msyds/sydnix
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix(authelia,lldap): Persist important state directories

Browse Source
This commit is contained in:
Madeleine Sydney
2025-02-21 18:20:21 -07:00
parent 01d8e5986c
commit a29fcde32d
2 changed files with 139 additions and 145 deletions
Download Patch File Download Diff File Expand all files Collapse all files

280
modules/nixos/deertopia/authelia.nix
View File

@@ -11,13 +11,6 @@ in {
type = lib.types.port; type = lib.types.port;
default = 9091; default = 9091;
}; };
stateDirectory = lib.mkOption {
description = ''
The directory under which Authelia's general state will be stored.
'';
type = lib.types.path;
default = "/var/lib/authelia-deertopia";
};
bindUserName = lib.mkOption { bindUserName = lib.mkOption {
description = '' description = ''
The name of the LDAP user Authelia will bind as. The name of the LDAP user Authelia will bind as.
@@ -27,157 +20,154 @@ in {
}; };
}; };
config = lib.mkIf cfg.enable { config = lib.mkIf cfg.enable
sydnix.sops.secrets = (let authelia-state-dir = "/var/lib/authelia-deertopia";
let e = { in {
mode = "0600"; sydnix.sops.secrets =
owner = config.services.authelia.instances."deertopia".user; let e = {
group = config.services.authelia.instances."deertopia".group; mode = "0600";
}; owner = config.services.authelia.instances."deertopia".user;
in { group = config.services.authelia.instances."deertopia".group;
authelia-jwt-secret = e; };
authelia-session-secret = e; in {
authelia-storage-encryption-key = e; authelia-jwt-secret = e;
authelia-authentication-backend-ldap-password = e; authelia-session-secret = e;
}; authelia-storage-encryption-key = e;
authelia-authentication-backend-ldap-password = e;
};
# I don't think the Authelia NixOS module exposes or even creates any paths sydnix.impermanence.directories = [
# for the service's state. No big deal, we'll do it ourselves… authelia-state-dir
# ];
# It is obligatory that I mention tmpfiles.d(5) every time this setting is used.
systemd.tmpfiles.settings."10-authelia".${cfg.stateDirectory} = {
v.user = config.services.authelia.instances."deertopia".user;
v.group = config.services.authelia.instances."deertopia".group;
};
# See: # See:
# - https://github.com/authelia/authelia/blob/v4.38.19/config.template.yml # - https://github.com/authelia/authelia/blob/v4.38.19/config.template.yml
# - https://matwick.ca/authelia-nginx-sso/ # - https://matwick.ca/authelia-nginx-sso/
# - https://www.gandalfk7.it/posts/20220713_01_sso-with-lldap-authelia-and-nginx/ # - https://www.gandalfk7.it/posts/20220713_01_sso-with-lldap-authelia-and-nginx/
services.authelia.instances."deertopia" = { services.authelia.instances."deertopia" = {
enable = true; enable = true;
# "Automatic" secrets are seemingly broken and offer little more than # "Automatic" secrets are seemingly broken and offer little more than
# some assertions from the Nix module. # some assertions from the Nix module.
secrets.manual = true; secrets.manual = true;
environmentVariables = { environmentVariables = {
AUTHELIA_JWT_SECRET_FILE = AUTHELIA_JWT_SECRET_FILE =
"/run/secrets/authelia-jwt-secret"; "/run/secrets/authelia-jwt-secret";
AUTHELIA_SESSION_SECRET_FILE = AUTHELIA_SESSION_SECRET_FILE =
"/run/secrets/authelia-session-secret"; "/run/secrets/authelia-session-secret";
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE =
"/run/secrets/authelia-storage-encryption-key"; "/run/secrets/authelia-storage-encryption-key";
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
"/run/secrets/authelia-authentication-backend-ldap-password"; "/run/secrets/authelia-authentication-backend-ldap-password";
}; };
settings = { settings = {
default_2fa_method = "totp"; default_2fa_method = "totp";
theme = "auto"; theme = "auto";
server = { server = {
address = "tcp://:${builtins.toString cfg.httpPort}"; address = "tcp://:${builtins.toString cfg.httpPort}";
asset_path = "${cfg.stateDirectory}/assets"; asset_path = "${authelia-state-dir}/assets";
# Necessary for Nginx integration. No, I do not understand what it # Necessary for Nginx integration. No, I do not understand what it
# does. # does.
endpoints.authz.auth-request.implementation = "AuthRequest"; endpoints.authz.auth-request.implementation = "AuthRequest";
}; };
authentication_backend = authentication_backend =
let base-dn = config.services.lldap.settings.ldap_base_dn; let base-dn = config.services.lldap.settings.ldap_base_dn;
ldap-port = ldap-port =
builtins.toString config.services.lldap.settings.ldap_port; builtins.toString config.services.lldap.settings.ldap_port;
in { in {
password_reset.disable = false; password_reset.disable = false;
refresh_interval = "1 minutes"; refresh_interval = "1 minutes";
ldap = { ldap = {
implementation = "custom"; implementation = "custom";
address = "ldap://127.0.0.1:${ldap-port}"; address = "ldap://127.0.0.1:${ldap-port}";
