Setup sops

Disable
Add lldap and use for authelia
2024-12-04 22:04:03 +01:00 · 2024-12-04 22:04:03 +01:00 · 2024-12-04 22:04:03 +01:00 · 2024-12-04 22:04:03 +01:00 · 2024-12-04 22:04:03 +01:00
5 changed files with 231 additions and 9 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -0,0 +1,9 @@
+keys:
+  - &admin_age age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+  - &tien_age age12j6x69evhvh6ljngq4lgesnezf7hwafc33z7nj9urnsl5xzlhp5sf6szck
+creation_rules:
+  - path_regex: tien/secrets.yaml$
+    key_groups:
+    - age:
+      - *admin_age
+      - *tien_age
--- a/flake.lock
+++ b/flake.lock
@ -71,11 +71,46 @@
        "type": "github"
      }
    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1731763621,
+        "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
    "root": {
      "inputs": {
        "disko": "disko",
        "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_2",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1732186149,
+        "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "type": "github"
      }
    }
  },
--- a/flake.nix
+++ b/flake.nix
@ -6,9 +6,10 @@
    nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
    home-manager.url = "github:nix-community/home-manager/release-24.11";
    home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    sops-nix.url = "github:mic92/sops-nix";
  };

-  outputs = { self, nixpkgs, home-manager, disko,...}:
+  outputs = inputs@{ self, nixpkgs,...}:
    let
      system = "x86_64-linux";
      pkgs = nixpkgs.legacyPackages.${system};
@ -24,15 +25,16 @@
        };
        tien = nixpkgs.lib.nixosSystem {
          system = "x86_64-linux";
+          specialArgs = { inherit inputs; };
          modules = [
-            disko.nixosModules.disko
+            inputs.disko.nixosModules.disko
            ./vps-configuration.nix
            ./vps-hardware-configuration.nix
          ];
        };
      };
      homeConfigurations = {
-        "rothe@lift" = home-manager.lib.homeManagerConfiguration {
+        "rothe@lift" = inputs.home-manager.lib.homeManagerConfiguration {
          inherit pkgs;
          modules = [ 
            ./home/rothe.nix
@ -42,7 +44,7 @@
            mail = nixpkgs.lib.strings.concatStrings ["mail" "@" "johannes-rothe.de"];
          };
        };
-        "rothe@johannes-powermachine" = home-manager.lib.homeManagerConfiguration {
+        "rothe@johannes-powermachine" = inputs.home-manager.lib.homeManagerConfiguration {
