basic authella configuration

hosts/sin/authelia.nix

@@ -1,54 +0,0 @@
-{ config, lib, ... }:
-let
-  cfg = config.services.authelia.instances.main;
-  dataDir = /var/lib/authelia/${cfg.name};
-in
-{
-  services.authelia.instances = {
-    main = {
-      enable = true;
-      secrets = {
-        jwtSecretFile = config.age.secrets.authelia-jwt.path;
-        storageEncryptionKeyFile = config.age.secrets.authelia-encryption.path;
-        sessionSecretFile = config.age.secrets.authelia-session.path;
-      };
-      settings = {
-        theme = "light";
-        log.level = "debug";
-
-        authentication_backend = {
-          file = {
-            path = dataDir + "/users.yml";
-          };
-        };
-        storage = {
-          local = {
-            path = dataDir + "/db.sqlite3";
-          };
-        };
-        session = {
-          cookies = [
-            {
-              domain = "shobu.fr";
-              authelia_url = "https://auth.Shobu.fr";
-              default_redirection_url = "https://shobu.fr";
-            }
-          ];
-        };
-        access_control = {
-          default_policy = "deny";
-          rules = [
-            {
-              domain = "*.shobu.fr";
-              policy = "one_factor";
-            }
-          ];
-        };
-      };
-    };
-  };
-
-  systemd.tmpfiles.rules = lib.mkif cfg.enable [
-    "d '${dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
-  ];
-}

hosts/sin/configuration.nix

@@ -17,7 +17,6 @@
     ./secrets.nix
     ./coredns
     ./copyparty.nix
-    # ./authelia.nix
     # ./trilium.nix
   ];
 

hosts/thea/authelia.nix

@@ -0,0 +1,120 @@
+{
+  pkgs,
+  config,
+  lib,
+  ...
+}:
+let
+  cfg = config.services.authelia.instances.main;
+  dataDir = "/var/lib/authelia-${cfg.name}";
+  authelia-snippets = pkgs.callPackage ./lib/autheliaSnippets.nix { inherit pkgs; };
+in
+{
+  services.authelia.instances = {
+    main = {
+      enable = true;
+      secrets = {
+        jwtSecretFile = config.age.secrets.authelia-jwt.path;
+        storageEncryptionKeyFile = config.age.secrets.authelia-encryption.path;
+        sessionSecretFile = config.age.secrets.authelia-session.path;
+      };
+      settings = {
+        theme = "light";
+        log.level = "debug";
+
+        authentication_backend = {
+          file = {
+            path = dataDir + "/users.yml";
+          };
+        };
+        storage = {
+          local = {
+            path = dataDir + "/db.sqlite3";
+          };
+        };
+        session = {
+          cookies = [
+            {
+              domain = "shobu.fr";
+              authelia_url = "https://auth.shobu.fr";
+              default_redirection_url = "https://shobu.fr";
+            }
+          ];
+        };
+        notifier = {
+          filesystem = {
+            filename = "${dataDir}/notification.txt";
+          };
+        };
+        access_control = {
+          default_policy = "deny";
+          rules = [
+            {
+              domain = "*.shobu.fr";
+              policy = "one_factor";
+            }
+          ];
+        };
+        server = {
+          endpoints = {
+            authz = {
+              auth-request = {
+                implementation = "AuthRequest";
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+
+  # systemd.tmpfiles.rules = lib.mkIf cfg.enable [
+  #   "d '${dataDir}' 0700 ${cfg.user} ${cfg.group} - -"
+  # ];
+
+  age.secrets = {
+    authelia-jwt = {
+      owner = cfg.user;
+      file = ./secrets/authelia-jwt.age;
+      mode = "700";
+    };
+    authelia-encryption = {
+      owner = cfg.user;
+      file = ./secrets/authelia-encryption.age;
+      mode = "700";
+    };
+    authelia-session = {
+      owner = cfg.user;
+      file = ./secrets/authelia-session.age;
+      mode = "700";
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    recommendedTlsSettings = true;
+
+    virtualHosts."auth.shobu.fr" =
+      let
+        upstream = "http://thea:9091";
+      in
+      {
+        enableACME = true;
+        forceSSL = true;
+
+        locations."/" = {
+          proxyPass = upstream;
+          extraConfig = ''
+            include ${authelia-snippets.proxy};
+          '';
+        };
+        locations."/api/verify" = {
+          proxyPass = upstream;
+        };
+        locations."/api/authz" = {
+          proxyPass = upstream;
+        };
+      };
+  };
+}

