From 20a72b00a6144887a97220eceed9d9dedc8ede31 Mon Sep 17 00:00:00 2001
From: Pim Kunis
Date: Wed, 5 Feb 2025 18:06:30 +0100
Subject: [PATCH] Recreate and encrypt Authelia secrets
---
 modules/attic.nix | 1 -
 modules/authelia.nix | 73 +++++++++++++++++++++-----------------------
 secrets.yml | 11 +++++--
 3 files changed, 42 insertions(+), 43 deletions(-)
diff --git a/modules/attic.nix b/modules/attic.nix
index 2742b7b..3c6a77b 100644
--- a/modules/attic.nix
+++ b/modules/attic.nix
@@ -1,5 +1,4 @@
 {
- self,
 utils,
 lib,
 config,
diff --git a/modules/authelia.nix b/modules/authelia.nix
index ec2d0ef..b961dc8 100644
--- a/modules/authelia.nix
+++ b/modules/authelia.nix
@@ -20,27 +20,41 @@
 replicas = 1;
 };
+ secret.additionalSecrets.authelia.items = [
+ {
+ key = "storage";
+ path = "storage";
+ }
+ {
+ key = "session";
+ path = "session";
+ }
+ {
+ key = "users";
+ path = "users";
+ }
+ ];
+
 configMap = {
+ access_control.default_policy = "one_factor";
+
 authentication_backend = {
 password_reset.disable = true;
 ldap.enabled = false;
 file = {
 enabled = true;
- # TODO: use better path
- path = "/tmp/users.yml";
+ path = "/secrets/authelia/users";
 search.email = true;
 password.algorithm = "argon2";
 };
 };
- access_control = {
- default_policy = "one_factor";
- };
-
 storage = {
- # TODO: dummy secret, replace with real one
- encryption_key.path = "0921087eca242aa4c0f7b27ea60c028824278d7fd937c820bad99acd30417fa2fd8979db857c05aa122b0160b807c13966420608b686a30dcc4226edfe90f2e8";
+ encryption_key = {
+ secret_name = "authelia";
+ path = "storage";
+ };
 local = {
 enabled = true;
@@ -49,8 +63,10 @@
 };
 session = {
- # TODO: dummy secret, replace with real one
- encryption_key.path = "5944384e70449aecbe6e8f314ca7f5cc4e684e84909d40a94f2c3950a06a9eed32489b2be96b6b2cd45e3a1eb37f940a5aac00c718e92e6316ac64bd94235288";
+ encryption_key = {
+ secret_name = "authelia";
+ path = "session";
+ };
 cookies = [
 {
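Review bot: Replacing the hard-coded storage key with `storage.encryption_key = { secret_name = "authelia"; path = "storage"; }` is a key rotation, and with `storage.local.enabled = true` that is not transparent for an already-initialised SQLite database: Authelia checks the configured key against the database at startup and, to my knowledge, refuses to start on a mismatch, so the existing database needs `authelia storage encryption change-key` (or a fresh database) before this is rolled out. The same applies to the session key in the @@ -49,8 hunk, where a new key only invalidates live sessions and needs no migration. Both regenerated values are sops-encrypted, so their length cannot be reviewed here; worth confirming they are long random strings rather than short passphrases, since Authelia derives its cipher key from them. A one-line comment above the `storage` block, `# key rotation: existing local storage must be migrated with `authelia storage encryption change-key``, would save the next operator a failed deploy. The `configMap` attribute set continues past the end of this hunk.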
@@ -60,40 +76,19 @@
 ];
 };
- notifier = {
- filesystem = {
- enabled = true;
- # TODO: switch to SMTP
- filename = "/tmp/notifications.txt";
- };
+ notifier.filesystem = {
+ enabled = true;
+ # TODO: switch to SMTP
+ filename = "/tmp/notifications.txt";
 };
 };
 };
 };
- resources = {
- # TODO: replace with secret and encrypt it
- configMaps.users.data.users = lib.generators.toYAML {} {
- users = {
- pim = {
- disabled = false;
- displayname = "Pim Kunis";
- password = "$argon2id$v=19$m=65536,t=3,p=4$Jd7fqxpvxt5CAG4ve1U9ag$U+dGYgYY6kOsDfkbpKqREp3Hhl6lNf9UOAOuX2ACsAI";
- groups = ["admins"];
- };
- };
- };
-
- deployments.authelia.spec.template.spec = {
- volumes.users.configMap.name = "users";
- containers.authelia.volumeMounts = [
- {
- name = "users";
- mountPath = "/tmp/users.yml";
- subPath = "users";
- }
- ];
- };
+ resources.secrets.authelia.stringData = {
+ storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage";
+ session = "ref+sops://secrets.yml#/authelia/encryption_keys/session";
+ users = "ref+sops://secrets.yml#/authelia/users";
 };
 };
diff --git a/secrets.yml b/secrets.yml
index 170dd31..843cc1e 100644
--- a/secrets.yml
+++ b/secrets.yml
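Review bot: The removed `password = "$argon2id$..."` line stays recoverable from git history after this commit, and nothing in the hunk shows that the password behind it was changed; the commit message covers regenerating the encryption keys, but the `users` document now referenced as `ref+sops://secrets.yml#/authelia/users` should be checked to carry a freshly generated hash rather than the one deleted here. The new `resources.secrets.authelia.stringData` values are plain string literals, so the Nix evaluation itself never sees decrypted material; a short comment would make that contract explicit for the next reader, e.g. `# ref+sops:// references are resolved at deploy time (vals), never during Nix evaluation` — hedged as "presumably vals" if that is not the pipeline in use. The enclosing attribute set starts before this hunk.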
@@ -29,6 +29,11 @@ immich:
 tailscale:
 clientID: ENC[AES256_GCM,data:O8tTyy55xP85JkbJNR5daB4=,iv:SMj83Sxh7BvPRG3l5TnnpmclO5N2treUQCCJuMy8cO8=,tag:UUSN3bsZvb09cyYN65RQDg==,type:str]
 clientSecret: ENC[AES256_GCM,data:c8E/a7McI+wGN9TFJ/yzTSkrhUlISmrNJdjDDMqAQrZ8s5wFEZ+4+h+dtwcjF9Ykj198glgny7cP3HubHVDw,iv:ifaP4NmLRQbYQtJQaMMCMaehosapZ2R3im9ew5h6f9E=,tag:XF+xB94nua8RZlkGxFDFFQ==,type:str]
+authelia:
+ encryption_keys:
+ storage: ENC[AES256_GCM,data:RbD5StdFItHooBt/ESeAqnBRWV8USKedplz9cnZTA5K9k2EIE99yDdwkL+UNpRjN5oTImqQtWo3ESuBiq439ftSMeMyWT++qkV3ImbPOEYInLPdwHTxb28CC5zbY3FGH+GdB5q9V3zK+Pofslw6BMCsoL++tV8EWjX2isCfkWSk=,iv:e83TCcMW2qEc+R2E8209dhRUJvLZw2MPu4IWMSQVMy8=,tag:opewKZtNr4VT5Gj9l9B71Q==,type:str]
+ session: ENC[AES256_GCM,data:N50TuHkiOvjxbhTzwy7cjYSyMM9txYCas8x+zEhC2vshWi4pD0dHNDVz90jS0waDYAKLxTMYUT9v9zpkXoQ+X2VWa+tzDU3IWixclHktew/ufWN7nXCRBCW/ZEw8Tm4bB61GTalXfpra3q8Z88bMhGcEfaCiHwfnMbhVn5jjQtM=,iv:QPTVCPzuLAZI06rRPCLYiyW/hd3P/r/nxocI4u3qRtk=,tag:1oqJoQedqGsln48jQphENw==,type:str]
+ users: ENC[AES256_GCM,data:Bstr2ZYDwUdcw0AXG/UxRcabEOk2k/cix+L73IHQugmSNG2wGSNbDhZdvPxLbyZcxlpa7MU9o63YIjk+f+5zl7NZsARSw1NSUtrXzk62mz/lvQzGW+gZXIG78Q5vLOp652xFRwt0L/5x3wEoP64T6E3AMn23sfntf/OA04CMCbeleTkR+MzeLD+k1A2qHb7zZV7k44IMHToBOkZ15ICfZ27wN7NWOoQ+cqlJeKQWSG34I0DWW+iKjnT4H5YIcSWlLSEhA7c2pzxzkPmxwgnLCIyCXF1WesIUqxor3klpYGkW9A==,iv:3bJOTCAW2QWmNQgX3duXLQGki1FoaJ1aZvDXvX0T2Z0=,tag:kbiDE0M7KQRuyV9PiIg0Vw==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -53,8 +58,8 @@ sops:
 azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68
 UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-12-01T13:22:41Z"
- mac: ENC[AES256_GCM,data:6UqmxHJC4KWsiQttXFEEG1opPcrGntYj9nlD8m0iBqjc9g/SHxEogpaiYEnriGNXGw0HhRWjrd+JX29Ht4xVeiYqthYX+4rVuIuv+SI7p08hJeIBbIYrfonAJsebbSsynuy9YgyUkNZhoqjZTtuzFU/c4Dh5453RVnuQmu4PZNs=,iv:yA//mqJ0Ft63eRME8A1HBiZ/B0gcVYlS4MaP0LykooU=,tag:0NxU0lVi67N34eDhsT82kQ==,type:str]
+ lastmodified: "2025-02-05T16:59:14Z"
+ mac: ENC[AES256_GCM,data:hfH7il2xkxaz+Uzv4V4BaLv3RnS4nmAic2G4RVJmB7jc9mEBthcPdf0OPo6pXZ14YqVgfzsR3zNdqnaPwPIks07BZ27zo7pKvpdiJACGi6RXIpJwzgd3bwrVm5P11gBmPZbMv+vkoTVNl3EENOOKsfqoDNI3/Pwj6fXSWIJ5m1o=,iv:d3K/3gOLpo8bd6JfpiYhC/KHU/SsgQ9vSgc5lYvkdhk=,tag:PAB+jDOnP1z9IiR5gHdImA==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.9.1
+ version: 3.9.2