Added Authelia : en chantier

machines/lisa/default.nix

@@ -1,5 +1,4 @@
 { config, lib, pkgs, modulesPath, ... }:
-
 {
   imports =
     [
@@ -38,6 +37,7 @@
         subdomain = "docs";
       };
     };
+    homer.enable = true;
     bruit = {
       enable = true;
       nginx = {
@@ -76,8 +76,7 @@
   system.stateVersion = "21.11";
 
 
-    networking.firewall = {
-    allowedTCPPorts = [ ];
+  networking.firewall = {
     allowedUDPPorts = [ 51820 ];
   };
   networking.nat.enable = true;
@@ -126,7 +125,11 @@
           allowedIPs = [ "10.100.0.8/32" ];
           publicKey = "EmWRWnZfr60ekm4ZLdwa6gXU6V3p39p6tWOZ03dL+DA=";
         }
-      ]; 
+        {
+          allowedIPs = [ "10.100.0.9/32" ];
+          publicKey = "z85y4nc+7O7t2I4VqP0SAKJOD46PlkXoEPiuGOBS+SI=";
+        }
+      ];
 
     };
   };
@@ -134,10 +137,13 @@
 
 
 
-
-
-
-
-
+  services.nginx.virtualHosts."jellyfin.mondon.me" = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/" = {
+      proxyWebsockets = true;
+      proxyPass = "http://10.100.0.4";
+    };
+  };
 
 }

modules/authelia/authelia.conf

@@ -0,0 +1,38 @@
+# Virtual endpoint created by nginx to forward auth requests.
+location /authelia {
+    internal;
+    set $upstream_authelia http://127.0.0.1:9091/api/verify;
+    proxy_pass_request_body off;
+    proxy_pass $upstream_authelia;    
+    proxy_set_header Content-Length "";
+
+    # Timeout if the real server is dead
+    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
+
+    # [REQUIRED] Needed by Authelia to check authorizations of the resource.
+    # Provide either X-Original-URL and X-Forwarded-Proto or
+    # X-Forwarded-Proto, X-Forwarded-Host and X-Forwarded-Uri or both.
+    # Those headers will be used by Authelia to deduce the target url of the     user.
+    # Basic Proxy Config
+    client_body_buffer_size 128k;
+    proxy_set_header Host $host;
+    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
+    proxy_set_header X-Real-IP $remote_addr;
+    proxy_set_header X-Forwarded-For $remote_addr; 
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_set_header X-Forwarded-Host $http_host;
+    proxy_set_header X-Forwarded-Uri $request_uri;
+    proxy_set_header X-Forwarded-Ssl on;
+    proxy_redirect  http://  $scheme://;
+    proxy_http_version 1.1;
+    proxy_set_header Connection "";
+    proxy_cache_bypass $cookie_session;
+    proxy_no_cache $cookie_session;
+    proxy_buffers 4 32k;
+
+    # Advanced Proxy Config
+    send_timeout 5m;
+    proxy_read_timeout 240;
+    proxy_send_timeout 240;
+    proxy_connect_timeout 240;
+}

modules/authelia/configuration.yml

@@ -0,0 +1,45 @@
+host: 0.0.0.0
+port: 9091
+server:
+  read_buffer_size: 4096
+  write_buffer_size: 4096
+  path: "authelia"
+log_level: debug
+jwt_secret: somethingsomethingrandomrecret
+default_redirection_url: https://auth.julienmalka.me
+authentication_backend:
+  disable_reset_password: false
+  file:
+    path: /config/users_database.yml
+    password:
+      algorithm: argon2id
+      iterations: 1
+      key_length: 32
+      salt_length: 16
+      memory: 512
+      parallelism: 8
+access_control:
+  default_policy: deny
+  rules:
+    - domain:
+      - series.julienmalka.me
+      policy: one_factor
+session:
+  name: authelia_session
+  secret: somerandomsecret
+  expiration: 1h
+  inactivity: 5m
+  remember_me_duration: 1M
+  domain: series.julienmalka.me
+regulation:
+  max_retries: 3
+  find_time: 2m
+  ban_time: 5m
+storage:
+  encryption_key: a_very_important_secret
+  local:
+    path: /config/db.sqlite3
+notifier:
+  disable_startup_check: false
+  filesystem:
+    filename: /config/notification.txt

