feat(nix): add authelia TOTP, require auth for all domains
sbulav committed Nov 15, 2024
1 parent 8bcf3b7 commit c5ca76d
Showing 9 changed files with 63 additions and 31 deletions.
4 changes: 1 addition & 3 deletions nix/modules/nixos/containers/adguard/default.nix
Expand Up @@ -87,9 +87,7 @@ in {
entrypoints = ["websecure"];
rule = "Host(`${cfg.host}`)";
service = "adguard";
middlewares = [
"secure-headers"
];
middlewares = ["auth-chain"];
tls = {
certResolver = "production";
};
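Review bot: The router line `middlewares = ["auth-chain"];` here, and the identical change in flood, homepage and nextcloud, makes each service fail closed on the authelia container: Traefik's forwardAuth answers with an error when the auth address cannot be reached, so a stopped authelia container takes all four services offline at once, including `homepage`, which Authelia's own `default_redirection_url` points at. That coupling is inherent to the feature, but it is nowhere written down; a comment next to the first reference such as `# auth-chain = secure-headers + Authelia forwardAuth (defined in traefik/default.nix); service is unreachable while authelia is down` would save the next person a surprise. For AdGuard in particular, if DNS-over-HTTPS is served through this same host, DoH clients cannot complete the forwardAuth redirect — worth confirming before depending on it. The enclosing router attrset starts and ends outside the hunk.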
21 changes: 15 additions & 6 deletions nix/modules/nixos/containers/authelia/default.nix
Expand Up @@ -93,11 +93,18 @@ in {
max_retries = 3;
};
session = {
domain = "${cfg.domain}";
expiration = 604800;
inactivity = 300;
name = "authelia_session";
cookies = [
{
domain = "${cfg.domain}";
authelia_url = "https://${cfg.host}";
default_redirection_url = "https://homepage.${cfg.domain}";
}
];
};
default_2fa_method = "totp";
# TODO: change notifier to smtp/2fa
#used to send 2FA registration emails etc
notifier = {
disable_startup_check = false;
filesystem = {
Expand All @@ -106,11 +113,13 @@ in {
};
access_control = {
# default_policy = "deny";
default_policy = "one_factor";
# default_policy = "one_factor";
default_policy = "two_factor";
rules = [
{
domain = "*.sbulav.ru";
policy = "one_factor";
domain = "*.${cfg.domain}";
# policy = "one_factor";
policy = "two_factor";
}
];
};
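Review bot: The access_control rule `domain = "*.${cfg.domain}"; policy = "two_factor";` now states exactly what `default_policy = "two_factor"` already enforces, so it changes nothing, and the three commented-out `default_policy`/`policy` lines around it are dead config that will drift from reality; either drop the rule or keep it with a comment marking it as the anchor for future per-host exceptions, and delete the commented alternatives. The `# TODO: change notifier to smtp/2fa` comment is still accurate and worth sharpening: with the `filesystem` notifier the TOTP enrolment links are presumably written to a file inside the container instead of being mailed, so whoever can read that file can finish enrolment for a user — e.g. `# filesystem notifier: TOTP registration links land in a file in the container; keep its permissions tight until smtp is configured`. In the new `cookies` entry `domain = "${cfg.domain}";` is a plain value and can be written `domain = cfg.domain;`. The enclosing settings attrset starts and ends outside the hunk.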
4 changes: 1 addition & 3 deletions nix/modules/nixos/containers/flood/default.nix
Expand Up @@ -73,9 +73,7 @@ in {
entrypoints = ["websecure"];
rule = "Host(`${cfg.host}`)";
service = "flood";
middlewares = [
"secure-headers"
];
middlewares = ["auth-chain"];
tls = {
certResolver = "production";
};
8 changes: 3 additions & 5 deletions nix/modules/nixos/containers/homepage/default.nix
Expand Up @@ -83,7 +83,7 @@ in {
href = "https://adguard.sbulav.ru";
widget = {
type = "adguard";
url = "https://adguard.sbulav.ru";
url = "http://${config.${namespace}.containers.adguard.localAddress}:3000";
};
};
}
Expand All @@ -93,7 +93,7 @@ in {
href = "https://flood.sbulav.ru";
widget = {
type = "flood";
url = "https://flood.sbulav.ru";
url = "http://${config.${namespace}.containers.flood.localAddress}:3000";
};
};
}
Expand Down Expand Up @@ -121,9 +121,7 @@ in {
entrypoints = ["websecure"];
rule = "Host(`${cfg.host}`)";
service = "homepage";
middlewares = [
"secure-headers"
];
middlewares = ["auth-chain"];
tls = {
certResolver = "production";
};
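Review bot: The two widget `url` lines now point straight at the container addresses over plain `http://…:3000`, which deliberately sidesteps both TLS and the new `auth-chain` (the widget's background API calls could not complete Authelia's login flow), but that reasoning is not recorded anywhere; add `# direct container address: widget API calls cannot pass the auth-chain router` beside each. If the widget definitions carry an AdGuard or Flood password or API key (not visible in this hunk), that secret now travels unencrypted on the container bridge, which is acceptable only while the bridge stays host-local. The `href` lines just above still hardcode `sbulav.ru` while the `url` lines derive their address from `config`, so the two will diverge if the domain option ever changes. The enclosing service list starts and ends outside the hunks.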
4 changes: 1 addition & 3 deletions nix/modules/nixos/containers/nextcloud/default.nix
Expand Up @@ -155,9 +155,7 @@ in {
entrypoints = ["websecure"];
rule = "Host(`${cfg.host}`)";
service = "nextcloud";
middlewares = [
"secure-headers"
];
middlewares = ["auth-chain"];
tls = {
certResolver = "production";
};
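Review bot: Putting `auth-chain` on the Nextcloud router presumably breaks non-browser clients — the desktop/mobile sync apps and CalDAV/CardDAV clients talk to the same host and cannot follow Authelia's redirect to the login page, so they will see the forwardAuth response instead of WebDAV. If those clients are in use, either an Authelia access_control bypass for the client paths or a second router without the chain is needed, and the choice should be noted on this line, e.g. `# auth-chain: browser access only; sync clients need a bypass rule (TODO)`. Whether such clients exist cannot be judged from this hunk, and the enclosing router attrset starts and ends outside it.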
18 changes: 13 additions & 5 deletions nix/modules/nixos/containers/traefik/default.nix
Expand Up @@ -14,6 +14,12 @@ in {
domain = mkOpt str "" "The domain to get certificates to";
dataPath = mkOpt str "/tank/traefik" "Traefik data path on host machine";
};
imports = [
# Middlewares
./middleware_authelia.nix
./middleware_allow-lan.nix
./middleware_secure-headers.nix
];

config = mkIf cfg.enable {
sops.secrets = {
Expand Down Expand Up @@ -62,9 +68,7 @@ in {
routers.traefik-dashboard = {
rule = "Host(`traefik.${cfg.domain}`)";
service = "api@internal";
middlewares = [
"secure-headers"
];
middlewares = ["secure-headers" "allow-lan"];
tls = {
certResolver = "production";
domains = {
Expand All @@ -76,8 +80,12 @@ in {
};
};

# TODO: implement authelia auth
middlewares = import ./middleware_secure-headers.nix;
middlewares.auth-chain = {
chain.middlewares = [
"secure-headers"
"authelia"
];
};
};
};
};
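Review bot: The dashboard router line `middlewares = ["secure-headers" "allow-lan"];` is the one router that does not receive `auth-chain`, so despite the commit title the Traefik dashboard (`api@internal`) stays reachable without any login for every address in the four allow-lan ranges. If that is intended — for example to keep the dashboard usable while authelia is down — say so with a comment such as `# dashboard: LAN-only instead of Authelia so it stays usable when authelia is down`; otherwise `["auth-chain" "allow-lan"]` keeps both gates. The entrypoint this router is bound to is not visible in the hunk, so whether it is reachable from outside the LAN cannot be judged here; the enclosing `dynamicConfigOptions` attrset starts outside the hunk.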
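--- a/nix/modules/nixos/containers/traefik/middleware_allow-lan.nix
+++ b/nix/modules/nixos/containers/traefik/middleware_allow-lan.nix
@@ -0,0 +1,10 @@
+{
+containers.traefik.config.services.traefik.dynamicConfigOptions.http.middlewares.allow-lan = {
+ipAllowList.sourceRange = [
+"127.0.0.1/32"
+"172.16.64.0/24"
+"192.168.88.0/24"
+"192.168.89.0/24"
+];
+};
+}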
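Review bot: `ipAllowList.sourceRange` is matched against the TCP peer address because no `ipStrategy` is set, which is the right choice while Traefik is the edge proxy, but if a tunnel or another proxy is ever placed in front of it every request will carry that proxy's address and the list becomes all-or-nothing. The four ranges are also undocumented; a comment above the list such as `# LAN ranges allowed onto auth-free routers (dashboard); matched on the TCP peer, not X-Forwarded-For` lets a later reader judge whether an edit is safe. `127.0.0.1/32` will presumably only ever match when Traefik shares the host's network namespace — worth confirming rather than keeping it by habit.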
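--- a/nix/modules/nixos/containers/traefik/middleware_authelia.nix
+++ b/nix/modules/nixos/containers/traefik/middleware_authelia.nix
@@ -0,0 +1,18 @@
+{
+namespace,
+config,
+...
+}: {
+containers.traefik.config.services.traefik.dynamicConfigOptions.http.middlewares.authelia = {
+forwardAuth = {
+address = "http://${config.${namespace}.containers.authelia.localAddress}:9091/api/authz/forward-auth";
+trustForwardHeader = true;
+authResponseHeaders = [
+"Remote-User"
+"Remote-Groups"
+"Remote-Name"
+"Remote-Email"
+];
+};
+};
+}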
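Review bot: `trustForwardHeader = true;` makes Traefik pass the X-Forwarded-* headers it received on to Authelia, which uses them to pick the matching access_control rule; that is only safe while the entrypoints keep Traefik's default of overwriting client-supplied X-Forwarded-* headers (no `forwardedHeaders.insecure`, and `forwardedHeaders.trustedIPs` limited to real upstream proxies), and that dependency deserves a comment on the line, e.g. `# safe only because the entrypoints do not trust client-supplied X-Forwarded-* headers`. The `authResponseHeaders` list forwards Remote-User/Groups/Name/Email to every backend behind `auth-chain`, so any backend that honours header-based login must be reachable only through Traefik, never directly on its container address — worth stating next to the list. The auth endpoint is addressed over plain `http://` on the container bridge, which is fine for host-local traffic but should be noted beside `address`.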
@@ -1,5 +1,5 @@
{
secure-headers = {
containers.traefik.config.services.traefik.dynamicConfigOptions.http.middlewares.secure-headers = {
headers = {
sslRedirect = true;
accessControlMaxAge = "100";
Expand Down Expand Up @@ -27,9 +27,4 @@
};
};
};
auth-chain = {
chain.middlewares = [
"secure-headers"
];
};
}
