waffentrager: init

2026-06-24 17:36:41 +00:00 · 2026-06-24 00:06:21 +02:00
parent 29adb6e6b0
commit fb653eb0f4
30 changed files with 1325 additions and 11 deletions
@@ -0,0 +1,80 @@
+{ config, pkgs, lib, mkk, ... }:
+{
+  options.waffentragerService.auth.authelia.enable = mkk.lib.mkBoolOpt false "Enable authelia";
+  config =
+    let
+      cfg = config.waffentragerService.auth.authelia;
+      port = 9091;
+    in
+    lib.mkIf cfg.enable {
+      sops.secrets."authelia-storagekey" = { owner = "authelia"; };
+      sops.secrets."authelia-database" = { owner = "authelia"; };
+      sops.secrets."ldap-master" = { owner = "authelia"; };
+      users.users.authelia = {
+        group = "lldap";
+        isSystemUser = true;
+      };
+      services.authelia.instances.main = {
+        enable = true;
+        user = "authelia";
+        environmentVariables = {
+          AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."ldap-master".path;
+          AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = config.sops.secrets."authelia-database".path;
+        };
+        secrets = {
+          jwtSecretFile = config.sops.secrets.jwt.path;
+          storageEncryptionKeyFile = config.sops.secrets."authelia-storagekey".path;
+        };
+        settings = {
+          access_control = {
+            default_policy = "one_factor";
+          };
+          authentication_backend = {
+            ldap.url = "ldap://127.0.0.1:3890";
+            ldap.implementation = "custom";
+            ldap.base_dn = config.services.lldap.settings.ldap_base_dn;
+            ldap.user = "CN=master,ou=people,DC=podkos,DC=pl";
+            ldap.additional_users_dn = "OU=people";
+            ldap.users_filter = "(&({username_attribute}={input})(objectClass=person))";
+            ldap.additional_groups_dn = "OU=groups";
+            ldap.groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
+          };
+          storage = {
+            postgres.host = "/var/run/postgresql";
+            postgres.port = "5432";
+            postgres.database = "authelia";
+            postgres.username = "authelia";
+
+          };
+          notifier = {
+            disable_startup_check = false;
+            filesystem.filename = "/tmp/test_notification.txt";
+          };
+          session = {
+            name = "materus-session";
+            domain = "materus.pl";
+          };
+
+          default_redirection_url = "https://materus.pl";
+          server.port = port;
+        };
+      };
+      services.nginx.virtualHosts."gatekeeper.materus.pl" = {
+        forceSSL = true;
+        http3 = true;
+        sslTrustedCertificate = "/var/lib/mnt_acme/materus.pl/chain.pem";
+        sslCertificateKey = "/var/lib/mnt_acme/materus.pl/key.pem";
+        sslCertificate = "/var/lib/mnt_acme/materus.pl/fullchain.pem";
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:${builtins.toString port}";
+          extraConfig = ''
+            proxy_set_header    Host                $host;
+            proxy_set_header    X-Real-IP           $remote_addr;
+            proxy_set_header    X-Forwarded-Ssl     on;
+            proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Proto   $scheme;
+          '';
+        };
+      };
+    };
+}
@@ -0,0 +1,13 @@
+{ config, lib, pkgs, ... }:
+{
+  imports =
+    [
+      ./lldap.nix
+      ./authelia.nix
+    ];
+  config = 
+    {
+      waffentragerService.auth.lldap.enable = true;
+      waffentragerService.auth.authelia.enable = true;
+    };
+}
@@ -0,0 +1,87 @@
+{
+  config,
+  pkgs,
+  lib,
+  mkk,
+  ...
+}:
+{
+  options.waffentragerService.auth.lldap.enable = mkk.lib.mkBoolOpt false "Enable lldap";
+  config =
+    let
+      cfg = config.waffentragerService.auth.lldap;
+    in
+    lib.mkIf cfg.enable {
+      waffentragerService.elements.enable = true;
+      waffentragerService.nginx.enable = true;
+      services.nginx.virtualHosts."mamba.podkos.pl" = {
+        forceSSL = true;
+        http3 = true;
+        sslTrustedCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/chain.pem";
+        sslCertificateKey = "/var/lib/mnt_acme/mamba.podkos.pl/key.pem";
+        sslCertificate = "/var/lib/mnt_acme/mamba.podkos.pl/fullchain.pem";
+        locations."/" = {
+          proxyPass = "http://127.0.0.1:17170";
+          extraConfig = ''
+            proxy_set_header    Host                $host;
+            proxy_set_header    X-Real-IP           $remote_addr;
+            proxy_set_header    X-Forwarded-Ssl     on;
+            proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
+            proxy_set_header    X-Forwarded-Proto   $scheme;
+
+
+            allow ${mkk.wireguard.ip-masks.main};
+            allow 192.168.100.0/24;
+            deny all;
+          '';
+        };
+      };
+
+      systemd.services.lldap = {
+        requires = [ "elements-mount.service" ];
+        after = [ "elements-mount.service" ];
+        serviceConfig = {
+          DynamicUser = lib.mkForce false;
+          WorkingDirectory = lib.mkForce config.waffentragerService.elements.lldapDir;
+        };
+      };
+      users.groups.lldap = { };
+      users.users.lldap = {
+        group = "lldap";
+        isSystemUser = true;
+      };
+      sops.secrets.jwt = {
+        owner = "lldap";
+        group = "lldap";
+        mode = "0440";
+      };
+      sops.secrets."lldap-database" = {
+        owner = "lldap";
+        group = "lldap";
+      };
+      services.lldap.enable = true;
+      services.lldap.environmentFile = config.sops.templates."lldap.env".path;
+      sops.templates."lldap.env" = {
+        content = ''
+          LLDAP_JWT_SECRET_FILE="${config.sops.secrets.jwt.path}"
+          LLDAP_DATABASE_URL="postgres://lldap:${
+            config.sops.placeholder."lldap-database"
+          }@%2Fvar%2Frun%2Fpostgresql/lldap"
+        '';
+        owner = "lldap";
+        group = "lldap";
+      };
+      services.lldap.silenceForceUserPassResetWarning = true;
+      services.lldap.settings = {
+        ldap_base_dn = "dc=podkos,dc=pl";
+
+        ldap_host = "127.0.0.1";
+        http_url = "https://mamba.podkos.pl";
+        ldap_user_dn = "master";
+        ldap_user_email = "materus@podkos.pl";
+        ldap_port = 3890;
+        key_seed = mkk.waffentrager.lldap.seed;
+        ldap_user_pass_file = config.sops.secrets.LLDAP_LDAP_USER_PASS_FILE.path;
+      };
+    };
+}