kubernetes-deployments/modules/authelia.nix

{
  nixhelm,
  system,
  config,
  lib,
  ...
}: {
  options.authelia.enable = lib.mkEnableOption "authelia";

  config = lib.mkIf config.authelia.enable {
    kubernetes = {
      helm.releases.authelia = {
        chart = nixhelm.chartsDerivations.${system}.authelia.authelia;
        includeCRDs = true;
        namespace = "authelia";

        values = {
          pod = {
            kind = "Deployment";
            replicas = 1;
          };

          configMap = {
            authentication_backend = {
              password_reset.disable = true;
              ldap.enabled = false;

              file = {
                enabled = true;
                # TODO: use better path
                path = "/tmp/users.yml";
                search.email = true;
                password.algorithm = "argon2";
              };
            };

            access_control = {
              default_policy = "one_factor";
            };

            storage = {
              # TODO: dummy secret, replace with real one
              encryption_key.path = "0921087eca242aa4c0f7b27ea60c028824278d7fd937c820bad99acd30417fa2fd8979db857c05aa122b0160b807c13966420608b686a30dcc4226edfe90f2e8";

              local = {
                enabled = true;
                path = "/tmp/storage"; # TODO
              };
            };

            session = {
              # TODO: dummy secret, replace with real one
              encryption_key.path = "5944384e70449aecbe6e8f314ca7f5cc4e684e84909d40a94f2c3950a06a9eed32489b2be96b6b2cd45e3a1eb37f940a5aac00c718e92e6316ac64bd94235288";

              cookies = [
                {
                  domain = "kun.is";
                  subdomain = "auth";
                }
              ];
            };

            notifier = {
              filesystem = {
                enabled = true;
                # TODO: switch to SMTP
                filename = "/tmp/notifications.txt";
              };
            };
          };
        };
      };

      resources = {
        # TODO: replace with secret and encrypt it
        configMaps.users.data.users = lib.generators.toYAML {} {
          users = {
            pim = {
              disabled = false;
              displayname = "Pim Kunis";
              password = "$argon2id$v=19$m=65536,t=3,p=4$Jd7fqxpvxt5CAG4ve1U9ag$U+dGYgYY6kOsDfkbpKqREp3Hhl6lNf9UOAOuX2ACsAI";
              groups = ["admins"];
            };
          };
        };

        deployments.authelia.spec.template.spec = {
          volumes.users.configMap.name = "users";
          containers.authelia.volumeMounts = [
            {
              name = "users";
              mountPath = "/tmp/users.yml";
              subPath = "users";
            }
          ];
        };
      };
    };

    lab = {
      ingresses.authelia = {
        host = "auth.kun.is";

        service = {
          name = "authelia";
          portName = "http";
        };
      };

      longhorn.persistentVolumeClaim.data = {
        volumeName = "authelia";
        storage = "100Mi";
      };
    };
  };
}
MVP Authelia deployment 2025-02-04 17:24:51 +01:00			`{`
			`nixhelm,`
			`system,`
			`config,`
			`lib,`
			`...`
			`}: {`
			`options.authelia.enable = lib.mkEnableOption "authelia";`

			`config = lib.mkIf config.authelia.enable {`
			`kubernetes = {`
			`helm.releases.authelia = {`
			`chart = nixhelm.chartsDerivations.${system}.authelia.authelia;`
			`includeCRDs = true;`
			`namespace = "authelia";`

			`values = {`
			`pod = {`
			`kind = "Deployment";`
			`replicas = 1;`
			`};`

			`configMap = {`
			`authentication_backend = {`
			`password_reset.disable = true;`
			`ldap.enabled = false;`

			`file = {`
			`enabled = true;`
			`# TODO: use better path`
			`path = "/tmp/users.yml";`
			`search.email = true;`
			`password.algorithm = "argon2";`
			`};`
			`};`

			`access_control = {`
			`default_policy = "one_factor";`
			`};`

			`storage = {`
			`# TODO: dummy secret, replace with real one`
			`encryption_key.path = "0921087eca242aa4c0f7b27ea60c028824278d7fd937c820bad99acd30417fa2fd8979db857c05aa122b0160b807c13966420608b686a30dcc4226edfe90f2e8";`

			`local = {`
			`enabled = true;`
			`path = "/tmp/storage"; # TODO`
			`};`
			`};`

			`session = {`
			`# TODO: dummy secret, replace with real one`
			`encryption_key.path = "5944384e70449aecbe6e8f314ca7f5cc4e684e84909d40a94f2c3950a06a9eed32489b2be96b6b2cd45e3a1eb37f940a5aac00c718e92e6316ac64bd94235288";`

			`cookies = [`
			`{`
			`domain = "kun.is";`
			`subdomain = "auth";`
			`}`
			`];`
			`};`

			`notifier = {`
			`filesystem = {`
			`enabled = true;`
			`# TODO: switch to SMTP`
			`filename = "/tmp/notifications.txt";`
			`};`
			`};`
			`};`
			`};`
			`};`

			`resources = {`
			`# TODO: replace with secret and encrypt it`
			`configMaps.users.data.users = lib.generators.toYAML {} {`
			`users = {`
			`pim = {`
			`disabled = false;`
			`displayname = "Pim Kunis";`
			`password = "$argon2id$v=19$m=65536,t=3,p=4$Jd7fqxpvxt5CAG4ve1U9ag$U+dGYgYY6kOsDfkbpKqREp3Hhl6lNf9UOAOuX2ACsAI";`
			`groups = ["admins"];`
			`};`
			`};`
			`};`

			`deployments.authelia.spec.template.spec = {`
			`volumes.users.configMap.name = "users";`
			`containers.authelia.volumeMounts = [`
			`{`
			`name = "users";`
			`mountPath = "/tmp/users.yml";`
			`subPath = "users";`
			`}`
			`];`
			`};`
			`};`
			`};`

			`lab = {`
			`ingresses.authelia = {`
			`host = "auth.kun.is";`

			`service = {`
			`name = "authelia";`
			`portName = "http";`
			`};`
			`};`

			`longhorn.persistentVolumeClaim.data = {`
			`volumeName = "authelia";`
			`storage = "100Mi";`
			`};`
			`};`
			`};`
			`}`