Setup sops

.sops.yaml

@@ -0,0 +1,9 @@
+keys:
+  - &admin_age age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+  - &tien_age age12j6x69evhvh6ljngq4lgesnezf7hwafc33z7nj9urnsl5xzlhp5sf6szck
+creation_rules:
+  - path_regex: tien/secrets.yaml$
+    key_groups:
+    - age:
+      - *admin_age
+      - *tien_age

flake.lock

@@ -71,11 +71,46 @@
         "type": "github"
       }
     },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1731763621,
+        "narHash": "sha256-ddcX4lQL0X05AYkrkV2LMFgGdRvgap7Ho8kgon3iWZk=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "c69a9bffbecde46b4b939465422ddc59493d3e4d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixpkgs-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
     "root": {
       "inputs": {
         "disko": "disko",
         "home-manager": "home-manager",
-        "nixpkgs": "nixpkgs_2"
+        "nixpkgs": "nixpkgs_2",
+        "sops-nix": "sops-nix"
+      }
+    },
+    "sops-nix": {
+      "inputs": {
+        "nixpkgs": "nixpkgs_3"
+      },
+      "locked": {
+        "lastModified": 1732186149,
+        "narHash": "sha256-N9JGWe/T8BC0Tss2Cv30plvZUYoiRmykP7ZdY2on2b0=",
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "rev": "53c853fb1a7e4f25f68805ee25c83d5de18dc699",
+        "type": "github"
+      },
+      "original": {
+        "owner": "mic92",
+        "repo": "sops-nix",
+        "type": "github"
       }
     }
   },

flake.nix

@@ -6,9 +6,10 @@
     nixpkgs.url = "github:NixOS/nixpkgs/nixos-24.11";
     home-manager.url = "github:nix-community/home-manager/release-24.11";
     home-manager.inputs.nixpkgs.follows = "nixpkgs";
+    sops-nix.url = "github:mic92/sops-nix";
   };
 
-  outputs = { self, nixpkgs, home-manager, disko,...}:
+  outputs = inputs@{ self, nixpkgs,...}:
     let
       system = "x86_64-linux";
       pkgs = nixpkgs.legacyPackages.${system};
@@ -24,15 +25,16 @@
         };
         tien = nixpkgs.lib.nixosSystem {
           system = "x86_64-linux";
+          specialArgs = { inherit inputs; };
           modules = [
-            disko.nixosModules.disko
+            inputs.disko.nixosModules.disko
             ./vps-configuration.nix
             ./vps-hardware-configuration.nix
           ];
         };
       };
       homeConfigurations = {
-        "rothe@lift" = home-manager.lib.homeManagerConfiguration {
+        "rothe@lift" = inputs.home-manager.lib.homeManagerConfiguration {
           inherit pkgs;
           modules = [ 
             ./home/rothe.nix
@@ -42,7 +44,7 @@
             mail = nixpkgs.lib.strings.concatStrings ["mail" "@" "johannes-rothe.de"];
           };
         };
-        "rothe@johannes-powermachine" = home-manager.lib.homeManagerConfiguration {
+        "rothe@johannes-powermachine" = inputs.home-manager.lib.homeManagerConfiguration {
           inherit pkgs;
           modules = [ 
             ./home/rothe.nix
@@ -51,7 +53,7 @@
             mail = nixpkgs.lib.strings.concatStrings ["mail" "@" "johannes-rothe.de"];
           };
         };
-        "rothe@pdemu1cml000301" = home-manager.lib.homeManagerConfiguration {
+        "rothe@pdemu1cml000301" = inputs.home-manager.lib.homeManagerConfiguration {
           inherit pkgs;
           modules = [ 
             ./home/rothe.nix

