feat: Added ldap and authelia oidc

2025-07-29 04:26:12 +05:30
parent b05f18bac5
commit 26b5ab00d5
10 changed files with 179 additions and 80 deletions
--- a/home/apps/zed.nix
+++ b/home/apps/zed.nix
@@ -7,9 +7,9 @@
    pkgs.zed-editor
  ];

-  zed-editor = {
-    enable = true;
-  };
+  # zed-editor = {
+  #   enable = true;
+  # };
  # xdg.configFile = {
  #   "zed/keymaps.json" = '''';
  #   "zed/settings.json".source = '''';
--- a/home/services/hyprland.nix
+++ b/home/services/hyprland.nix
@@ -52,7 +52,6 @@

    settings = {
      source = "${pkgs.catppuccinThemes.hyprland}/themes/mocha.conf";
-      "render:explicit_sync" = true;
      "render:cm_fs_passthrough" = 1;
      monitor = [
        "${device.monitors.primary},    2560x1440@360,          0x0,     1, transform, 0, bitdepth, 10, cm, hdr, sdrbrightness, 1.1, sdrsaturation, 1.2"
--- a/home/services/swaync.nix
+++ b/home/services/swaync.nix
@@ -3,14 +3,14 @@
    enable = device.is "ryu";
    settings = {
      notification-inline-replies = true;
-      cssPriority = "user";
+      # cssPriority = "user";
    };
  };
-  xdg.configFile = {
-    "swaync/style.css".text = ''
-      .floating-notifications {
-          background: rgba(0, 0, 0, 0.0);
-      }
-    '';
-  };
+  # xdg.configFile = {
+  #   "swaync/style.css".text = ''
+  #     .floating-notifications {
+  #         background: rgba(0, 0, 0, 0.0);
+  #     }
+  #   '';
+  # };
 }
--- a/5
+++ b/5
@@ -25,3 +25,8 @@ home:

 nvim:
    nix run .#neovim
+
+
+[linux]
+rollback:
+	sudo nixos-rebuild switch --rollback --flake .
--- a/nixos/mirai/services/authelia.nix
+++ b/nixos/mirai/services/authelia.nix
@@ -7,8 +7,9 @@
      "authelia/servers/darksailor/storageEncryptionSecret".owner = user;
      "authelia/servers/darksailor/sessionSecret".owner = user;
      "authelia/users/servius".owner = user;
-      "authelia/oidc/immich".owner = user;
+      "lldap/users/authelia".owner = user;
      users.owner = user;
+      "authelia/oidc/jwks".owner = user;
    };
  };
  services = {
@@ -18,44 +19,22 @@
        settings = {
          authentication_backend = {
            password_reset.disable = false;
-            file = {
-              path = "/run/secrets/users";
+            password_change.disable = false;
+            # file = {
+            #   path = "/run/secrets/users";
+            # };
+            ldap = {
+              address = "ldap://localhost:389";
+              timeout = "5s";
+              # start_tls = false;
+              base_dn = "dc=darksailor,dc=dev";
+              user = "cn=authelia,ou=people,dc=darksailor,dc=dev";
+              users_filter = "(&({username_attribute}={input})(objectClass=person))";
+              groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
+              additional_users_dn = "OU=people";
+              additional_groups_dn = "OU=groups";
            };
          };
-          # identity_providers = {
