Recreate and encrypt Authelia secrets

This commit is contained in:
Pim Kunis 2025-02-05 18:06:30 +01:00
parent 29ad11e6f2
commit 20a72b00a6
3 changed files with 42 additions and 43 deletions


@ -1,5 +1,4 @@
{ {
self,
utils, utils,
lib, lib,
config, config,


@ -20,27 +20,41 @@
replicas = 1; replicas = 1;
}; };
secret.additionalSecrets.authelia.items = [
{
key = "storage";
path = "storage";
}
{
key = "session";
path = "session";
}
{
key = "users";
path = "users";
}
];
configMap = { configMap = {
access_control.default_policy = "one_factor";
authentication_backend = { authentication_backend = {
password_reset.disable = true; password_reset.disable = true;
ldap.enabled = false; ldap.enabled = false;
file = { file = {
enabled = true; enabled = true;
# TODO: use better path path = "/secrets/authelia/users";
path = "/tmp/users.yml";
search.email = true; search.email = true;
password.algorithm = "argon2"; password.algorithm = "argon2";
}; };
}; };
access_control = {
default_policy = "one_factor";
};
storage = { storage = {
# TODO: dummy secret, replace with real one encryption_key = {
encryption_key.path = "0921087eca242aa4c0f7b27ea60c028824278d7fd937c820bad99acd30417fa2fd8979db857c05aa122b0160b807c13966420608b686a30dcc4226edfe90f2e8"; secret_name = "authelia";
path = "storage";
};
local = { local = {
enabled = true; enabled = true;
@ -49,8 +63,10 @@
}; };
session = { session = {
# TODO: dummy secret, replace with real one encryption_key = {
encryption_key.path = "5944384e70449aecbe6e8f314ca7f5cc4e684e84909d40a94f2c3950a06a9eed32489b2be96b6b2cd45e3a1eb37f940a5aac00c718e92e6316ac64bd94235288"; secret_name = "authelia";
path = "session";
};
cookies = [ cookies = [
{ {
@ -60,40 +76,19 @@
]; ];
}; };
notifier = { notifier.filesystem = {
filesystem = { enabled = true;
enabled = true; # TODO: switch to SMTP
# TODO: switch to SMTP filename = "/tmp/notifications.txt";
filename = "/tmp/notifications.txt";
};
}; };
}; };
}; };
}; };
resources = { resources.secrets.authelia.stringData = {
# TODO: replace with secret and encrypt it storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage";
configMaps.users.data.users = lib.generators.toYAML {} { session = "ref+sops://secrets.yml#/authelia/encryption_keys/session";
users = { users = "ref+sops://secrets.yml#/authelia/users";
pim = {
disabled = false;
displayname = "Pim Kunis";
password = "$argon2id$v=19$m=65536,t=3,p=4$Jd7fqxpvxt5CAG4ve1U9ag$U+dGYgYY6kOsDfkbpKqREp3Hhl6lNf9UOAOuX2ACsAI";
groups = ["admins"];
};
};
};
deployments.authelia.spec.template.spec = {
volumes.users.configMap.name = "users";
containers.authelia.volumeMounts = [
{
name = "users";
mountPath = "/tmp/users.yml";
subPath = "users";
}
];
};
}; };
}; };
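Review bot: The new `resources.secrets.authelia.stringData` block at the end of this section moves the storage/session keys and the inline argon2 hash of user `pim` into `ref+sops://secrets.yml#...` references, but the previous plaintext values stay recoverable from git history (parent 29ad11e6f2), so they should be treated as exposed: the title suggests the encryption keys were regenerated, and the password whose hash was committed should be changed too rather than only relocated. If the local SQLite volume (`storage.local.enabled = true`) was preserved across this change, a different `storage.encryption_key` is expected to fail Authelia's startup key check and leave previously encrypted rows (TOTP secrets, WebAuthn credentials) unreadable unless the key was migrated with `authelia storage encryption change-key`, so the commit description should state whether the database was migrated or deliberately reset. The `notifier.filesystem` setting still writes identity-verification links in plaintext to `/tmp/notifications.txt` inside the container; the existing `# TODO: switch to SMTP` could be extended to `# TODO: switch to SMTP; this file is neither durable nor private`. The enclosing `configMap`/`resources` attribute set begins before this hunk.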


@ -29,6 +29,11 @@ immich:
tailscale: tailscale:
clientID: ENC[AES256_GCM,data:O8tTyy55xP85JkbJNR5daB4=,iv:SMj83Sxh7BvPRG3l5TnnpmclO5N2treUQCCJuMy8cO8=,tag:UUSN3bsZvb09cyYN65RQDg==,type:str] clientID: ENC[AES256_GCM,data:O8tTyy55xP85JkbJNR5daB4=,iv:SMj83Sxh7BvPRG3l5TnnpmclO5N2treUQCCJuMy8cO8=,tag:UUSN3bsZvb09cyYN65RQDg==,type:str]
clientSecret: ENC[AES256_GCM,data:c8E/a7McI+wGN9TFJ/yzTSkrhUlISmrNJdjDDMqAQrZ8s5wFEZ+4+h+dtwcjF9Ykj198glgny7cP3HubHVDw,iv:ifaP4NmLRQbYQtJQaMMCMaehosapZ2R3im9ew5h6f9E=,tag:XF+xB94nua8RZlkGxFDFFQ==,type:str] clientSecret: ENC[AES256_GCM,data:c8E/a7McI+wGN9TFJ/yzTSkrhUlISmrNJdjDDMqAQrZ8s5wFEZ+4+h+dtwcjF9Ykj198glgny7cP3HubHVDw,iv:ifaP4NmLRQbYQtJQaMMCMaehosapZ2R3im9ew5h6f9E=,tag:XF+xB94nua8RZlkGxFDFFQ==,type:str]
authelia:
encryption_keys:
storage: ENC[AES256_GCM,data:RbD5StdFItHooBt/ESeAqnBRWV8USKedplz9cnZTA5K9k2EIE99yDdwkL+UNpRjN5oTImqQtWo3ESuBiq439ftSMeMyWT++qkV3ImbPOEYInLPdwHTxb28CC5zbY3FGH+GdB5q9V3zK+Pofslw6BMCsoL++tV8EWjX2isCfkWSk=,iv:e83TCcMW2qEc+R2E8209dhRUJvLZw2MPu4IWMSQVMy8=,tag:opewKZtNr4VT5Gj9l9B71Q==,type:str]
session: ENC[AES256_GCM,data:N50TuHkiOvjxbhTzwy7cjYSyMM9txYCas8x+zEhC2vshWi4pD0dHNDVz90jS0waDYAKLxTMYUT9v9zpkXoQ+X2VWa+tzDU3IWixclHktew/ufWN7nXCRBCW/ZEw8Tm4bB61GTalXfpra3q8Z88bMhGcEfaCiHwfnMbhVn5jjQtM=,iv:QPTVCPzuLAZI06rRPCLYiyW/hd3P/r/nxocI4u3qRtk=,tag:1oqJoQedqGsln48jQphENw==,type:str]
users: ENC[AES256_GCM,data:Bstr2ZYDwUdcw0AXG/UxRcabEOk2k/cix+L73IHQugmSNG2wGSNbDhZdvPxLbyZcxlpa7MU9o63YIjk+f+5zl7NZsARSw1NSUtrXzk62mz/lvQzGW+gZXIG78Q5vLOp652xFRwt0L/5x3wEoP64T6E3AMn23sfntf/OA04CMCbeleTkR+MzeLD+k1A2qHb7zZV7k44IMHToBOkZ15ICfZ27wN7NWOoQ+cqlJeKQWSG34I0DWW+iKjnT4H5YIcSWlLSEhA7c2pzxzkPmxwgnLCIyCXF1WesIUqxor3klpYGkW9A==,iv:3bJOTCAW2QWmNQgX3duXLQGki1FoaJ1aZvDXvX0T2Z0=,tag:kbiDE0M7KQRuyV9PiIg0Vw==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
@ -53,8 +58,8 @@ sops:
azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68 azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68
UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw== UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-12-01T13:22:41Z" lastmodified: "2025-02-05T16:59:14Z"
mac: ENC[AES256_GCM,data:6UqmxHJC4KWsiQttXFEEG1opPcrGntYj9nlD8m0iBqjc9g/SHxEogpaiYEnriGNXGw0HhRWjrd+JX29Ht4xVeiYqthYX+4rVuIuv+SI7p08hJeIBbIYrfonAJsebbSsynuy9YgyUkNZhoqjZTtuzFU/c4Dh5453RVnuQmu4PZNs=,iv:yA//mqJ0Ft63eRME8A1HBiZ/B0gcVYlS4MaP0LykooU=,tag:0NxU0lVi67N34eDhsT82kQ==,type:str] mac: ENC[AES256_GCM,data:hfH7il2xkxaz+Uzv4V4BaLv3RnS4nmAic2G4RVJmB7jc9mEBthcPdf0OPo6pXZ14YqVgfzsR3zNdqnaPwPIks07BZ27zo7pKvpdiJACGi6RXIpJwzgd3bwrVm5P11gBmPZbMv+vkoTVNl3EENOOKsfqoDNI3/Pwj6fXSWIJ5m1o=,iv:d3K/3gOLpo8bd6JfpiYhC/KHU/SsgQ9vSgc5lYvkdhk=,tag:PAB+jDOnP1z9IiR5gHdImA==,type:str]
pgp: [] pgp: []
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.9.1 version: 3.9.2