZgk4mU=";
 };
+ gregpack = pkgs.fetchPackwizModpack {
+ url = "https://raw.githubusercontent.com/GregTechCEu/GregTech-Modern-Community-Pack/refs/heads/main/pack.toml";
+ packHash = "sha256-SE86gP15H/Aug6vTLmMxHuxF2/+iLmCI/wQlON1xasM=";
+ };
 in
 {
 imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
@@ -35,4 +39,10 @@ in
 };
 };
 };
+
+ networking.firewall.allowedTCPPorts = [
+ 25865 # autismcraft
+ 25665 # reclamation
+ 25675 # reclamation
+ ];
 }
diff --git a/hosts/thea/secrets/authelia-encryption.age b/hosts/thea/secrets/authelia-encryption.age
new file mode 100644
index 0000000..b7c549e
--- /dev/null
+++ b/hosts/thea/secrets/authelia-encryption.age
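Review bot: The subrequest target `set $upstream_authelia https://sin:9091/api/authz/auth-request;` in `proxy` points at `sin`, yet this commit deletes sin's authelia.nix (its import was already commented out) and the `auth.shobu.fr` vhost in hosts/thea/authelia.nix reaches Authelia at `http://thea:9091`, so every `auth_request` from a location that includes `authelia-location` would go to a host that is not serving it, and over HTTPS where the portal itself is proxied over plain HTTP. Unless sin still runs a listener on 9091 that I cannot see, this should read `set $upstream_authelia http://thea:9091/api/authz/auth-request;`. A dead upstream fails closed, which is the safe outcome, but nothing behind these snippets will authenticate until it is corrected. Separately, `real_ip_header X-Forwarded-For;` in `authelia-authrequest` does nothing while every `set_real_ip_from` stays commented, which is fine for a single nginx hop; if one is uncommented later it should name only the real front proxy, since the client address Authelia sees comes from that header.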
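Review bot: `gregpack` fetches `pack.toml` from the mutable ref `refs/heads/main` instead of a commit; `packHash` pins the fetched output, so upstream cannot silently change what is built, but the build breaks the next time that branch moves and the hash then has to be re-derived against whatever main has become, which is exactly when a tampered or unreviewed pack would slip in. Pinning the URL to a commit, e.g. `url = "https://raw.githubusercontent.com/GregTechCEu/GregTech-Modern-Community-Pack/<commit>/pack.toml";`, keeps the fetch reproducible and makes every pack update a deliberate hash bump. The `let` block this sits in starts outside the hunk.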
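Review bot: Two of the three newly opened ports carry the same label, `25665 # reclamation` and `25675 # reclamation`, so the comment does not tell a reader which server (or which second service of that server) each one belongs to, and the server definitions the ports presumably map to are outside this hunk. Name each port's role explicitly, e.g. `25675 # reclamation (second instance / query port — confirm)`, so an unused one can be closed with confidence later.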
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 /uqj4A 9cZH/SlDpiluz2O3wCxRcBhmt3L5eN24I0HHwiJDWRU +VVZaJlB4QzxBPcaN3MjCemjptEbqSUMD8VVtKyGezH8 +-> ssh-ed25519 70Re8Q ZFEQxmnm+dFKSXcQAc0KxkewCB59J5FyL1Ob/uEEtVg +fRdEZpIytxjUeSKPieIzvZaAn5Mikjp28HlZhKwzS7M +-> ssh-ed25519 QvCxGg ifsqXBKO0mqE1RuJ44Y7qDJ7lyci8iyz+J1xFgO38jI +MkhMTZ+RttBFFMkbIaSCSQiExR1gf4OyFWHXIsx+QYQ +--- nnMlLyQjixpBkx+bSU5I364IP3KnZ0qnmMPueBcRHpU +똁6TX f +?Z7MT|Qf p] 0 ʻw n!R{{k:3) uQkX1h== \ No newline at end of file diff --git a/hosts/thea/secrets/authelia-jwt.age b/hosts/thea/secrets/authelia-jwt.age new file mode 100644 index 0000000..23add5e Binary files /dev/null and b/hosts/thea/secrets/authelia-jwt.age differ diff --git a/hosts/thea/secrets/authelia-session.age b/hosts/thea/secrets/authelia-session.age new file mode 100644 index 0000000..b0e7daa --- /dev/null +++ b/hosts/thea/secrets/authelia-session.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 /uqj4A yxpGM3pJxfnM/5q9+NzdfG2kBjjNex6bdyUeZEBKjnI +UO6ovn2cFeNi6SbcGpfF71/OAyQccyG+l6aZXubUal8 +-> ssh-ed25519 70Re8Q GW40lmeg6Lj7ntZswT0/hWZFpYBWoV3CMq4pdo+Ncgc +oWTYuM/s3G7EKPWPQpHbXo9Tpzgn7YlYVQHYGn4xKS8 +-> ssh-ed25519 QvCxGg pKLpxtuMIa0xPXoaeb4WeQWVEINRE/j4nrxDB1J9BUI +1azpt5MImTiDSF+Ts9EvUCdWMeVG7lErUHSBQfMiip4 +--- IOOR8Us6zlZhJm0V4X3IlbkHSdtR3GLLxEfa4i+lqv0 +Prh"BF̟t̀{(B`q"AnN_ f*όvPpj&{)@kF«]