chris/sneeuwvlok
chris/sneeuwvlok
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

woop woop got auth working in caddy, now figuring out oidc

Browse source
This commit is contained in:
Chris Kruining 2025-04-01 23:47:49 +02:00
parent 9793f795ee
commit 100923f290
Signed by: chris
SSH key fingerprint: SHA256:nG82MUfuVdRVyCKKWqhY+pCrbz9nbX6uzUns4RKa1Pg
5 changed files with 84 additions and 32 deletions
Download patch file Download diff file Expand all files Collapse all files

46
hosts/ulmo/default.nix
View file

@ -2,32 +2,34 @@
{ {
imports = [ ./hardware.nix ]; imports = [ ./hardware.nix ];
fileSystems."/var/media" = { config = {
device = "/dev/disk/by-label/data"; fileSystems."/var/media" = {
fsType = "ext4"; device = "/dev/disk/by-label/data";
}; fsType = "ext4";
modules = {
networking.ssh.enable = true;
services = {
auth.enable = true;
media.enable = true;
# nextcloud.enable = true;
games = {
minecraft.enable = true;
};
}; };
root = { modules = {
user = { networking.ssh.enable = true;
full_name = "__ROOT__";
email = "__ROOT__@${config.networking.hostName}"; services = {
auth.enable = true;
media.enable = true;
# nextcloud.enable = true;
games = {
minecraft.enable = true;
};
}; };
shell = { root = {
default = "zsh"; user = {
full_name = "__ROOT__";
email = "__ROOT__@${config.networking.hostName}";
};
shell = {
default = "zsh";
};
}; };
}; };
}; };

2
lib/nixos.nix
View file

@ -56,7 +56,7 @@ in rec
inputs.plasma-manager.homeManagerModules.plasma-manager inputs.plasma-manager.homeManagerModules.plasma-manager
]; ];
users = listToAttrs (map (user: (nameValuePair user { home = { inherit stateVersion; }; })) (attrNames config.users.users)); users = listToAttrs (map (user: (nameValuePair user { home = { inherit stateVersion; }; })) (users ++ ["root"]));
}; };
}; };
}) })

34
modules/system/services/auth.nix
View file

@ -43,7 +43,7 @@ in
rules = [ rules = [
{ {
domain = ["auth.kruining.eu"]; domain = ["kaas2.kruining.eu"];
policy = "bypass"; policy = "bypass";
} }
{ {
@ -62,7 +62,7 @@ in
cookies = [ cookies = [
{ {
domain = "kruining.eu"; domain = "kruining.eu";
authelia_url = "https://auth.kruining.eu"; authelia_url = "https://kaas2.kruining.eu";
default_redirection_url = "https://kaas.kruining.eu"; default_redirection_url = "https://kaas.kruining.eu";
name = "authelia_session"; name = "authelia_session";
} }
@ -76,21 +76,35 @@ in
}; };
storage = { storage = {
local.path = "/var/authelia/testing/db.sqlite3"; local.path = "/var/lib/authelia-testing/db.sqlite3";
}; };
notifier = { notifier = {
disable_startup_check = false; disable_startup_check = false;
filesystem.filename = "/var/authelia/testing/notifications.txt"; filesystem.filename = "/var/lib/authelia-testing/notifications.txt";
}; };
# identity_providers.oidc.clients = []; identity_providers.oidc = {
jwks = [
{ key = ''{{ secret "/config/secrets/oidc/jwks/rsa.2048.key" | mindent 10 "|" | msquote }}''; }
];
clients = [
{
client_id = "jellyfin";
client_name = "Jellyfin";
client_secret = "$pbkdf2-sha512$310000$X1uesLwLAp4Uy4kR7EWJDQ$uuhPXujOJeR/1YmoVCZAX.V5oHQMpnioeXgDYQN8zLcWbOOWMIqKWSeLvPXPQoxhFKE8o/hOlfqJOuHUug6eTQ";
token_endpoint_auth_method = "client_secret_post";
authorization_policy = "one_factor";
redirect_uris = [ "https://jellyfin.kruining.eu/sso/OID/redirect/" ];
}
];
};
}; };
}; };
systemd = { systemd = {
tmpfiles.rules = [ tmpfiles.rules = [
"d /var/authelia/testing 400 ${user} ${user} -" "d /var/lib/authelia-testing 400 ${user} ${user} -"
]; ];
}; };
@ -137,17 +151,21 @@ in
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"auth.kruining.eu".extraConfig = '' "auth.kruining.eu".extraConfig = ''
reverse_proxy authelia:9091 respond "AUTH"
# reverse_proxy http://127.0.0.1:9091
''; '';
"kaas.kruining.eu".extraConfig = '' "kaas.kruining.eu".extraConfig = ''
import auth import auth
respond "KAAS" respond "KAAS"
''; '';
"kaas2.kruining.eu".extraConfig = ''
reverse_proxy http://127.0.0.1:9091
'';
}; };
extraConfig = '' extraConfig = ''
(auth) { (auth) {
forward_auth authelia:9091 { forward_auth http://127.0.0.1:9091 {
uri /api/authz/forward-auth uri /api/authz/forward-auth
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
} }

5
modules/system/services/media.nix
View file

@ -19,6 +19,7 @@ in
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
podman-tui podman-tui
jellyfin jellyfin
jellyfin-web
jellyfin-ffmpeg jellyfin-ffmpeg
jellyseerr jellyseerr
mediainfo mediainfo
@ -91,6 +92,8 @@ in
enable = true; enable = true;
virtualHosts = { virtualHosts = {
"media.kruining.eu".extraConfig = '' "media.kruining.eu".extraConfig = ''
import auth
reverse_proxy http://127.0.0.1:9494 reverse_proxy http://127.0.0.1:9494
''; '';
"jellyfin.kruining.eu".extraConfig = '' "jellyfin.kruining.eu".extraConfig = ''
@ -106,7 +109,7 @@ in
# reverse_proxy http://127.0.0.1:9696 # reverse_proxy http://127.0.0.1:9696
# ''; # '';
# "torrents.kruining.eu".extraConfig = '' # "torrents.kruining.eu".extraConfig = ''
# reverse_proxy http://127.0.0.1:58080 # reverse_proxy http://127.0.0.1:5000
# ''; # '';
# "usenet.kruining.eu".extraConfig = '' # "usenet.kruining.eu".extraConfig = ''
# reverse_proxy http://127.0.0.1:8080 # reverse_proxy http://127.0.0.1:8080

29
modules/system/services/security.nix Normal file
View file

@ -0,0 +1,29 @@
{ config, lib, pkgs, ... }:
let
inherit (lib.options) mkEnableOption;
inherit (lib.modules) mkIf;
cfg = config.modules.services.auth;
in
{
options.modules.services.security = {
enable = mkEnableOption "Auth";
};
config = mkIf cfg.enable {
environment.systemPackages = with pkgs; [
vaultwarden
vaultwarden-postgresql
];
services.vaultwarden = {
enable = true;
dbBackend = "postgresql";
config = {
SIGNUPS_ALLOWED = false;
DOMAIN = "https://passwords.kruining.eu";
};
};
};
}