gerd.authelia: add initial authelia configuration

It is one big mess, and I'm unsure what is and what isn't needed.

machines/gerd/services/authelia.nix

@@ -0,0 +1,73 @@
+{ config, ... }:
+
+let
+  autheliaStateDir = "/var/lib/authelia-main";
+in {
+  services.authelia.instances.main = {
+    enable = true;
+
+    environmentVariables.AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.age.secrets.authelia-lldap-bind-user-pass.path;
+    secrets = {
+      jwtSecretFile = config.age.secrets.authelia-jwt.path;
+      storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
+      sessionSecretFile = config.age.secrets.authelia-session.path;
+      oidcIssuerPrivateKeyFile = config.age.secrets.authelia-oidc-issuer-privatekey-pem.path;
+    };
+
+    settings = {
+      access_control.default_policy = "one_factor";
+      session.domain = "fricloud.dk";
+
+      storage.local.path = "${autheliaStateDir}/authelia.sqlite3";
+      notifier.filesystem.filename = "${autheliaStateDir}/authelia_notifier.txt";
+
+      authentication_backend = {
+        password_reset.disable = false;
+        refresh_interval = "1m";
+
+        ldap = {
+          implementation = "custom";
+
+          # address in the future
+          url = "ldap://localhost:${builtins.toString config.services.lldap.settings.ldap_port}";
+          timeout = "5s";
+          start_tls = false;
+
+          base_dn = "dc=fricloud,dc=dk";
+          additional_users_dn = "ou=people";
+          users_filter = "(&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))";
+          additional_groups_dn = "ou=groups";
+          groups_filter = "(member={dn})";
+
+
+          display_name_attribute = "displayName";
+          username_attribute = "uid";
+          group_name_attribute = "cn";
+          mail_attribute = "mail";
+
+          user = "uid=bind_user,ou=people,dc=fricloud,dc=dk";
+        };
+      };
+    };
+  };
+
+  services.nginx.virtualHosts."auth.fricloud.dk" = {
+    forceSSL = true;
+    enableACME = true;
+    locations."/".proxyPass = "http://localhost:${builtins.toString config.services.authelia.instances.main.settings.server.port}";
+  };
+
+  # persistent files
+  environment.persistence.root.directories = [
+    autheliaStateDir
+  ];
+
+  # setup secrets for authelia
+  age.secrets = {
+    authelia-jwt.owner = "authelia-main";
+    authelia-storage.owner = "authelia-main";
+    authelia-session.owner = "authelia-main";
+    authelia-oidc-issuer-privatekey-pem.owner = "authelia-main";
+    authelia-lldap-bind-user-pass.owner = "authelia-main";
+  };
+}

secrets/authelia/jwt.age

@@ -0,0 +1,9 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg 2i+hCYHZQ8bEtQJWnazPdAkDky907gzu1tMod6tIUkQ
+c7AoKQEZERJziS+b89OP9v3j5BFG1FTcc5yK4U7wHtg
+-> ssh-ed25519 n8n9DQ O1jM3fRClKiKGaJig/u+APxwi/MzIvs7l/HC+rDiQiw
++0VQR4gO/rxXZJRjfv/t+mfaDi0kUioTom8OoNoFDio
+-> ssh-ed25519 BTp6UA 93ld1x4OCnO4GshJz3Hf7mB2jFVGYqZQ8AwvB7cOqzg
+AMFa8ueIf3Fz8VQpWWrS6ncfrh+pdsU7RMR3ZjA8KLE
+--- qDtFEysXwYfNfu63ufZFt2lARP72Gkx0Kp6zs81VkT8
+Oj´}¼4VfĬj¢Ç\cBÁ!9ÏìÚYÚ¨­Ô(ìd2©\bÙs5…ïâ2ËhTRœ@êg¼ªÔ·®•„kì9¹S<½wq~ÕÞ%)º^B ÎõJS­ @Å©x±Í‘1[†Ì0œá>

