feat(deertopia): Foundational Authelia setup

By 'foundational,' I mean that a demo is working correctly.  Work will
continue in a follow-up commit integrating existing services with LDAP
and Authelia. ♥

modules/nixos/deertopia/authelia.nix

@@ -0,0 +1,183 @@
+{ config, lib, pkgs, ... }:
+
+let cfg = config.sydnix.deertopia.authelia;
+in {
+  options.sydnix.deertopia.authelia = {
+    enable = lib.mkEnableOption ''Deertopia's Authelia'';
+    httpPort = lib.mkOption {
+      description = ''
+        The port on which Authelia's web UI will be served.
+      '';
+      type = lib.types.port;
+      default = 9091;
+    };
+    stateDirectory = lib.mkOption {
+      description = ''
+        The directory under which Authelia's general state will be stored.
+      '';
+      type = lib.types.path;
+      default = "/var/lib/authelia-deertopia";
+    };
+    bindUserName = lib.mkOption {
+      description = ''
+        The name of the LDAP user Authelia will bind as.
+      '';
+      type = lib.types.str;
+      default = "authelia";
+    };
+  };
+
+  config = lib.mkIf cfg.enable {
+    sydnix.sops.secrets =
+      let e = {
+            mode = "0600";
+            owner = config.services.authelia.instances."deertopia".user;
+            group = config.services.authelia.instances."deertopia".group;
+          };
+      in {
+        authelia-jwt-secret = e;
+        authelia-session-secret = e;
+        authelia-storage-encryption-key = e;
+        authelia-authentication-backend-ldap-password = e;
+      };
+
+    # I don't think the Authelia NixOS module exposes or even creates any paths
+    # for the service's state.  No big deal, we'll do it ourselves…
+    #
+    # It is obligatory that I mention tmpfiles.d(5) every time this setting is used.
+    systemd.tmpfiles.settings."10-authelia".${cfg.stateDirectory} = {
+      v.user = config.services.authelia.instances."deertopia".user;
+      v.group = config.services.authelia.instances."deertopia".group;
+    };
+
+    # See:
+    #  - https://github.com/authelia/authelia/blob/v4.38.19/config.template.yml
+    #  - https://matwick.ca/authelia-nginx-sso/
+    #  - https://www.gandalfk7.it/posts/20220713_01_sso-with-lldap-authelia-and-nginx/
+    services.authelia.instances."deertopia" = {
+      enable = true;
+      # "Automatic" secrets are seemingly broken and offer little more than
+      # some assertions from the Nix module.
+      secrets.manual = true;
+      environmentVariables = {
+        AUTHELIA_JWT_SECRET_FILE =
+          "/run/secrets/authelia-jwt-secret";
+        AUTHELIA_SESSION_SECRET_FILE =
+          "/run/secrets/authelia-session-secret";
+        AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE =
+          "/run/secrets/authelia-storage-encryption-key";
+        AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+          "/run/secrets/authelia-authentication-backend-ldap-password";
+      };
+      settings = {
+        default_2fa_method = "totp";
+        theme = "auto";
+        server = {
+          address = "tcp://:${builtins.toString cfg.httpPort}";
+          asset_path = "${cfg.stateDirectory}/assets";
+          # Necessary for Nginx integration.  No, I do not understand what it
+          # does.
+          endpoints.authz.auth-request.implementation = "AuthRequest";
+        };
+        authentication_backend =
+          let base-dn = config.services.lldap.settings.ldap_base_dn;
+              ldap-port =
+                builtins.toString config.services.lldap.settings.ldap_port;
+          in {
+            password_reset.disable = false;
+            refresh_interval = "1 minutes";
+            ldap = {
+              implementation = "custom";
+              address = "ldap://127.0.0.1:${ldap-port}";
+              timeout = "5s";
+              start_tls = "false";
+              base_dn = base-dn;
+              additional_users_dn = "ou=people";
+              additional_groups_dn = "ou=groups";
+              groups_filter = "(member={dn})";
+              users_filter = "(&({username_attribute}={input})(objectClass=person))";
+              attributes = {
+                username = "uid";
+                group_name = "cn";
+                mail = "mail";
+                display_name = "displayName";
+              };
+              user = "uid=${cfg.bindUserName},ou=people,${base-dn}";
+            };
+          };
+        access_control = {
+          default_policy = "deny";
+          rules = [
+            {
+              # TODO: Remove this.  It's only used for a quick demo for myself.
+              # The domain choice is arbitrary.  It's just one I happen to have
+              # set up.
+              domain = "ldap.deertopia.net";
+              policy = "one_factor";
+            }
+          ];
+        };
+        session = {
+          name = "authelia_session";
+          same_site = "lax";
+          inactivity = "5 minutes";
+          expiration = "1 hour";
+          remember_me = "1 month";
+          cookies = [
+            {
+              domain = "deertopia.net";
+              authelia_url = "https://auth.deertopia.net";
+              # TODO: Remove this.  It's only used for a quick demo for myself.
+              # The domain choice is arbitrary.  It's just one I happen to have
+              # set up.
+              default_redirection_url = "https://ldap.deertopia.net";
+            }
+          ];
+        };
+        storage.local.path = "${cfg.stateDirectory}/db.sqlite";
+        notifier = {
+          disable_startup_check = false;
+          filesystem.filename = "${cfg.stateDirectory}/notifications";
+        };
+        # Default is false, which prevents anything from showing up when you run
+        # `systemctl status authelia-deertopia`, which is really, really confusing.
+        log = {
+          keep_stdout = true;
+          file_path = "${cfg.stateDirectory}/authelia.log";
+        };
+      };
+    };
+
+    sydnix.deertopia.nginx.vhosts."auth".vhost = {
+      forceSSL = true;
+      enableACME = true;
+      extraConfig = ''
+        set $upstream http://127.0.0.1:${builtins.toString cfg.httpPort};
+      '';
+      locations."/".extraConfig = ''
+        include ${./authelia/proxy.conf};
+        proxy_pass $upstream;
+      '';
+      locations."/api/verify".proxyPass = "$upstream";
+      locations."/api/authz".proxyPass = "$upstream";
+    };
+
+    # TODO: Remove this.  It's only used for a quick demo for myself.  The
+    # domain choice is arbitrary.  It's just one I happen to have set up.
+    sydnix.deertopia.nginx.vhosts."ldap" = {
+      directory = null;
+      vhost = {
+        forceSSL = true;
+        enableACME = true;
+        extraConfig = ''
+          include ${./authelia/authelia-location.conf};
+        '';
+        locations."/".extraConfig = ''
+          include ${./authelia/authelia-authrequest.conf};
+          include ${./authelia/proxy.conf};
+          root /persist/deertopia.net/ldap;
+        '';
+      };
+    };
+  };
+}