nixos/tien/secrets.yaml

@@ -0,0 +1,30 @@
+foo: ENC[AES256_GCM,data:HqMg,iv:LdYZPucCO7rOgOFtuzSwSoOsW/GvPoysLfZa2w+E03E=,tag:DpE52f6iWiQ691bwJNFBZA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1xy66lg9eh572ge0y7zzh34f78s8l9hnkxhg3r4gn98ph95mz25tszgerul
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqdkRUVWpSbjVvRUpiUTNj
+            RDQ5aDNKNGZCd0ZGWkczQWRVUWRraTk3bHlvCjQ2ZGtvM3dJQnl0Wjc2ZmJYNGJV
+            QnhuMG1UVEZDUXdMK2M0L3c5Um4rQ28KLS0tIGtQcGVkQktmUkwwbSsrdC8rVnZE
+            T3VhOFF5NGlER2FCQlUrWFN0RHNSeW8KTFwMDtofyqFrnIFs9qy1gHiw8eVX7pcm
+            2k6yLOeyP2NaksDl74OSrmUECxZKMRPspgn1ZlznibDQKyCVXVVKZg==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age12j6x69evhvh6ljngq4lgesnezf7hwafc33z7nj9urnsl5xzlhp5sf6szck
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFOGhZQnBld1lEeGNZVkpi
+            TzFKaFJyVVNqKzNQQkN0M3ZWRUlkY1g3SzE4CmlnVVlMbWRTVHd4KzV3ZHNuR21S
+            bmdJZDJ4YzVDZ3JTcDVucmhpd2xJNFUKLS0tIGRzcUt6cjl3UGpldVBTeG01V1dX
+            eWx2UWdkUXdrSkxPT1NXS2xHengreWsKR31+5SpYGOJyd/SFmzrThBWOVt1GU1hr
+            qTQqyc2/XbMQCc/SrYCa/FhRLboKUFkAO2XbMoH5zEwmkFtuCEoNvg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-20T21:34:05Z"
+    mac: ENC[AES256_GCM,data:xx007JasOAWh2Os1DKkDQ3QMGmxN3oBpmL/t8/UWleYHVR3CTjYOTiSEguurFFIOqW7sK3ZAxnKbIr3mwDXs2VA1LO6L2UvBA0NaFgP6Qws+YvjF+dzRrxl+fXOMJz5wxOJROYo3VVI4zH7xnI22ENGc7VLDholwbx5EZDbUL7Y=,iv:KZxPU6RbLY2wZIX/hsO8OLweAxGe30LOSHWa9MI1ydA=,tag:oewmLJbInGoX7ZwpljRAkA==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.8.1

vps-configuration.nix

@@ -1,9 +1,13 @@
-{  config, modulesPath, lib, pkgs, ... }:
+{  config, inputs, modulesPath, lib, pkgs, ... }:
+let
+  hostname = "tien";
+in
 {
   imports = [
     (modulesPath + "/installer/scan/not-detected.nix")
     (modulesPath + "/profiles/qemu-guest.nix")
     ./vps-disk-config.nix
+    inputs.sops-nix.nixosModules.sops
   ];
   boot.loader.grub = {
     # no need to set devices, disko will add all devices that have a EF02 partition to the list already
@@ -12,11 +16,22 @@
     efiInstallAsRemovable = true;
   };
 
+  sops = {
+    defaultSopsFile = ./nixos/tien/secrets.yaml;
+    age.sshKeyPaths = [ "/etc/ssh/ssh_host_ed25519_key" ];
+    secrets = {
+      foo = {};
+    };
+  };
+
+
   environment.systemPackages = with pkgs; [
+    authelia
     curl
+    vim
   ];
 
-  networking.hostName = "tien";
+  networking.hostName = hostname;
   # do not use DHCP, as dashserv provisions IPs using cloud-init (see service below)
   networking.useDHCP = pkgs.lib.mkForce false;
   networking.firewall = {
@@ -25,6 +40,118 @@
     trustedInterfaces = [ "tailscale0" ];
   };
 
