From c6933ae16a03ecf08beb037a66e71bcd26a8f1d5 Mon Sep 17 00:00:00 2001 From: Chris Kruining Date: Tue, 1 Apr 2025 19:58:31 +0200 Subject: [PATCH] wip --- hosts/ulmo/default.nix | 2 + lib/nixos.nix | 25 ++-- modules/system/services/auth.nix | 160 ++++++++++++++++------- modules/system/services/default.nix | 9 +- modules/system/services/media.nix | 4 +- modules/system/services/nextcloud.nix | 23 ++-- modules/system/services/oidc_clients.yml | 5 - 7 files changed, 150 insertions(+), 78 deletions(-) delete mode 100644 modules/system/services/oidc_clients.yml diff --git a/hosts/ulmo/default.nix b/hosts/ulmo/default.nix index ea76e2a..75df708 100644 --- a/hosts/ulmo/default.nix +++ b/hosts/ulmo/default.nix @@ -11,7 +11,9 @@ networking.ssh.enable = true; services = { + auth.enable = true; media.enable = true; + nextcloud.enable = true; games = { minecraft.enable = true; diff --git a/lib/nixos.nix b/lib/nixos.nix index d558eed..a2fd2ca 100644 --- a/lib/nixos.nix +++ b/lib/nixos.nix 
@@ -39,22 +39,27 @@ in rec mutableUsers = true; # Set this to false when I get sops with passwords set up properly users = mkIf (pathExists "${path}/users") (mapModules "${path}/users" mkSysUser); }; - - home-manager = { - backupFileExtension = "bak"; - useGlobalPkgs = true; - sharedModules = [ - inputs.plasma-manager.homeManagerModules.plasma-manager - ]; - - users = listToAttrs (map (user: (nameValuePair user { home = { inherit stateVersion; }; })) (users ++ [ "root" ])); - }; }) (filterAttrs (n: v: !elem n ["system"]) attrs) (import path) (args@{ inputs, lib, pkgs, config, options, ... }: { imports = mapModulesRec' ../modules/home (file: (import file (args // { user = "root"; }))); }) + ({config, ...}: { + imports = []; + + config = { + home-manager = { + backupFileExtension = "bak"; + useGlobalPkgs = true; + sharedModules = [ + inputs.plasma-manager.homeManagerModules.plasma-manager + ]; + + users = listToAttrs (map (user: (nameValuePair user { home = { inherit stateVersion; }; })) (attrNames config.users.users)); + }; + }; + }) ] ++ (map (user: (args@{ inputs, lib, pkgs, config, options, ... }: { imports = mapModulesRec' ../modules/home (file: (import file (args // { inherit user; }))); diff --git a/modules/system/services/auth.nix b/modules/system/services/auth.nix index 67a2531..30f5152 100644 --- a/modules/system/services/auth.nix +++ b/modules/system/services/auth.nix @@ -1,11 +1,12 @@ -{ config, options, lib, pkgs, ... }: +{ config, lib, pkgs, ... }: let +inherit (lib.options) mkEnableOption; inherit (lib.modules) mkIf; + + user = "authelia-testing"; in { - options.modules.services.auth = let - inherit (lib.options) mkEnableOption; - in { + options.modules.services.auth = { enable = mkEnableOption "Auth"; }; 
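Review bot: `attrNames config.users.users` in the new home-manager block enumerates every account NixOS defines, not just the configured users — `nobody`, `nixbld*`, `messagebus`, and the `authelia-testing`/`nextcloud` service accounts — so home-manager will generate and try to activate a profile for each of them, many of which have `/var/empty` as home. Keep the explicit list, or filter to accounts that actually have a home worth managing, e.g. replace `(attrNames config.users.users)` with `(attrNames (filterAttrs (_: u: u.isNormalUser || u.home != "/var/empty") config.users.users))` (`filterAttrs` is already in scope here). Defining `home-manager.users` from `config.users.users` also risks an infinite recursion if any module ever derives `users.users` entries from `home-manager.users`; if that shows up, fall back to a static list. The enclosing module list continues outside the hunk.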
@@ -16,66 +17,137 @@ in services.authelia.instances.testing = { enable = true; - secrets.storageEncryptionKeyFile = "/etc/authelia/storageEncryptionKeyFile"; - secrets.jwtSecretFile = "/etc/authelia/jwtSecretFile"; + + secrets = { + storageEncryptionKeyFile = "/etc/authelia/testing/storageEncryptionKeyFile"; + jwtSecretFile = "/etc/authelia/testing/jwtSecretFile"; + sessionSecretFile = "/etc/authelia/testing/sessionSecrets"; + }; + settings = { - log.level = "info"; - authentication_backend.file.path = "/etc/authelia/users_database.yml"; - access_control.default_policy = "one_factor"; - session.domain = "kruining.eu"; - storage.local.path = "/tmp/db.sqlite3"; - notifier.filesystem.filename = "/tmp/notifications.txt"; - server.endpoints.authz.forward-auth.implementation = "ForwardAuth"; - identity_providers.oidc.clients = []; + theme = "auto"; + + server = { + address = "tcp://127.0.0.1:9091"; + }; + + log = { + level = "info"; + format = "json"; + }; + + authentication_backend.file.path = "/etc/authelia/testing/users_database.yml"; + + access_control = { + default_policy = "deny"; + + rules = [ + { + domain = ["auth.kruining.eu"]; + policy = "bypass"; + } + { + domain = ["*.kruining.eu"]; + policy = "one_factor"; + } + ]; + }; + + session = { + name = "authelia_testing_session"; + expiration = "12h"; + inactivity = "45m"; + remember_me = "1m"; + # redis.host = "/run/redis-authelia-testing/redis.sock"; + cookies = [ + { + domain = "kruining.eu"; + authelia_url = "https://auth.kruining.eu"; + default_redirection_url = "https://kaas.kruining.eu"; + name = "authelia_session"; + } + ]; + }; + + regulation = { + max_retries = 300; + find_time = "5m"; + ban_time = "15m"; + }; + + storage = { + local.path = "/var/authelia/testing/db.sqlite3"; + }; + + notifier = { + disable_startup_check = false; + filesystem.filename = "/var/authelia/testing/notifications.txt"; + }; + + # identity_providers.oidc.clients = []; }; }; - # systemd.services."authelia-testing" = { - # 
serviceConfig.Environment = "X_AUTHELIA_CONFIG_FILTERS=template"; - # }; + systemd = { + tmpfiles.rules = [ + "d /var/authelia/testing 400 ${user} ${user} -" + ]; + }; # These should not be set from nix but through other means to not leak the secret! # This is purely for testing purposes! - environment.etc."authelia/storageEncryptionKeyFile" = { - mode = "0400"; - user = "authelia-testing"; - text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this"; - }; - environment.etc."authelia/jwtSecretFile" = { - mode = "0400"; - user = "authelia-testing"; - text = "a_very_important_secret"; - }; - environment.etc."authelia/users_database.yml" = { - mode = "0400"; - user = "authelia-testing"; - text = '' - users: - bob: - disabled: false - displayname: bob - # password of password - password: $argon2id$v=19$m=65536,t=3,p=4$2ohUAfh9yetl+utr4tLcCQ$AsXx0VlwjvNnCsa70u4HKZvFkC8Gwajr2pHGKcND/xs - email: bob@jim.com - groups: - - admin - - dev - ''; + environment.etc = { + "authelia/testing/storageEncryptionKeyFile" = { + mode = "0400"; + user = user; + text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this"; + }; + + "authelia/testing/jwtSecretFile" = { + mode = "0400"; + user = user; + text = "a_very_important_secret"; + }; + + "authelia/testing/sessionSecrets" = { + mode = "0400"; + user = user; + text = "some_session_secrets"; + }; + + "authelia/testing/users_database.yml" = { + mode = "0400"; + user = user; + text = '' + users: + chris: + disabled: false + displayname: chris + # password of password + password: $argon2id$v=19$m=65536,t=3,p=4$2ohUAfh9yetl+utr4tLcCQ$AsXx0VlwjvNnCsa70u4HKZvFkC8Gwajr2pHGKcND/xs + email: chris@kruining.eu + groups: + - admin + - dev + ''; + }; }; services.caddy = { enable = true; virtualHosts = { "auth.kruining.eu".extraConfig = '' - reverse_proxy :9091 + reverse_proxy authelia:9091 ''; "kaas.kruining.eu".extraConfig = '' + import auth + respond "KAAS" ''; }; extraConfig = '' (auth) { - 
forward_auth :9091 { + forward_auth authelia:9091 { uri /api/authz/forward-auth copy_headers Remote-User Remote-Groups Remote-Email Remote-Name } diff --git a/modules/system/services/default.nix b/modules/system/services/default.nix index 2fb9ae1..4afadc5 100644 --- a/modules/system/services/default.nix +++ b/modules/system/services/default.nix @@ -1,9 +1,4 @@ -{ config, options, lib, pkgs, ... }: -let - inherit (lib.modules) mkIf; -in +{ ... }: { - options.modules.services = let - inherit (lib.options) mkEnableOption; - in {}; + options.modules.services = {}; } diff --git a/modules/system/services/media.nix b/modules/system/services/media.nix index 74df3df..18ecb70 100644 --- a/modules/system/services/media.nix +++ b/modules/system/services/media.nix @@ -27,11 +27,11 @@ in ]; users = { - users."${user}" = { + users.${user} = { isSystemUser = true; group = group; }; - groups."${group}" = {}; + groups.${group} = {}; }; system.activationScripts.var = mkForce '' diff --git a/modules/system/services/nextcloud.nix b/modules/system/services/nextcloud.nix index 7c61aa3..687de65 100644 --- a/modules/system/services/nextcloud.nix +++ b/modules/system/services/nextcloud.nix @@ -1,22 +1,24 @@ -{ config, options, lib, pkgs, ... }: +{ config, lib, pkgs, ... }: let + inherit (lib.options) mkEnableOption; inherit (lib.modules) mkIf; user = "nextcloud"; in { - options.modules.services.nextcloud = let - inherit (lib.options) mkEnableOption; - in { + options.modules.services.nextcloud = { enable = mkEnableOption "Nextcloud"; }; config = mkIf config.modules.services.nextcloud.enable { - users.users.${user} = { - name = user; - isSystemUser = true; - home = "/home/${user}"; - group = user; + users = { + users.${user} = { + name = user; + isSystemUser = true; + home = "/home/${user}"; + group = user; + }; + groups.${user} = {}; }; home-manager.users.${user}.home.file.".netrc".text = '' 
@@ -30,6 +32,7 @@ in Description = "Automatic nextcloud sync"; After = "network-online.target"; }; + WantedBy = [ "multi-user.target" ]; Service = { Type = "simple"; ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path /var/music /home/${user}/Music https://cloud.kruining.eu"; @@ -37,8 +40,8 @@ in KillMode = "process"; KillSignal = "SIGINT"; }; - Install.WantedBy = [ "multi-user.target" ]; }; + timers.nextcloud-autosync = { Unit.Description = "Automatic nextcloud sync"; Timer.OnBootSec = "5min"; diff --git a/modules/system/services/oidc_clients.yml b/modules/system/services/oidc_clients.yml deleted file mode 100644 index 665daf5..0000000 --- a/modules/system/services/oidc_clients.yml +++ /dev/null @@ -1,5 +0,0 @@ -# Hashed client secrets go here, and unhashed ones go in the client configurations - -identity_providers: - oidc: - clients:
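Review bot: `WantedBy = [ "multi-user.target" ];` is now a top-level key of the unit attrset rather than under `Install`; with the `Unit`/`Service` sections spelled in capitalised INI form this looks like a home-manager `systemd.user.services` entry, whose top-level keys are the sections themselves, so the line is either rejected at evaluation or emitted as a bogus `[WantedBy]` section and the service is no longer enabled by anything. If the intent is that only the `nextcloud-autosync` timer triggers the service, drop the line; otherwise restore `Install.WantedBy = [ "default.target" ];`, since user units are pulled in by `default.target`, not the system `multi-user.target`. As `ExecStart` is a one-off `nextcloudcmd` run driven by the timer, `Type = "oneshot";` would also stop systemd treating each run as a long-lived daemon. The enclosing unit definition starts, and its timer continues, outside the hunk.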