wip

hosts/ulmo/default.nix

@@ -11,7 +11,9 @@
     networking.ssh.enable = true;
 
     services = {
+      auth.enable = true;
       media.enable = true;
+      nextcloud.enable = true;
 
       games = {
         minecraft.enable = true;

lib/nixos.nix

@@ -39,22 +39,27 @@ in rec
             mutableUsers = true; # Set this to false when I get sops with passwords set up properly
             users = mkIf (pathExists "${path}/users") (mapModules "${path}/users" mkSysUser);
           };
-
-          home-manager = {
-            backupFileExtension = "bak";
-            useGlobalPkgs = true;
-            sharedModules = [
-              inputs.plasma-manager.homeManagerModules.plasma-manager
-            ];
-
-            users = listToAttrs (map (user: (nameValuePair user { home = { inherit stateVersion; }; })) (users ++ [ "root" ]));
-          };
         })
         (filterAttrs (n: v: !elem n ["system"]) attrs)
         (import path)
         (args@{ inputs, lib, pkgs, config, options, ... }: {
           imports = mapModulesRec' ../modules/home (file: (import file (args // { user = "root"; })));
         })
+        ({config, ...}: {
+          imports = [];
+
+          config = {
+            home-manager = {
+              backupFileExtension = "bak";
+              useGlobalPkgs = true;
+              sharedModules = [
+                inputs.plasma-manager.homeManagerModules.plasma-manager
+              ];
+
+              users = listToAttrs (map (user: (nameValuePair user { home = { inherit stateVersion; }; })) (attrNames config.users.users));
+            };
+          };
+        })
       ]
       ++ (map (user: (args@{ inputs, lib, pkgs, config, options, ... }: {
         imports = mapModulesRec' ../modules/home (file: (import file (args // { inherit user; })));

modules/system/services/auth.nix

@@ -1,11 +1,12 @@
-{ config, options, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
+inherit (lib.options) mkEnableOption;
   inherit (lib.modules) mkIf;
+
+  user = "authelia-testing";
 in
 {
-  options.modules.services.auth = let
+  options.modules.services.auth = {
-    inherit (lib.options) mkEnableOption;
-  in {
     enable = mkEnableOption "Auth";
   };
 
@@ -16,66 +17,137 @@ in
 
     services.authelia.instances.testing = {
       enable = true;
-      secrets.storageEncryptionKeyFile = "/etc/authelia/storageEncryptionKeyFile";
+
-      secrets.jwtSecretFile = "/etc/authelia/jwtSecretFile";
+      secrets = {
+        storageEncryptionKeyFile = "/etc/authelia/testing/storageEncryptionKeyFile";
+        jwtSecretFile = "/etc/authelia/testing/jwtSecretFile";
+        sessionSecretFile = "/etc/authelia/testing/sessionSecrets";
+      };
+
       settings = {
-        log.level = "info";
+        theme = "auto";
-        authentication_backend.file.path = "/etc/authelia/users_database.yml";
+
-        access_control.default_policy = "one_factor";
+        server = {
-        session.domain = "kruining.eu";
+          address = "tcp://127.0.0.1:9091";
-        storage.local.path = "/tmp/db.sqlite3";
+        };
-        notifier.filesystem.filename = "/tmp/notifications.txt";
+
-        server.endpoints.authz.forward-auth.implementation = "ForwardAuth";
+        log = {
-        identity_providers.oidc.clients = [];
+          level = "info";
+          format = "json";
+        };
+
+        authentication_backend.file.path = "/etc/authelia/testing/users_database.yml";
+
+        access_control = {
+          default_policy = "deny";
+
+          rules = [
+            {
+              domain = ["auth.kruining.eu"];
+              policy = "bypass";
+            }
+            {
+              domain = ["*.kruining.eu"];
+              policy = "one_factor";
+            }
+          ];
+        };
+
+        session = {
+          name = "authelia_testing_session";
+          expiration = "12h";
+          inactivity = "45m";
+          remember_me = "1m";
+          # redis.host = "/run/redis-authelia-testing/redis.sock";
+          cookies = [
+            {
+              domain = "kruining.eu";
+              authelia_url = "https://auth.kruining.eu";
+              default_redirection_url = "https://kaas.kruining.eu";
+              name = "authelia_session";
+            }
+          ];
+        };
+
+        regulation = {
+          max_retries = 300;
+          find_time = "5m";
+          ban_time = "15m";
+        };
+
+        storage = {
+          local.path = "/var/authelia/testing/db.sqlite3";
+        };
+
+        notifier = {
+          disable_startup_check = false;
+          filesystem.filename = "/var/authelia/testing/notifications.txt";
+        };
+
+        # identity_providers.oidc.clients = [];
       };
     };
 
-    # systemd.services."authelia-testing" = {
+    systemd = {
-    #   serviceConfig.Environment = "X_AUTHELIA_CONFIG_FILTERS=template";
+      tmpfiles.rules = [
-    # };
+        "d /var/authelia/testing 400 ${user} ${user} -"
+      ];
+    };
 