+  services.authelia.instances.main = {
+    enable = true;
+    secrets = {
+      jwtSecretFile = "${pkgs.writeText "jwtSecretFile" "supersecretkeyissupersecret"}";
+      storageEncryptionKeyFile = "${pkgs.writeText "storageEncryptionKeyFile" "supersecretkeyissupersecret"}";
+      sessionSecretFile = "${pkgs.writeText "sessionSecretFile" "supersecretkeyissupersecret"}";
+    };
+    settings = {
+      theme = "auto";
+      default_redirection_url = "https://auth.johannes-rothe.de";
+
+      server = {
+        host = "127.0.0.1";
+        port = 9091;
+      };
+
+      log = {
+        level = "debug";
+        format = "text";
+      };
+
+      authentication_backend = {
+        #file = {
+        #  path = "/var/lib/authelia-main/users_database.yml";
+        #};
+        password_reset.disable = false;
+        refresh_interval = "1m";
+        ldap = {
+          implementation = "custom";
+          url = "ldap://localhost:3890";
+          timeout = "5s";
+          start_tls = false;
+          base_dn = "dc=accounts,dc=johannes-rothe,dc=de";
+          additional_users_dn = "ou=people";
+          users_filter = "(&({username_attribute}={input})(objectClass=person))";
+          additional_groups_dn = "ou=groups";
+          groups_filter = "(member={dn})";
+          display_name_attribute = "displayName";
+          username_attribute = "uid";
+          group_name_attribute = "cn";
+          mail_attribute = "mail";
+          # "bind_user" should be the username you created for authentication with the "lldap_strict_readonly" permission. It is not recommended to use an actual admin account here.
+          # If you are configuring Authelia to change user passwords, then the account used here needs the "lldap_password_manager" permission instead.
+          user = "uid=bind_user,ou=people,dc=accounts,dc=johannes-rothe,dc=de";
+          # Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+          password = "REPLACE_ME";
+        };
+      };
+
+      access_control = {
+        default_policy = "one_factor";
+        rules = [
+          #{
+          #  domain = ["auth.example.com"];
+          #  policy = "bypass";
+          #}
+          #{
+          #  domain = ["*.example.com"];
+          #  policy = "one_factor";
+          #}
+        ];
+      };
+
+      session = {
+        name = "authelia_session";
+        expiration = "12h";
+        inactivity = "45m";
+        remember_me_duration = "1M";
+        domain = "example.com";
+        redis.host = "/run/redis-authelia-main/redis.sock";
+      };
+
+      regulation = {
+        max_retries = 3;
+        find_time = "5m";
+        ban_time = "15m";
+      };
+
+      storage = {
+        local = {
+          path = "/var/lib/authelia-main/db.sqlite3";
+        };
+      };
+
+      notifier = {
+        disable_startup_check = false;
+        filesystem = {
+          filename = "/var/lib/authelia-main/notification.txt";
+        };
+      };
+    };
+  };
+
+  services.redis.servers.authelia-main = {
+    enable = true;
+    user = "authelia-main";
+    port = 0;
+    unixSocket = "/run/redis-authelia-main/redis.sock";
+    unixSocketPerm = 600;
+  };
+
+  services.headscale = {
+      enable = true;
+      address = "0.0.0.0";
+      port = 8080;
+      settings = {
+        dns_config.base_domain= "johannes-rothe.de";
+        server_url = "https://headscale.johannes-rothe.de";
+      };
+  };
+
+
   services.caddy = {
     enable = true;
     email = lib.strings.concatStrings ["mail" "@" "johannes-rothe.de"];
@@ -35,6 +162,12 @@
       "www.johannes-rothe.de".extraConfig = ''
         reverse_proxy base:11112
       '';
+      #"accounts.johannes-rothe.de".extraConfig = ''
+      #  reverse_proxy localhost:9095
+      #'';
+      #"auth.johannes-rothe.de".extraConfig = ''
+      #  reverse_proxy localhost:9091
+      #'';
       "cloud.johannes-rothe.de".extraConfig = ''
         reverse_proxy base:5002
       '';
@@ -44,6 +177,9 @@
       "git.johannes-rothe.de".extraConfig = ''
         reverse_proxy base:3001
       '';
+      #"headscale.johannes-rothe.de".extraConfig = ''
+      #  reverse_proxy localhost:8080
+      #'';
       "radicale.johannes-rothe.de".extraConfig = ''
         reverse_proxy base:5232
       '';
@@ -54,7 +190,17 @@
     enable = true;
     network.enable = true;
     settings = {
-      hostname = "tien";
+      hostname = hostname;
+    };
+  };
+
+  services.lldap = {
+    enable = true;
+    settings = {
+      http_host = "127.0.0.1";
+      http_port = 9095;
+      http_url = "https://accounts.johannes-rothe.de";
+      ldap_base_dn= "dc=accounts,dc=johannes-rothe,dc=de";
     };
   };