-          #   oidc = {
-          #     clients = [
-          #       {
-          #         client_id = "immich";
-          #         client_name = "immich";
-          #         client_secret = ''{{ fileContent "${config.sops.secrets."authelia/oidc/immich".path}" }}'';
-          #         public = false;
-          #         authorization_policy = "two_factor";
-          #         require_pkce = false;
-          #         pkce_challenge_method = "";
-          #         redirect_uris = [
-          #           "https://photos.darksailor.dev/auth/login"
-          #           "https://photos.darksailor.dev/user-settings"
-          #           "app.immich:///oauth-callback"
-          #         ];
-          #         scopes = [
-          #           "openid"
-          #           "profile"
-          #           "email"
-          #         ];
-          #         response_types = [
-          #           "code"
-          #         ];
-          #         grant_types = [
-          #           "authorization_code"
-          #         ];
-          #         access_token_signed_response_alg = "none";
-          #         userinfo_signed_response_alg = "none";
-          #         token_endpoint_auth_method = "client_secret_post";
-          #       }
-          #     ];
-          #   };
-          # };
          session = {
            cookies = [
              {
@@ -91,6 +70,11 @@
          jwtSecretFile = config.sops.secrets."authelia/servers/darksailor/jwtSecret".path;
          storageEncryptionKeyFile = config.sops.secrets."authelia/servers/darksailor/storageEncryptionSecret".path;
          sessionSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path;
+          oidcHmacSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path;
+          oidcIssuerPrivateKeyFile = config.sops.secrets."authelia/oidc/jwks".path;
+        };
+        environmentVariables = {
+          AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."lldap/users/authelia".path;
        };
      };
    };
--- a/nixos/mirai/services/homepage.nix
+++ b/nixos/mirai/services/homepage.nix
@@ -1,4 +1,4 @@
-{...}: {
+{config, ...}: {
  services = {
    homepage-dashboard = {
      enable = true;
@@ -107,6 +107,13 @@
                href = "https://llama.darksailor.dev";
              };
            }
+            {
+              "Immich" = {
+                icon = "immich.png";
+                description = "Immich: Self-hosted Photo and Video Backup";
+                href = "https://photos.darksailor.dev";
+              };
+            }
          ];
        }
      ];
@@ -163,8 +170,22 @@
            uri /api/authz/forward-auth
            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
        }
-        reverse_proxy localhost:8082
+        reverse_proxy localhost:${builtins.toString config.services.homepage-dashboard.listenPort}
      '';
    };
+    authelia = {