     # These should not be set from nix but through other means to not leak the secret!
     # This is purely for testing purposes!
-    environment.etc."authelia/storageEncryptionKeyFile" = {
+    environment.etc = {
-      mode = "0400";
+      "authelia/testing/storageEncryptionKeyFile" = {
-      user = "authelia-testing";
+        mode = "0400";
-      text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this";
+        user = user;
-    };
+        text = "you_must_generate_a_random_string_of_more_than_twenty_chars_and_configure_this";
-    environment.etc."authelia/jwtSecretFile" = {
+      };
-      mode = "0400";
+
-      user = "authelia-testing";
+      "authelia/testing/jwtSecretFile" = {
-      text = "a_very_important_secret";
+        mode = "0400";
-    };
+        user = user;
-    environment.etc."authelia/users_database.yml" = {
+        text = "a_very_important_secret";
-      mode = "0400";
+      };
-      user = "authelia-testing";
+
-      text = ''
+      "authelia/testing/sessionSecrets" = {
-        users:
+        mode = "0400";
-          bob:
+        user = user;
-            disabled: false
+        text = "some_session_secrets";
-            displayname: bob
+      };
-            # password of password
+
-            password: $argon2id$v=19$m=65536,t=3,p=4$2ohUAfh9yetl+utr4tLcCQ$AsXx0VlwjvNnCsa70u4HKZvFkC8Gwajr2pHGKcND/xs
+      "authelia/testing/users_database.yml" = {
-            email: bob@jim.com
+        mode = "0400";
-            groups:
+        user = user;
-              - admin
+        text = ''
-              - dev
+          users:
-      '';
+            chris:
+              disabled: false
+              displayname: chris
+              # password of password
+              password: $argon2id$v=19$m=65536,t=3,p=4$2ohUAfh9yetl+utr4tLcCQ$AsXx0VlwjvNnCsa70u4HKZvFkC8Gwajr2pHGKcND/xs
+              email: chris@kruining.eu
+              groups:
+                - admin
+                - dev
+        '';
+      };
     };
 
     services.caddy = {
       enable = true;
       virtualHosts = {
         "auth.kruining.eu".extraConfig = ''
-          reverse_proxy :9091
+          reverse_proxy authelia:9091
         '';
         "kaas.kruining.eu".extraConfig = ''
+          import auth
+
           respond "KAAS"
         '';
       };
       extraConfig = ''
         (auth) {
-          forward_auth :9091 {
+          forward_auth authelia:9091 {
             uri /api/authz/forward-auth
             copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
           }

modules/system/services/default.nix

@@ -1,9 +1,4 @@
-{ config, options, lib, pkgs, ... }:
+{ ... }:
-let
-  inherit (lib.modules) mkIf;
-in
 {
-  options.modules.services = let
+  options.modules.services = {};
-    inherit (lib.options) mkEnableOption;
-  in {};
 }

modules/system/services/media.nix

@@ -27,11 +27,11 @@ in
     ];
 
     users = {
-      users."${user}" = {
+      users.${user} = {
         isSystemUser = true;
         group = group;
       };
-      groups."${group}" = {};
+      groups.${group} = {};
     };
 
     system.activationScripts.var = mkForce ''

modules/system/services/nextcloud.nix

@@ -1,22 +1,24 @@
-{ config, options, lib, pkgs, ... }:
+{ config, lib, pkgs, ... }:
 let
+  inherit (lib.options) mkEnableOption;
   inherit (lib.modules) mkIf;
 
   user = "nextcloud";
 in
 {
-  options.modules.services.nextcloud = let
+  options.modules.services.nextcloud = {
-    inherit (lib.options) mkEnableOption;
-  in {
     enable = mkEnableOption "Nextcloud";
   };
 
   config = mkIf config.modules.services.nextcloud.enable {
-    users.users.${user} = {
+    users = {
-      name = user;
+      users.${user} = {
-      isSystemUser = true;
+        name = user;
-      home = "/home/${user}";
+        isSystemUser = true;
-      group = user;
+        home = "/home/${user}";
+        group = user;
+      };
+      groups.${user} = {};
     };
 
     home-manager.users.${user}.home.file.".netrc".text = ''
@@ -30,6 +32,7 @@ in
           Description = "Automatic nextcloud sync";
           After = "network-online.target";
         };
+        WantedBy = [ "multi-user.target" ];
         Service = {
           Type = "simple";
           ExecStart = "${pkgs.nextcloud-client}/bin/nextcloudcmd -h -n --path /var/music /home/${user}/Music https://cloud.kruining.eu";
@@ -37,8 +40,8 @@ in
           KillMode = "process";
           KillSignal = "SIGINT";
         };
-        Install.WantedBy = [ "multi-user.target" ];
       };
+
       timers.nextcloud-autosync = {
         Unit.Description = "Automatic nextcloud sync";
         Timer.OnBootSec = "5min";

modules/system/services/oidc_clients.yml

@@ -1,5 +0,0 @@
-# Hashed client secrets go here, and unhashed ones go in the client configurations
-
-identity_providers:
-  oidc:
-    clients: