progress in multi user config

2025-03-18 16:43:07 +01:00 · 2025-03-18 16:43:07 +01:00 · 3a2f52f45e
commit 3a2f52f45e
parent f7891e1f30
68 changed files with 384 additions and 663 deletions
--- a/modules/services/auth.nix
+++ b/modules/services/auth.nix
@ -1,88 +0,0 @@
-{ config, options, lib, pkgs, ... }:
-let
-  inherit (lib.modules) mkIf;
-in
-{
-  options.modules.services.auth = let
-    inherit (lib.options) mkEnableOption;
-  in {
-    enable = mkEnableOption "Auth";
-  };
-
-  config = mkIf config.modules.services.auth.enable {
-    environment.systemPackages = with pkgs; [
-      authelia
-    ];
-
-    services.authelia.instances.testing = {
-      enable = true;
-      secrets.storageEncryptionKeyFile = "/etc/authelia/storageEncryptionKeyFile";
-      secrets.jwtSecretFile = "/etc/authelia/jwtSecretFile";
-      settings = {
-        log.level = "info";
-        authentication_backend.file.path = "/etc/authelia/users_database.yml";
-        access_control.default_policy = "one_factor";
-        session.domain = "kruining.eu";
-        storage.local.path = "/tmp/db.sqlite3";
-        notifier.filesystem.filename = "/tmp/notifications.txt";
-        server.endpoints.authz.forward-auth.implementation = "ForwardAuth";
-        identity_providers.oidc.clients = [];
-      };
-    };
-
-    # systemd.services."authelia-testing" = {
-    #   serviceConfig.Environment = "X_AUTHELIA_CONFIG_FILTERS=template";
-    # };
-
-    # These should not be set from nix but through other means to not leak the secret!
-    # This is purely for testing purposes!
-    environment.etc."authelia/storageEncryptionKeyFile" = {
-      mode = "0400";
-      user = "authelia-testing";
-      text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this";
-    };
-    environment.etc."authelia/jwtSecretFile" = {
-      mode = "0400";
-      user = "authelia-testing";
-      text = "a_very_important_secret";
-    };
-    environment.etc."authelia/users_database.yml" = {
-      mode = "0400";
-      user = "authelia-testing";
-      text = ''
-        users:
-          bob:
-            disabled: false
-            displayname: bob
-            # password of password
-            password: $argon2id$v=19$m=65536,t=3,p=4$2ohUAfh9yetl+utr4tLcCQ$AsXx0VlwjvNnCsa70u4HKZvFkC8Gwajr2pHGKcND/xs
-            email: bob@jim.com
-            groups:
-              - admin
-              - dev
-      '';
-    };
-
-    services.caddy = {
-      enable = true;
-      virtualHosts = {
-        "auth.kruining.eu".extraConfig = ''
-          reverse_proxy :9091
-        '';
-        "kaas.kruining.eu".extraConfig = ''
-          respond "KAAS"
-        '';
-      };
-      extraConfig = ''
-        (auth) {
-          forward_auth :9091 {
-            uri /api/authz/forward-auth
-            copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
-          }
-        }
-      '';
-    };
-
-    networking.firewall.allowedTCPPorts = [ 80 443 ];
-  };
-}