modules/nixos/deertopia/authelia/authelia-authrequest.conf

@@ -0,0 +1,34 @@
+# Adapted from https://www.authelia.com/integration/proxies/nginx/#authelia-authrequest
+
+## Send a subrequest to Authelia to verify if the user is authenticated and has permission to access the resource.
+auth_request /internal/authelia/authz;
+
+## Save the upstream metadata response headers from Authelia to variables.
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+
+## Inject the metadata response headers from the variables into the request made to the backend.
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Email $email;
+proxy_set_header Remote-Name $name;
+
+## Configure the redirection when the authz failure occurs. Lines starting with 'Modern Method' and 'Legacy Method'
+## should be commented / uncommented as pairs. The modern method uses the session cookies configuration's authelia_url
+## value to determine the redirection URL here. It's much simpler and compatible with the mutli-cookie domain easily.
+
+## Modern Method: Set the $redirection_url to the Location header of the response to the Authz endpoint.
+auth_request_set $redirection_url $upstream_http_location;
+
+## Modern Method: When there is a 401 response code from the authz endpoint redirect to the $redirection_url.
+error_page 401 =302 $redirection_url;
+
+## Legacy Method: Set $target_url to the original requested URL.
+## This requires http_set_misc module, replace 'set_escape_uri' with 'set' if you don't have this module.
+# set_escape_uri $target_url $scheme://$http_host$request_uri;
+
+## Legacy Method: When there is a 401 response code from the authz endpoint redirect to the portal with the 'rd'
+## URL parameter set to $target_url. This requires users update 'auth.deertopia.net/' with their external authelia URL.
+# error_page 401 =302 https://auth.deertopia.net/?rd=$target_url;

