home/kubernetes-deployments
2
0
Fork 0
Code Issues 4 Pull requests Projects Releases Packages Wiki Activity Actions

MVP Authelia deployment

Browse source
This commit is contained in:
Pim Kunis 2025-02-04 17:24:51 +01:00
parent 742f293a71
commit 29ad11e6f2
9 changed files with 155 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
deployments.nix
View file

@ -123,4 +123,9 @@
module.ntfy.enable = true; module.ntfy.enable = true;
namespace = "ntfy"; namespace = "ntfy";
}; };
authelia = {
module.authelia.enable = true;
namespace = "authelia";
};
} }

6
flake.lock generated
View file

@ -666,11 +666,11 @@
"poetry2nix": "poetry2nix" "poetry2nix": "poetry2nix"
}, },
"locked": { "locked": {
"lastModified": 1736990287, "lastModified": 1738631908,
"narHash": "sha256-f5DfFkMglyrCozBW/dU6WeZfHOueUm8Q1rv4r5yDOeE=", "narHash": "sha256-ndQgb/SAeOcgbsG7b+7qhrVn+XSTjs/Vk5m7eEb/HZY=",
"owner": "farcaller", "owner": "farcaller",
"repo": "nixhelm", "repo": "nixhelm",
"rev": "09b4f8373f142206456f9c15a3b638e3ce4feeb0", "rev": "e105a8264cc981d47a0f6fbfcdcc87681487aa0c",
"type": "github" "type": "github"
}, },
"original": { "original": {

116
modules/authelia.nix Normal file
View file

@ -0,0 +1,116 @@
{
nixhelm,
system,
config,
lib,
...
}: {
options.authelia.enable = lib.mkEnableOption "authelia";
config = lib.mkIf config.authelia.enable {
kubernetes = {
helm.releases.authelia = {
chart = nixhelm.chartsDerivations.${system}.authelia.authelia;
includeCRDs = true;
namespace = "authelia";
values = {
pod = {
kind = "Deployment";
replicas = 1;
};
configMap = {
authentication_backend = {
password_reset.disable = true;
ldap.enabled = false;
file = {
enabled = true;
# TODO: use better path
path = "/tmp/users.yml";
search.email = true;
password.algorithm = "argon2";
};
};
access_control = {
default_policy = "one_factor";
};
storage = {
# TODO: dummy secret, replace with real one
encryption_key.path = "0921087eca242aa4c0f7b27ea60c028824278d7fd937c820bad99acd30417fa2fd8979db857c05aa122b0160b807c13966420608b686a30dcc4226edfe90f2e8";
local = {
enabled = true;
path = "/tmp/storage"; # TODO
};
};
session = {
# TODO: dummy secret, replace with real one
encryption_key.path = "5944384e70449aecbe6e8f314ca7f5cc4e684e84909d40a94f2c3950a06a9eed32489b2be96b6b2cd45e3a1eb37f940a5aac00c718e92e6316ac64bd94235288";
cookies = [
{
domain = "kun.is";
subdomain = "auth";
}
];
};
notifier = {
filesystem = {
enabled = true;
# TODO: switch to SMTP
filename = "/tmp/notifications.txt";
};
};
};
};
};
resources = {
# TODO: replace with secret and encrypt it
configMaps.users.data.users = lib.generators.toYAML {} {
users = {
pim = {
disabled = false;
displayname = "Pim Kunis";
password = "$argon2id$v=19$m=65536,t=3,p=4$Jd7fqxpvxt5CAG4ve1U9ag$U+dGYgYY6kOsDfkbpKqREp3Hhl6lNf9UOAOuX2ACsAI";
groups = ["admins"];
};
};
};
deployments.authelia.spec.template.spec = {
volumes.users.configMap.name = "users";
containers.authelia.volumeMounts = [
{
name = "users";
mountPath = "/tmp/users.yml";
subPath = "users";
}
];
};
};
};
lab = {
ingresses.authelia = {
host = "auth.kun.is";
service = {
name = "authelia";
portName = "http";
};
};
longhorn.persistentVolumeClaim.data = {
volumeName = "authelia";
storage = "100Mi";
};
};
};
}

2
modules/bootstrap-default.nix
View file

@ -62,6 +62,7 @@
minecraft = {}; minecraft = {};
tailscale = {}; tailscale = {};
ntfy = {}; ntfy = {};
authelia = {};
}; };
nodes = nodes =
@ -137,6 +138,7 @@
minecraft.storage = "1Gi"; minecraft.storage = "1Gi";
ntfy.storage = "300Mi"; ntfy.storage = "300Mi";
deluge.storage = "500Mi"; deluge.storage = "500Mi";
authelia.storage = "100Mi";
}; };
tailscaleIngresses.tailscale-longhorn = { tailscaleIngresses.tailscale-longhorn = {

2
modules/cyberchef.nix
View file

@ -31,6 +31,8 @@
targetPort = "web"; targetPort = "web";
}; };
}; };
ingresses.cyberchef.metadata.annotations."traefik.ingress.kubernetes.io/router.middlewares" = "kube-system-forwardauth-authelia@kubernetescrd";
}; };
lab.ingresses.cyberchef = { lab.ingresses.cyberchef = {

1
modules/default.nix
View file

@ -29,5 +29,6 @@
./tailscale.nix ./tailscale.nix
./ntfy.nix ./ntfy.nix
./minecraft.nix ./minecraft.nix
./authelia.nix
]; ];
} }

7
modules/dummy-types.nix
View file

@ -38,5 +38,12 @@
version = "v1beta1"; version = "v1beta1";
kind = "RecurringJob"; kind = "RecurringJob";
}; };
middlewares = {
attrName = "middlewares";
group = "traefik.io";
version = "v1alpha1";
kind = "Middleware";
};
}; };
} }

4
modules/ingress.nix
View file

@ -47,7 +47,7 @@ in {
rules = [ rules = [
{ {
host = ingress.host; inherit (ingress) host;
http.paths = [ http.paths = [
{ {
@ -55,7 +55,7 @@ in {
pathType = "Prefix"; pathType = "Prefix";
backend.service = { backend.service = {
name = ingress.service.name; inherit (ingress.service) name;
port.name = ingress.service.portName; port.name = ingress.service.portName;
}; };
} }

17
modules/traefik.nix
View file

@ -61,6 +61,23 @@
}; };
}; };
}; };
middlewares.forwardauth-authelia = {
metadata.labels = {
"app.kubernetes.io/instance" = "authelia";
"app.kubernetes.io/name" = "authelia";
};
spec.forwardAuth = {
address = "http://authelia.authelia.svc.cluster.local/api/authz/forward-auth";
authResponseHeaders = [
"Remote-User"
"Remote-Groups"
"Remote-Email"
"Remote-Name"
];
};
};
}; };
lab = { lab = {