diff --git a/flake.lock b/flake.lock
index c7b0f2f..6daf0a5 100644
--- a/flake.lock
+++ b/flake.lock
@@ -86,10 +86,7 @@
"neovim-flake": {
"inputs": {
"flake-utils": "flake-utils",
- "nixpkgs": [
- "neovim-nightly-overlay",
- "nixpkgs"
- ]
+ "nixpkgs": "nixpkgs"
},
"locked": {
"dir": "contrib",
@@ -131,16 +128,16 @@
},
"nixpkgs": {
"locked": {
- "lastModified": 1646011258,
- "narHash": "sha256-+aen4zu5uVp52arEcgL2maCS0zQDuG1t+Azwd/O1gN4=",
- "owner": "NixOS",
+ "lastModified": 1645433236,
+ "narHash": "sha256-4va4MvJ076XyPp5h8sm5eMQvCrJ6yZAbBmyw95dGyw4=",
+ "owner": "nixos",
"repo": "nixpkgs",
- "rev": "a25df4c2b79c4343bcc72ad671200e5a3e286c41",
+ "rev": "7f9b6e2babf232412682c09e57ed666d8f84ac2d",
"type": "github"
},
"original": {
- "owner": "NixOS",
- "ref": "nixos-21.11",
+ "owner": "nixos",
+ "ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
@@ -175,6 +172,22 @@
"type": "indirect"
}
},
+ "nixpkgs_2": {
+ "locked": {
+ "lastModified": 1646011258,
+ "narHash": "sha256-+aen4zu5uVp52arEcgL2maCS0zQDuG1t+Azwd/O1gN4=",
+ "owner": "NixOS",
+ "repo": "nixpkgs",
+ "rev": "a25df4c2b79c4343bcc72ad671200e5a3e286c41",
+ "type": "github"
+ },
+ "original": {
+ "owner": "NixOS",
+ "ref": "nixos-21.11",
+ "repo": "nixpkgs",
+ "type": "github"
+ }
+ },
"nur": {
"locked": {
"lastModified": 1646051576,
@@ -194,7 +207,7 @@
"home-manager": "home-manager",
"homepage": "homepage",
"neovim-nightly-overlay": "neovim-nightly-overlay",
- "nixpkgs": "nixpkgs",
+ "nixpkgs": "nixpkgs_2",
"nur": "nur",
"simple-nixos-mailserver": "simple-nixos-mailserver",
"sops-nix": "sops-nix",
diff --git a/machines/lambda/default.nix b/machines/lambda/default.nix
index 1e8439a..127dcc8 100644
--- a/machines/lambda/default.nix
+++ b/machines/lambda/default.nix
@@ -24,6 +24,11 @@
];
# File systems configuration for using the installer's partition layout
+
+
+ nix.package = lib.mkForce pkgs.nixUnstable;
+
+
fileSystems = {
"/" = {
device = "/dev/disk/by-label/NIXOS_SD";
diff --git a/modules/authelia/configuration.yml b/modules/authelia/authelia-config.nix
similarity index 59%
rename from modules/authelia/configuration.yml
rename to modules/authelia/authelia-config.nix
index 8b9a623..f49130e 100644
--- a/modules/authelia/configuration.yml
+++ b/modules/authelia/authelia-config.nix
@@ -1,16 +1,21 @@
-host: 0.0.0.0
-port: 9091
+# Taken from 'config.template.yml' for Authelia v4.32.2.
+# Update along with 'pkgs/authelia.nix'.
+
+{ cfg }:
+''
server:
+ host: 0.0.0.0
+ port: 9091
read_buffer_size: 4096
write_buffer_size: 4096
path: "authelia"
-log_level: debug
+log.level: debug
jwt_secret: somethingsomethingrandomrecret
-default_redirection_url: https://auth.julienmalka.me
+default_redirection_url: https://autheliafailed.julienmalka.me
authentication_backend:
disable_reset_password: false
file:
- path: /config/users_database.yml
+ path: ${./config/users.yml}
password:
algorithm: argon2id
iterations: 1
@@ -18,19 +23,24 @@ authentication_backend:
salt_length: 16
memory: 512
parallelism: 8
+
access_control:
default_policy: deny
rules:
- domain:
- - series.julienmalka.me
+ - "auth.julienmalka.me"
+ policy: bypass
+ - domain:
+ - "series.julienmalka.me"
policy: one_factor
+
session:
name: authelia_session
secret: somerandomsecret
expiration: 1h
inactivity: 5m
remember_me_duration: 1M
- domain: series.julienmalka.me
+ domain: julienmalka.me
regulation:
max_retries: 3
find_time: 2m
@@ -38,8 +48,10 @@ regulation:
storage:
encryption_key: a_very_important_secret
local:
- path: /config/db.sqlite3
+ path: /var/lib/authelia/storage.db
notifier:
disable_startup_check: false
filesystem:
- filename: /config/notification.txt
+ filename: /var/lib/authelia/notification.txt
+''
+
diff --git a/modules/authelia/users.yml b/modules/authelia/config/users.yml
similarity index 100%
rename from modules/authelia/users.yml
rename to modules/authelia/config/users.yml
diff --git a/modules/authelia/default.nix b/modules/authelia/default.nix
index a778f81..16fd262 100644
--- a/modules/authelia/default.nix
+++ b/modules/authelia/default.nix
@@ -1,6 +1,8 @@
{ pkgs, lib, config, ... }:
with lib; let
cfg = config.luj.authelia;
+ autheliaConfig = pkgs.writeText "authelia-config.yml"
+ (import ./authelia-config.nix { inherit cfg; });