secrets/authelia/session.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg s4bJfm5nhl8dESl1yXgQFkCT2nJdKeMVhOC10Z1e1TE
+m1MEBzSr/GZRdNrw2ceFFVjFfcVOdO3D8dxsg4x/lUU
+-> ssh-ed25519 n8n9DQ GwPbYmxKFHZ/JJtJV5o/MSi2mYyJtpupT6TF/QAUAjI
+FZ0WMuYfq3e8Kcp7DAI6kkHVavfVFNm4mIwGbaw1VWk
+-> ssh-ed25519 BTp6UA QcXiF+NIbadObCT3jK7KnVluDqjFev+XA5xQJwk2cA4
+/FKzec70a9cuKq3FStESSwbbgUi3Zf5k5xfa45eMB5g
+--- lwDjO24aMTssxFfekozBYCnigZJ7ztklFwFh0Gn10pA
+cïPvýqÕÿ
œæT‰Ï_Kt
``\˜–1_Ô0^S¬ô’BQ8Þ<38>u’Ã}òEËÒϬ¿â3{))š<3®uwCµ‹jëý„R ¡ÏÉ#û@g0xk T
Í8ÊR<C38A>U
n·¨$
+æ³µ

secrets/authelia/storage.age

@@ -0,0 +1,10 @@
+age-encryption.org/v1
+-> ssh-ed25519 QSDXqg /Ywa18VQyXbCgwIBWGRDB0m9mNd7TtQH4HEQvJpxLkU
+NdigMBP4yDz1v6Q8OXGu7lOd4JpxnBJuaWj5xgz/I/w
+-> ssh-ed25519 n8n9DQ yAQO33Csz6+h8dEKmOvVbZUgxN+nPY6+OvE2W3wBNmI
+5v8JM8vHAmWUlnYiK+eBhp+BIKwbGSOS4UzFpxuvzEo
+-> ssh-ed25519 BTp6UA VnmGREd7Rn1c4sYJRo85cvnuH1QBTQxG6P+c/tdat1M
+0TBJ+a1BBtFBo4beFx5671hIq/pluFJ9wiUK59dZEc0
+--- qzbsERkRBc+PLfAg8/+MiwO2Rh2bWQi6YD0B1QiyzJ0
+<EFBFBD>ra•ËteX
PœZ¥Á	Ê!Y *ð§aþ™ß;‰í±ˆYöÏá&¶
+eñ4<>¡¹ÿéì¥UÉz )ºº2«
 Ê’ «¤>íº8SßozRÈÁ@·Âè(UÒ´rܹË$åUVóÆßäw

secrets/default.nix

@@ -1,5 +1,12 @@
 {
   age.secrets = {
+    authelia-jwt.file = ./authelia/jwt.age;
+    authelia-storage.file = ./authelia/storage.age;
+    authelia-session.file = ./authelia/session.age;
+    authelia-oidc-issuer-privatekey-pem.file = ./authelia/oidc-issuer-privatekey-pem.age;
+    authelia-oidc-issuer-privatekey-crt.file = ./authelia/oidc-issuer-privatekey-crt.age;
+    authelia-lldap-bind-user-pass.file = ./authelia/lldap-bind-user-pass.age;
+
     lldap-user-pass.file = ./lldap/user-pass.age;
   };
 }

secrets/secrets.nix

@@ -10,5 +10,12 @@ let
   defaultAccess = users ++ systems;
 in
 {
+  "authelia/jwt.age".publicKeys = defaultAccess;
+  "authelia/storage.age".publicKeys = defaultAccess;
+  "authelia/session.age".publicKeys = defaultAccess;
+  "authelia/oidc-issuer-privatekey-pem.age".publicKeys = defaultAccess;
+  "authelia/oidc-issuer-privatekey-crt.age".publicKeys = defaultAccess;
+  "authelia/lldap-bind-user-pass.age".publicKeys = defaultAccess;
+
   "lldap/user-pass.age".publicKeys = defaultAccess;
 }