hosts/thea/configuration.nix

@@ -16,10 +16,11 @@ in
 {
   imports = [
     ./nginx.nix
-    # ./striped
     # ./cybercoffee
     ./ollama.nix
     ./minecraft.nix
+    ./secrets
+    ./authelia.nix
   ];
 
   # Use the systemd-boot EFI boot loader.

hosts/thea/lib/autheliaSnippets.nix

@@ -0,0 +1,107 @@
+{ pkgs }:
+{
+  proxy = pkgs.writeText "proxy.conf" ''
+    set $upstream_authelia https://sin:9091/api/authz/auth-request;
+
+    ## Virtual endpoint created by nginx to forward auth requests.
+    location /internal/authelia/authz {
+      ## Essential Proxy Configuration
+      internal;
+      proxy_pass $upstream_authelia;
+
+      ## Headers
+      ## The headers starting with X-* are required.
+      proxy_set_header X-Original-Method $request_method;
+      proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header Content-Length "";
+      proxy_set_header Connection "";
+
+      ## Basic Proxy Configuration
+      proxy_pass_request_body off;
+      proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+      proxy_redirect http:// $scheme://;
+      proxy_http_version 1.1;
+      proxy_cache_bypass $cookie_session;
+      proxy_no_cache $cookie_session;
+      proxy_buffers 4 32k;
+      client_body_buffer_size 128k;
+
+      ## Advanced Proxy Configuration
+      send_timeout 5m;
+      proxy_read_timeout 240;
+      proxy_send_timeout 240;
+      proxy_connect_timeout 240;
+    }
+  '';
+  authelia-location = pkgs.writeText "authelia-location.conf" ''
+    ## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
+    auth_request /internal/authelia/authz;
+
+    ## Save the upstream metadata response headers from Authelia to variables.
+    auth_request_set $user $upstream_http_remote_user;
+    auth_request_set $groups $upstream_http_remote_groups;
+    auth_request_set $name $upstream_http_remote_name;
+    auth_request_set $email $upstream_http_remote_email;
+
+    ## Inject the metadata response headers from the variables into the request made to the backend.
+    proxy_set_header Remote-User $user;
+    proxy_set_header Remote-Groups $groups;
+    proxy_set_header Remote-Email $email;
+    proxy_set_header Remote-Name $name;
+
+    ## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
+    ## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
+    ## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
+
+    ## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
+    auth_request_set $redirection_url $upstream_http_location;
+
+    ## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
+    error_page 401 =302 $redirection_url;
+
+    ## Legacy Method: Set $target_url to the original requested URL.
+    ## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
+    # set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+    ## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
+    ## URL parameter set to $target_url. This requires users update 'auth.shobu.fr/' with their external authelia URL.
+    # error_page 401 =302 https://auth.shobu.fr/?rd=$target_url;
+  '';
+  authelia-authrequest = pkgs.writeText "authelia-authrequest.conf" ''
+    ## Headers
+    proxy_set_header Host $host;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-URI $request_uri;
+    proxy_set_header X-Forwarded-Ssl on;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header X-Real-IP $remote_addr;
+
+    ## Basic Proxy Configuration
+    client_body_buffer_size 128k;
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+    proxy_redirect  http://  $scheme://;
+    proxy_http_version 1.1;
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 64 256k;
+
+    ## Trusted Proxies Configuration
+    ## Please read the following documentation before configuring this:
+    ##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
+    # set_real_ip_from 10.0.0.0/8;
+    # set_real_ip_from 172.16.0.0/12;
+    # set_real_ip_from 192.168.0.0/16;
+    # set_real_ip_from fc00::/7;
+    real_ip_header X-Forwarded-For;
+    real_ip_recursive on;
+
+    ## Advanced Proxy Configuration
+    send_timeout 5m;
+    proxy_read_timeout 360;
+    proxy_send_timeout 360;
+    proxy_connect_timeout 360;
+  '';
+}

