From abf8f95a34da90dbb3296bb0845226ff84837484 Mon Sep 17 00:00:00 2001
From: Jakob Lechner
Date: Tue, 3 Dec 2024 22:45:57 +0100
Subject: [PATCH] Add authelia
---
 machines/raven/secrets.yaml | 9 ++--
 machines/raven/services/authelia.nix | 71 ++++++++++++++++++++++++++++
 machines/raven/services/default.nix | 1 +
 3 files changed, 78 insertions(+), 3 deletions(-)
 create mode 100644 machines/raven/services/authelia.nix
diff --git a/machines/raven/secrets.yaml b/machines/raven/secrets.yaml
index 102766e..f20282e 100644
--- a/machines/raven/secrets.yaml
+++ b/machines/raven/secrets.yaml
@@ -5,6 +5,9 @@ asterisk-voicemail: ENC[AES256_GCM,data:4/Kbt/XMUGIIVpF9/KIMIi/Gx344dIleieVWch5J
 prometheus-htpasswd: ENC[AES256_GCM,data:kUU0TqnVxQ8jLfjUpBje3eGxJw+ItD/YSNhiny1XPM0PDksnOO8Ecbyqm9W5p3WZIFc+h/FH1AsyNdhXdAhbgMNNxjebq2PNbJr/DeMWTxuf1D9q5iYpDrFGuK6r65DeCPvwN1tlTKkzJnLCqy3LLWbziANplMpmoUL7Ay3S2r5UQNgl4QIL,iv:o23da3kSbMAiF6H3zgja95As89aDK/+jWofvw9ZIjj8=,tag:VPB9YD33Xuk8IKxoBVEXdQ==,type:str]
 unpoller-password: ENC[AES256_GCM,data:nvbKOzS657tfumP93kNAD2Edw3+BN3xQ,iv:FZ169TIyHrhazji+b2V4o0XvyzqwNelnR4TkKXuNqWg=,tag:62Y1LTlI+2KdSjq8dHiuSQ==,type:str]
 nextcloud-adminpass: ENC[AES256_GCM,data:8yX92evqkh5XDuKaPdaOxXX474mE2m5b,iv:2gKYS2s2oW0s4hhug6Y8n+8M9YMxIzcTLAp5gbktfkQ=,tag:eoT892rpSKvReve4Au+uSA==,type:str]
+authelia:
+ jwtSecret: ENC[AES256_GCM,data:SvFGmrW+eYQr3J9xRpo1IT2H54eX58+Li+aT461bwjS0B6cswlLF/l8O2lRduLghXy80bQDYFOzfO8t0ENowhA==,iv:0jODFRL/ic07B8hLY/6LhY/ll+2uYyKbJJZAV2aZ6sw=,tag:oyTdsbRdzheq1VJRg9/PYw==,type:str]
+ storageEncryptionKey: ENC[AES256_GCM,data:4v2mpLvi3hRfQJCgek7RZmF/y0zb9WjQewckpp8IAOqq+YggFA2QLoDJW1fIINLNe0ACuPBdVCKQlgqt3ecqXQ==,iv:1qOSty0pNXCW5R4vSH4HTSAvQu/YelKVXUQqWfPcFhM=,tag:WZ7oDQSVn44jVyppeMQYUg==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -20,8 +23,8 @@ sops:
 T2VuTEpzYmhESnJZTW5IS3orRk44ODAK/KBOctiKRH5y/zuI4sIKNK9nze6aDOmc
 Eg7zjCXX3hvmowFt45rMKODJ56Dy6uJEgu6OWMWV2M87CphyHKA5fg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-12-03T21:52:11Z"
- mac: ENC[AES256_GCM,data:z4hl4FIVp9ZfsmEEv8ZkK6K5ndI0jMuumrLUtdhNsb9YFvwS+YIrqcdqytV1e2DSb5mlogN5L50ioCAhDljA15pKTUpu3LJRSfTS1b5U/dYZyZu6+PywlPOmSVYjCMP3E4nGuUR4n/gE2Z76Pt0FBI14PAph/iTeF90f64rYDv4=,iv:3IWUOUaH4Yh/g1D57b/u/C2vBR2dPH7Ma24CI0hAmas=,tag:2KIeAbZfOuORO3GmV3drpA==,type:str]
+ lastmodified: "2024-12-03T21:53:44Z"
+ mac: ENC[AES256_GCM,data:HFbHfL1i24LyNx+5QYgcMmBUwfQeZscdPFQHlgtJcM9Tsx/Y0wyn2B/veYR30GepQ0CBhC0IKsBDfL4K6AooqkhhBKHTVBINTn4ec9yholIJoepn4OmM4A6CE3xEkyE/PQwTEtABbJkMeUbLuZ1FcLYSo0vXfe4Jvs79o/svivk=,iv:lYZyVlvBuZrP7wzWWh+hJ1nlUXsLKQHpFhOZuXdQtqA=,tag:uxRhOkrjRFVhJYPsahxEFw==,type:str]
 pgp:
 - created_at: "2024-09-24T19:30:34Z"
 enc: |-
@@ -55,4 +58,4 @@ sops:
 -----END PGP MESSAGE-----
 fp: 47E7559E037A35652DBBF8AA8D3C82F9F309F8EC
 unencrypted_suffix: _unencrypted
- version: 3.8.1
+ version: 3.9.1
diff --git a/machines/raven/services/authelia.nix b/machines/raven/services/authelia.nix
new file mode 100644
index 0000000..f46fb31
--- /dev/null
+++ b/machines/raven/services/authelia.nix
@@ -0,0 +1,71 @@
+{ config, ... }:
+
+let
+ domain = "authelia.fablab-nea.de";
+ cfg = config.services.authelia.instances.default;
+ port = 9001;
+in
+{
+ sops.secrets."authelia/jwtSecret" = {
+ sopsFile = ../secrets.yaml;
+ owner = cfg.user;
+ };
+ sops.secrets."authelia/storageEncryptionKey" = {
+ sopsFile = ../secrets.yaml;
+ owner = cfg.user;
+ };
+ services.authelia.instances.default = {
+ enable = true;
+ settings = {
+ server.address = "tcp://127.0.0.1:${toString port}/";
+ access_control = {
+ default_policy = "one_factor";
+ };
+ notifier.filesystem = {
+ filename = "/var/lib/authelia-${cfg.name}/notif.txt";
+ };
+ storage.postgres = {
+ address = "unix:///run/postgresql";
+ database = "authelia-${cfg.name}";
+ username = "authelia-${cfg.name}";
+ password = "authelia-${cfg.name}";
+ };
+ authentication_backend = {
+ file.path = "/var/lib/authelia-${cfg.name}/user.yml";
+ };
+ session = {
+ cookies = [
+ {
+ domain = domain;
+ authelia_url = "https://${domain}";
+ name = "authelia_session";
+ }
+ ];
+ };
+ };
+ secrets = {
+ jwtSecretFile = config.sops.secrets."authelia/jwtSecret".path;
+ storageEncryptionKeyFile = config.sops.secrets."authelia/storageEncryptionKey".path;
+ };
+ };
+
+ services.postgresql = {
+ ensureUsers = [{
+ name = "authelia-${cfg.name}";
+ ensureDBOwnership = true;
+ }];
+ ensureDatabases = [ "authelia-${cfg.name}" ];
+ };
+
+ services.nginx.virtualHosts."${domain}" = {
+ enableACME = true;
+ forceSSL = true;
+ extraConfig = ''
+ add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
+ '';
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${toString port}";
+ recommendedProxySettings = true;
+ };
+ };
+}
diff --git a/machines/raven/services/default.nix b/machines/raven/services/default.nix
index 3485c4a..20effd4 100644
--- a/machines/raven/services/default.nix
+++ b/machines/raven/services/default.nix
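Review bot: `storage.postgres.password = "authelia-${cfg.name}"` commits a predictable plaintext database credential to the repo, while the connection goes over `unix:///run/postgresql` where the `ensureUsers` entry below presumably lets PostgreSQL authenticate the `authelia-${cfg.name}` system user by peer auth, so the value looks like dead config rather than a real secret. Either drop it, or if Authelia's validator insists on a password for the postgres backend, route it through sops like `jwtSecretFile` and mark it with `# unused: peer auth over the unix socket, see services.postgresql.ensureUsers` so it is not copied into a TCP setup later. Separately, nothing in this file provisions `/var/lib/authelia-${cfg.name}/user.yml` (the file backend's user database holding password hashes), so the instance will presumably not start until it is created out of band; a comment on `authentication_backend` stating how that file is managed and that it must stay owned by `cfg.user` with restrictive permissions would help the next reader. The `notifier.filesystem` choice also means any password-reset or device-registration links are written in plain text to `notif.txt`; a one-line comment saying whether that is intentional for this setup or a placeholder for an SMTP notifier would make the trade-off explicit.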
@@ -1,6 +1,7 @@
 {
 imports = [
 ./asterisk.nix
+ ./authelia.nix
 ./colorchord.nix
 ./dnsmasq.nix
 ./dyndns.nix