From ad68106bd3dbcb82489f923f16fb6412a2ad2ddb Mon Sep 17 00:00:00 2001 From: Adrian G L Date: Tue, 3 Feb 2026 12:59:50 +0100 Subject: [PATCH] authelia --- hosts/galadriel/configuration.nix | 1 + modules/authelia.nix | 41 ++++++++++++++++++++++++++++--- secrets/secrets.yaml | 5 ++-- 3 files changed, 41 insertions(+), 6 deletions(-) diff --git a/hosts/galadriel/configuration.nix b/hosts/galadriel/configuration.nix index 0a6f11f..7f9909b 100644 --- a/hosts/galadriel/configuration.nix +++ b/hosts/galadriel/configuration.nix @@ -30,6 +30,7 @@ ../../modules/develPackages.nix ../../modules/vaultvarden.nix + ../../modules/authelia.nix ../../modules/jellyfin.nix ../../modules/jupyterhub.nix ../../modules/qbittorrent.nix diff --git a/modules/authelia.nix b/modules/authelia.nix index b5db883..222ffe1 100644 --- a/modules/authelia.nix +++ b/modules/authelia.nix 
@@ -5,18 +5,51 @@ ... }: { - sops.secrets."authelia/jwtSecretFile" = { }; - sops.secrets."authelia/storageEncryptionKeyFile" = { }; + sops.secrets."authelia/usersFile" = { + owner = "authelia-main"; + group = "authelia-main"; + mode = "0400"; + }; sops.secrets."authelia/jwtSecretFile" = { + owner = "authelia-main"; + group = "authelia-main"; + mode = "0400"; + }; + sops.secrets."authelia/storageEncryptionKeyFile" = { + owner = "authelia-main"; + group = "authelia-main"; + mode = "0400"; + }; + services.authelia.instances.main = { enable = true; secrets.storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKeyFile".path; secrets.jwtSecretFile = config.sops.secrets."authelia/jwtSecretFile".path; + settings = { theme = "dark"; default_2fa_method = "totp"; - log.level = "warning"; + log.level = "warn"; server.disable_healthcheck = false; - }; + server.address = "tcp://0.0.0.0:9091/"; + authentication_backend = { + file = { + path = lib.mkDefault = config.sops.secrets."authelia/usersFile".path; + }; + }; + access_control = { + default_policy = "one_factor"; + }; + storage = { + local = { + path = lib.mkDefault "/var/lib/authelia/main/db.sqlite3"; + }; + }; + notifier = { + filesystem = { + filename = lib.mkDefault "/var/lib/authelia/main/notification.txt"; + }; + }; + }; }; } diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index a9227f2..3935378 100644 --- a/secrets/secrets.yaml +++ b/secrets/secrets.yaml 
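Review bot: The added line `path = lib.mkDefault = config.sops.secrets."authelia/usersFile".path;` under `authentication_backend.file` has a stray `=` after `lib.mkDefault`, so the module will not parse as written; it should read `path = lib.mkDefault config.sops.secrets."authelia/usersFile".path;` (the function's argument set starts outside the hunk, so confirm `lib` is among the arguments). `access_control.default_policy = "one_factor"` with no `rules` means every request is granted on a password alone, even though `default_2fa_method` is set to TOTP; `default_policy = "two_factor";`, or `"deny"` together with explicit rules, is the safer default. `server.address = "tcp://0.0.0.0:9091/"` listens on every interface; if the portal is only reached through a reverse proxy on this host (not visible in this diff), `server.address = "tcp://127.0.0.1:9091/";` keeps the plain-HTTP listener off the network. The users file is a sops secret with mode `0400`, so password changes or resets made through the portal presumably cannot be persisted; a comment saying that users are managed only through `secrets/secrets.yaml` would make that explicit.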
@@ -23,6 +23,7 @@ ai: authelia: storageEncryptionKeyFile: ENC[AES256_GCM,data:zP2i8Ni6MqHpAJeVdcxr6V0eCXobcgbTyu6cDxsi4x4eG2HIFv7waxsCsa+erQgOf5g8+T5c7kIOa99Z5+Zq3kLAhGrIMqtZxn44oemw5Wl2U4ION2yZTdo/C8otpZMqu9rC9l+k4K3XiKN1Aqhyglx9TXNG6FgS8ygx5aBIBwUM,iv:spQdJ3otiZynCleiCG+u3mk/K3axKrfNtSOCzCGnnWQ=,tag:bMbjwOMCxi/+t+x0Xy0jnQ==,type:str] jwtSecretFile: ENC[AES256_GCM,data:gVRyazB5RZ0fVrZ5/8eUuvJjdPBxjQg0vOrhXvgnv07sawti5Wj350UPBlBKthlvya8V6gZdBSl+Aj1nllP1Fl1tC8hDYb93ZmJdHo6CTicsu9lkMvWWfLe112Dhuptbg5AQAlWLu5TpjSGMT4UfXpLlKYdrzaDnIcWBAVn8k9lN,iv:hcHrAK/squwRyXQCx8pJXxVpq+KtcRwCqJ1NQpHpnL0=,tag:eQdM0gzYNw3/TfDBJYrkdg==,type:str] + usersFile: ENC[AES256_GCM,data:uJ03GLDPWWCeTV/FQNdkLfpQiG4FeoP5LnfuW8isHDT2dYhTnDZ7bTb3kTH0lps+79mUF5puaX3XrUO0J1cUV3EjkJkgH/FMnQ7D2mA2jJBCjmvnVerwRDtNJXiwtoM7a5N6RQl9stwDCZE7ODGs9YIqg//HQME73K+l4Hp/thA08GKG/ionT+f7ljlM+yL++guNtp/l5dPZS8/OXfTMBL9jtLlG7AmXbE9hoWcdqGK3OLxGWGdzrxkdQByvDrIxYu9i77o+NMRx0JU1LN8UpMQAYVqmBnbln/zNj5m5iuoa5cwpTKvG5rI=,iv:Iwz5tiUZ8Hr4ywjdkEXvA5cl5TZeyz24BVzMmm8q1vg=,tag:PdXguz6B7cpvUjzzMRlsTA==,type:str] vaultwarden: environmentFile: ENC[AES256_GCM,data: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,iv:n41XecN53vEw2xzCO+gS46TwH7Qy08Hra2NFJNHTEHg=,tag:4ypcVk6TvJbDoG11A5miCw==,type:str] openvpn: 
@@ -52,7 +53,7 @@ sops: TEhuRFBFQUppVjFKL3JKa0ozNmRLcTAKDrrS8mpHoQoZ54VkY+SYbjoE6AS0fLjc uHuFCrUWqQIwfqHXGlXn7EPUweTfwQ7Od+4JeVp1GbgNLIyH5xNN1g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-01-30T16:10:56Z" - mac: ENC[AES256_GCM,data:k4xzmrHO6k1kt4XJ/w4I0YuGP+xjRuwLXueXnSVdXMNoZMAUv+0n0U1bkPGaNi2iyAc8pW/8gwG6dP2CeDS7+9EPCTLa2/BETI85M2kQYonN2STLakUmFltOE6RuxAfxbokZxZOv9qZRwyIFXeIYZeQDtUg5s0ygEql5zQ/s3FI=,iv:Q4+4314QmjOgjCBIZ4cqPBLtQFm8XR6Vdexk6cwLUTg=,tag:mDiQ0nqmxvIq1uE/I1PRKA==,type:str] + lastmodified: "2026-02-03T11:56:50Z" + mac: ENC[AES256_GCM,data:cQuN3XRdN34ZH0VJ6j5JtqgQGJq9r7WqcemaHCLx3tCFnaXU0tOjjDB5ICfJPS+K6E1+noydmEeJqeTrVInsxeK/8QQDibKTragiY9Awk6rz3lY/xmaBQJ0sz2O8YO9M7/eqekJ3Vc58eol/mknDXYfSSbfQBnMV3aLBSqXnL7g=,iv:gfrgZi0CU+M6xLHEAFPYE8yc4nyd33Yjo+xUDCYkhnQ=,tag:xu5jjIuVtYnMiR5ivEPigQ==,type:str] unencrypted_suffix: _unencrypted version: 3.11.0