          inherit pkgs;
          modules = [ 
            ./home/rothe.nix
@ -51,7 +53,7 @@
            mail = nixpkgs.lib.strings.concatStrings ["mail" "@" "johannes-rothe.de"];
          };
        };
-        "rothe@pdemu1cml000301" = home-manager.lib.homeManagerConfiguration {
+        "rothe@pdemu1cml000301" = inputs.home-manager.lib.homeManagerConfiguration {
          inherit pkgs;
          modules = [ 
            ./home/rothe.nix
--- a/nixos/tien/secrets.yaml
+++ b/nixos/tien/secrets.yaml
@ -0,0 +1,30 @@
+foo: ENC[AES256_GCM,data:HqMg,iv:LdYZPucCO7rOgOFtuzSwSoOsW/GvPoysLfZa2w+E03E=,tag:DpE52f6iWiQ691bwJNFBZA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdkRUVWpSbjVvRUpiUTNj
+            RDQ5aDNKNGZCd0ZGWkczQWRVUWRraTk3bHlvCjQ2ZGtvM3dJQnl0Wjc2ZmJYNGJV
+            QnhuMG1UVEZDUXdMK2M0L3c5Um4rQ28KLS0tIGtQcGVkQktmUkwwbSsrdC8rVnZE
+            T3VhOFF5NGlER2FCQlUrWFN0RHNSeW8KTFwMDtofyqFrnIFs9qy1gHiw8eVX7pcm
+            2k6yLOeyP2NaksDl74OSrmUECxZKMRPspgn1ZlznibDQKyCVXVVKZg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12j6x69evhvh6ljngq4lgesnezf7hwafc33z7nj9urnsl5xzlhp5sf6szck
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOGhZQnBld1lEeGNZVkpi
+            TzFKaFJyVVNqKzNQQkN0M3ZWRUlkY1g3SzE4CmlnVVlMbWRTVHd4KzV3ZHNuR21S
+            bmdJZDJ4YzVDZ3JTcDVucmhpd2xJNFUKLS0tIGRzcUt6cjl3UGpldVBTeG01V1dX
+            eWx2UWdkUXdrSkxPT1NXS2xHengreWsKR31+5SpYGOJyd/SFmzrThBWOVt1GU1hr
+            qTQqyc2/XbMQCc/SrYCa/FhRLboKUFkAO2XbMoH5zEwmkFtuCEoNvg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-20T21:34:05Z"
+    mac: ENC[AES256_GCM,data:xx007JasOAWh2Os1DKkDQ3QMGmxN3oBpmL/t8/UWleYHVR3CTjYOTiSEguurFFIOqW7sK3ZAxnKbIr3mwDXs2VA1LO6L2UvBA0NaFgP6Qws+YvjF+dzRrxl+fXOMJz5wxOJROYo3VVI4zH7xnI22ENGc7VLDholwbx5EZDbUL7Y=,iv:KZxPU6RbLY2wZIX/hsO8OLweAxGe30LOSHWa9MI1ydA=,tag:oewmLJbInGoX7ZwpljRAkA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1
--- a/vps-configuration.nix
+++ b/vps-configuration.nix
@ -1,9 +1,13 @@
-{  config, modulesPath, lib, pkgs, ... }:
+{  config, inputs, modulesPath, lib, pkgs, ... }:
+let
+  hostname = "tien";
+in
 {
  imports = [
    (modulesPath + "/installer/scan/not-detected.nix")
    (modulesPath + "/profiles/qemu-guest.nix")
    ./vps-disk-config.nix
+    inputs.sops-nix.nixosModules.sops
  ];
  boot.loader.grub = {
    # no need to set devices, disko will add all devices that have a EF02 partition to the list already
@ -12,11 +16,22 @@
    efiInstallAsRemovable = true;
  };