+      instances.darksailor = {
+        settings = {
+          access_control = {
+            rules = [
+              {
+                domain = "dashboard.darksailor.dev";
+                policy = "one_factor";
+              }
+            ];
+          };
+        };
+      };
+    };
  };
 }
--- a/nixos/mirai/services/immich.nix
+++ b/nixos/mirai/services/immich.nix
@@ -1,5 +1,78 @@
-{...}: {
+{config, ...}: {
+  sops = {
+    secrets."authelia/oidc/immich/client_id" = {
+      owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
+      mode = "0440";
+    };
+    secrets."authelia/oidc/immich/client_secret" = {
+      owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
+      mode = "0440";
+    };
+    templates = {
+      "OAUTH_CLIENT.env" = {
+        content = ''
+          OAUTH_CLIENT_ID=${config.sops.placeholder."authelia/oidc/immich/client_id"}
+          OAUTH_CLIENT_SECRET=${config.sops.placeholder."authelia/oidc/immich/client_secret"}
+        '';
+        mode = "0400";
+        owner = config.services.immich.user;
+      };
+    };
+  };
+  users.users.immich.extraGroups = [config.systemd.services.authelia-darksailor.serviceConfig.Group];
  services.immich = {
-    enable = false;
+    enable = true;
+    mediaLocation = "/media/photos/immich";
+    settings = {
+      oauth = {
+        enabled = true;
+        autoLaunch = true;
+        autoRegister = true;
+        buttonText = "Login with Authelia";
+        clientId = "immich";
+        scope = "openid email profile";
+        issuerUrl = "https://auth.darksailor.dev/.well-known/openid-configuration";
+      };
+      passwordLogin = {
+        enabled = false;
+      };
+    };
+    secretsFile = config.sops.templates."OAUTH_CLIENT.env".path;
+  };
+  services.caddy = {
+    virtualHosts."photos.darksailor.dev".extraConfig = ''
+      reverse_proxy localhost:${builtins.toString config.services.immich.port}
+    '';
+  };
+  services.authelia = {
+    instances.darksailor = {
+      settings = {
+        identity_providers = {
+          oidc = {
+            clients = [
+              {
+                client_name = "immich";
+                client_id = ''{{- fileContent "${config.sops.secrets."authelia/oidc/immich/client_id".path}" }}'';
+                client_secret = ''{{- fileContent "${config.sops.secrets."authelia/oidc/immich/client_secret".path}" }}'';
+                public = false;
+                authorization_policy = "one_factor";
+                require_pkce = false;
+                redirect_uris = [
+                  "https://photos.darksailor.dev/auth/login"
+                  "https://photos.darksailor.dev/user-settings"
+                  "app.immich:///oauth-callback"
+                ];
+                scopes = ["openid" "profile" "email"];
+                response_types = ["code"];
+                grant_types = ["authorization_code"];
