Recreate and encrypt Authelia secrets

modules/attic.nix

@@ -1,5 +1,4 @@
 {
-  self,
   utils,
   lib,
   config,

modules/authelia.nix

@@ -20,27 +20,41 @@
             replicas = 1;
           };
 
+          secret.additionalSecrets.authelia.items = [
+            {
+              key = "storage";
+              path = "storage";
+            }
+            {
+              key = "session";
+              path = "session";
+            }
+            {
+              key = "users";
+              path = "users";
+            }
+          ];
+
           configMap = {
+            access_control.default_policy = "one_factor";
+
             authentication_backend = {
               password_reset.disable = true;
               ldap.enabled = false;
 
               file = {
                 enabled = true;
-                # TODO: use better path
-                path = "/tmp/users.yml";
+                path = "/secrets/authelia/users";
                 search.email = true;
                 password.algorithm = "argon2";
               };
             };
 
-            access_control = {
-              default_policy = "one_factor";
-            };
-
             storage = {
-              # TODO: dummy secret, replace with real one
-              encryption_key.path = "0921087eca242aa4c0f7b27ea60c028824278d7fd937c820bad99acd30417fa2fd8979db857c05aa122b0160b807c13966420608b686a30dcc4226edfe90f2e8";
+              encryption_key = {
+                secret_name = "authelia";
+                path = "storage";
+              };
 
               local = {
                 enabled = true;
@@ -49,8 +63,10 @@
             };
 
             session = {
-              # TODO: dummy secret, replace with real one
-              encryption_key.path = "5944384e70449aecbe6e8f314ca7f5cc4e684e84909d40a94f2c3950a06a9eed32489b2be96b6b2cd45e3a1eb37f940a5aac00c718e92e6316ac64bd94235288";
+              encryption_key = {
+                secret_name = "authelia";
+                path = "session";
+              };
 
               cookies = [
                 {
@@ -60,8 +76,7 @@
               ];
             };
 
-            notifier = {
-              filesystem = {
+            notifier.filesystem = {
               enabled = true;
               # TODO: switch to SMTP
               filename = "/tmp/notifications.txt";
@@ -69,31 +84,11 @@
           };
         };
       };
-      };
 
-      resources = {
-        # TODO: replace with secret and encrypt it
-        configMaps.users.data.users = lib.generators.toYAML {} {
-          users = {
-            pim = {
-              disabled = false;
-              displayname = "Pim Kunis";
-              password = "$argon2id$v=19$m=65536,t=3,p=4$Jd7fqxpvxt5CAG4ve1U9ag$U+dGYgYY6kOsDfkbpKqREp3Hhl6lNf9UOAOuX2ACsAI";
-              groups = ["admins"];
-            };
-          };
-        };
-
-        deployments.authelia.spec.template.spec = {
-          volumes.users.configMap.name = "users";
-          containers.authelia.volumeMounts = [
-            {
-              name = "users";
-              mountPath = "/tmp/users.yml";
-              subPath = "users";
-            }
-          ];
-        };
+      resources.secrets.authelia.stringData = {
+        storage = "ref+sops://secrets.yml#/authelia/encryption_keys/storage";
+        session = "ref+sops://secrets.yml#/authelia/encryption_keys/session";
+        users = "ref+sops://secrets.yml#/authelia/users";
       };
     };
 