hosts/thea/minecraft.nix

@@ -9,6 +9,10 @@ let
     url = "file:///${inputs.testing-grounds.modpack}/pack.toml";
     packHash = "sha256-+taYj4uroLNxM4Nia3n+5P1Y/g6dzE6Iq13TsZgk4mU=";
   };
+  gregpack = pkgs.fetchPackwizModpack {
+    url = "https://raw.githubusercontent.com/GregTechCEu/GregTech-Modern-Community-Pack/refs/heads/main/pack.toml";
+    packHash = "sha256-SE86gP15H/Aug6vTLmMxHuxF2/+iLmCI/wQlON1xasM=";
+  };
 in
 {
   imports = [ inputs.nix-minecraft.nixosModules.minecraft-servers ];
@@ -35,4 +39,10 @@ in
       };
     };
   };
+
+  networking.firewall.allowedTCPPorts = [
+    25865 # autismcraft
+    25665 # reclamation
+    25675 # reclamation
+  ];
 }

hosts/thea/secrets/authelia-encryption.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 /uqj4A 9cZH/SlDpiluz2O3wCxRcBhmt3L5eN24I0HHwiJDWRU
+VVZaJlB4QzxBPcaN3MjCemjptEbqSUMD8VVtKyGezH8
+-> ssh-ed25519 70Re8Q ZFEQxmnm+dFKSXcQAc0KxkewCB59J5FyL1Ob/uEEtVg
+fRdEZpIytxjUeSKPieIzvZaAn5Mikjp28HlZhKwzS7M
+-> ssh-ed25519 QvCxGg ifsqXBKO0mqE1RuJ44Y7qDJ7lyci8iyz+J1xFgO38jI
+MkhMTZ+RttBFFMkbIaSCSQiExR1gf4OyFWHXIsx+QYQ
+--- nnMlLyQjixpBkx+bSU5I364IP3KnZ0qnmMPueBcRHpU
+ë˜<EFBFBD>6TX—ÕÞÌfÁ““É
+®?Z7M<37>T<EFBFBD>Å|ÚQf

hosts/thea/secrets/authelia-session.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 /uqj4A yxpGM3pJxfnM/5q9+NzdfG2kBjjNex6bdyUeZEBKjnI
+UO6ovn2cFeNi6SbcGpfF71/OAyQccyG+l6aZXubUal8
+-> ssh-ed25519 70Re8Q GW40lmeg6Lj7ntZswT0/hWZFpYBWoV3CMq4pdo+Ncgc
+oWTYuM/s3G7EKPWPQpHbXo9Tpzgn7YlYVQHYGn4xKS8
+-> ssh-ed25519 QvCxGg pKLpxtuMIa0xPXoaeb4WeQWVEINRE/j4nrxDB1J9BUI
+1azpt5MImTiDSF+Ts9EvUCdWMeVG7lErUHSBQfMiip4
+--- IOOR8Us6zlZhJm0V4X3IlbkHSdtR3GLLxEfa4i+lqv0
+ó P¬¥rhé"BFãŽÌŸtÌ€ê¤{¾(öB`q“Óø"AµnN_ ™f*ÏŒºvPpj&{)ìŠØ@‹ÃkF«Ú
]<Aš*Á<>‡<EFBFBD>´WTm”ƪD‡,Ý1E­™”¦³eѨ·O¢š

hosts/thea/secrets/default.nix

@@ -0,0 +1,3 @@
+{ ... }:
+{
+}

modules/gitea/thea/virtualisation.nix

@@ -16,6 +16,10 @@
     };
   };
 
+  environment.systemPackages = with pkgs; [
+    podman-compose
+  ];
+
   virtualisation.oci-containers.containers =
     let
       runner_config = pkgs.writeTextFile {