+                access_token_signed_response_alg = "none";
+                userinfo_signed_response_alg = "none";
+                token_endpoint_auth_method = "client_secret_post";
+              }
+            ];
+          };
+        };
+      };
+    };
  };
 }
--- a/nixos/mirai/services/llama.nix
+++ b/nixos/mirai/services/llama.nix
@@ -43,13 +43,13 @@
    };

    caddy = {
-      # virtualHosts."llama.darksailor.dev".extraConfig = ''
-      #   forward_auth localhost:5555 {
-      #       uri /api/authz/forward-auth
-      #       copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-      #   }
-      #   reverse_proxy localhost:7070
-      # '';
+      virtualHosts."llama.darksailor.dev".extraConfig = ''
+        forward_auth localhost:5555 {
+            uri /api/authz/forward-auth
+            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
+        }
+        reverse_proxy localhost:${builtins.toString config.services.open-webui.port}
+      '';
      virtualHosts."ollama.darksailor.dev".extraConfig = ''
        @apikey {
            header Authorization "Bearer {env.LLAMA_API_KEY}"
@@ -61,12 +61,26 @@
            Access-Control-Allow-Origin *
            -Authorization "Bearer {env.LLAMA_API_KEY}"  # Remove the header after validation
          }
-          reverse_proxy localhost:11434
+          reverse_proxy localhost:${builtins.toString config.services.ollama.port}
        }

        respond "Unauthorized" 403
      '';
    };
+    authelia = {
+      instances.darksailor = {
+        settings = {
+          access_control = {
+            rules = [
+              {
+                domain = "llama.darksailor.dev";
+                policy = "one_factor";
+              }
+            ];
+          };
+        };
+      };
+    };
  };
  systemd.services.caddy = {
    serviceConfig = {
--- a/nixos/mirai/services/lldap.nix
+++ b/nixos/mirai/services/lldap.nix
@@ -6,23 +6,24 @@
  services.lldap = {
    enable = true;
    settings = {
-      # ldap_user_dn = "admin";
+      ldap_user_dn = "admin";
      ldap_base_dn = "dc=darksailor,dc=dev";
-      # ldap_user_email = "admin@darksailor.dev";
-      # http_host = "127.0.0.1";
+      ldap_user_email = "admin@darksailor.dev";
+      http_host = "127.0.0.1";
      http_port = 5090;
      ldap_port = 389;
-      # ldap_host = "::";
-      environment = {
-        LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt".path;
-        LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/seed".path;
-        # LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin".path;
-        LLDAP_LDAP_USER_PASS = "foobar123";
-      };
+      ldap_host = "::";
+      # environment = {
+      # };
+      environmentFile = ''
+        LLDAP_LDAP_USER_PASS_FILE = ${config.sops.secrets."lldap/admin".path};
+        LLDAP_JWT_SECRET_FILE = ${config.sops.secrets."lldap/jwt".path};
+        LLDAP_KEY_SEED_FILE = ${config.sops.secrets."lldap/seed".path};