modules/authelia/default.nix

@@ -0,0 +1,80 @@
+{ pkgs, lib, config, ... }:
+with lib; let
+  cfg = config.luj.authelia;
+in
+{
+  options.luj.authelia = {
+    enable = mkEnableOption "enable authelia";
+  };
+  config = mkIf cfg.enable {
+
+    virtualisation.docker.enable = true;
+    virtualisation.oci-containers.containers."authelia" = {
+      image = "authelia/authelia";
+      environment = {
+        "TZ" = "Europe/Paris";
+      };
+      volumes = [
+        "/srv/authelia:/config/"
+      ];
+
+      ports = [ "9091:9091" ];
+
+    };
+
+    services.nginx.appendHttpConfig = ''
+        server {
+            server_name auth.julienmalka.me;
+            listen 80;
+            return 301 https://$server_name$request_uri;
+        }
+
+        server {
+            server_name auth.julienmalka.me;
+            listen 443 ssl http2;
+
+            location / {
+                set $upstream_authelia http://127.0.0.1:9091;
+                proxy_pass $upstream_authelia;
+
+                client_body_buffer_size 128k;
+
+                #Timeout if the real server is dead
+                proxy_next_upstream error timeout invalid_header http_500 http_502     http_503;
+
+                # Advanced Proxy Config
+                send_timeout 5m;
+                proxy_read_timeout 360;
+                proxy_send_timeout 360;
+                proxy_connect_timeout 360;
+
+                # Basic Proxy Config
+                proxy_set_header Host $host;
+                proxy_set_header X-Real-IP $remote_addr;
+                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+                proxy_set_header X-Forwarded-Proto $scheme;
+                proxy_set_header X-Forwarded-Host $http_host;
+                proxy_set_header X-Forwarded-Uri $request_uri;
+                proxy_set_header X-Forwarded-Ssl on;
+                proxy_redirect  http://  $scheme://;
+                proxy_http_version 1.1;
+                proxy_set_header Connection "";
+                proxy_cache_bypass $cookie_session;
+                proxy_no_cache $cookie_session;
+                proxy_buffers 64 256k;
+
+                # If behind reverse proxy, forwards the correct IP
+                set_real_ip_from 10.0.0.0/8;
+                set_real_ip_from 172.0.0.0/8;
+                set_real_ip_from 192.168.0.0/16;
+                set_real_ip_from fc00::/7;
+                real_ip_header X-Forwarded-For;
+                real_ip_recursive on;
+            }
+        }
+      '';
+    
+
+  };
+}
+

modules/authelia/secure.conf

@@ -0,0 +1,23 @@
+# Basic Authelia Config
+# Send a subsequent request to Authelia to verify if the user is authenticated
+# and has the right permissions to access the resource.
+auth_request /authelia;
+# Set the `target_url` variable based on the request. It will be used to build the portal
+# URL with the correct redirection parameter.
+auth_request_set $target_url $scheme://$http_host$request_uri;
+# Set the X-Forwarded-User and X-Forwarded-Groups with the headers
+# returned by Authelia for the backends which can consume them.
+# This is not safe, as the backend must make sure that they come from the
+# proxy. In the future, it's gonna be safe to just use OAuth.
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+proxy_set_header Remote-User $user;
+proxy_set_header Remote-Groups $groups;
+proxy_set_header Remote-Name $name;
+proxy_set_header Remote-Email $email;
+# If Authelia returns 401, then nginx redirects the user to the login portal.
+# If it returns 200, then the request pass through to the backend.
+# For other type of errors, nginx will handle them as usual.
+error_page 401 =302 https://auth.julienmalka.me/?rd=$target_url;

modules/authelia/users.yml

@@ -0,0 +1,7 @@
+users:
+  julien:
+    displayname: "Julien Malka"
+    email: julien@malka.sh
+    groups:
+      - admins
+      - dev

modules/homer/default.nix

@@ -0,0 +1,24 @@
+{ lib, pkgs, inputs, config, ... }:
+with lib;
+let
+  cfg = config.luj.homer;
+in
+{
+  options.luj.homer = {
+    enable = mkEnableOption "enable homer";
+  };
+
+  config = mkIf cfg.enable
+    {
+      luj.nginx.enable = true;
+
+      services.nginx.virtualHosts."luj.home" = {
+        sslCertificate = "/etc/nginx/certs/home/cert.pem";
+        sslCertificateKey = "/etc/nginx/certs/home/key.pem";
+        forceSSL = true;
+        root = "/srv/homer/";
+      };
+
+
+    };
+}