From 1454e649815dd9e82b97fef1af8afa7d1f3e50e3 Mon Sep 17 00:00:00 2001
From: eyjhb
Date: Fri, 9 Aug 2024 21:38:40 +0200
Subject: [PATCH] gerd.authelia: add initial authelia configuration

It is one big mess, and I'm unsure what is and what isn't needed.
---
 machines/gerd/services/authelia.nix | 73 ++++++++++++++++++
 secrets/authelia/jwt.age | 9 +++
 secrets/authelia/lldap-bind-user-pass.age | Bin 0 -> 465 bytes
 .../authelia/oidc-issuer-privatekey-crt.age | Bin 0 -> 1498 bytes
 .../authelia/oidc-issuer-privatekey-pem.age | Bin 0 -> 2111 bytes
 secrets/authelia/session.age | 10 +++
 secrets/authelia/storage.age | 10 +++
 secrets/default.nix | 7 ++
 secrets/secrets.nix | 7 ++
 9 files changed, 116 insertions(+)
 create mode 100644 machines/gerd/services/authelia.nix
 create mode 100644 secrets/authelia/jwt.age
 create mode 100644 secrets/authelia/lldap-bind-user-pass.age
 create mode 100644 secrets/authelia/oidc-issuer-privatekey-crt.age
 create mode 100644 secrets/authelia/oidc-issuer-privatekey-pem.age
 create mode 100644 secrets/authelia/session.age
 create mode 100644 secrets/authelia/storage.age

diff --git a/machines/gerd/services/authelia.nix b/machines/gerd/services/authelia.nix
new file mode 100644
index 0000000..61a6088
--- /dev/null
+++ b/machines/gerd/services/authelia.nix
@@ -0,0 +1,73 @@
+{ config, ... }:
+
+let
+ autheliaStateDir = "/var/lib/authelia-main";
+in {
+ services.authelia.instances.main = {
+ enable = true;
+
+ environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-lldap-bind-user-pass.path;
+ secrets = {
+ jwtSecretFile = config.age.secrets.authelia-jwt.path;
+ storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
+ sessionSecretFile = config.age.secrets.authelia-session.path;
+ oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-privatekey-pem.path;
+ };
+
+ settings = {
+ access_control.default_policy = "one_factor";
+ session.domain = "fricloud.dk";
+
+ storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
+ notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";
+
+ authentication_backend = {
+ password_reset.disable = false;
+ refresh_interval = "1m";
+
+ ldap = {
+ implementation = "custom";
+
+ # address in the future
+ url = "ldap://localhost:${builtins.toString config.services.lldap.settings.ldap_port}";
+ timeout = "5s";
+ start_tls = false;
+
+ base_dn = "dc=fricloud,dc=dk";
+ additional_users_dn = "ou=people";
+ users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
+ additional_groups_dn = "ou=groups";
+ groups_filter = "(member={dn})";
+
+
+ display_name_attribute = "displayName";
+ username_attribute = "uid";
+ group_name_attribute = "cn";
+ mail_attribute = "mail";
+
+ user = "uid=bind_user,ou=people,dc=fricloud,dc=dk";
+ };
+ };
+ };
+ };
+
+ services.nginx.virtualHosts."auth.fricloud.dk" = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass = "http://localhost:${builtins.toString config.services.authelia.instances.main.settings.server.port}";
+ };
+
+ # persistent files
+ environment.persistence.root.directories = [
+ autheliaStateDir
+ ];
+
+ # setup secrets for authelia
+ age.secrets = {
+ authelia-jwt.owner = "authelia-main";
+
authelia-storage.owner = "authelia-main"; + authelia-session.owner = "authelia-main"; + authelia-oidc-issuer-privatekey-pem.owner = "authelia-main"; + authelia-lldap-bind-user-pass.owner = "authelia-main"; + }; +} diff --git a/secrets/authelia/jwt.age b/secrets/authelia/jwt.age new file mode 100644 index 0000000..f65b223 --- /dev/null +++ b/secrets/authelia/jwt.age @@ -0,0 +1,9 @@ +age-encryption.org/v1 +-> ssh-ed25519 QSDXqg 2i+hCYHZQ8bEtQJWnazPdAkDky907gzu1tMod6tIUkQ +c7AoKQEZERJziS+b89OP9v3j5BFG1FTcc5yK4U7wHtg +-> ssh-ed25519 n8n9DQ O1jM3fRClKiKGaJig/u+APxwi/MzIvs7l/HC+rDiQiw ++0VQR4gO/rxXZJRjfv/t+mfaDi0kUioTom8OoNoFDio +-> ssh-ed25519 BTp6UA 93ld1x4OCnO4GshJz3Hf7mB2jFVGYqZQ8AwvB7cOqzg +AMFa8ueIf3Fz8VQpWWrS6ncfrh+pdsU7RMR3ZjA8KLE +--- qDtFEysXwYfNfu63ufZFt2lARP72Gkx0Kp6zs81VkT8 +Oj}4VfĬj\cB!9Yڨ(d2\bs52hTR@gԷk9S \ No newline at end of file diff --git a/secrets/authelia/lldap-bind-user-pass.age b/secrets/authelia/lldap-bind-user-pass.age new file mode 100644 index 0000000000000000000000000000000000000000..17aa20f6655ecc899cfeca43957a8852cb4c95d0 GIT binary patch literal 465 zcmZ9_O^%aL003YYu1Jh0m;`s42Fp($EykEopi`#M0S|HahKQ4U9Lnc zc7mtfphFBJ-up0K?;0Vj-5RZLZg_wt)uye$(?PhEtSmIgyc!t@lv<1&e_`Sc2U%Z9 zf)q*%P0*;BJw4@TRZUtj=-^(*57E9+h;^DN6SEPyHHp|o(=O#yzqt+P2ho*jF9#{R ztIu*0C(+0oS6SE~h{Vc-Uf!U=kteFUKeStxr3!*O^>z^-U0-I4p}t@3&r54Jl3}Vz zjZD}A6-ub-GRi52VQ9A;OG{9#>d*}wH_gkepG+nqzX){Lb!K1<4QZJ=2R~z}_V&|X zGb_Hnd-e0AL9cqko4>byU;g?2;osZm55W10`;WgFuit$<`O-D--MJwBY5nNyr|Xr7 MpYcB=^7;MMe?ys`I{*Lx literal 0 HcmV?d00001 
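Review bot: `password_reset.disable = false;` is combined with `notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";`, so password-reset and identity-verification links are written to a plain file inside the persisted state directory instead of being delivered to the user, and anyone with read access to that file can complete a reset for any account. Until an SMTP notifier is configured, `password_reset.disable = true;` keeps that flow off the disk; at minimum the filesystem notifier line deserves a comment such as `# TEMPORARY: dev-only notifier, replace with smtp before exposing auth.fricloud.dk`. Separately, the `auth.fricloud.dk` vhost proxies to Authelia with only `proxyPass`; Authelia relies on the X-Forwarded-* headers to learn the original scheme, host and client address, so `services.nginx.recommendedProxySettings = true;` (or explicit `proxy_set_header` lines in the location) is likely needed for the portal to behave correctly behind this proxy. The `access_control.default_policy = "one_factor";` default is fine for an initial setup but is the single setting that decides what every protected host requires, so it is worth a comment stating that it is intentional.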
diff --git a/secrets/authelia/oidc-issuer-privatekey-crt.age b/secrets/authelia/oidc-issuer-privatekey-crt.age new file mode 100644 index 0000000000000000000000000000000000000000..b64c8058a9c48f4f88e8e51c20d6c40a15abff92 GIT binary patch literal 1498 zcmV<01tt1nXJsvAZewzJaCB*JZZ2{1a!qbkcyDbqcT-YTQ!q<+ zNKpz}Hf2O@D^F@#WoWN-uOnFEvduc}X;SNLOY|Mq+nPZDTTaSyMxKHc4(zQZx!v$@k;DKhxlT z1!-nH%nSBMj{(l#C5EazFwSl}muMuQqsw00=-G$?!~&w?qN*0=w$g!vQcnpKX29H0 z6?_trV)QSuwZdG+CGaI#gG||*DVa3`kq;zEMkYM8Y@cDZW!@|s!;}oh z)KhDx?ave}`+*tFn{p0nZ{BHB;u`=RX+CW|n4|RIeX6WDbtxd#F4O{tC}5G!1iw(& zWa=^Q4feJOVcYf38H`UAxsdiwIA`6X{E{FFnmU;BCbv-@FH~_$!P$;l2-#Nf{FId zh={Ir>Q1M*x=r<}xYYU@xZ$kFyv#x_VLu86n@&hfWFKOel`MPa*C@6=aETOp#V{oJ zDn>WeT(#U^GS#btj8K3+!9h`8B(=z3#;RXCeF`tER%7+Bu9hm>=}4the-dY zA<5D1Xgoa?Tpo~+*)hi-7wSXgR@R{Evy-49B zgferj8Z*;oF_-cpnQbE@S|icqG+EB{*}!|3lUlN<-ubuINen?GHRT<>SnyY3~4}m^Tslo zgnUI~r~fz(;ZEph>DKxO%%SasW(-@KBPVDEI$Z7i#IU&95Ca;EER&grsD)TPjhzBopxeFKoFrs|@I zeWNc7t6G)=81I{25z)=wVV0Z2!IuU&3wAq5*X+0xe~7d|-L!$f4_AYr$bQ|+Ti@4DpeNInlfAR~~`08LAC zmR8L!5KhA1ta|?jp`(!B4Yf_r{$FMUagO)CfyGf0+*lh@BCt1a^nS#T3xD@ZZi%nD zWtbvFA!&z9!Yv*LD0BE^H8~diIiu(leZ#R!$^hoh9@0G5Klfl=C*ZKf>0pVa_(hd| zrc4qfO$7@?ks`U8LGP)yLf$z*M>%UzR&a87SaW$oM0Gc0YC#HdZf-YuPEk;H zQ&?j`cQ$J?Nj7(5W^^+}Q8#ffXHa@^V{1ZCL~LwTS3wFbJ|J^*Xf0)AGBq_ZIUsI0 zZaG9zAY)5$FHJ>hH&-@lQaD3$SaMNrG*3!FN-$_NOL{|5MMXCl6pOgJw%NN80|L1#--P(*c7MOi~NK~OSKL1Hs7Gc|c( zX?F^5P)kmAY)43KZ8=#nPgqf7W_CGwO*J(yWp!*pM^`sDYD98jIBH`^OK%D-EiE8w zOgT4MFGDpqS4mYXR6#OnZbMg3ZbnyTb9i%TR#P@BD^W@>IB9ozFi8plm;*)Z{a&~q zt1K?%dUrHvbT?$)Gw67;u&{Y^{ksKGF%2`=XUyQdfET!sOx@|J81ksc(y6GL#ilQ_ z*L(+LQmT&efXK-i`3f5@2TgMAR)G0>LSjWy+v1q9ZY$_4yp_ttL_}wFnG3u#ad)nKKntVY3%x z;^86auU`EA2o}-$yIxIMzCK2of|hI$sOq-ycDUiYj=j%!Zt0T=GfJg$wI}LK{yq+P zO7OU=0|oZ-Dnu@w*DL&DP1X9NM3amn+%}e9P(sXLf#Z#VZv+Y04F)~$1|q_N+K{gT zBOqV?3mauBtU$j|`s%a%yS;wnyh`{}=v23l&8HR398VMPA(!eq>IO53V-k=d^KtV^ z3o|}q3~-iY#P+KeW3^PmHO{4N2}kT-WH@D!YO-!bYyDR2%N-LiFT5NS5Umz1pJ;Ko 
z_ZCEOrOYzVv|Tc=bcGK$45kwUfZDR6aZuy)1t}gbG1z$0VY^!EX)@0heRB&g6X=My z$K12VLwo3=U0zaN2HBi3dLtiMc!>YI|m=58T;X;%7iy3717qU1ldPT zkQ3!GU)x4J^aM3*Ah=E>PC%^E6DZ6V*z9lxVLGIw1Tp+8R}Csh@9xxDS?zpBp(z+w z;yXuuCi#R29rK8bWX+0dt&I{D{JKL%tO5TkCCkGJ~}3_6kQske(gl4(!^6g!%8fp}l1kl?Hwtb`^SwgN|c zLg|HGC#y%4mcH|R86=xw*yOIBJTHZDv!LlyMCfb4WpvR3T$2vfbnAJ~Ds&f(jhfs- z_*m^A+z11bq*Rwz+Q^Pgsg`Ij=;$YM%J=?o7B==oviG8Q00V!{f%uZaB?~kKskXNh z_OuIPa=Xo|W?MY7tBHL8!cKdrg9`@9o(bVJN9@(Ok+>qCMGqmBTcUeDyU7zI&853T zq!KfJj}OfmRkCO*S*sUY=5=5@_-KD^63PMgM$kW6V|_#LimV_@6l8LMih4~h+tqK( zgq#phEB`ydJSVY|pgEuZw>Ce9NE;w;7Y8z?6}w*$xF_$;Jg-wh!hVx(!9KI{c;QY2 zMmGX%GANrV1&_#%%W`)}c7I}f&8hgqxuwHA?VD%`Pl4q5h>_;t3hHxr0966bfjC1Q zN%5@TDfv%Q>+aYh9(_Q^4bG44}k(g00+wkgfj@Cv9kozCPflm~s=*Ix}8 zNq)vAamX(DN(GAgGH2o!W0ON(#@O*UYG{Sy3!qIp=)UGjZ_y#aXOo(o`rUnL{_k3c za=}8*R@SOh2w|&4=sE1Huk-|Dbb>(2{LGZ@_W8^f<7y+HM>hs=^~UIiMzqZu=0u?U z4_qEca_6cXNznKR~DkKa6ONwztjP|EQ$-^%X--XE&k zDIvWZlQLhQMDCTTkD_nYMZFah;XwC{MfQj+7?e+jQ}>;j`aMJzIvB=l7>JQw(z_d6 zJAwC`BV;2CXK2&oF{YzK!I(&c>GCD>3RdgtDy%u_;*aizQ52|MsNn(Gr9RAi5zkQz z0*fj!)RsR+bZS|voR>ea&Jsk5e9X$%UkxO^OAFW_3OZgZW;QmsqFw!lk`X+byun6= zz+}H4;T%j4t_bHUrjrL^04045kke`$dT*>WB*kktBwq^NMaD8oEcI^GH1*W0^HJm9 zjUm4e?h3&=i?U7|KpEr!T^ej97gF*^UNeCbjTKfu^5{{pUE%D))0$>>E)P!?`z?nf p*4%;Plotwfut?+SeOv|*>H)7=K6TSXG}viPt-v$5f9^{?UOQFK!+HP! literal 0 HcmV?d00001 diff --git a/secrets/authelia/session.age b/secrets/authelia/session.age new file mode 100644 index 0000000..f8cead9 --- /dev/null +++ b/secrets/authelia/session.age 
@@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 QSDXqg s4bJfm5nhl8dESl1yXgQFkCT2nJdKeMVhOC10Z1e1TE +m1MEBzSr/GZRdNrw2ceFFVjFfcVOdO3D8dxsg4x/lUU +-> ssh-ed25519 n8n9DQ GwPbYmxKFHZ/JJtJV5o/MSi2mYyJtpupT6TF/QAUAjI +FZ0WMuYfq3e8Kcp7DAI6kkHVavfVFNm4mIwGbaw1VWk +-> ssh-ed25519 BTp6UA QcXiF+NIbadObCT3jK7KnVluDqjFev+XA5xQJwk2cA4 +/FKzec70a9cuKq3FStESSwbbgUi3Zf5k5xfa45eMB5g +--- lwDjO24aMTssxFfekozBYCnigZJ7ztklFwFh0Gn10pA + cPvqT_Kt ``\1_0^SBQ8ސu}EϬ3{))<3uwCjR#@g0xk T8RUn$ +泵 \ No newline at end of file diff --git a/secrets/authelia/storage.age b/secrets/authelia/storage.age new file mode 100644 index 0000000..b5df178 --- /dev/null +++ b/secrets/authelia/storage.age @@ -0,0 +1,10 @@ +age-encryption.org/v1 +-> ssh-ed25519 QSDXqg /Ywa18VQyXbCgwIBWGRDB0m9mNd7TtQH4HEQvJpxLkU +NdigMBP4yDz1v6Q8OXGu7lOd4JpxnBJuaWj5xgz/I/w +-> ssh-ed25519 n8n9DQ yAQO33Csz6+h8dEKmOvVbZUgxN+nPY6+OvE2W3wBNmI +5v8JM8vHAmWUlnYiK+eBhp+BIKwbGSOS4UzFpxuvzEo +-> ssh-ed25519 BTp6UA VnmGREd7Rn1c4sYJRo85cvnuH1QBTQxG6P+c/tdat1M +0TBJ+a1BBtFBo4beFx5671hIq/pluFJ9wiUK59dZEc0 +--- qzbsERkRBc+PLfAg8/+MiwO2Rh2bWQi6YD0B1QiyzJ0 +rateX PZ !Y*a;Y& +e4Uz )2 ʒ>8SozR@(UҴrܹ$UVw \ No newline at end of file diff --git a/secrets/default.nix b/secrets/default.nix index d3899e0..3060baa 100644 --- a/secrets/default.nix +++ b/secrets/default.nix @@ -1,5 +1,12 @@ { age.secrets = { + authelia-jwt.file = ./authelia/jwt.age; + authelia-storage.file = ./authelia/storage.age; + authelia-session.file = ./authelia/session.age; + authelia-oidc-issuer-privatekey-pem.file = ./authelia/oidc-issuer-privatekey-pem.age; + authelia-oidc-issuer-privatekey-crt.file = ./authelia/oidc-issuer-privatekey-crt.age; + authelia-lldap-bind-user-pass.file = ./authelia/lldap-bind-user-pass.age; + lldap-user-pass.file = ./lldap/user-pass.age; }; } diff --git a/secrets/secrets.nix b/secrets/secrets.nix index bd2da37..5439a8e 100644 --- a/secrets/secrets.nix +++ b/secrets/secrets.nix 
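Review bot: In the secrets/default.nix hunk, `authelia-oidc-issuer-privatekey-crt.file = ./authelia/oidc-issuer-privatekey-crt.age;` declares a secret that nothing in the authelia.nix hunk consumes, so the decrypted certificate is placed on the host without an `owner` and without a reader; either drop the declaration or reference it from the OIDC configuration once that exists. The same hunk adds `lldap-user-pass.file = ./lldap/user-pass.age;`, which is unrelated to the commit subject and whose .age file is not among the files this patch creates; if it is not already in the tree, evaluating `age.secrets` will fail on the missing path. A one-line comment above the block, e.g. `# authelia-* secrets are consumed by machines/gerd/services/authelia.nix`, would make the intended consumer visible from this file.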
@@ -10,5 +10,12 @@ let
 defaultAccess = users ++ systems;
 in {
+ "authelia/jwt.age".publicKeys = defaultAccess;
+ "authelia/storage.age".publicKeys = defaultAccess;
+ "authelia/session.age".publicKeys = defaultAccess;
+ "authelia/oidc-issuer-privatekey-pem.age".publicKeys = defaultAccess;
+ "authelia/oidc-issuer-privatekey-crt.age".publicKeys = defaultAccess;
+ "authelia/lldap-bind-user-pass.age".publicKeys = defaultAccess;
+ "lldap/user-pass.age".publicKeys = defaultAccess;
 }
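Review bot: Every new entry, including `"authelia/oidc-issuer-privatekey-pem.age".publicKeys = defaultAccess;` and `"authelia/jwt.age".publicKeys = defaultAccess;`, is encrypted to `defaultAccess = users ++ systems`, so each host key in `systems` can decrypt the OIDC signing key and the JWT, session and storage secrets even though only gerd runs Authelia. Scoping these six files to the admin user keys plus the gerd host key, e.g. `"authelia/jwt.age".publicKeys = users ++ [ <gerd-host-key> ];` (placeholder; the key is presumably bound in the `let` block above this hunk, which is outside the visible lines), limits the blast radius of any other machine's key being compromised. The `let` that defines `defaultAccess` starts before the hunk, so whether a narrower list already exists there cannot be seen here.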