Diffstat (limited to 'apps/authelia')
-rw-r--r--apps/authelia/appspec.nix33
-rw-r--r--apps/authelia/integration.nix15
-rw-r--r--apps/authelia/module.nix61
-rw-r--r--apps/authelia/secrets.nix5
4 files changed, 114 insertions, 0 deletions
diff --git a/apps/authelia/appspec.nix b/apps/authelia/appspec.nix
new file mode 100644
index 0000000..60e2695
--- /dev/null
+++ b/apps/authelia/appspec.nix
@@ -0,0 +1,33 @@
+{ appConfig, lib, ... }: {
+ name = "authelia";
+ endOfLife = null;
+ options = {
+ domain = lib.mkOption {
+ type = lib.types.str;
+ };
+ users = lib.mkOption {
+ type = lib.types.attrsOf (lib.types.submodule {
+ options.username = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ };
+ options.passwordFile = lib.mkOption {
+ type = lib.types.nullOr lib.types.str;
+ default = null;
+ };
+ });
+ };
+ jwtSecret = lib.mkOption {
+ type = lib.types.str;
+ default = "system-secrets/${appConfig.appId}/jwtSecret";
+ };
+ storageEncryptionKey = lib.mkOption {
+ type = lib.types.str;
+ default = "system-secrets/${appConfig.appId}/storageEncryptionKey";
+ };
+ sessionSecret = lib.mkOption {
+ type = lib.types.str;
+ default = "system-secrets/${appConfig.appId}/sessionSecret";
+ };
+ };
+}
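Review bot: `users.<name>.username` and `users.<name>.passwordFile` are declared `nullOr str` with `default = null`, but the only consumers in this commit (integration.nix and module.nix) interpolate both straight into strings, so leaving either unset fails at evaluation with a null-coercion error rather than producing a sensible default. Either make them required, `type = lib.types.str;` with no default, or keep them optional and have the consumers filter out null entries before interpolating. None of the options carry a `description`, which matters here because three of them are secret file paths relative to `/etc/nixos`; adding e.g. `description = "Path, relative to /etc/nixos, of the file holding the JWT secret loaded as a systemd credential.";` to each would make the contract visible in the generated option docs.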
diff --git a/apps/authelia/integration.nix b/apps/authelia/integration.nix
new file mode 100644
index 0000000..a7b71a6
--- /dev/null
+++ b/apps/authelia/integration.nix
@@ -0,0 +1,15 @@
+{ appConfig, lib, ... }: lib.mkMerge [
+ {
+ port = 9091;
+ }
+ {
+ container.extraFlags = [
+ "--load-credential jwtSecret:/etc/nixos/${appConfig.jwtSecret}"
+ "--load-credential sessionSecret:/etc/nixos/${appConfig.sessionSecret}"
+ "--load-credential storageEncryptionKey:/etc/nixos/${appConfig.storageEncryptionKey}"
+ ] ++ (lib.mapAttrsToList
+ (username: args:
+ "--load-credential ${args.username}.password:/etc/nixos/${args.passwordFile}")
+ appConfig.users);
+ }
+]
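Review bot: The credential ID built here, `${args.username}.password`, uses the submodule's `username` field, while the consumer in module.nix (`authelia-default-users.serviceConfig.LoadCredential`) requests `${username}.password` using the attribute-set key; whenever the key and `args.username` differ the inner service asks for a credential the container was never given, and the users service fails at start. Pick one identifier for both sides, e.g. `"--load-credential ${username}.password:/etc/nixos/${args.passwordFile}"` here, so the key is the stable handle and `username` stays a display value. The same mismatch is why the `username=$(echo "$account" | jq -r .username)` lookup in the module.nix script reads `$CREDENTIALS_DIRECTORY/$username` — that path only exists when key and field coincide.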
diff --git a/apps/authelia/module.nix b/apps/authelia/module.nix
new file mode 100644
index 0000000..fa4d35d
--- /dev/null
+++ b/apps/authelia/module.nix
@@ -0,0 +1,61 @@
+{ appConfig, lib, pkgs, ... }: lib.mkMerge [
+ # authelia
+ {
+ services.authelia.instances.default.enable = true;
+ services.authelia.instances.default.settings.access_control.default_policy = "one_factor";
+ services.authelia.instances.default.settings.log.format = "text";
+ services.authelia.instances.default.settings.log.level = "info";
+ services.authelia.instances.default.settings.notifier.filesystem.filename = "/var/lib/authelia-default/notifier.txt";
+ services.authelia.instances.default.settings.server.host = "0.0.0.0";
+ services.authelia.instances.default.settings.server.port = 9091;
+ services.authelia.instances.default.settings.session.domain = appConfig.domain;
+ services.authelia.instances.default.settings.storage.local.path = "/var/lib/authelia-default/storage.sqlite3";
+ }
+ # configure secrets
+ {
+ services.authelia.instances.default.secrets.manual = true;
+ systemd.services.authelia-default.environment.AUTHELIA_JWT_SECRET_FILE = "%d/jwtSecret";
+ systemd.services.authelia-default.environment.AUTHELIA_SESSION_SECRET_FILE = "%d/sessionSecret";
+ systemd.services.authelia-default.environment.AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "%d/storageEncryptionKey";
+ systemd.services.authelia-default.serviceConfig.LoadCredential = [
+ "jwtSecret:jwtSecret"
+ "sessionSecret:sessionSecret"
+ "storageEncryptionKey:storageEncryptionKey"
+ ];
+ }
+ # configure users
+ {
+ services.authelia.instances.default.settings.authentication_backend.file.path = "/var/lib/authelia-default/users.yaml";
+ services.authelia.instances.default.settings.authentication_backend.file.watch = true;
+
+ systemd.services.authelia-default-users.before = [ "authelia-default.service" ];
+ systemd.services.authelia-default-users.environment.CREDENTIALS_DIRECTORY = "%d";
+ systemd.services.authelia-default-users.serviceConfig.Group = "authelia-default";
+ systemd.services.authelia-default-users.serviceConfig.LoadCredential = lib.mapAttrsToList (username: attrs: "${username}:${username}.password") appConfig.users;
+ systemd.services.authelia-default-users.serviceConfig.User = "authelia-default";
+ systemd.services.authelia-default-users.wantedBy = [ "authelia-default.service" ];
+
+ # TODO password is used on command line
+ #
+ # @topic apps/authelia
+ systemd.services.authelia-default-users.script = "${pkgs.writers.writeDashBin "script" ''
+ set -efu
+ umask 0177
+ PATH=${lib.makeBinPath [ pkgs.authelia pkgs.coreutils pkgs.jq pkgs.json2yaml ]}
+ users=$(
+ echo ${lib.escapeShellArg (lib.generators.toJSON {} (lib.attrValues appConfig.users))} | jq -c .[] | while read -r account; do
+ username=$(echo "$account" | jq -r .username)
+ passwordFile=$(echo "$account" | jq -r .passwordFile)
+ hashedPassword=$(authelia crypto hash generate argon2 --password "$(cat "$CREDENTIALS_DIRECTORY"/"$username")" | cut -d' ' -f2-)
+ jq -cn \
+ --arg username "$username" \
+ --arg password "$hashedPassword" \
+ '{ key: $username, value: { displayname: $username, $password } }'
+ done |
+ jq -s from_entries
+ )
+ jq -cn --argjson users "$users" '{ $users }' |
+ json2yaml > /var/lib/authelia-default/users.yaml
+ ''}/bin/script";
+ }
+]
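Review bot: `authelia-default-users` sets `before`/`wantedBy` for `authelia-default.service` but no `serviceConfig.Type`, so it runs as Type=simple and systemd treats it as started as soon as the shell is forked; the ordering therefore does not guarantee users.yaml has been written before Authelia reads `authentication_backend.file.path`, and `watch = true` only papers over the race. Adding `systemd.services.authelia-default-users.serviceConfig.Type = "oneshot";` makes the `before` ordering wait for the script to finish. Inside the script the pipeline runs under dash, which has no `pipefail`, so a failing `authelia crypto hash generate` leaves `hashedPassword` empty and the loop still emits an entry with an empty `password` field instead of aborting; checking the hash is non-empty before the `jq -cn` call would surface that. The existing TODO is right that `--password "$(cat …)"` puts the plaintext secret in the process argv, where it is readable via the process list for the lifetime of the call; feeding the secret through stdin or a file, if the CLI offers that input path (confirm against the Authelia CLI), would remove that exposure.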
diff --git a/apps/authelia/secrets.nix b/apps/authelia/secrets.nix
new file mode 100644
index 0000000..1ad5f1a
--- /dev/null
+++ b/apps/authelia/secrets.nix
@@ -0,0 +1,5 @@
+{ appConfig, ... }: [
+ { type = "random-string"; path = appConfig.jwtSecret; }
+ { type = "random-string"; path = appConfig.sessionSecret; }
+ { type = "random-string"; path = appConfig.storageEncryptionKey; }
+]