secrets.yml

@@ -29,6 +29,11 @@ immich:
 tailscale:
     clientID: ENC[AES256_GCM,data:O8tTyy55xP85JkbJNR5daB4=,iv:SMj83Sxh7BvPRG3l5TnnpmclO5N2treUQCCJuMy8cO8=,tag:UUSN3bsZvb09cyYN65RQDg==,type:str]
     clientSecret: ENC[AES256_GCM,data:c8E/a7McI+wGN9TFJ/yzTSkrhUlISmrNJdjDDMqAQrZ8s5wFEZ+4+h+dtwcjF9Ykj198glgny7cP3HubHVDw,iv:ifaP4NmLRQbYQtJQaMMCMaehosapZ2R3im9ew5h6f9E=,tag:XF+xB94nua8RZlkGxFDFFQ==,type:str]
+authelia:
+    encryption_keys:
+        storage: ENC[AES256_GCM,data:RbD5StdFItHooBt/ESeAqnBRWV8USKedplz9cnZTA5K9k2EIE99yDdwkL+UNpRjN5oTImqQtWo3ESuBiq439ftSMeMyWT++qkV3ImbPOEYInLPdwHTxb28CC5zbY3FGH+GdB5q9V3zK+Pofslw6BMCsoL++tV8EWjX2isCfkWSk=,iv:e83TCcMW2qEc+R2E8209dhRUJvLZw2MPu4IWMSQVMy8=,tag:opewKZtNr4VT5Gj9l9B71Q==,type:str]
+        session: ENC[AES256_GCM,data:N50TuHkiOvjxbhTzwy7cjYSyMM9txYCas8x+zEhC2vshWi4pD0dHNDVz90jS0waDYAKLxTMYUT9v9zpkXoQ+X2VWa+tzDU3IWixclHktew/ufWN7nXCRBCW/ZEw8Tm4bB61GTalXfpra3q8Z88bMhGcEfaCiHwfnMbhVn5jjQtM=,iv:QPTVCPzuLAZI06rRPCLYiyW/hd3P/r/nxocI4u3qRtk=,tag:1oqJoQedqGsln48jQphENw==,type:str]
+    users: ENC[AES256_GCM,data:Bstr2ZYDwUdcw0AXG/UxRcabEOk2k/cix+L73IHQugmSNG2wGSNbDhZdvPxLbyZcxlpa7MU9o63YIjk+f+5zl7NZsARSw1NSUtrXzk62mz/lvQzGW+gZXIG78Q5vLOp652xFRwt0L/5x3wEoP64T6E3AMn23sfntf/OA04CMCbeleTkR+MzeLD+k1A2qHb7zZV7k44IMHToBOkZ15ICfZ27wN7NWOoQ+cqlJeKQWSG34I0DWW+iKjnT4H5YIcSWlLSEhA7c2pzxzkPmxwgnLCIyCXF1WesIUqxor3klpYGkW9A==,iv:3bJOTCAW2QWmNQgX3duXLQGki1FoaJ1aZvDXvX0T2Z0=,tag:kbiDE0M7KQRuyV9PiIg0Vw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -53,8 +58,8 @@ sops:
             azR0UkJyL0RwUVk4ZzdkSWptcDlWVjAK5FU9B5TBSnV3azO4eCv13T6i3dGGuI68
             UgBrVEb1/Fv+4XTjeSEhpiOaH8sNWYoNa3Aa7uTZYlHDRWga2GC7zw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-01T13:22:41Z"
-    mac: ENC[AES256_GCM,data:6UqmxHJC4KWsiQttXFEEG1opPcrGntYj9nlD8m0iBqjc9g/SHxEogpaiYEnriGNXGw0HhRWjrd+JX29Ht4xVeiYqthYX+4rVuIuv+SI7p08hJeIBbIYrfonAJsebbSsynuy9YgyUkNZhoqjZTtuzFU/c4Dh5453RVnuQmu4PZNs=,iv:yA//mqJ0Ft63eRME8A1HBiZ/B0gcVYlS4MaP0LykooU=,tag:0NxU0lVi67N34eDhsT82kQ==,type:str]
+    lastmodified: "2025-02-05T16:59:14Z"
+    mac: ENC[AES256_GCM,data:hfH7il2xkxaz+Uzv4V4BaLv3RnS4nmAic2G4RVJmB7jc9mEBthcPdf0OPo6pXZ14YqVgfzsR3zNdqnaPwPIks07BZ27zo7pKvpdiJACGi6RXIpJwzgd3bwrVm5P11gBmPZbMv+vkoTVNl3EENOOKsfqoDNI3/Pwj6fXSWIJ5m1o=,iv:d3K/3gOLpo8bd6JfpiYhC/KHU/SsgQ9vSgc5lYvkdhk=,tag:PAB+jDOnP1z9IiR5gHdImA==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
-    version: 3.9.1
+    version: 3.9.2