diff --git a/nixos/mirai/configuration.nix b/nixos/mirai/configuration.nix index 064c6bae..327379b2 100644 --- a/nixos/mirai/configuration.nix +++ b/nixos/mirai/configuration.nix @@ -17,6 +17,11 @@ secrets."nextcloud/adminpass".owner = config.users.users.nextcloud.name; secrets."llama/user".owner = config.services.caddy.user; secrets."builder/mirai/cache/private" = {}; + secrets.users = { + sopsFile = ../../secrets/users.yaml; + format = "yaml"; + key = ""; + }; }; # Use the systemd-boot EFI boot loader. diff --git a/nixos/mirai/services.nix b/nixos/mirai/services.nix index 15917c8a..ac9019d9 100644 --- a/nixos/mirai/services.nix +++ b/nixos/mirai/services.nix @@ -4,13 +4,13 @@ pkgs, ... }: { - environment.systemPackages = with pkgs; [ - factorio-headless - ]; sops = { secrets = { - "authelia/darksailor/jwtSecret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; - "authelia/darksailor/storageEncryptionSecret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + "authelia/servers/darksailor/jwtSecret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + "authelia/servers/darksailor/storageEncryptionSecret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + "authelia/servers/darksailor/sessionSecret".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + "authelia/users/servius".owner = config.systemd.services.authelia-darksailor.serviceConfig.User; + users.owner = config.systemd.services.authelia-darksailor.serviceConfig.User; }; }; services = { 
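Review bot: `key = ""` on the new `secrets.users` entry makes sops-nix render the whole decrypted users.yaml to `/run/secrets/users`, but nothing at the declaration says so, and the file's `owner` is assigned in a different file (services.nix), so read on its own this looks like a root-only secret with no consumer. I would make the attribute set self-describing: `# key = "" renders the entire file; it is Authelia's file-backend users database, chowned in services.nix`. Better still, move the `owner` line here so the access decision for the file sits next to its definition rather than being split across two modules.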
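Review bot: The new `"authelia/users/servius"` secret is decrypted and chowned to the authelia user, yet none of the visible hunks reads its `.path`; the users database Authelia loads comes from the separate `users` secret, so this appears to be a second copy of the same user record that no service consumes. An unreferenced plaintext copy on disk is needless exposure and will drift from users.yaml as soon as one of them is edited; I would drop the line, or if it is kept for a reason I cannot see, annotate it: `# unused by Authelia here; the users database is the "users" secret (secrets/users.yaml)`. The same applies in spirit to `users.owner`, which completes a secret whose `sopsFile`/`key` are declared in configuration.nix — keeping the definition in one place makes the ownership easier to audit.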
@@ -21,32 +21,42 @@ authentication_backend = { password_reset.disable = false; file = { - path = "/etc/authelia/users.yml"; + path = "/run/secrets/users"; }; }; session = { - cookies = { - secure = true; - same_site = "Strict"; - }; + cookies = [ + { + domain = "darksailor.dev"; + authelia_url = "https://auth.darksailor.dev"; + name = "authelia_session"; + } + ]; }; access_control = { default_policy = "one_factor"; }; storage = { local = { - path = "/var/lib/authelia/darksailor.sqlite3"; + path = "/var/lib/authelia-darksailor/authelia.sqlite3"; }; }; theme = "dark"; - notifier.filesystem.filename = "/var/log/authelia/notifications.txt"; + notifier.filesystem.filename = "/var/lib/authelia-darksailor/authelia-notifier.log"; server = { address = "127.0.0.1:5555"; + endpoints.authz.forward-auth = { + implementation = "ForwardAuth"; + }; }; + # log = { + # file_path = "/tmp/authelia.log"; + # }; }; secrets = { - jwtSecretFile = config.sops.secrets."authelia/darksailor/jwtSecret".path; - storageEncryptionKeyFile = config.sops.secrets."authelia/darksailor/storageEncryptionSecret".path; + jwtSecretFile = config.sops.secrets."authelia/servers/darksailor/jwtSecret".path; + storageEncryptionKeyFile = config.sops.secrets."authelia/servers/darksailor/storageEncryptionSecret".path; + sessionSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path; }; }; }; @@ -76,10 +86,6 @@ tailscale = { enable = true; }; - factorio = { - enable = true; - openFirewall = true; - }; navidrome = { enable = true; settings = { @@ -131,6 +137,10 @@ reverse_proxy localhost:8080 ''; virtualHosts."llama.darksailor.dev".extraConfig = '' + forward_auth localhost:5555 { + uri /api/authz/forward-auth + copy_headers Remote-User Remote-Groups Remote-Email Remote-Name + } reverse_proxy localhost:3000 ''; virtualHosts."auth.darksailor.dev".extraConfig = '' diff --git a/secrets/secrets.yaml b/secrets/secrets.yaml index c786f8e0..7fd17052 100644 --- a/secrets/secrets.yaml 
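Review bot: `password_reset.disable = false` is retained while the users database now lives at `/run/secrets/users`, a read-only file that sops-nix regenerates on every activation; as I understand Authelia's file backend, a completed reset is persisted by rewriting that file, so a reset will either fail on the write or be silently reverted at the next rebuild (the sops-nix mode is not visible here, so please confirm). Set `password_reset.disable = true;` or document the limitation next to `path`, noting too that reset links only ever reach the filesystem notifier log. The rewritten `session.cookies` entry also drops the `same_site = "Strict"` the old block set; if that was not deliberate, add `same_site = "strict";` to the cookie entry so the policy does not fall back to Authelia's default. Finally the commented-out `log.file_path = "/tmp/authelia.log"` block should be removed rather than shipped as dead configuration pointing at a world-writable directory.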
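Review bot: The `forward_auth` block only protects `llama.darksailor.dev` if the upstream at `localhost:3000` is reachable exclusively through Caddy, because that service is now expected to trust `Remote-User`/`Remote-Groups` as an authenticated identity; if it also listens on a non-loopback address (not visible in this diff — for example the Tailscale interface enabled above), a client can connect directly and supply those headers itself. Confirm the llama service binds 127.0.0.1 only, and have it honour these headers solely from the proxy. It is also worth recording in the Caddyfile that `default_policy = "one_factor"` means every user in users.yaml passes this gate and any group-based authorization is left to the upstream: `# any authenticated user passes; group-based authz is up to the upstream`.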
+++ b/secrets/secrets.yaml @@ -3,9 +3,13 @@ nextcloud: llama: user: ENC[AES256_GCM,data:qWbhnc/XLotWzqbEa6ekuMe5kD/GwC9SW8omXvgWqCG1BPPCOI3DtlS4YqKxsIhYmw8MQw+4DPnaWHqjrbIsVSrQ79M=,iv:VeqkKb1N9NSKfuilG6dzYdha8cO4JqJ+YUzmkjrPU+0=,tag:SYwR1oU6VWzNoCBPsMg0uQ==,type:str] authelia: - darksailor: - jwtSecret: ENC[AES256_GCM,data:7xRxh+1DkA+CRtgbdnfQWM205DZnkhX7VvUw9Xf6sPn1TpxU6wKTVA==,iv:82Z59P2ZZAMj8bHUvWfMsIRZDdLBXOmCkLq82m6ZbRo=,tag:DwwuUs4jva4gZRhgrIdRyg==,type:str] - storageEncryptionSecret: ENC[AES256_GCM,data:s6BtWvvF+kWmejlWCFbfl382L9hsAIItz7BvWD3mA2s3qVUV0pl92WrOS6d3gXqrRqnSy9djhk3pqmHH,iv:ChUd8CqcFvXRlCRXWOqd5U55Yn4UXImG3jJDz+kTa6s=,tag:uPnAZjI+O6kFjzZWbmFzKQ==,type:str] + users: + servius: ENC[AES256_GCM,data:CLhthyoNV1JwrSJubnQ60mIcKHlQm4j4rMJOzraKTYJytdFadbUHHNu9rTGOOEnf8Bp66zWHwb7Nw8djEjCyGjmS2mz4kke9xg/2pIePCcnMVAvjMvrrqDqW7ictz/pRbg==,iv:rvk/Hrq7/JGA7MucBfU6jGBmnwnpKlg/HgqJlxC8/DI=,tag:OeqbIfbnkNiOeJrnk5BWXQ==,type:str] + servers: + darksailor: + jwtSecret: ENC[AES256_GCM,data:oRK/nkkcziFVma7WHHyIxtSjQIKIwfBXZ3TYhZ6qDz9aDxzuU/nWBg==,iv:e3IyqU242YZK/qV/x541jrRAkBKLwhW3ifyGP/9MJIk=,tag:PiN2YOSDLcf10HkAgEgz7Q==,type:str] + storageEncryptionSecret: ENC[AES256_GCM,data:cJx0HpsAXqqt4cSQduh4NUVb+czQCkMnSn35HNtLDzqoAMAZOxnNCNsd9Rpq0VySyZc4TzSiN+9tPLj1,iv:r1w4hYKWn/Guwuk13Fg831r5bUm02PJw/IoNDTMbdOg=,tag:5vMdpJ6fTT4YvT/5gGy94Q==,type:str] + sessionSecret: ENC[AES256_GCM,data:50h5JbQneCjEdTO34T6zDNzXSeeyV1MyuS034gZgwddg8Z/KAGMDWQ==,iv:SsD8YmzXzF2KhRg76tjNRyjpOZsD/jP6M8PgNCuSlcg=,tag:dfW1m6UUubD6Go1HS5yoLw==,type:str] builder: mirai: cache: 
@@ -26,8 +30,8 @@ sops: VGZKdHpVeFRpQUxtSEkyaEhLMlBJcGsKLb0DvPNZosPBUuiX6qz1s5IO5INQh8CK ZtXTVClwMSmaUYhdSB2gKFrKVZHXTJZ4oAL5t/BpC0pOHyr+o96T3Q== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-22T14:39:51Z" - mac: ENC[AES256_GCM,data:IbgSuP9+6fzS7MqPPDwqH1JPLvoeJOUuGTlPGQDdMBkO03A8dLwjMLwipHmSX4HBMX3sUkUyZanDHFoW3LBdMSpP3jSCOUSYo2K0NeUDKKKrbuJE2J9xFRuCpQIABXfdJrbaQhG/xK1jQEkV8u6nq4bthDhyxhgV7HZmL0nqLl8=,iv:LpXyJYITejYg2zlPy9KOWr+YkHUztw3WrwgL8Ii2qzk=,tag:0s2RGAMfMGzVoNSEwPXknA==,type:str] + lastmodified: "2024-11-22T17:16:32Z" + mac: ENC[AES256_GCM,data:T7EMjSsNXYgQ1wS4byOk28SCxSWZnd+n1H2zkAsVZztDutk/iN7QFi82UbkVZIKbOky76bNk8UYcF7d1mEHcvzZSgdCM9FhOmyW2p9bA8fu9W7YCQEDNorNO5lL0WSQUBkABfZvBYPsRNErzxaSgIAdHTrdoEolA1ZJNqUpIs6M=,iv:SvMywOMP1ypW2eJ7d9xFLh3wo88SzjhgLZKHNrIVJ0A=,tag:34IamPwZw+RwK9bLUiqp7Q==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.1 diff --git a/secrets/users.yaml b/secrets/users.yaml new file mode 100644 index 00000000..3fb142a9 --- /dev/null +++ b/secrets/users.yaml 
@@ -0,0 +1,29 @@ +users: + servius: + disabled: ENC[AES256_GCM,data:R3gix3A=,iv:8+SBTTk7JcPsG1afohBNkbyJpjinDVRtOeeauQLNUvA=,tag:1o10ClJyOvzmPBDyWq7EIg==,type:bool] + displayname: ENC[AES256_GCM,data:HTVApGQdAg==,iv:iMIKLgjTtt/Lz6ifhGd1CJhRpObT77O7Kp7ctKOrJrs=,tag:aNr61UE2TB4mZQYVjlHaXQ==,type:str] + password: ENC[AES256_GCM,data:24poT3nyXrUdjfvmkvt9O1TGkS+lF6C4aqnBFQawX3NkkQcJNS51JVFmbMa+sRIyBb3+uhyhFb43d6Sh/3phDLyXh6wRa31vXmusCs+UjKlI6Cw7ShftPqKLB8HKQmgaVQ==,iv:0nUt8FD2Yz/hbuXfuF0ZtcTZuiwOmPpKfagP+OjI0Go=,tag:rFJrGNepuQqfrwxGQpGH1Q==,type:str] + email: ENC[AES256_GCM,data:8JnsPaCrEVSURs1jyKN2WMgO,iv:0NsUGz2aFdw0vmYNPqi9VWOHXpJ1pxZ/sUBlYXKSCs8=,tag:SXBB8HdvE5Kop7sjCOwzPw==,type:str] + groups: + - ENC[AES256_GCM,data:F4Qu4EGg,iv:egQpvUbKgGLb2StKVNEV4qxKJIzfpk5XyGKBNOuBJBo=,tag:HSuGqTNi8zPTm+hesBEgGg==,type:str] + - ENC[AES256_GCM,data:yuEG,iv:K4ZA+h+H780A43Kp5YEExq0qvWPIHsM8/BFOcl/nc7g=,tag:C9bhTiDuc5IYHqlJI0I++Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1pw7kluxp7872c63ne4jecq75glj060jkmqwzkk6esatuyck9egfswufdpk + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzSC9SMDlzNkJFcXltV215 + UFlJTmFRaGtQeVNKOUFyV0tYVm9HbXRJcmc0ClpnaVUveEVlQXZ4dHpmOG5LSmNq + aGtwT3Q2KzdGUmwycVRwdmJ4UzJRcjgKLS0tIGpmelVDK0xoRFlRR2k2Z2dKSWpU + czNSTCttVXI1M2dmWkRpN1RURVF3cmsKAmq6p2MWLdsyCHOHoS9JXO0McJlnzZOV + cjSy31XglND0ak62boCzwfgAdi8w0OPfrjDdZQGzRa8s4JqbFAa58g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-22T18:03:33Z" + mac: ENC[AES256_GCM,data:j+Y4u9RdrL4QqQVKn3qHONQ2lGvHxISCHppeLPQo8Ea8nlIrYPiIqRZybgs6D1lPigTM4XDHTrym78N0t9dxaC5Lf2ivEh9GpPCg2tzYdiutIEqnbxHfM15O9lMc9vYwNyxnccCR47C8Ikzait7x+elT+D/AEKmBkKMzoC9S4sQ=,iv:e6r/ntstS0zGinuVQ53ES//J8o6nNZkZtDoXnISEnzo=,tag:24rwLP8S72TnxHOp7TOT3w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.9.1
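Review bot: The `password` value for `servius` must be a pre-hashed digest (argon2id or bcrypt) for Authelia's file backend; the ciphertext length is consistent with an argon2id string, but nothing in the file states the expected format, and a plaintext value here would end up in the clear in `/run/secrets/users` for as long as the service runs. Since sops encrypts YAML comments as well, the hint is best placed at the Nix declaration of this secret rather than in this file, e.g. `# users.yaml passwords are argon2id digests (authelia crypto hash generate argon2), never plaintext`. The file is encrypted to a single age recipient; confirm it is the host key mirai decrypts with, because a mismatch only surfaces at activation when Authelia fails to find its users database.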