current

Author: IogaMaster

hosts/equinox/config.nix

@@ -23,38 +23,22 @@ in {
     };
     services = {
       vaultwarden.enable = true;
-      vault.enable = true;
+      vault = {
+        enable = true;
+        consulServerAddress = "192.168.25.131";
+      };
     };
     apps.tools.git.enable = true;
   };
 
-  # services.jellyfin = {
-  #   enable = true;
-  #   openFirewall = true; # Not strictly needed if Caddy is on the same machine
-  # };
-  #
-  # networking.firewall.allowedTCPPorts = [
-  #   8096 # Jellyfin
-  #   8301 # Consul Gossip
-  #   8300 # Consul RPC
-  # ];
-  #
-  # services.consul = {
-  #   enable = true;
-  #   extraConfig = {
-  #     server = false;
-  #     retry_join = [ "192.168.25.131" ];
-  #     bind_addr = ''{{ GetPrivateInterfaces | attr "address" }}'';
-  #     services = [{
-  #       name = "jellyfin";
-  #       port = 8096;
-  #       tags = [ "media" "public" ];
-  #       check = {
-  #         http = "http://127.0.0.1:8096/health";
-  #         interval = "10s";
-  #         timeout = "1s";
-  #       };
-  #     }];
-  #   };
-  # };
+  services.jellyfin = {
+    enable = true;
+    openFirewall = true; # Not strictly needed if Caddy is on the same machine
+  };
+
+  networking.firewall.allowedTCPPorts = [
+    8096 # Jellyfin
+    8301 # Consul Gossip
+    8300 # Consul RPC
+  ];
 }

modules/services/authelia.nix

@@ -9,21 +9,24 @@ lib.mkModule args "ioga.services.authelia" {
       user = "authelia-${cfg.instanceName}";
       group = "authelia-${cfg.instanceName}";
     };
+
     services.authelia.instances.${cfg.instanceName} = {
       enable = true;
+
       secrets = {
         jwtSecretFile = "${secrets.authelia}/jwtSecretFile";
         sessionSecretFile = "${secrets.authelia}/sessionSecretFile";
         storageEncryptionKeyFile =
           "${secrets.authelia}/storageEncryptionKeyFile";
+        oidcHmacSecretFile = "${secrets.authelia}/oidcHmac";
+        oidcIssuerPrivateKeyFile = "${secrets.authelia}/oidcKey";
       };
 
       settings = {
         theme = "dark";
         server.address = "tcp://0.0.0.0:9091";
 
-        authentication_backend.file.path =
-          "/var/lib/authelia-${cfg.instanceName}/users.yml";
+        authentication_backend.file.path = "${secrets.authelia}/users.yml";
         storage.local.path = "/var/lib/authelia-${cfg.instanceName}/db.sqlite3";
         notifier.filesystem.filename =
           "/var/lib/authelia-${cfg.instanceName}/emails.txt";
@@ -42,6 +45,23 @@ lib.mkModule args "ioga.services.authelia" {
           ];
         };
 
+        identity_providers.oidc = {
+          clients = [{
+            client_id = "vault";
+            client_name = "HashiCorp Vault";
+            public = false;
+            client_secret =
+              ''{{ secret "${secrets.authelia}/clientSecretHash" }}'';
+            authorization_policy = "two_factor";
+            redirect_uris = [
+              "https://vault.ioga.dev"
+              "http://localhost:8250/oidc/callback"
+            ];
+            scopes = [ "openid" "profile" "email" "groups" ];
+            userinfo_signed_response_alg = "none";
+          }];
+        };
+
         session.cookies = [{
           inherit (cfg) domain;
           authelia_url = "https://auth.${cfg.domain}";
@@ -52,23 +72,10 @@ lib.mkModule args "ioga.services.authelia" {
 
