From 29ad11e6f2cd41e338659c1cbee0b8d955d65b58 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Tue, 4 Feb 2025 17:24:51 +0100 Subject: [PATCH] MVP Authelia deployment --- deployments.nix | 5 ++ flake.lock | 6 +- modules/authelia.nix | 116 ++++++++++++++++++++++++++++++++++ modules/bootstrap-default.nix | 2 + modules/cyberchef.nix | 2 + modules/default.nix | 1 + modules/dummy-types.nix | 7 ++ modules/ingress.nix | 4 +- modules/traefik.nix | 17 +++++ 9 files changed, 155 insertions(+), 5 deletions(-) create mode 100644 modules/authelia.nix diff --git a/deployments.nix b/deployments.nix index eb0433d..a2bce23 100644 --- a/deployments.nix +++ b/deployments.nix @@ -123,4 +123,9 @@ module.ntfy.enable = true; namespace = "ntfy"; }; + + authelia = { + module.authelia.enable = true; + namespace = "authelia"; + }; } diff --git a/flake.lock b/flake.lock index d50241e..fb4e805 100644 --- a/flake.lock +++ b/flake.lock @@ -666,11 +666,11 @@ "poetry2nix": "poetry2nix" }, "locked": { - "lastModified": 1736990287, - "narHash": "sha256-f5DfFkMglyrCozBW/dU6WeZfHOueUm8Q1rv4r5yDOeE=", + "lastModified": 1738631908, + "narHash": "sha256-ndQgb/SAeOcgbsG7b+7qhrVn+XSTjs/Vk5m7eEb/HZY=", "owner": "farcaller", "repo": "nixhelm", - "rev": "09b4f8373f142206456f9c15a3b638e3ce4feeb0", + "rev": "e105a8264cc981d47a0f6fbfcdcc87681487aa0c", "type": "github" }, "original": { diff --git a/modules/authelia.nix b/modules/authelia.nix new file mode 100644 index 0000000..ec2d0ef --- /dev/null +++ b/modules/authelia.nix 
@@ -0,0 +1,116 @@
+{
+ nixhelm,
+ system,
+ config,
+ lib,
+ ...
+}: {
+ options.authelia.enable = lib.mkEnableOption "authelia";
+
+ config = lib.mkIf config.authelia.enable {
+ kubernetes = {
+ helm.releases.authelia = {
+ chart = nixhelm.chartsDerivations.${system}.authelia.authelia;
+ includeCRDs = true;
+ namespace = "authelia";
+
+ values = {
+ pod = {
+ kind = "Deployment";
+ replicas = 1;
+ };
+
+ configMap = {
+ authentication_backend = {
+ password_reset.disable = true;
+ ldap.enabled = false;
+
+ file = {
+ enabled = true;
+ # TODO: use better path
+ path = "/tmp/users.yml";
+ search.email = true;
+ password.algorithm = "argon2";
+ };
+ };
+
+ access_control = {
+ default_policy = "one_factor";
+ };
+
+ storage = {
+ # TODO: dummy secret, replace with real one
+ encryption_key.path = "0921087eca242aa4c0f7b27ea60c028824278d7fd937c820bad99acd30417fa2fd8979db857c05aa122b0160b807c13966420608b686a30dcc4226edfe90f2e8";
+
+ local = {
+ enabled = true;
+ path = "/tmp/storage"; # TODO
+ };
+ };
+
+ session = {
+ # TODO: dummy secret, replace with real one
+ encryption_key.path = "5944384e70449aecbe6e8f314ca7f5cc4e684e84909d40a94f2c3950a06a9eed32489b2be96b6b2cd45e3a1eb37f940a5aac00c718e92e6316ac64bd94235288";
+
+ cookies = [
+ {
+ domain = "kun.is";
+ subdomain = "auth";
+ }
+ ];
+ };
+
+ notifier = {
+ filesystem = {
+ enabled = true;
+ # TODO: switch to SMTP
+ filename = "/tmp/notifications.txt";
+ };
+ };
+ };
+ };
+ };
+
+ resources = {
+ # TODO: replace with secret and encrypt it
+ configMaps.users.data.users = lib.generators.toYAML {} {
+ users = {
+ pim = {
+ disabled = false;
+ displayname = "Pim Kunis";
+ password = "$argon2id$v=19$m=65536,t=3,p=4$Jd7fqxpvxt5CAG4ve1U9ag$U+dGYgYY6kOsDfkbpKqREp3Hhl6lNf9UOAOuX2ACsAI";
+ groups = ["admins"];
+ };
+ };
+ };
+
+ deployments.authelia.spec.template.spec = {
+ volumes.users.configMap.name = "users";
+ containers.authelia.volumeMounts = [
+ {
+ name = "users";
+ mountPath = "/tmp/users.yml";
+ subPath = "users";
+
} + ]; + }; + }; + }; + + lab = { + ingresses.authelia = { + host = "auth.kun.is"; + + service = { + name = "authelia"; + portName = "http"; + }; + }; + + longhorn.persistentVolumeClaim.data = { + volumeName = "authelia"; + storage = "100Mi"; + }; + }; + }; +} diff --git a/modules/bootstrap-default.nix b/modules/bootstrap-default.nix index e578fa6..bc2676c 100644 --- a/modules/bootstrap-default.nix +++ b/modules/bootstrap-default.nix @@ -62,6 +62,7 @@ minecraft = {}; tailscale = {}; ntfy = {}; + authelia = {}; }; nodes = @@ -137,6 +138,7 @@ minecraft.storage = "1Gi"; ntfy.storage = "300Mi"; deluge.storage = "500Mi"; + authelia.storage = "100Mi"; }; tailscaleIngresses.tailscale-longhorn = { diff --git a/modules/cyberchef.nix b/modules/cyberchef.nix index d2dabbc..3a5529a 100644 --- a/modules/cyberchef.nix +++ b/modules/cyberchef.nix @@ -31,6 +31,8 @@ targetPort = "web"; }; }; + + ingresses.cyberchef.metadata.annotations."traefik.ingress.kubernetes.io/router.middlewares" = "kube-system-forwardauth-authelia@kubernetescrd"; }; lab.ingresses.cyberchef = { diff --git a/modules/default.nix b/modules/default.nix index c976c14..0958257 100644 --- a/modules/default.nix +++ b/modules/default.nix @@ -29,5 +29,6 @@ ./tailscale.nix ./ntfy.nix ./minecraft.nix + ./authelia.nix ]; } diff --git a/modules/dummy-types.nix b/modules/dummy-types.nix index 0a6a7f7..394e3a6 100644 --- a/modules/dummy-types.nix +++ b/modules/dummy-types.nix @@ -38,5 +38,12 @@ version = "v1beta1"; kind = "RecurringJob"; }; + + middlewares = { + attrName = "middlewares"; + group = "traefik.io"; + version = "v1alpha1"; + kind = "Middleware"; + }; }; } diff --git a/modules/ingress.nix b/modules/ingress.nix index 9dbcb86..d6a27aa 100644 --- a/modules/ingress.nix +++ b/modules/ingress.nix @@ -47,7 +47,7 @@ in { rules = [ { - host = ingress.host; + inherit (ingress) host; http.paths = [ { 
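Review bot: The Longhorn claim declared under `lab.longhorn.persistentVolumeClaim.data` is never attached to the pod: `deployments.authelia.spec.template.spec.volumes` defines only the `users` ConfigMap volume, while `storage.local.path` and `notifier.filesystem.filename` point into `/tmp`, so Authelia's local storage database and the notification file live in the container's ephemeral filesystem and are lost on every pod restart. Mount the claim at the storage path (below) and move the notifier file under it; the PVC name the `lab.longhorn` module generates is not visible in this patch, so the claim name must be confirmed. A ConfigMap mounted with `subPath` is also not updated in place when the ConfigMap changes, so edits to the user database need a pod restart — worth a comment next to the mount. The literal encryption keys and the plaintext user database in a ConfigMap are already covered by the TODOs and are not repeated here.
```nix
deployments.authelia.spec.template.spec = {
  volumes = {
    users.configMap.name = "users";
    # Must be the PVC created for lab.longhorn.persistentVolumeClaim.data — confirm the generated name.
    data.persistentVolumeClaim.claimName = "<PVC-NAME-PLACEHOLDER>";
  };
  containers.authelia.volumeMounts = [
    {
      name = "users";
      mountPath = "/tmp/users.yml";
      subPath = "users"; # subPath mounts are not refreshed when the ConfigMap changes
    }
    {
      name = "data";
      mountPath = "/tmp/storage"; # same path as configMap.storage.local.path
    }
  ];
};
```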
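Review bot: The annotation value `kube-system-forwardauth-authelia@kubernetescrd` hard-codes both the namespace and the name of the Middleware, but the resource is defined in modules/traefik.nix in this same commit and that hunk does not show which namespace the traefik module deploys into, so the reference only holds while that module stays in `kube-system` and keeps the `forwardauth-authelia` name. The same string will have to be repeated on every ingress that is put behind Authelia, so consider defining it once (for example as an option on `lab.ingresses.<name>` or a shared value in traefik.nix) and referencing it here; at minimum add `# Must match the namespace and name of middlewares.forwardauth-authelia in modules/traefik.nix` above the line. As far as I know Traefik puts a router whose middleware cannot be resolved into an error state, so a drift here should take cyberchef offline rather than expose it unauthenticated — verify that after deploying. The enclosing attribute set starts outside the hunk.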
@@ -55,7 +55,7 @@ in { pathType = "Prefix"; backend.service = { - name = ingress.service.name; + inherit (ingress.service) name; port.name = ingress.service.portName; }; } diff --git a/modules/traefik.nix b/modules/traefik.nix index b59253d..e4e1c09 100644 --- a/modules/traefik.nix +++ b/modules/traefik.nix @@ -61,6 +61,23 @@ }; }; }; + + middlewares.forwardauth-authelia = { + metadata.labels = { + "app.kubernetes.io/instance" = "authelia"; + "app.kubernetes.io/name" = "authelia"; + }; + + spec.forwardAuth = { + address = "http://authelia.authelia.svc.cluster.local/api/authz/forward-auth"; + authResponseHeaders = [ + "Remote-User" + "Remote-Groups" + "Remote-Email" + "Remote-Name" + ]; + }; + }; }; lab = {
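Review bot: The forwardAuth `address` hard-codes the service DNS name `authelia.authelia.svc.cluster.local`, which encodes the namespace that is chosen separately in deployments.nix (`namespace = "authelia"`) and in the chart's `namespace` value in modules/authelia.nix; changing it in either place would silently break authentication for every protected ingress. Add `# Service and namespace must match the authelia deployment (deployments.nix, modules/authelia.nix)` above the line, or derive the value from that module's config if the module system allows it. The `authResponseHeaders` list is what backends will see as the authenticated identity, so a comment should record that these headers are only trustworthy on traffic that actually passed through this middleware — a backend reachable via another route or directly by service name could receive client-supplied `Remote-User` — which is a reason to keep the annotation on every ingress and not rely on a single protected entry point. The enclosing attribute set starts before this hunk and the `lab` set continues after it.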