diff --git a/nix/modules/nixos/containers/authelia/default.nix b/nix/modules/nixos/containers/authelia/default.nix
new file mode 100644
index 0000000..8a4c7c0
--- /dev/null
+++ b/nix/modules/nixos/containers/authelia/default.nix
@@ -0,0 +1,158 @@
+{
+ config,
+ lib,
+ namespace,
+ inputs,
+ ...
+}:
+with lib;
+with lib.custom; let
+ cfg = config.${namespace}.containers.authelia;
+in {
+ options.${namespace}.containers.authelia = with types; {
+ enable = mkBoolOpt false "Enable authelia nixos-container;";
+ cf_secret_file = mkOpt str "secrets/serverz/default.yaml" "SOPS secret to get cloudflare creds from";
+ dataPath = mkOpt str "/tank/authelia" "Traefik data path on host machine";
+ host = mkOpt str "authelia.sbulav.ru" "The host to serve authentik on";
+ domain = mkOpt str "sbulav.ru" "The domain session cookie to protect";
+ hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
+ localAddress = mkOpt str "172.16.64.103" "With privateNetwork, which address to use in container";
+ };
+
+ config = mkIf cfg.enable {
+ sops.secrets = {
+ authelia-env = {
+ sopsFile = lib.snowfall.fs.get-file "${cfg.cf_secret_file}";
+ uid = 999;
+ restartUnits = ["container@authelia.service"];
+ };
+ authelia-storage-encryption-key = {
+ sopsFile = lib.snowfall.fs.get-file "${cfg.cf_secret_file}";
+ uid = 999;
+ restartUnits = ["container@authelia.service"];
+ };
+ };
+ containers.authelia = {
+ ephemeral = true;
+ autoStart = true;
+
+ privateNetwork = true;
+ # Need to add 172.16.64.0/18 on router
+ hostAddress = "${cfg.hostAddress}";
+ localAddress = "${cfg.localAddress}";
+
+ # Mounting Cloudflare creds(email and dns api token) as file
+ bindMounts = {
+ "${config.sops.secrets.authelia-env.path}" = {
+ isReadOnly = true;
+ };
+ "${config.sops.secrets.authelia-storage-encryption-key.path}" = {
+ isReadOnly = true;
+ };
+
+ "/var/lib/authelia-main/users/" = {
+ hostPath = "${cfg.dataPath}/users/";
+ isReadOnly = false;
+ };
+ "/var/lib/authelia-main/logs/" = {
+ hostPath = "${cfg.dataPath}/logs/";
+ isReadOnly = false;
+ };
+ "/var/lib/authelia-main/storage/" = {
+ hostPath = "${cfg.dataPath}/storage/";
+ isReadOnly = false;
+ };
+ };
+ config = {...}: {
+ systemd.services.authelia-main.serviceConfig.EnvironmentFile = "/run/secrets/authelia-env";
+ services.authelia.instances = {
+ main = {
+ enable = true;
+ secrets = {
+ storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
+ # jwtSecretFile = config.sops.secrets.authelia_jwt_secret_file.path;
+ # sessionSecretFile = config.sops.secrets.authelia_session_secret_file.path;
+ manual = true;
+ };
+
+ settings = {
+ log = {
+ level = "info";
+ file_path = "/var/lib/authelia-main/logs/authelia.log";
+ };
+ authentication_backend = {
+ file.path = "/var/lib/authelia-main/users/users_database.yml";
+ password_reset.disable = true;
+ };
+
+ storage.local.path = "/var/lib/authelia-main/storage/db.sqlite3";
+ server.disable_healthcheck = true;
+ regulation = {
+ ban_time = 300;
+ find_time = 120;
+ max_retries = 3;
+ };
+ session = {
+ domain = "${cfg.domain}";
+ expiration = 604800;
+ inactivity = 300;
+ name = "authelia_session";
+ };
+ notifier = {
+ disable_startup_check = false;
+ filesystem = {
+ filename = "/var/lib/authelia-main/logs/notification.txt";
+ };
+ };
+ access_control = {
+ # default_policy = "deny";
+ default_policy = "one_factor";
+ rules = [
+ {
+ domain = "*.sbulav.ru";
+ policy = "one_factor";
+ }
+ ];
+ };
+ };
+ };
+ };
+ networking = {
+ firewall = {
+ enable = true;
+ allowedTCPPorts = [9091];
+ };
+ # Use systemd-resolved inside the container
+ # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+ useHostResolvConf = lib.mkForce false;
+ };
+ services.resolved.enable = true;
+ system.stateVersion = "24.11";
+ };
+ };
+
+ containers.traefik.config.services.traefik.dynamicConfigOptions.http = lib.mkIf config.${namespace}.containers.traefik.enable {
+ routers.authelia = {
+ entrypoints = ["websecure"];
+ rule = "Host(`${cfg.host}`)";
+ service = "authelia";
+ middlewares = [
+ "secure-headers"
+ ];
+ tls = {
+ certResolver = "production";
+ };
+ };
+ services.authelia = {
+ loadBalancer = {
+ passHostHeader = true;
+ servers = [
+ {
+ url = "http://${cfg.localAddress}:9091";
+ }
+ ];
+ };
+ };
+ };
+}
diff --git a/nix/modules/nixos/containers/authentik/default.nix b/nix/modules/nixos/containers/authentik/default.nix
new file mode 100644
index 0000000..377a86a
--- /dev/null
+++ b/nix/modules/nixos/containers/authentik/default.nix
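Review bot: The EnvironmentFile line at the top of the container config hardcodes `/run/secrets/authelia-env` while the bindMounts just above derive the same file from `config.sops.secrets.authelia-env.path`; if the sops path is ever changed the mount follows but the service starts without its environment, so use the same expression, `systemd.services.authelia-main.serviceConfig.EnvironmentFile = config.sops.secrets.authelia-env.path;`. Several option descriptions and comments are carried over from the traefik/authentik modules and now mislead: `cf_secret_file` says "cloudflare creds", `dataPath` says "Traefik data path", `host` says "serve authentik on", and the "Mounting Cloudflare creds" comment sits above mounts of the Authelia env file and storage key. With `secrets.manual = true` and the jwt/session secret file lines commented out, the module presumably expects those values to arrive via the env file; a one-line comment naming which variables `authelia-env` must carry would make that contract visible. In access_control the `default_policy = "one_factor"` applies to every domain no rule matches; since the only rule already grants one_factor to `*.sbulav.ru`, the commented `deny` default would give the same result for the listed hosts while refusing anything else.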
@@ -0,0 +1,88 @@
+# DISABLED, builds too long
+{
+ config,
+ lib,
+ namespace,
+ inputs,
+ ...
+}:
+with lib;
+with lib.custom; let
+ cfg = config.${namespace}.containers.authentik;
+in {
+ options.${namespace}.containers.authentik = with types; {
+ enable = mkBoolOpt false "Enable authentik nixos-container;";
+ host = mkOpt str "authentik.sbulav.ru" "The host to serve authentik on";
+ hostAddress = mkOpt str "172.16.64.10" "With private network, which address to use on Host";
+ localAddress = mkOpt str "172.16.64.102" "With privateNetwork, which address to use in container";
+ };
+}
+# config = mkIf cfg.enable {
+# containers.authentik = {
+# ephemeral = true;
+# autoStart = true;
+# privateNetwork = true;
+# # Need to add 172.16.64.0/18 on router
+# hostAddress = "${cfg.hostAddress}";
+# localAddress = "${cfg.localAddress}";
+# config = {...}: {
+# imports = [
+# inputs.authentik-nix.nixosModules.default
+# ];
+# services.authentik = {
+# enable = true;
+# # The environmentFile needs to be on the target host!
+# # Best use something like sops-nix or agenix to manage it
+# environmentFile = "/run/secrets/authentik/authentik-env";
+# settings = {
+# # email = {
+# # host = "smtp.example.com";
+# # port = 587;
+# # username = "authentik@example.com";
+# # use_tls = true;
+# # use_ssl = false;
+# # from = "authentik@example.com";
+# # };
+# disable_startup_analytics = true;
+# avatars = "initials";
+# };
+# };
+# networking = {
+# firewall = {
+# enable = false;
+# allowedTCPPorts = [80];
+# };
+# # Use systemd-resolved inside the container
+# # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
+# useHostResolvConf = lib.mkForce false;
+# };
+# services.resolved.enable = true;
+# system.stateVersion = "24.11";
+# };
+# };
+# containers.traefik.config.services.traefik.dynamicConfigOptions.http = lib.mkIf config.${namespace}.containers.traefik.enable {
+# routers.authentik = {
+# entrypoints = ["websecure"];
+# rule = "Host(`${cfg.host}`)";
+# service = "authentik";
+# middlewares = [
+# "secure-headers"
+# ];
+# tls = {
+# certResolver = "production";
+# };
+# };
+# services.authentik = {
+# loadBalancer = {
+# passHostHeader = true;
+# servers = [
+# {
+# url = "http://${cfg.localAddress}:80";
+# }
+# ];
+# };
+# };
+# };
+# };
+# }
+
diff --git a/nix/modules/nixos/containers/homepage/default.nix b/nix/modules/nixos/containers/homepage/default.nix
index e0d578c..6453f91 100644
--- a/nix/modules/nixos/containers/homepage/default.nix
+++ b/nix/modules/nixos/containers/homepage/default.nix
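Review bot: The `enable` option is declared but nothing consumes it, because the whole `config = mkIf cfg.enable { … }` block below is commented out, so setting `containers.authentik.enable = true` on a host silently does nothing. Until the module is restored, either drop the options or surface the state, e.g. `config = mkIf cfg.enable { warnings = [ "containers.authentik is disabled (builds too long); enable has no effect" ]; };`. The commented-out block also pairs `firewall.enable = false` with `allowedTCPPorts = [80]`, which is worth reconciling before it is revived so the container does not come back with its firewall off.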
@@ -30,7 +30,56 @@ in {
 pkgs,
 ...
 }: {
- services.homepage-dashboard.enable = true;
+ networking.hosts = {
+ "${cfg.hostAddress}" = ["traefik.sbulav.ru"];
+ };
+
+ services.homepage-dashboard = {
+ enable = true;
+ # Example https://github.com/notohh/snowflake/blob/647a7f5af9647a2fbb9c46b218e6575c2dcf8828/hosts/yuki/services/homepage/services.nix#L2
+ widgets = [
+ {
+ resources = {
+ cpu = true;
+ disk = "/";
+ memory = true;
+ };
+ }
+ ];
+ services = [
+ {
+ "My First Group" = [
+ {
+ "My First Service" = {
+ description = "Homepage is awesome";
+ href = "http://localhost/";
+ };
+ }
+ ];
+ }
+ {
+ "Network" = [
+ {
+ "My Second Service" = {
+ description = "Homepage is the best";
+ href = "http://localhost/";
+ };
+ }
+
+ {
+ "Traefik" = {
+ icon = "traefik";
+ href = "https://traefik.sbulav.ru";
+ widget = {
+ type = "traefik";
+ url = "https://traefik.sbulav.ru";
+ };
+ };
+ }
+ ];
+ }
+ ];
+ };
 networking = {
 firewall = {
diff --git a/nix/secrets/serverz/default.yaml b/nix/secrets/serverz/default.yaml
index 07d0ab0..f4cb26f 100644
--- a/nix/secrets/serverz/default.yaml
+++ b/nix/secrets/serverz/default.yaml
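Review bot: The new `networking.hosts` entry pins `traefik.sbulav.ru` to `cfg.hostAddress` with no comment saying why the container must resolve that name locally instead of through DNS; presumably it is so the Traefik widget further down reaches Traefik over the private network, and a one-line comment such as `# resolve the Traefik hostname to the host side of the veth so the widget below can reach it` would keep the next reader from removing it. The "My First Group"/"My First Service" and "My Second Service" entries with `href = "http://localhost/"` and descriptions like "Homepage is awesome" read as template placeholders left in a host config; either remove them or mark them as examples. The enclosing `{ pkgs, ... }: {` function starts before the hunk and its `networking.firewall` block continues after it.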
@@ -1,4 +1,6 @@
 traefik-cf-env: ENC[AES256_GCM,data:g7Xw9UM1FeOFh+R0jGmPl9Gipix2WNilkCw30iDutxduhYCRmh3cye4D43Zy5x31kvdHej0pwlaSgEVbDOfBMoeENezrcDnLd3xqZHks75QleXv8Ujqoag==,iv:w/byUzrl/9+qcMnUERmO7RYpk991WbhRtcBJkIQIF1o=,tag:CxFiyegx/ZhzU+CU0Bkabg==,type:str]
+authelia-env: ENC[AES256_GCM,data:6fFB2jhyMiGKY/Y/cbel3p9wkEX72OPYHjoEereC7vj6kVH6fne7ctCKFgzZF0bGyET6iS7sh01Xgj+BNCejdSAoqjouoUHBcFc3VE7Vrecg/0LLDjLZ4sc1Fd1ZGLvcPNDTVL0j7UQTBX0MirB1yy4t2s1gNLUvjunwxtglLaAxjDIi541pZb4d9FL/BJ1g76dvGLIlyF4tKssSPSujLls/JrlG3/jbdrmS4sbA+ZI=,iv:eqeV4P1Rw0RxQqs//oYTzEQLyavLfbvKkz2JXs9fkmc=,tag:1rsGSeGVn3c3IYAsfghTXw==,type:str]
+authelia-storage-encryption-key: ENC[AES256_GCM,data:ub+rSg3lNyxVJapVhMJBu+9kfG6ToSJSXmgie3qOvlkRZy4oLYdEIvgcie9yZ6CnSAASMLVBX8GSt2XKee8Lbg==,iv:vHNERwAxZ8ndFKANC40GUqt1JF1ivBOPWt70MWgSMso=,tag:yQN8dDoXl6Uqg3VSG3hhUw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -23,8 +25,8 @@ sops:
 SVdkN2htWTBaLy9jdGJ6S0RocE9JMFUK8yejh6yKp+OLsNFXWHUJzvHnwaGI1yXA
 Y4F7JY6bhXcu8KJGvjgy08ox+n82V6xY9ov1hwhUlfyIZf4H0/bjuA==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-09T13:41:56Z"
- mac: ENC[AES256_GCM,data:6ytcjeG2iT4+1B047wTuLl9dvbsH8mcB6xiTHE44PlWYDZGkEf4+vMgJNoXJp4XSkeNad+tKqcVLEnNXzX+7EM9D1uFdSlFwF59Z5JIKJcIXW4MqG75DqQXF4hr+BltEW5L4ffDacQPip3FdQL3XSREdPNCTtQhQWfiratKnEg8=,iv:8SeLg69BNaTkKi1tsWGxNPNIZQeSzUiRKaiynqk6sm0=,tag:hImVGNPhuSzHRdsxRm6/nQ==,type:str]
+ lastmodified: "2024-11-11T15:03:08Z"
+ mac: ENC[AES256_GCM,data:gIT8+GGrup4dAqVG0iTZDiJV/2vc5H9Gw6OhKqGxWKWLd02awHEvSP54saLGRTOel704UNCSeAvOmttAE1sSCGKCxffFh7rsJnp8U06v9GFNA4A4EmacfjQJ4eVTzETkbTf3OOghkA5NNxiRwAlwmdMVOW2DBp7cxW7O+RuCg/k=,iv:+qHNrk06eIiJj9smg67QaqQvWoapjVYNv3qVvPhlEbw=,tag:UqPtQYyP2JC8lX4DP4ormw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.1
diff --git a/nix/systems/x86_64-linux/serverz/default.nix b/nix/systems/x86_64-linux/serverz/default.nix
index 0630f94..56a593a 100644
--- a/nix/systems/x86_64-linux/serverz/default.nix
+++ b/nix/systems/x86_64-linux/serverz/default.nix
@@ -47,6 +47,12 @@ in {
 hostAddress = "172.16.64.10";
 localAddress = "172.16.64.101";
 };
+ authelia = {
+ enable = true;
+ host = "authelia.sbulav.ru";
+ hostAddress = "172.16.64.10";
+ localAddress = "172.16.64.102";
+ };
 };
 environment.systemPackages = with pkgs; [
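Review bot: The new authelia block assigns `localAddress = "172.16.64.102"`, which is the default `localAddress` of the authentik module added in this same commit, while the authelia module's own default is 172.16.64.103; if authentik is ever enabled on this host the two containers would claim the same address on the private network. Using `localAddress = "172.16.64.103";` here (or omitting the line to take the module default) keeps the allocations distinct — .101 for the preceding container block, .102 reserved for authentik, .103 for authelia. The `host` and `hostAddress` values repeat the module defaults and could likewise be dropped. The enclosing `containers` attribute set starts before the hunk.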