feat(nix): add authelia and homepage
sbulav committed Nov 12, 2024
1 parent 9c61756 commit 7d23375
Showing 5 changed files with 306 additions and 3 deletions.
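--- a/nix/modules/nixos/containers/authelia/default.nix
+++ b/nix/modules/nixos/containers/authelia/default.nix
@@ -0,0 +1,158 @@
+{
+config,
+lib,
+namespace,
+inputs,
+...
+}:
+with lib;
+with lib.custom; let
+cfg = config.${namespace}.containers.authelia;
+in {
+options.${namespace}.containers.authelia = with types; {
+enable = mkBoolOpt false "Enable authelia nixos-container;";
+cf_secret_file = mkOpt str "secrets/serverz/default.yaml" "SOPS secret to get cloudflare creds from";
+dataPath = mkOpt str "/tank/authelia" "Traefik data path on host machine";
+host = mkOpt str "authelia.sbulav.ru" "The host to serve authentik on";
+domain = mkOpt str "sbulav.ru" "The domain session cookie to protect";
+hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
+localAddress = mkOpt str "172.16.64.103" "With privateNetwork, which address to use in container";
+};
+
+config = mkIf cfg.enable {
+sops.secrets = {
+authelia-env = {
+sopsFile = lib.snowfall.fs.get-file "${cfg.cf_secret_file}";
+uid = 999;
+restartUnits = ["[email protected]"];
+};
+authelia-storage-encryption-key = {
+sopsFile = lib.snowfall.fs.get-file "${cfg.cf_secret_file}";
+uid = 999;
+restartUnits = ["[email protected]"];
+};
+};
+containers.authelia = {
+ephemeral = true;
+autoStart = true;
+
+privateNetwork = true;
+# Need to add 172.16.64.0/18 on router
+hostAddress = "${cfg.hostAddress}";
+localAddress = "${cfg.localAddress}";
+
+# Mounting Cloudflare creds(email and dns api token) as file
+bindMounts = {
+"${config.sops.secrets.authelia-env.path}" = {
+isReadOnly = true;
+};
+"${config.sops.secrets.authelia-storage-encryption-key.path}" = {
+isReadOnly = true;
+};
+
+"/var/lib/authelia-main/users/" = {
+hostPath = "${cfg.dataPath}/users/";
+isReadOnly = false;
+};
+"/var/lib/authelia-main/logs/" = {
+hostPath = "${cfg.dataPath}/logs/";
+isReadOnly = false;
+};
+"/var/lib/authelia-main/storage/" = {
+hostPath = "${cfg.dataPath}/storage/";
+isReadOnly = false;
+};
+};
+config = {...}: {
+systemd.services.authelia-main.serviceConfig.EnvironmentFile = "/run/secrets/authelia-env";
+services.authelia.instances = {
+main = {
+enable = true;
+secrets = {
+storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
+# jwtSecretFile = config.sops.secrets.authelia_jwt_secret_file.path;
+# sessionSecretFile = config.sops.secrets.authelia_session_secret_file.path;
+manual = true;
+};
+
+settings = {
+log = {
+level = "info";
+file_path = "/var/lib/authelia-main/logs/authelia.log";
+};
+authentication_backend = {
+file.path = "/var/lib/authelia-main/users/users_database.yml";
+password_reset.disable = true;
+};
+
+storage.local.path = "/var/lib/authelia-main/storage/db.sqlite3";
+server.disable_healthcheck = true;
+regulation = {
+ban_time = 300;
+find_time = 120;
+max_retries = 3;
+};
+session = {
+domain = "${cfg.domain}";
+expiration = 604800;
+inactivity = 300;
+name = "authelia_session";
+};
+notifier = {
+disable_startup_check = false;
+filesystem = {
+filename = "/var/lib/authelia-main/logs/notification.txt";
+};
+};
+access_control = {
+# default_policy = "deny";
+default_policy = "one_factor";
+rules = [
+{
+domain = "*.sbulav.ru";
+policy = "one_factor";
+}
+];
+};
+};
+};
+};
+networking = {
+firewall = {
+enable = true;
+allowedTCPPorts = [9091];
+};
+# Use systemd-resolved inside the container
+# Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+useHostResolvConf = lib.mkForce false;
+};
+services.resolved.enable = true;
+system.stateVersion = "24.11";
+};
+};
+
+containers.traefik.config.services.traefik.dynamicConfigOptions.http = lib.mkIf config.${namespace}.containers.traefik.enable {
+routers.authelia = {
+entrypoints = ["websecure"];
+rule = "Host(`${cfg.host}`)";
+service = "authelia";
+middlewares = [
+"secure-headers"
+];
+tls = {
+certResolver = "production";
+};
+};
+services.authelia = {
+loadBalancer = {
+passHostHeader = true;
+servers = [
+{
+url = "http://${cfg.localAddress}:9091";
+}
+];
+};
+};
+};
+};
+}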
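Review bot: `default_policy = "one_factor"` in `access_control` (with `# default_policy = "deny";` left commented out directly above it) makes one-factor the fallback for every domain the rules do not match, so the single `*.sbulav.ru` rule is redundant and any further domain routed to this instance is admitted by omission rather than by an explicit decision; a deny default with the allow-list spelled out in `rules` keeps the policy reviewable, `default_policy = "deny";`. The option descriptions and the bind-mount comment are copy-paste leftovers that now mislead: `cf_secret_file` is described as Cloudflare creds, `dataPath` as a Traefik path, `host` as serving authentik, and the `# Mounting Cloudflare creds(email and dns api token) as file` comment sits above mounts of the Authelia env file and storage encryption key; suggested wording `"SOPS file holding the authelia-env and storage-encryption-key secrets"`, `"Authelia data path on host machine"`, `"The host to serve authelia on"`, `# Mount the sops-managed Authelia env file and storage encryption key read-only into the container`. Inside `config = {...}: {` the `config.sops.secrets…path` used for `storageEncryptionKeyFile` resolves to the host's `config` (the inner function binds nothing of its own), which is what makes it line up with the bind mount of the same path above; a one-line comment there would spare the next reader the double-take, `# host config: the secret path is bind-mounted at the same location inside the container`. `[email protected]` in the two `restartUnits` lists looks like a rendering artifact of this page rather than the committed unit name — worth confirming against the source. `inputs` is taken from the module arguments but never used in this file.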
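--- a/nix/modules/nixos/containers/authentik/default.nix
+++ b/nix/modules/nixos/containers/authentik/default.nix
@@ -0,0 +1,88 @@
+# DISABLED, builds too long
+{
+config,
+lib,
+namespace,
+inputs,
+...
+}:
+with lib;
+with lib.custom; let
+cfg = config.${namespace}.containers.authentik;
+in {
+options.${namespace}.containers.authentik = with types; {
+enable = mkBoolOpt false "Enable authentik nixos-container;";
+host = mkOpt str "authentik.sbulav.ru" "The host to serve authentik on";
+hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
+localAddress = mkOpt str "172.16.64.102" "With privateNetwork, which address to use in container";
+};
+}
+# config = mkIf cfg.enable {
+# containers.authentik = {
+# ephemeral = true;
+# autoStart = true;
+# privateNetwork = true;
+# # Need to add 172.16.64.0/18 on router
+# hostAddress = "${cfg.hostAddress}";
+# localAddress = "${cfg.localAddress}";
+# config = {...}: {
+# imports = [
+# inputs.authentik-nix.nixosModules.default
+# ];
+# services.authentik = {
+# enable = true;
+# # The environmentFile needs to be on the target host!
+# # Best use something like sops-nix or agenix to manage it
+# environmentFile = "/run/secrets/authentik/authentik-env";
+# settings = {
+# # email = {
+# # host = "smtp.example.com";
+# # port = 587;
+# # username = "[email protected]";
+# # use_tls = true;
+# # use_ssl = false;
+# # from = "[email protected]";
+# # };
+# disable_startup_analytics = true;
+# avatars = "initials";
+# };
+# };
+# networking = {
+# firewall = {
+# enable = false;
+# allowedTCPPorts = [80];
+# };
+# # Use systemd-resolved inside the container
+# # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+# useHostResolvConf = lib.mkForce false;
+# };
+# services.resolved.enable = true;
+# system.stateVersion = "24.11";
+# };
+# };
+# containers.traefik.config.services.traefik.dynamicConfigOptions.http = lib.mkIf config.${namespace}.containers.traefik.enable {
+# routers.authentik = {
+# entrypoints = ["websecure"];
+# rule = "Host(`${cfg.host}`)";
+# service = "authentik";
+# middlewares = [
+# "secure-headers"
+# ];
+# tls = {
+# certResolver = "production";
+# };
+# };
+# services.authentik = {
+# loadBalancer = {
+# passHostHeader = true;
+# servers = [
+# {
+# url = "http://${cfg.localAddress}:80";
+# }
+# ];
+# };
+# };
+# };
+# };
+# }
+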
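Review bot: The module declares `enable`, `host`, `hostAddress` and `localAddress` but the entire `config` block is commented out, so setting `containers.authentik.enable = true` evaluates to nothing and gives no feedback; either drop the options along with the dead block or make the state visible, e.g. `config = mkIf cfg.enable { assertions = [ { assertion = false; message = "authentik container is disabled (builds too long)"; } ]; };`. `inputs` is bound in the argument set but referenced only inside the comment. The `# DISABLED, builds too long` header would serve better as a short doc comment saying that only the option stubs are live and that the commented section below is the intended container and Traefik wiring kept for later.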
51 changes: 50 additions & 1 deletion nix/modules/nixos/containers/homepage/default.nix
Expand Up @@ -30,7 +30,56 @@ in {
pkgs,
...
}: {
services.homepage-dashboard.enable = true;
networking.hosts = {
"${cfg.hostAddress}" = ["traefik.sbulav.ru"];
};

services.homepage-dashboard = {
enable = true;
# Example https://github.com/notohh/snowflake/blob/647a7f5af9647a2fbb9c46b218e6575c2dcf8828/hosts/yuki/services/homepage/services.nix#L2
widgets = [
{
resources = {
cpu = true;
disk = "/";
memory = true;
};
}
];
services = [
{
"My First Group" = [
{
"My First Service" = {
description = "Homepage is awesome";
href = "http://localhost/";
};
}
];
}
{
"Network" = [
{
"My Second Service" = {
description = "Homepage is the best";
href = "http://localhost/";
};
}

{
"Traefik" = {
icon = "traefik";
href = "https://traefik.sbulav.ru";
widget = {
type = "traefik";
url = "https://traefik.sbulav.ru";
};
};
}
];
}
];
};

networking = {
firewall = {
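Review bot: The `"My First Group"` / `"My First Service"` / `"My Second Service"` entries with `href = "http://localhost/"` and the "Homepage is awesome" descriptions are the upstream example config left in place, and they will be rendered on the dashboard alongside the real Traefik tile; drop the two placeholder services and the now-empty `"My First Group"` group, leaving `"Network"` with only the `"Traefik"` entry. The `# Example https://github.com/...` link pins another repository's commit and belongs in the commit message rather than the module. The new `networking.hosts` entry mapping `cfg.hostAddress` to `traefik.sbulav.ru` deserves a why-comment, presumably `# Resolve traefik.sbulav.ru to the host address so the widget reaches Traefik without leaving the private network — confirm`. The enclosing module function starts before the hunk and continues past it.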
6 changes: 4 additions & 2 deletions nix/secrets/serverz/default.yaml
@@ -1,4 +1,6 @@
traefik-cf-env: ENC[AES256_GCM,data:g7Xw9UM1FeOFh+R0jGmPl9Gipix2WNilkCw30iDutxduhYCRmh3cye4D43Zy5x31kvdHej0pwlaSgEVbDOfBMoeENezrcDnLd3xqZHks75QleXv8Ujqoag==,iv:w/byUzrl/9+qcMnUERmO7RYpk991WbhRtcBJkIQIF1o=,tag:CxFiyegx/ZhzU+CU0Bkabg==,type:str]
authelia-env: ENC[AES256_GCM,data:6fFB2jhyMiGKY/Y/cbel3p9wkEX72OPYHjoEereC7vj6kVH6fne7ctCKFgzZF0bGyET6iS7sh01Xgj+BNCejdSAoqjouoUHBcFc3VE7Vrecg/0LLDjLZ4sc1Fd1ZGLvcPNDTVL0j7UQTBX0MirB1yy4t2s1gNLUvjunwxtglLaAxjDIi541pZb4d9FL/BJ1g76dvGLIlyF4tKssSPSujLls/JrlG3/jbdrmS4sbA+ZI=,iv:eqeV4P1Rw0RxQqs//oYTzEQLyavLfbvKkz2JXs9fkmc=,tag:1rsGSeGVn3c3IYAsfghTXw==,type:str]
authelia-storage-encryption-key: ENC[AES256_GCM,data:ub+rSg3lNyxVJapVhMJBu+9kfG6ToSJSXmgie3qOvlkRZy4oLYdEIvgcie9yZ6CnSAASMLVBX8GSt2XKee8Lbg==,iv:vHNERwAxZ8ndFKANC40GUqt1JF1ivBOPWt70MWgSMso=,tag:yQN8dDoXl6Uqg3VSG3hhUw==,type:str]
sops:
kms: []
gcp_kms: []
Expand All @@ -23,8 +25,8 @@ sops:
SVdkN2htWTBaLy9jdGJ6S0RocE9JMFUK8yejh6yKp+OLsNFXWHUJzvHnwaGI1yXA
Y4F7JY6bhXcu8KJGvjgy08ox+n82V6xY9ov1hwhUlfyIZf4H0/bjuA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-11-09T13:41:56Z"
mac: ENC[AES256_GCM,data:6ytcjeG2iT4+1B047wTuLl9dvbsH8mcB6xiTHE44PlWYDZGkEf4+vMgJNoXJp4XSkeNad+tKqcVLEnNXzX+7EM9D1uFdSlFwF59Z5JIKJcIXW4MqG75DqQXF4hr+BltEW5L4ffDacQPip3FdQL3XSREdPNCTtQhQWfiratKnEg8=,iv:8SeLg69BNaTkKi1tsWGxNPNIZQeSzUiRKaiynqk6sm0=,tag:hImVGNPhuSzHRdsxRm6/nQ==,type:str]
lastmodified: "2024-11-11T15:03:08Z"
mac: ENC[AES256_GCM,data:gIT8+GGrup4dAqVG0iTZDiJV/2vc5H9Gw6OhKqGxWKWLd02awHEvSP54saLGRTOel704UNCSeAvOmttAE1sSCGKCxffFh7rsJnp8U06v9GFNA4A4EmacfjQJ4eVTzETkbTf3OOghkA5NNxiRwAlwmdMVOW2DBp7cxW7O+RuCg/k=,iv:+qHNrk06eIiJj9smg67QaqQvWoapjVYNv3qVvPhlEbw=,tag:UqPtQYyP2JC8lX4DP4ormw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.9.1
6 changes: 6 additions & 0 deletions nix/systems/x86_64-linux/serverz/default.nix
Expand Up @@ -47,6 +47,12 @@ in {
hostAddress = "172.16.64.10";
localAddress = "172.16.64.101";
};
authelia = {
enable = true;
host = "authelia.sbulav.ru";
hostAddress = "172.16.64.10";
localAddress = "172.16.64.102";
};
};

environment.systemPackages = with pkgs; [
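Review bot: `localAddress = "172.16.64.102"` overrides the authelia module's own default of `172.16.64.103`, and `.102` is the default `localAddress` of the (currently disabled) authentik module added in the same commit, so enabling authentik with its defaults later would place two containers on the same address; either keep the module default here or choose an address no other module defaults to. `host = "authelia.sbulav.ru"` and `hostAddress = "172.16.64.10"` only restate the module defaults and can be dropped. The enclosing attribute set starts before the hunk and continues past it.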
