nullbite/nixfiles
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

rpi4: switch authentication to Authelia

Browse Source
This commit is contained in:
NullBite 2024-07-15 02:20:59 -04:00
parent 87d062036f
commit ef1aa3e37b
Signed by: nullbite
GPG Key ID: 6C4D545385D4925A
1 changed files with 49 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

54
hosts/rpi4/services.nix
View File

@ -22,6 +22,24 @@
mode = "0750"; mode = "0750";
}; };
age.secrets.authelia-users = {
file = ../../secrets/authelia-users.age;
group = "authelia-main";
mode = "0750";
};
age.secrets.authelia-jwt = {
file = ../../secrets/authelia-jwt.age;
group = "authelia-main";
mode = "0750";
};
age.secrets.authelia-storage = {
file = ../../secrets/authelia-storage.age;
group = "authelia-main";
mode = "0750";
};
users.groups.secrets = {}; users.groups.secrets = {};
users.users.acme.extraGroups = [ "secrets" ]; users.users.acme.extraGroups = [ "secrets" ];
@ -61,6 +79,21 @@
8123 8123
]; ];
services.authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = config.age.secrets.authelia-jwt.path;
storageEncryptionKeyFile = config.age.secrets.authelia-storage.path;
};
settings = {
access_control.default_policy = "one_factor";
storage.local.path = "/var/lib/authelia-main/db.sqlite";
session.domain = "protogen.io";
notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
authentication_backend.file.path = config.age.secrets.authelia-users.path;
};
};
services.nginx = { services.nginx = {
enable = true; enable = true;
recommendedProxySettings = true; recommendedProxySettings = true;
@ -73,7 +106,7 @@
virtualHosts = let virtualHosts = let
useACMEHost = "protogen.io"; useACMEHost = "protogen.io";
mkProxy = args@{ upstream ? "http://127.0.0.1:${builtins.toString args.port}", auth ? false, extraConfig ? {}, ... }: mkProxy = args@{ upstream ? "http://127.0.0.1:${builtins.toString args.port}", auth ? false, authelia ? false, extraConfig ? {}, ... }:
lib.mkMerge [ lib.mkMerge [
{ {
inherit useACMEHost; inherit useACMEHost;
@ -86,6 +119,10 @@
(lib.mkIf auth { (lib.mkIf auth {
basicAuthFile = config.age.secrets.htpasswd.path; basicAuthFile = config.age.secrets.htpasswd.path;
}) })
(lib.mkIf authelia {
authelia.instance = "main";
authelia.endpointURL = "https://auth.protogen.io";
})
extraConfig extraConfig
]; ];
@ -98,10 +135,15 @@
# }; # };
# }; # };
mkAuthProxy = port: mkProxy { inherit port; auth = true; }; mkAuthProxy = port: mkProxy { inherit port; authelia = true; };
mkReverseProxy = port: mkProxy { inherit port; }; mkReverseProxy = port: mkProxy { inherit port; };
in { in {
"auth.protogen.io" = {
forceSSL = true;
inherit useACMEHost;
authelia.endpoint.instance = "main";
};
# TODO change all these with a vim macro when i learn how to extend submodules # TODO change all these with a vim macro when i learn how to extend submodules
"changedetection.protogen.io" = mkReverseProxy 5000; "changedetection.protogen.io" = mkReverseProxy 5000;
"firefly.protogen.io" = mkReverseProxy 8083; "firefly.protogen.io" = mkReverseProxy 8083;
@ -119,22 +161,24 @@
"rss.protogen.io" = mkReverseProxy 8082; "rss.protogen.io" = mkReverseProxy 8082;
"blahaj.protogen.io" = mkReverseProxy 8086; "blahaj.protogen.io" = mkReverseProxy 8086;
# octoprint (proxy_addr is 10.10.1.8) # octoprint (proxy_addr is 10.10.1.8)
"print.protogen.io" = lib.mkMerge [ (mkProxy { auth = true; upstream = "http://10.10.1.8:80"; }) "print.protogen.io" = lib.mkMerge [ (mkProxy { authelia = true; upstream = "http://10.10.1.8:80"; })
{ {
locations."/webcam" = { locations."/webcam" = {
proxyPass = "http://10.10.1.8:80$request_uri"; proxyPass = "http://10.10.1.8:80$request_uri";
proxyWebsockets = true; proxyWebsockets = true;
basicAuthFile = config.age.secrets.htpasswd-cam.path; basicAuthFile = config.age.secrets.htpasswd-cam.path;
authelia.method = null;
}; };
}]; }];
# searx auth 8088 (none for /favicon.ico, /autocompleter, /opensearch.xml) # searx auth 8088 (none for /favicon.ico, /autocompleter, /opensearch.xml)
"search.protogen.io".locations."/".return = "302 https://searx.protogen.io$request_uri"; "search.protogen.io".locations."/".return = "302 https://searx.protogen.io$request_uri";
"searx.protogen.io" = let "searx.protogen.io" = let
port = 8088; port = 8088;
in mkProxy { auth = true; inherit port; extraConfig = { in mkProxy { authelia = true; inherit port; extraConfig = {
locations = lib.genAttrs [ "/favicon.ico" "/autocompleter" "/opensearch.xml" ] (attr: { locations = lib.genAttrs [ "/favicon.ico" "/autocompleter" "/opensearch.xml" ] (attr: {
proxyPass = "http://localhost:${builtins.toString port}"; proxyPass = "http://localhost:${builtins.toString port}";
proxyWebsockets = true; proxyWebsockets = true;
authelia.method = null;
extraConfig = '' extraConfig = ''
auth_basic off; auth_basic off;
''; '';
@ -143,7 +187,7 @@
# nbt.sh alias proot.link 8090 # nbt.sh alias proot.link 8090
"nbt.sh" = mkProxy { port = 8090; extraConfig.serverAliases = [ "proot.link" ]; }; "nbt.sh" = mkProxy { port = 8090; extraConfig.serverAliases = [ "proot.link" ]; };
# admin.nbt.sh alias admin.proot.link 8091 auth # admin.nbt.sh alias admin.proot.link 8091 auth
"admin.nbt.sh" = mkProxy { auth = true; port = 8091; extraConfig.serverAliases = [ "admin.proot.link" ]; }; "admin.nbt.sh" = mkProxy { authelia = true; port = 8091; extraConfig.serverAliases = [ "admin.proot.link" ]; };
# create track map todo later # create track map todo later
"uptime.protogen.io" = mkReverseProxy 3001; "uptime.protogen.io" = mkReverseProxy 3001;
"kuma.protogen.io".locations."/".return = "301 https://uptime.protogen.io"; "kuma.protogen.io".locations."/".return = "301 https://uptime.protogen.io";