+  sops = {
+    defaultSopsFile = ./nixos/tien/secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets = {
+      foo = {};
+    };
+  };
+
+
  environment.systemPackages = with pkgs; [
+    authelia
    curl
+    vim
  ];

-  networking.hostName = "tien";
+  networking.hostName = hostname;
  # do not use DHCP, as dashserv provisions IPs using cloud-init (see service below)
  networking.useDHCP = pkgs.lib.mkForce false;
  networking.firewall = {
@ -25,6 +40,118 @@
    trustedInterfaces = [ "tailscale0" ];
  };

+  services.authelia.instances.main = {
+    enable = true;
+    secrets = {
+      jwtSecretFile = "${pkgs.writeText "jwtSecretFile" "supersecretkeyissupersecret"}";
+      storageEncryptionKeyFile = "${pkgs.writeText "storageEncryptionKeyFile" "supersecretkeyissupersecret"}";
+      sessionSecretFile = "${pkgs.writeText "sessionSecretFile" "supersecretkeyissupersecret"}";
+    };
+    settings = {
+      theme = "auto";
+      default_redirection_url = "https://auth.johannes-rothe.de";
+
+      server = {
+        host = "127.0.0.1";
+        port = 9091;
+      };
+
+      log = {
+        level = "debug";
+        format = "text";
+      };
+
+      authentication_backend = {
+        #file = {
+        #  path = "/var/lib/authelia-main/users_database.yml";
+        #};
+        password_reset.disable = false;
+        refresh_interval = "1m";
+        ldap = {
+          implementation = "custom";
+          url = "ldap://localhost:3890";
+          timeout = "5s";
+          start_tls = false;
+          base_dn = "dc=accounts,dc=johannes-rothe,dc=de";
+          additional_users_dn = "ou=people";
+          users_filter = "(&({username_attribute}={input})(objectClass=person))";
+          additional_groups_dn = "ou=groups";
+          groups_filter = "(member={dn})";
+          display_name_attribute = "displayName";
+          username_attribute = "uid";
+          group_name_attribute = "cn";
+          mail_attribute = "mail";
+          # "bind_user" should be the username you created for authentication with the "lldap_strict_readonly" permission. It is not recommended to use an actual admin account here.
+          # If you are configuring Authelia to change user passwords, then the account used here needs the "lldap_password_manager" permission instead.
+          user = "uid=bind_user,ou=people,dc=accounts,dc=johannes-rothe,dc=de";
+          # Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+          password = "REPLACE_ME";
+        };
+      };
+
+      access_control = {
+        default_policy = "one_factor";
+        rules = [
+          #{
+          #  domain = ["auth.example.com"];
+          #  policy = "bypass";
+          #}
+          #{
+          #  domain = ["*.example.com"];
+          #  policy = "one_factor";
+          #}
+        ];
+      };
+
+      session = {
+        name = "authelia_session";
+        expiration = "12h";
+        inactivity = "45m";
+        remember_me_duration = "1M";
+        domain = "example.com";
+        redis.host = "/run/redis-authelia-main/redis.sock";
+      };
+
+      regulation = {
+        max_retries = 3;
+        find_time = "5m";
+        ban_time = "15m";
+      };
+
+      storage = {
+        local = {
+          path = "/var/lib/authelia-main/db.sqlite3";
+        };
+      };
+
+      notifier = {
+        disable_startup_check = false;
+        filesystem = {
+          filename = "/var/lib/authelia-main/notification.txt";
+        };
+      };
+    };
+  };
+
+  services.redis.servers.authelia-main = {
+    enable = true;
+    user = "authelia-main";
+    port = 0;
+    unixSocket = "/run/redis-authelia-main/redis.sock";
+    unixSocketPerm = 600;
+  };
+
+  services.headscale = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 8080;
+      settings = {
+        dns_config.base_domain= "johannes-rothe.de";
+        server_url = "https://headscale.johannes-rothe.de";
+      };
+  };
+
+
  services.caddy = {
    enable = true;
    email = lib.strings.concatStrings ["mail" "@" "johannes-rothe.de"];
@ -35,6 +162,12 @@
      "www.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
+      #"accounts.johannes-rothe.de".extraConfig = ''
+      #  reverse_proxy localhost:9095
+      #'';
+      #"auth.johannes-rothe.de".extraConfig = ''
+      #  reverse_proxy localhost:9091
+      #'';
      "cloud.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5002
      '';
@ -44,6 +177,9 @@
      "git.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:3001
      '';
+      #"headscale.johannes-rothe.de".extraConfig = ''
+      #  reverse_proxy localhost:8080
+      #'';
      "radicale.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:5232
      '';
@ -54,7 +190,17 @@
    enable = true;
    network.enable = true;
    settings = {
-      hostname = "tien";
+      hostname = hostname;
+    };
+  };
+
+  services.lldap = {
+    enable = true;
+    settings = {
+      http_host = "127.0.0.1";
+      http_port = 9095;
+      http_url = "https://accounts.johannes-rothe.de";
+      ldap_base_dn= "dc=accounts,dc=johannes-rothe,dc=de";
    };
  };
Author	SHA1	Message	Date
Johannes Rothe	93d221d79b	Setup sops	2024-12-04 22:04:03 +01:00
Johannes Rothe	8c2d814a6c	Disable	2024-12-04 22:04:03 +01:00
Johannes Rothe	fc189c0865	Add lldap and use for authelia	2024-12-04 22:04:03 +01:00
Johannes Rothe	8531d066ad	Add Authelia	2024-12-04 22:04:03 +01:00
Johannes Rothe	d6ac70abab	Configure headscale on VPS	2024-12-04 22:04:03 +01:00