in
{
options.luj.authelia = {
@@ -8,72 +10,86 @@ in
};
config = mkIf cfg.enable {
- virtualisation.docker.enable = true;
- virtualisation.oci-containers.containers."authelia" = {
- image = "authelia/authelia";
- environment = {
- "TZ" = "Europe/Paris";
- };
- volumes = [
- "/srv/authelia:/config/"
- ];
+ systemd = {
+ services.authelia = {
- ports = [ "9091:9091" ];
+
+ serviceConfig = {
+ User = "authelia";
+
+ StateDirectory = "authelia";
+ RuntimeDirectory = "authelia";
+ StateDirectoryMode = "0700";
+ RuntimeDirectoryMode = "0700";
+
+ };
+
+ script = ''
+ exec ${pkgs.authelia}/bin/authelia --config ${autheliaConfig}
+ '';
+ };
};
- services.nginx.appendHttpConfig = ''
- server {
- server_name auth.julienmalka.me;
- listen 80;
- return 301 https://$server_name$request_uri;
- }
+ users = {
+ users.authelia = {
+ group = "authelia";
+ isSystemUser = true;
+ };
- server {
- server_name auth.julienmalka.me;
- listen 443 ssl http2;
+ groups.authelia = {
+ members = [ "nginx" ];
+ };
+ };
- location / {
- set $upstream_authelia http://127.0.0.1:9091;
- proxy_pass $upstream_authelia;
- client_body_buffer_size 128k;
- #Timeout if the real server is dead
- proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
- # Advanced Proxy Config
- send_timeout 5m;
- proxy_read_timeout 360;
- proxy_send_timeout 360;
- proxy_connect_timeout 360;
+ services.nginx.virtualHosts."auth.julienmalka.me" = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/" = {
+ extraConfig = ''
+ set $upstream_authelia http://127.0.0.1:9091;
+ proxy_pass $upstream_authelia;
- # Basic Proxy Config
- proxy_set_header Host $host;
- proxy_set_header X-Real-IP $remote_addr;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-Host $http_host;
- proxy_set_header X-Forwarded-Uri $request_uri;
- proxy_set_header X-Forwarded-Ssl on;
- proxy_redirect http:// $scheme://;
- proxy_http_version 1.1;
- proxy_set_header Connection "";
- proxy_cache_bypass $cookie_session;
- proxy_no_cache $cookie_session;
- proxy_buffers 64 256k;
+ client_body_buffer_size 128k;
- # If behind reverse proxy, forwards the correct IP
- set_real_ip_from 10.0.0.0/8;
- set_real_ip_from 172.0.0.0/8;
- set_real_ip_from 192.168.0.0/16;
- set_real_ip_from fc00::/7;
- real_ip_header X-Forwarded-For;
- real_ip_recursive on;
- }
- }
- '';
-
+ #Timeout if the real server is dead
+ proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+ # Advanced Proxy Config
+ send_timeout 5m;
+ proxy_read_timeout 360;
+ proxy_send_timeout 360;
+ proxy_connect_timeout 360;
+
+ # Basic Proxy Config
+ proxy_set_header Host $host;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto $scheme;
+ proxy_set_header X-Forwarded-Host $http_host;
+ proxy_set_header X-Forwarded-Uri $request_uri;
+ proxy_set_header X-Forwarded-Ssl on;
+ proxy_redirect http:// $scheme://;
+ proxy_http_version 1.1;
+ proxy_set_header Connection "";
+ proxy_cache_bypass $cookie_session;
+ proxy_no_cache $cookie_session;
+ proxy_buffers 64 256k;
+
+ # If behind reverse proxy, forwards the correct IP
+ set_real_ip_from 10.0.0.0/8;
+ set_real_ip_from 172.0.0.0/8;
+ set_real_ip_from 192.168.0.0/16;
+ set_real_ip_from fc00::/7;
+ real_ip_header X-Forwarded-For;
+ real_ip_recursive on;
+
+ '';
+ };
+ };
};
}
diff --git a/modules/status/checks.csv b/modules/status/checks.csv
index f729975..ed86002 100644
--- a/modules/status/checks.csv
+++ b/modules/status/checks.csv
@@ -3,15 +3,10 @@ http, 200, Homepage, https://julienmalka.me
http, 200, CI, https://ci.julienmalka.me
http, 200, Binary Cache, https://bin.julienmalka.me/nix-cache-info
http, 200, Jellyfin, https://tv.julienmalka.me
-http, 200, Deluge, https://downloads.julienmalka.me
-http, 200, Sonarr, https://series.julienmalka.me
-http, 200, Radarr, https://films.julienmalka.me
-http, 200, Jackett, https://jackett.julienmalka.me/UI/Dashboard
port, 0, Newton, newton.julienmalka.me 45
http, 200, Cloud, cloud.julienmalka.me
port, 0, Mail, mail.julienmalka.me 993
http, 200, Docs, https://docs.julienmalka.me
http, 200, Lambda, https://nixos.org
-http, 200, Lidarr, https://songs.julienmalka.me
http, 200, Navidrome, https://music.julienmalka.me
http, 200, Bruit https://bruit.julienmalka.me