Recreate and encrypt Authelia secrets

modules/attic.nix

@@ -1,5 +1,4 @@
 {
-  self,
   utils,
   lib,
   config,

modules/authelia.nix

@@ -20,27 +20,41 @@
             replicas = 1;
           };
 
+          secret.additionalSecrets.authelia.items = [
+            {
+              key = "storage";
+              path = "storage";
+            }
+            {
+              key = "session";
+              path = "session";
+            }
+            {
+              key = "users";
+              path = "users";
+            }
+          ];
+
           configMap = {
+            access_control.default_policy = "one_factor";
+
             authentication_backend = {
               password_reset.disable = true;
               ldap.enabled = false;
 
               file = {
                 enabled = true;
-                # TODO: use better path
-                path = "/tmp/users.yml";
+                path = "/secrets/authelia/users";
                 search.email = true;
                 password.algorithm = "argon2";
               };
             };
 
-            access_control = {
-              default_policy = "one_factor";
-            };
-
             storage = {
-              # TODO: dummy secret, replace with real one
-              encryption_key.path = "0921087eca242aa4c0f7b27ea60c028824278d7fd937c820bad99acd30417fa2fd8979db857c05aa122b0160b807c13966420608b686a30dcc4226edfe90f2e8";
+              encryption_key = {
+                secret_name = "authelia";
+                path = "storage";
+              };
 
               local = {
                 enabled = true;
@@ -49,8 +63,10 @@
             };
 
             session = {
-              # TODO: dummy secret, replace with real one
-              encryption_key.path = "5944384e70449aecbe6e8f314ca7f5cc4e684e84909d40a94f2c3950a06a9eed32489b2be96b6b2cd45e3a1eb37f940a5aac00c718e92e6316ac64bd94235288";
+              encryption_key = {
+                secret_name = "authelia";
+                path = "session";
+              };
 
               cookies = [
                 {
@@ -60,40 +76,19 @@
               ];
             };
 
-            notifier = {
-              filesystem = {
-                enabled = true;
-                # TODO: switch to SMTP
-                filename = "/tmp/notifications.txt";
-              };
+            notifier.filesystem = {
+              enabled = true;
+              # TODO: switch to SMTP
+              filename = "/tmp/notifications.txt";
             };
           };
         };
       };
 
-      resources = {
-        # TODO: replace with secret and encrypt it
-        configMaps.users.data.users = lib.generators.toYAML {} {
-          users = {
-            pim = {
-              disabled = false;
-              displayname = "Pim Kunis";
-              password = "$argon2id$v=19$m=65536,t=3,p=4$Jd7fqxpvxt5CAG4ve1U9ag$U+dGYgYY6kOsDfkbpKqREp3Hhl6lNf9UOAOuX2ACsAI";
-              groups = ["admins"];
-            };
-          };
-        };
-
-        deployments.authelia.spec.template.spec = {
-          volumes.users.configMap.name = "users";
-          containers.authelia.volumeMounts = [
-            {
-              name = "users";
-              mountPath = "/tmp/users.yml";
-              subPath = "users";
-            }
-          ];
-        };
+      resources.secrets.authelia.stringData = {
+        storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage";
+        session = "ref+sops://secrets.yml#/authelia/encryption_keys/session";
+        users = "ref+sops://secrets.yml#/authelia/users";
       };
     };