     systemd.services."authelia-${cfg.instanceName}" = {
       serviceConfig.StateDirectory = "authelia-${cfg.instanceName}";
-      preStart = # bash
-        ''
-          USER_DB="/var/lib/authelia-${cfg.instanceName}/users.yml"
-          PASS=$(cat ${secrets.authelia}/adminPassword)
-          HASHED_PASSWORD=$(${pkgs.authelia}/bin/authelia crypto hash generate argon2 --password "$PASS" | ${pkgs.gawk}/bin/awk '/Digest:/ {print $2}')
-          if [ ! -s "$USER_DB" ]; then
-            echo "${''
-            users:
-              admin:
-                displayname: "Admin"
-                password: "$HASHED_PASSWORD"
-                email: "admin@${cfg.domain}"
-                groups: [admins]''}" > "$USER_DB"
-            chmod 600 "$USER_DB"
-            chown authelia-${cfg.instanceName}:authelia-${cfg.instanceName} "$USER_DB"
-          fi
-        '';
+
+      # 4. Enable the 'template' filter via environment variable
+      # This allows Authelia to process the {{ secret }} syntax in the config file.
+      environment.X_AUTHELIA_CONFIG_FILTERS = "template";
     };
   };
 }

modules/services/reverse_proxy.nix

@@ -30,25 +30,29 @@ lib.mkModule args "ioga.services.reverse_proxy" {
               forward_auth 0.0.0.0:9091 {
                 uri /api/authz/forward-auth
                 copy_headers Remote-User Remote-Groups Remote-Name Remote-Email
-                # Important for session cookie logic
-                header_up X-Forwarded-Proto {scheme}
-                header_up X-Forwarded-Host {host}
+                header_up X-Forwarded-Proto https # cloudflare tunnel gives http
+                header_up Host {host}
               }
             }
-
+            (consul_router) {
+                reverse_proxy {
+                    dynamic srv {
+                        name "{labels.2}.service.consul"
+                            resolvers 127.0.0.1:8600
+                    }
+                    transport http {
+                        resolvers 127.0.0.1:8600
+                    }
+                    header_up Host {host}
+                }
+            }
             http://auth.${cfg.domain} {
               reverse_proxy 0.0.0.0:9091
             }
 
             http://*.${cfg.domain} {
               import authelia_auth
-
-              reverse_proxy {
-                dynamic srv {
-                  name "{labels.2}.service.consul"
-                  resolvers 127.0.0.1:8600
-                }
-              }
+              import consul_router
             }
           '';
       };

modules/services/vault.nix

@@ -1,11 +1,14 @@
 { lib, pkgs, secrets, ... }@args:
 lib.mkModule args "ioga.services.vault" {
+  options = with lib; { consulServerAddress = mkOpt' types.str ""; };
   config = { cfg }: {
-    environment.systemPackages = with pkgs; [ vault-bin ];
-
-    environment.persist.directories = [ "/run/secrets/vault" ];
     systemd.services.vault.serviceConfig.EnvironmentFile =
       "/run/secrets/vault/environment"; # only way to get the secret into the service
+    environment = {
+      systemPackages = with pkgs; [ vault-bin ];
+      persist.directories = [ "/run/secrets/vault" ];
+      variables = { VAULT_ADDR = "https://vault.ioga.dev"; };
+    };
 
     services.vault = {
       enable = true;
@@ -24,6 +27,28 @@ lib.mkModule args "ioga.services.vault" {
           ui = true
         '';
     };
+    systemd.services.vault.environment = {
+      VAULT_ADDR = "https://vault.ioga.dev";
+    };
+
+    services.consul = {
+      enable = true;
+      extraConfig = {
+        server = false;
+        retry_join = [ cfg.consulServerAddress ];
+        bind_addr = ''{{ GetPrivateInterfaces | attr "address" }}'';
+        services = [{
+          name = "vault";
+          port = 8200;
+          tags = [ "public" ];
+          check = {
+            http = "http://127.0.0.1:8200/v1/sys/health";
+            interval = "10s";
+            timeout = "1s";
+          };
+        }];
+      };
+    };
 
     networking.firewall.allowedTCPPorts = [ 8200 ];
   };