timeout = "5s"; timeout = "5s";
start_tls = "false"; start_tls = "false";
base_dn = base-dn; base_dn = base-dn;
additional_users_dn = "ou=people"; additional_users_dn = "ou=people";
additional_groups_dn = "ou=groups"; additional_groups_dn = "ou=groups";
groups_filter = "(member={dn})"; groups_filter = "(member={dn})";
users_filter = "(&({username_attribute}={input})(objectClass=person))"; users_filter = "(&({username_attribute}={input})(objectClass=person))";
attributes = { attributes = {
username = "uid"; username = "uid";
group_name = "cn"; group_name = "cn";
mail = "mail"; mail = "mail";
display_name = "displayName"; display_name = "displayName";
}; };
user = "uid=${cfg.bindUserName},ou=people,${base-dn}"; user = "uid=${cfg.bindUserName},ou=people,${base-dn}";
}; };
}; };
access_control = { access_control = {
default_policy = "deny"; default_policy = "deny";
rules = [ rules = [
{ {
# TODO: Remove this. It's only used for a quick demo for myself. # TODO: Remove this. It's only used for a quick demo for myself.
# The domain choice is arbitrary. It's just one I happen to have # The domain choice is arbitrary. It's just one I happen to have
# set up. # set up.
domain = "ldap.deertopia.net"; domain = "ldap.deertopia.net";
policy = "one_factor"; policy = "one_factor";
} }
]; ];
}; };
session = { session = {
name = "authelia_session"; name = "authelia_session";
same_site = "lax"; same_site = "lax";
inactivity = "5 minutes"; inactivity = "5 minutes";
expiration = "1 hour"; expiration = "1 hour";
remember_me = "1 month"; remember_me = "1 month";
cookies = [ cookies = [
{ {
domain = "deertopia.net"; domain = "deertopia.net";
authelia_url = "https://auth.deertopia.net"; authelia_url = "https://auth.deertopia.net";
# TODO: Remove this. It's only used for a quick demo for myself. # TODO: Remove this. It's only used for a quick demo for myself.
# The domain choice is arbitrary. It's just one I happen to have # The domain choice is arbitrary. It's just one I happen to have
# set up. # set up.
default_redirection_url = "https://ldap.deertopia.net"; default_redirection_url = "https://ldap.deertopia.net";
} }
]; ];
}; };
storage.local.path = "${cfg.stateDirectory}/db.sqlite"; storage.local.path = "${authelia-state-dir}/db.sqlite";
notifier = { notifier = {
disable_startup_check = false; disable_startup_check = false;
filesystem.filename = "${cfg.stateDirectory}/notifications"; filesystem.filename = "${authelia-state-dir}/notifications";
}; };
# Default is false, which prevents anything from showing up when you run # Default is false, which prevents anything from showing up when you run
# `systemctl status authelia-deertopia`, which is really, really confusing. # `systemctl status authelia-deertopia`, which is really, really confusing.
log = { log = {
keep_stdout = true; keep_stdout = true;
file_path = "${cfg.stateDirectory}/authelia.log"; file_path = "${authelia-state-dir}/authelia.log";
}; };
}; };
}; };
sydnix.deertopia.nginx.vhosts."auth".vhost = { sydnix.deertopia.nginx.vhosts."auth".vhost = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' extraConfig = ''
set $upstream http://127.0.0.1:${builtins.toString cfg.httpPort}; set $upstream http://127.0.0.1:${builtins.toString cfg.httpPort};
''; '';
locations."/".extraConfig = '' locations."/".extraConfig = ''
include ${./authelia/proxy.conf}; include ${./authelia/proxy.conf};
proxy_pass $upstream; proxy_pass $upstream;
''; '';
locations."/api/verify".proxyPass = "$upstream"; locations."/api/verify".proxyPass = "$upstream";
locations."/api/authz".proxyPass = "$upstream"; locations."/api/authz".proxyPass = "$upstream";
}; };
# TODO: Remove this. It's only used for a quick demo for myself. The # TODO: Remove this. It's only used for a quick demo for myself. The
# domain choice is arbitrary. It's just one I happen to have set up. # domain choice is arbitrary. It's just one I happen to have set up.
sydnix.deertopia.nginx.vhosts."ldap" = { sydnix.deertopia.nginx.vhosts."ldap" = {
directory = null; directory = null;
vhost = { vhost = {
forceSSL = true; forceSSL = true;
enableACME = true; enableACME = true;
extraConfig = '' extraConfig = ''
include ${./authelia/authelia-location.conf}; include ${./authelia/authelia-location.conf};
''; '';
locations."/".extraConfig = '' locations."/".extraConfig = ''
include ${./authelia/authelia-authrequest.conf}; include ${./authelia/authelia-authrequest.conf};
include ${./authelia/proxy.conf}; include ${./authelia/proxy.conf};
root /persist/deertopia.net/ldap; root /persist/deertopia.net/ldap;
''; '';
}; };
}; };
}; });
} }

4
modules/nixos/deertopia/lldap.nix
View File

@@ -18,6 +18,10 @@ in {
}; };
users.groups.lldap = {}; users.groups.lldap = {};
sydnix.impermanence.directories = [
"/var/lib/private/lldap"
];
sydnix.sops.secrets = sydnix.sops.secrets =
let e = { let e = {
mode = "0440"; mode = "0440";