+      '';
    };
  };
  services.caddy = {
-    virtualHosts."console.darksailor.dev".extraConfig = ''
+    virtualHosts."ldap.darksailor.dev".extraConfig = ''
      reverse_proxy localhost:5090
    '';
  };
@@ -34,15 +35,12 @@
  };
  users.groups.lldap = {};

-  # systemd.services.sops-install-secrets = {
-  #   after = ["lldap.service"];
-  # };
-
  systemd.services.lldap = {
-    # wants = ["sops-install-secrets.service"];
    serviceConfig = {
      AmbientCapabilities = "CAP_NET_BIND_SERVICE";
      DynamicUser = lib.mkForce false;
+      User = "lldap";
+      Group = "lldap";
    };
  };
  sops = {
--- a/secrets/secrets.yaml
+++ b/secrets/secrets.yaml
@@ -26,11 +26,16 @@ authelia:
            storageEncryptionSecret: ENC[AES256_GCM,data:cJx0HpsAXqqt4cSQduh4NUVb+czQCkMnSn35HNtLDzqoAMAZOxnNCNsd9Rpq0VySyZc4TzSiN+9tPLj1,iv:r1w4hYKWn/Guwuk13Fg831r5bUm02PJw/IoNDTMbdOg=,tag:5vMdpJ6fTT4YvT/5gGy94Q==,type:str]
            sessionSecret: ENC[AES256_GCM,data:50h5JbQneCjEdTO34T6zDNzXSeeyV1MyuS034gZgwddg8Z/KAGMDWQ==,iv:SsD8YmzXzF2KhRg76tjNRyjpOZsD/jP6M8PgNCuSlcg=,tag:dfW1m6UUubD6Go1HS5yoLw==,type:str]
    oidc:
-        immich: ENC[AES256_GCM,data:p11v+4I07FSW/pYk4l5fBlOQ2YczU0eoOvyLq/V62hY=,iv:NuHdsdLL+krQR2BZtMOcZL2zTHYjzoXbvKZLDWe36io=,tag:E8dkaQpSf+pzW18M+lqFGw==,type:str]
+        immich:
+            client_id: ENC[AES256_GCM,data:LpB+nR7SGI2EV4YK0VptF5zJ6Ai/LDfikUpoAnFWnT8krMOQ/voqjS6jhqaFz9IKhtPQL9TNZOONr5JjkDZR7sI63Ohv4Lnx,iv:J96CL8EHHj88YbQW7rdQK9C6MxXaHnMt+mgL3iL5Heg=,tag:aXD/HdWXO/e6aKGnay0W+g==,type:str]
+            client_secret: ENC[AES256_GCM,data:mZ9bxeuKEYtZRRncsXBRgFeu0exO+VN9MRXFEF/KQxrDHnGkiFGQH8/wbeHnqIO8Xpmhd5PJEz5Q29rNKJE6hsomVFHASYe6w/JCaxP24Qu2nQH60YBYsk0vfVgB8QyfpbIN1lDeW+3F8YZLa1IJuxt1Cpg9cgMtaZ4AZh4cGgBxSDE=,iv:QErPIwOTBs3UJMRDTyLpNFc8unucQKzLl6WbSuJ97fY=,tag:NRQYmn6GfIMPAUKyI7QxMQ==,type:str]
+        jwks: ENC[AES256_GCM,data:1efhdlYmiD/y4kzK0hFfLAmY6rXK0hvZez/tu1cb2hfUhIM/DzNNthKQjH8Cu2TlZwDQpUIrCO7Tr0BbkiREC+VNK4vYgi+GWswnG7VCZS40xRAZhSArNO2uQ4dpf/KAHRSSJa3i7gGOqSG/Pnrl3TRhzkhkfWSRk+7koPWKpYJOKLem+ZLN75yssCsEbYIOHjcXyizNHt6SE2ylqqCjyWnlhlnRQStYaFPWAAABcm96MkSThSyRd6hTAifC/aZiM1IMlLw7wJJk01uwjJytlxBxDiFrdr4Grg0PzOsOAocex9Siw5fzcr7dFpVBoaS7e7nD/sccGSyEysw/t+wvkMou1Ewr5U2Pnew8lPjSrEiiGxuPwmK9kHxD3L6cADxF6xs4bn+Iqa/yy9FWbtGZfBYOxJiRvXgxBPiO7CH4tJyVIbnLfi8K/zCJC9u5vO+WFXiVIzXxAPVUL7VKQQZGxV7989LMdcjzck+B1zFHVQz25siwbpu0FxMxiJsVtBxu1U+QBRfQrwLacX2NAJvqYNZxr+9l43Fh0x8dS5CBheVEy39sXge9jLyS7kIW0FfvgJaHuLL2/GhDGsvfi7zFPOc8Thg+8LP58L8wzPT+LvVoidq/j3K2Ct6udn9JsOnbZT3Gs1RiY+E77H09GbdwIrP0sGVi4ZJe++w+sKNjyzLzceEYGkfa1EiMQhYPHzqUAwqtgmJZo9tY+2jOBJb9ZU+Kj0xtqZsjFpHaGWsRj8XGkPrAFEh6Z6/Ak9/BpYaapPeAO3Wa6tzNVlTCtaX786nSTjfGC7v9O4Uz8XQr0HV3A7wj36Fw3dqERZFKea7BJbiiAiEZtnOsbWVqQXpIUVfCvPhfwuFcOU/ClyM1fGyZXaCIeB62Tkqa+ZlqRQgzzf3bSFUK0PgxE3Ny5pIPzNEINqse+6DeFuF91uY1dLQB4Vizyzv1H+X/OecO9K8kECM1wUy3Fbbyh4tYYxt4VvqFQZ1o4A7Jd04WCIf3hdAHmwvOQW+/8dfnyLa8kqTcQYeI3jfjtRvD6TaZl21K9kFY2VJAexdno9bbozDOus1Ep92ublwonVjfvzbyDURHGF6Cw2OL7xcbHQIMz/ZmkVHMra49NHgWlI6X0slgYDxKKDszHhZ9SHkEXF8pJf+uogbwSwz1glRkEdn1oprbs8GsFoc7HGVvSHRgOWKHwvhZD2tMiSE4cEFZ9/2nSPISQMNGuS7wgnVkalKPW+gF1EWVXczanzKsrpcDtpMdFufMRVusaJBV5Jw62I++cx1AMW2dRTseQyWLchRWtOba6dd9gbNzGi39+njHClHIEUxaxXzxIQLhSgCA9loXRc26ZA6DpwHQR+gtH2OybeFEiH390YoSfFeZuU+f0E2awMdpiEsBL/AniUcboDaBEaDQYpwUawNL+II7rmSn4rTJM64n5z3B88U/vAQh9BQFhf7SDKb05n/ArCibkdy3gbo8rTVH1gGbmW53DTxzuW+AEpFcuueiP3yz1vGzEwKSX+LMkCwFwk6Y/VcqHXW+PdZ88SFUr5WELGPkZxT3AvmduBCifE0KDzKWrN3yy1xwEQDGrYiqeHqeqHpEuk/KpxeAwepqWayGMq6iT4BWUBojNo6quoXkPPodSsotbBFLjyRHoDGm0NZSbgluOUyERrN6M+ELdHqQjeNTS046KB6QnG5s+uTA+uxyonvmPCPBgFAd0q0qfq4T/SISHrPe13Y7nHnATxoMBszvIfKznqFthTBsc3V9C5+g/kcOzcEQpAC6baGe+eq23m/Go3uDa7O84Euxhj9C5NBcidvgmYmRZuY6l2ehnxf1oGoGwHBJEaYEuCk7sc3Wac6u2OvqCIKPxRdi2tUiZ9FwCGLqd8qcLEPtsSaBNk2CVlK9ZkgPzSYH794qpNQDWkyv5SJ4V9zy2LL+s9MHtHNQu6QxALZ8c0GfQetTI5ArkC3cBz/3mRdDMy9k7HpO7b6USoxqGAZ+H4kzJhus9QwjaqJnnB+fJI5O2ek5TVLY9RWXo+W2pCBDjt925BVoChkvkUEg4GtvR+8/yChgYEgYWUPqRV4vMEwQiRoaJamL/E+lRaUx+c0f9ga8+k0JdfxfzoIPUA3/rBGcfO8Y12RF8Ool4hreP409KjdPP0PeeOVKg58MPYNO5O0BdT62nyL+fSvJkw7uPGcOwtOtcxjcBsNhoFv0twrCp8S3cLX45GTNaTw+JHcxsTzG9ibL3bFtVkAAiZHZGMisEjTSGElSGIDk+MoPt68hq4BRioab,iv:gGKyTUigpnqg3Fgd76INrESRT27hJRzYQ3xk8heNkWk=,tag:fVc8rg1Or63X/14neG+8Cw==,type:str]
 lldap:
    jwt: ENC[AES256_GCM,data:61dwC1ElOOGaf0CmalzXZnxImEyufKjUUWcNaEcOuv3TEODhQyHK7g==,iv:CVEJVuaCc2gDmSYWHS3fPL8FjbvblF6IladAzGoGb0o=,tag:OMm/OdKjliHjsGqJripLbg==,type:str]
    seed: ENC[AES256_GCM,data:zMBZP4GeGkQ4chC9eQ4tG8vTqbxZj4iQMKCj0WQd1qOWVTibpk6VylnFz5ugmeMR,iv:5ZFf/r683AHVlpp7iN9B6nY1b8tD/JSCxRN4vXT1cRM=,tag:MmeGpK9d2GFP3etr9Ouvkg==,type:str]
    admin: ENC[AES256_GCM,data:6eLFuyt9hBzoAGfaDLi9cwxFj/yq20BDCSzbHzakZLo=,iv:qjczQ/hswAzVVS7gCUapzqhRx1dAE7FhRUvtovlMuY0=,tag:aMBFJy+USOd5Vy2QKjoD6Q==,type:str]
+    users:
+        authelia: ENC[AES256_GCM,data:6zddaWEBqJqfLaSzeANlSfldpw==,iv:jx3P9FThq7+LbwX0LpNK7qll3RJ5ibNfdDybS+KZG6U=,tag:RHNPLdbpkPy2aAcibljxAg==,type:str]
 builder:
    mirai:
        cache:
@@ -55,7 +60,7 @@ sops:
            VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK
            ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-28T11:23:30Z"
-    mac: ENC[AES256_GCM,data:lAaVNBji1kslL5pCYBABP3X8n1AFQ1ocFgPCRmlipLPt9dVVwzKDokI75xWztOTVU/ydkz/AQjHkeunPc0bl3lhukrpLAulpQLFTV/+zy2ku3nStCrpx93bmjO0KWb9GvjidITVOvr4WzOZUSsq45Im4gJgpFXDyCXg/8HsY6K0=,iv:vh7GdrwU+T4AkZS7uWljagA11itG1QEs2JdwSqbqmtc=,tag:VpCVyr4TxWYCWfssXz4QyQ==,type:str]
+    lastmodified: "2025-07-28T22:24:11Z"
+    mac: ENC[AES256_GCM,data:k7nnnBg4/5i0JdRXIvQK/zM9Xm6Ex14UTu9ZjZntal6IJuccNvMvbNLIDa4+cnjVjwaOHAXCzmCP5xQZ2R5k7b8EJ853lahMYy4ORbg0Ve5nCIZOVc0A43CfErPz4SdK+NMALP7s7z5aeb1grJ6U3RBRBTrKib//1oo5u44ozNw=,iv:6UiMxysglG0CeSUWXAPlL7qjXR876JS4yUGwBqlwcyU=,tag:mCFw+UU+7SOjw1k+A6jAqQ==,type:str]
    unencrypted_suffix: _unencrypted
    version: 3.10.2