From 1454e649815dd9e82b97fef1af8afa7d1f3e50e3 Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Fri, 9 Aug 2024 21:38:40 +0200
Subject: [PATCH] gerd.authelia: add initial authelia configuration

It is one big mess, and I'm unsure what is and what isn't needed.
---
 machines/gerd/services/authelia.nix | 73 ++++++++++++++++++
 secrets/authelia/jwt.age | 9 +++
 secrets/authelia/lldap-bind-user-pass.age | Bin 0 -> 465 bytes
 .../authelia/oidc-issuer-privatekey-crt.age | Bin 0 -> 1498 bytes
 .../authelia/oidc-issuer-privatekey-pem.age | Bin 0 -> 2111 bytes
 secrets/authelia/session.age | 10 +++
 secrets/authelia/storage.age | 10 +++
 secrets/default.nix | 7 ++
 secrets/secrets.nix | 7 ++
 9 files changed, 116 insertions(+)
 create mode 100644 machines/gerd/services/authelia.nix
 create mode 100644 secrets/authelia/jwt.age
 create mode 100644 secrets/authelia/lldap-bind-user-pass.age
 create mode 100644 secrets/authelia/oidc-issuer-privatekey-crt.age
 create mode 100644 secrets/authelia/oidc-issuer-privatekey-pem.age
 create mode 100644 secrets/authelia/session.age
 create mode 100644 secrets/authelia/storage.age

diff --git a/machines/gerd/services/authelia.nix b/machines/gerd/services/authelia.nix
new file mode 100644
index 0000000..61a6088
--- /dev/null
+++ b/machines/gerd/services/authelia.nix
@@ -0,0 +1,73 @@
+{ config, ... }:
+
+let
+ autheliaStateDir = "/var/lib/authelia-main";
+in {
+ services.authelia.instances.main = {
+ enable = true;
+
+ environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-lldap-bind-user-pass.path;
+ secrets = {
+ jwtSecretFile = config.age.secrets.authelia-jwt.path;
+ storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
+ sessionSecretFile = config.age.secrets.authelia-session.path;
+ oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-privatekey-pem.path;
+ };
+
+ settings = {
+ access_control.default_policy = "one_factor";
+ session.domain = "fricloud.dk";
+
+ storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
+ notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";
+
+ authentication_backend = {
+ password_reset.disable = false;
+ refresh_interval = "1m";
+
+ ldap = {
+ implementation = "custom";
+
+ # address in the future
+ url = "ldap://localhost:${builtins.toString config.services.lldap.settings.ldap_port}";
+ timeout = "5s";
+ start_tls = false;
+
+ base_dn = "dc=fricloud,dc=dk";
+ additional_users_dn = "ou=people";
+ users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
+ additional_groups_dn = "ou=groups";
+ groups_filter = "(member={dn})";
+
+
+ display_name_attribute = "displayName";
+ username_attribute = "uid";
+ group_name_attribute = "cn";
+ mail_attribute = "mail";
+
+ user = "uid=bind_user,ou=people,dc=fricloud,dc=dk";
+ };
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."auth.fricloud.dk" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://localhost:${builtins.toString config.services.authelia.instances.main.settings.server.port}";
+ };
+
+ # persistent files
+ environment.persistence.root.directories = [
+ autheliaStateDir
+ ];
+
+ # setup secrets for authelia
+ age.secrets = {
+ authelia-jwt.owner = "authelia-main";
+ authelia-storage.owner = "authelia-main";
+ authelia-session.owner = "authelia-main";
+ authelia-oidc-issuer-privatekey-pem.owner = "authelia-main";
+ authelia-lldap-bind-user-pass.owner = "authelia-main";
+ };
+}
diff --git a/secrets/authelia/jwt.age b/secrets/authelia/jwt.age
new file mode 100644
index 0000000..f65b223
--- /dev/null
+++ b/secrets/authelia/jwt.age
@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg 2i+hCYHZQ8bEtQJWnazPdAkDky907gzu1tMod6tIUkQ
+c7AoKQEZERJziS+b89OP9v3j5BFG1FTcc5yK4U7wHtg
+-> ssh-ed25519 n8n9DQ O1jM3fRClKiKGaJig/u+APxwi/MzIvs7l/HC+rDiQiw
++0VQR4gO/rxXZJRjfv/t+mfaDi0kUioTom8OoNoFDio
+-> ssh-ed25519 BTp6UA 93ld1x4OCnO4GshJz3Hf7mB2jFVGYqZQ8AwvB7cOqzg
+AMFa8ueIf3Fz8VQpWWrS6ncfrh+pdsU7RMR3ZjA8KLE
+--- qDtFEysXwYfNfu63ufZFt2lARP72Gkx0Kp6zs81VkT8
+Oj}4VfĬj\cB!9Yڨ(d2\bs52hTR@gԷk9S 
\ No newline at end of file
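Review bot: `access_control.default_policy = "one_factor"` with no `access_control.rules` means every account that can bind to the LDAP directory is authorized for every application fronted by this instance; if per-application authorization is intended later, starting from `default_policy = "deny"` (or `"two_factor"`) and adding explicit rules is the safer baseline, though the intended scope cannot be read from this hunk. The bind at `url = "ldap://localhost:..."` with `start_tls = false` sends the bind password in clear, which is only acceptable because lldap is on loopback; the existing `# address in the future` comment would serve better as `# plaintext ldap:// is only acceptable over loopback; switch to ldaps:// or start_tls = true before pointing url at a remote host`. Separately, `oidcIssuerPrivateKeyFile` is set while no `identity_providers.oidc` settings appear in the hunk, so either the provider configuration lives elsewhere or the key is loaded without a consumer — a one-line comment saying which would help the next reader.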
diff --git a/secrets/authelia/lldap-bind-user-pass.age b/secrets/authelia/lldap-bind-user-pass.age new file mode 100644 index 0000000000000000000000000000000000000000..17aa20f6655ecc899cfeca43957a8852cb4c95d0 GIT binary patch literal 465 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+40eeqOjjuKGEF!3 zDRL`!4DrbdHa0VKG%YdA4Xg-rD$UFA)=o4JE(i<^2{w&zG2yZd@y~M!GA>QiH}dq& z%6CqQGVspx(@)ec_wh-~i3mA+@!LM z;0&`8-{7$PvJ8t#qjDFQoPvr>0|Tz2@;vR*%<#0z&3 zU?0oK?4W{(Tm!BOmgpP)0cn5vk6e{4%jh#Pp7@O6aqrX1b6!r0(=@G0(6Bk^74s@v5&ts46g^ zq9QxZ$TOm}Fg>rT(kZt%B0S04BOBc|r;q}(P)CJQg8+m447c3S3dbN0FAG0c zS98PQBHz5wiu_!Y^5CG*U<2=Rk3g;{vs9N{ZU3yO)Lh3~<>_YQI=N!j^ zu#Cja48MrPRJWAOG)FF7U0ntJ@{EWo?MTZcFZ~i{eN$h7t2kMJ}fx1@5v++?G& z$YAG6GtWH#AQP_OliwfjvA_JFjx{sQ<_z~Y_kPB6_f^|g*%+M5v!0%zvS9J)xH~Uy zb}$}cTJ&hqDzRtVE;Tj>`E!b-9k>%HS|c5Klxt%qWcseVw6Z1%Z1TXUu<^F)3X zPd7E2EjjZ```5))zq|70VSVa79qGeUc#d5O&R+iZyok>4M#;0Yi}Rn-K*GQOnj%9zqjg(i0?|8p$<4C;y^}J+{zv#{h-~6oB zrv<(*vY7aoP4v#uh4)<+zhVD-)+<0~>a(+PO;2izBc;BVcE?dj%^vz9MkX74(g$*_M?II~t$=eKhm9qUS8`7PhM%lGT59anxy z?RdE6_?|OPdWrU2Y_t75d{X3-rcc$Wes*1Bn_WStNYzmTl^fP_a_O%LOa8iH-85s4{qKx^zLBg*Zuj`VT=8OfT{08j%^xou znVzf4JZNryyXRzIt^MlEAfEKeS8pcCEAHN&_(kQ!@!fXIRZRBPNqI12{Fw34;zW5( z`W)T`{i^5AXf2$~d}-=jy_emZ*IU{WHZJH1K5|uC$#QFha?XdD_f__KJXCHmDqbsP zd^yc<`X{9)B}?x~l^wBJyUO9|q0ja5I|ccjzbjfjjZOFF-p8_z=gqx+9~9zN^29sm z+dGOZo%34bYvhN;DY}a?=5zm>de)U&F!I~egUPxUcSFsLvgYi1m9}RePo_iF=VL~* zT54RAm;blmd+7Hf{pGb^>}M9fZAs&ao~^8&!Dbcn_Ro={Nc?D zPSo8!C*PiYgqfH3q|mjBBIi3@BH2<6OATM|w_k9-{MNnj?@RxxT{|@KS;m6*yPmxD zu;aH=P@Zs+!PmQZTG&}V0l!1{*HryyTex__ecr9U=l{j0u@v@w-`99FQ0PvCbdb^p z^ZYM$NBX(zzkBC(uHTh9L&-%kv)$*At{l5Y@sAW!OR+zei(iP;9^UAEis9Kgxl1z4Tlsra&TyG&HtIm_|=%56^fb$)N;JkIh}De7!$*O%k@ z4dslF3K}E_s2*2NLRrzwW<`ki2^H zgJyOAl6`(^H^cP8C3w!I9k*b9p1*w2-sxf2lHcqom~MHhSvy=(Ro+KpRn_`~HQcYJ eY^c83Vfj>Y+w#alF14v;-kR1YE}C7Katr`$Y@uKP literal 0 HcmV?d00001 
diff --git a/secrets/authelia/oidc-issuer-privatekey-pem.age b/secrets/authelia/oidc-issuer-privatekey-pem.age new file mode 100644 index 0000000000000000000000000000000000000000..9c723b3618a0a0c96780f3ac3dd9d575b8e6e0e1 GIT binary patch literal 2111 zcmYdHPt{G$OD?J`D9Oyv)5|YP*Do{V(zR14F3!+RO))YxHMCR+40eeqOjigs3JZyF z%nI<#u5c_a3^&P04=y!zw~Wkox6BR&mzy#B~T&RyHMZPHPbxYEGx*u zxhSG2Fwex_%hAgq!^FGFIndSB+{oOd$S>a_H=ipwsVp-p(I+6;+}G4RG0MWo&7`Wx z-#9tDIK{lIB-f+VC($0B^t29Cwf0T+2v9|A@fkv@**|UsF^4)Y2SB z_i%IbESI80i>zc1?|d#@U0sDNA4~H{eP>hiaL-Wf5J#iTJm+x#Jh$+);)>#ouwXN7 z?LaSmi_G#$15Yl-8O*M4{>JT)U#+9}w5r@Bqr^Prp7D!{%^NmU7XRJN8feICd?WqL zgFOx6J0|$teYsNN(~9GlR<4+JbeaC<>ox2tL96;cHk>#q`IAdpkKMQEZCJbCD)zEe zTXpFLn>CsqrO#i{^@p?N=!+c*0uN2Qxwap2sZ{H@-<#?2vuNkXh-kUh57(;yy!Yqh z_kBgzdRDHt)%i5jVar29#oyLvV@o6+7RNrFC|!PWTYjhZ|1b7$_N@B0C2R-NLCvYD zrxqA2QZ}6T^{33+wQ51STRC_vH}q$?%`_GbP24P=^5~)Bi}i7T{&9$1{IxsIH*%ky z+svkEIRYzQZTncZQ2bo@*^ArQE{UgLTFQ}c ztHqMHh8!|Iw=|d2{Y`v|Me4+?O?fWaf5YCKmK8S8-yLyjt$>-(87}d|TtbP*WoO zk+pl@!mi;G(VeY$=igi}R-RZ~ra8V>R*3%I)2@lQILCM672OH&(=B)|qDh?Ms@Pn&~=a-}M|?D}0YztxwAE z{TTlD_~e&;ztvtioL#!xd5Ms5T|fU>$8qo0)~SpUeV&lNhw_|5HteN=L- z^M|fA3f>|qMGak5zIwN>=AUVqBjB(7-}-=!`o>8MEa(5*Zf4)+A+3-v&Th0!ba%YK z4)ynEZPo`n9;%z1chGM0r;3MuEN2|#jV9Q@lB@|%+!sjo^{963Qy?$^kVJ$Wt9F%JbAKn+_4)U z&9gFEA9FA8wR*AdnP>h*#e?aSXU+L_w>I6J!gHGqduB{5@NL=mm!t%|U^3p-}>Ma__cAGmwNsy zzkuhn_C^aGi?Ubmw{LuDKK;>gbM5~7HaVW#EawHB`e=Or)O)6T@~duXD(;n@Y!pA= z<=xbk{fqLiy6zPfe(3PM$Msu>j>HuIw&3q`Xa2Hv5wnswmMzgSG4|4K=@{$A@3WOt zlzGxKE)K{rvB^4qA0@@{@Lue8Lbbm7^*i^vONWxKXHAG|c|fi@*)B58oWRJS(kCkKbSP ww{E-gwL6WEr-*YEZ}52hvNncI;1%QgNW0R@E+#iJeb*i^-ckR~+cwS`09DV!dH?_b literal 0 HcmV?d00001 diff --git a/secrets/authelia/session.age b/secrets/authelia/session.age new file mode 100644 index 0000000..f8cead9 --- /dev/null +++ b/secrets/authelia/session.age 
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg s4bJfm5nhl8dESl1yXgQFkCT2nJdKeMVhOC10Z1e1TE
+m1MEBzSr/GZRdNrw2ceFFVjFfcVOdO3D8dxsg4x/lUU
+-> ssh-ed25519 n8n9DQ GwPbYmxKFHZ/JJtJV5o/MSi2mYyJtpupT6TF/QAUAjI
+FZ0WMuYfq3e8Kcp7DAI6kkHVavfVFNm4mIwGbaw1VWk
+-> ssh-ed25519 BTp6UA QcXiF+NIbadObCT3jK7KnVluDqjFev+XA5xQJwk2cA4
+/FKzec70a9cuKq3FStESSwbbgUi3Zf5k5xfa45eMB5g
+--- lwDjO24aMTssxFfekozBYCnigZJ7ztklFwFh0Gn10pA
+ cPvqT_Kt ``\1_0^SBQ8ސu}EϬ3{))<3uwCjR#@g0xk T8RUn$
+泵
\ No newline at end of file
diff --git a/secrets/authelia/storage.age b/secrets/authelia/storage.age
new file mode 100644
index 0000000..b5df178
--- /dev/null
+++ b/secrets/authelia/storage.age
@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg /Ywa18VQyXbCgwIBWGRDB0m9mNd7TtQH4HEQvJpxLkU
+NdigMBP4yDz1v6Q8OXGu7lOd4JpxnBJuaWj5xgz/I/w
+-> ssh-ed25519 n8n9DQ yAQO33Csz6+h8dEKmOvVbZUgxN+nPY6+OvE2W3wBNmI
+5v8JM8vHAmWUlnYiK+eBhp+BIKwbGSOS4UzFpxuvzEo
+-> ssh-ed25519 BTp6UA VnmGREd7Rn1c4sYJRo85cvnuH1QBTQxG6P+c/tdat1M
+0TBJ+a1BBtFBo4beFx5671hIq/pluFJ9wiUK59dZEc0
+--- qzbsERkRBc+PLfAg8/+MiwO2Rh2bWQi6YD0B1QiyzJ0
+rateX PZ !Y*a;Y&
+e4Uz )2 ʒ>8SozR@(UҴrܹ$UVw
\ No newline at end of file
diff --git a/secrets/default.nix b/secrets/default.nix
index d3899e0..3060baa 100644
--- a/secrets/default.nix
+++ b/secrets/default.nix
@@ -1,5 +1,12 @@
 {
 age.secrets = {
+ authelia-jwt.file = ./authelia/jwt.age;
+ authelia-storage.file = ./authelia/storage.age;
+ authelia-session.file = ./authelia/session.age;
+ authelia-oidc-issuer-privatekey-pem.file = ./authelia/oidc-issuer-privatekey-pem.age;
+ authelia-oidc-issuer-privatekey-crt.file = ./authelia/oidc-issuer-privatekey-crt.age;
+ authelia-lldap-bind-user-pass.file = ./authelia/lldap-bind-user-pass.age;
+
 lldap-user-pass.file = ./lldap/user-pass.age;
 };
 }
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index bd2da37..5439a8e 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
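Review bot: `authelia-oidc-issuer-privatekey-crt.file` is registered in this hunk (and given recipients in secrets/secrets.nix) but nothing in machines/gerd/services/authelia.nix reads it or sets its owner, so the certificate is decrypted on the host without a consumer and with whatever default owner the secrets module applies. Either drop the entry until something uses it or add a comment stating the intended reader, e.g. `# public certificate for the OIDC issuer key; not yet referenced by the authelia module`. If this file is imported by every machine rather than only gerd (not visible here), each host will attempt to decrypt all of these per-service entries, which is worth noting at the top of the `age.secrets` set.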
@@ -10,5 +10,12 @@ let defaultAccess = users ++ systems; in { + "authelia/jwt.age".publicKeys = defaultAccess; + "authelia/storage.age".publicKeys = defaultAccess; + "authelia/session.age".publicKeys = defaultAccess; + "authelia/oidc-issuer-privatekey-pem.age".publicKeys = defaultAccess; + "authelia/oidc-issuer-privatekey-crt.age".publicKeys = defaultAccess; + "authelia/lldap-bind-user-pass.age".publicKeys = defaultAccess; + "lldap/user-pass.age".publicKeys = defaultAccess; }
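Review bot: all six new authelia entries use `publicKeys = defaultAccess`, which the context line shows is `users ++ systems`, so every system host key in that list can decrypt the OIDC issuer private key and the LDAP bind password although only gerd (per the commit subject) consumes them. Least privilege is to scope the service-specific secrets to the admin user keys plus the one host that runs the service, e.g. `"authelia/oidc-issuer-privatekey-pem.age".publicKeys = users ++ [ <gerd-host-key> ];` with the placeholder replaced by whatever per-host binding the `let` block provides — that block and the key lists are outside this hunk, so it may need a new binding. The same applies to `authelia/lldap-bind-user-pass.age`, `authelia/storage.age`, `authelia/session.age` and `authelia/jwt.age`.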