modules/nixos/deertopia/authelia/authelia-location.conf

@@ -0,0 +1,34 @@
+# Adapted from https://www.authelia.com/integration/proxies/nginx/#authelia-locationconf
+
+set $upstream_authelia http://127.0.0.1:9091/api/authz/auth-request;
+
+## Virtual endpoint created by nginx to forward auth requests.
+location /internal/authelia/authz {
+    ## Essential Proxy Configuration
+    internal;
+    proxy_pass $upstream_authelia;
+
+    ## Headers
+    ## The headers starting with X-* are required.
+    proxy_set_header X-Original-Method $request_method;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Forwarded-For $remote_addr;
+    proxy_set_header Content-Length "";
+    proxy_set_header Connection "";
+
+    ## Basic Proxy Configuration
+    proxy_pass_request_body off;
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; # Timeout if the real server is dead
+    proxy_redirect http:// $scheme://;
+    proxy_http_version 1.1;
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 4 32k;
+    client_body_buffer_size 128k;
+
+    ## Advanced Proxy Configuration
+    send_timeout 5m;
+    proxy_read_timeout 240;
+    proxy_send_timeout 240;
+    proxy_connect_timeout 240;
+}

modules/nixos/deertopia/authelia/proxy.conf

@@ -0,0 +1,36 @@
+# Adapted from https://www.authelia.com/integration/proxies/nginx/#proxyconf
+
+## Headers
+proxy_set_header Host $host;
+proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-Host $http_host;
+proxy_set_header X-Forwarded-URI $request_uri;
+proxy_set_header X-Forwarded-Ssl on;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Real-IP $remote_addr;
+
+## Basic Proxy Configuration
+client_body_buffer_size 128k;
+proxy_next_upstream error timeout invalid_header http_500 http_502 http_503; ## Timeout if the real server is dead.
+proxy_redirect  http://  $scheme://;
+proxy_http_version 1.1;
+proxy_cache_bypass $cookie_session;
+proxy_no_cache $cookie_session;
+proxy_buffers 64 256k;
+
+## Trusted Proxies Configuration
+## Please read the following documentation before configuring this:
+##     https://www.authelia.com/integration/proxies/nginx/#trusted-proxies
+# set_real_ip_from 10.0.0.0/8;
+# set_real_ip_from 172.16.0.0/12;
+# set_real_ip_from 192.168.0.0/16;
+# set_real_ip_from fc00::/7;
+real_ip_header X-Forwarded-For;
+real_ip_recursive on;
+
+## Advanced Proxy Configuration
+send_timeout 5m;
+proxy_read_timeout 360;
+proxy_send_timeout 360;
+proxy_connect_timeout 360;

modules/nixos/deertopia/lldap.nix

@@ -20,7 +20,7 @@ in {
 
     sydnix.sops.secrets =
       let e = {
-            mode = "0600";
+            mode = "0440";
             owner = "lldap";
             group = "lldap";
           };
@@ -63,39 +63,5 @@ in {
       enable = true;
       keysZoneName = "auth_cache";
     };
-    sydnix.deertopia.nginx.vhosts."ldap".vhost =
-      let consultant = "http://localhost:9090";
-          port = builtins.toString config.services.lldap.settings.http_port;
-          base-dn = config.services.lldap.settings.ldap_base_dn;
-          nginx-bind-user = "nginx-bind-user";
-      in {
-        forceSSL = true;
-        enableACME = true;
-        locations."/".extraConfig = ''
-          auth_request /auth-proxy;
-          error_page 401 =200 /login;
-          proxy_pass ${consultant};
-        '';
-        locations."/login".extraConfig = ''
-          proxy_pass ${consultant}/login;
-          proxy_set_header X-Target $request_uri;
-        '';
-        locations."= /auth-proxy".extraConfig = ''
-          internal;
-          proxy_pass ${consultant};
-          proxy_pass_request_body off;
-          proxy_pass_request_headers off;
-          proxy_set_header Content-Length "";
-          proxy_cache auth_cache;
-          proxy_cache_valid 200 10m;
-          proxy_cache_key "$http_authorization$cookie_nginxauth";
-          # proxy_set_header X-Ldap-URL "ldap://localhost:${port}";
-          # proxy_set_header X-Ldap-BaseDN "cn=people,${base-dn}";
-          # proxy_set_header X-Ldap-BindDN "cn=${nginx-bind-user},${base-dn}";
-          # proxy_set_header X-Ldap-BindPass "secret123";
-          # proxy_set_header X-CookieName "nginxauth";
-          proxy_set_header Cookie nginxauth=$cookie_nginxauth;
-        '';
-      };
   };
 }

modules/nixos/deertopia/nginx.nix

@@ -38,7 +38,7 @@ in
           };
           directory = lib.mkOption {
             description = "Host's root directory.";
-            type = lib.types.str;
+            type = lib.types.nullOr lib.types.path;
             default = "${cfg.root}/${name}";
           };
           user = lib.mkOption {