feat(services): Properly configure and enable authelia

secrets/OVHCloud.yaml

@@ -1,3 +1,8 @@
+authelia:
+    JWT_SECRET: ENC[AES256_GCM,data:a1LyPNaojDm8JtcCahkYx8TGGjbh2Appz1s5ruZzQs4VOMgtdV7MWl3RMpk=,iv:7y+ZhNYMS8t6Y3YqBJjnESBCK5BPM6Y+BbXMDSUQcc0=,tag:ksoR48cTA2eIg+JEvCXFWw==,type:str]
+    SESSION_SECRET: ENC[AES256_GCM,data:kr8+BsQhJQRmfhvzlOGBItqiRtHi2BcD9adhsL1N8FURe8sCPoOiNnwT0IM=,iv:97UPC5Woerm+ftrOMJ0HBM8jhF5ea+2H3QZU3a6i+fY=,tag:63N+r/BoBDaWYcEXUtIksw==,type:str]
+    STORAGE_PASSWORD: ENC[AES256_GCM,data:o+7Bszd/hPOaMMF/NOHVxMTY92hUZrFYu+4gkYkMkAubYiEfsX6kus4oToA=,iv:Q2sl8ZKblupyMO7GY/VCklQWTlHRtSsuVHRC60uwPfc=,tag:QxbpVJXq3HtEzHeFLoVOEw==,type:str]
+    STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:gGIayEmpkF+uLpsn69DgWcZPzeIV9xgAFBFgEMEKvSCoGx5id1bq/EFM81o=,iv:6SjBuo+/WosohTEWX8QwPqHd2f80ljx+m3WSjiChusU=,tag:pk2mNtGTOpFNcyVO8fFFuQ==,type:str]
 caddy:
     ovh_endpoint: ENC[AES256_GCM,data:dTdfKCWE,iv:NnmdUyM9F8ujEIfEEl9WXGLY3zRpIy9BDeqs1frK+R0=,tag:1AblJqi2hKISXBqNdWybqQ==,type:str]
     ovh_application_key: ENC[AES256_GCM,data:48HzVrSa35qUSkLO7sbUwg==,iv:QfTRXsfTlgeoJdRJIph39EBbLynRNxH4DkFuuC06IuE=,tag:m8lJPHEEpK24MKUou0MTpw==,type:str]
@@ -34,8 +39,8 @@ sops:
             MFpMemF4MGg1bmVUeWV5N25LTUtyczQKss0x4zT1kyeRu+qenhrdbcPlU/p+yjVN
             y3j4eGpnwgc2rxSL9vkrrkzx/atUqUkgGU/YstszUrP6XKbJ+9ydpQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-10-02T07:32:18Z"
+    lastmodified: "2024-10-18T08:30:16Z"
-    mac: ENC[AES256_GCM,data:0fwZxJO2LKpwV4+IYbBSyrqcQt4RrqlF/2OM8vP+3B/AI3Ny6LSP851IXdwzIMtMLiGBnvl787sXmZWPcUaizq3XmQR7t9lX/q4WkgVIDZ5JQtmHc4TSYDIxECBAQ5P4V6CNsUw3gjC5X4OSLtSfil/pAXbcMFKdlVLgP4S6wMU=,iv:UlJPlLFx2y/YJQWEDCY4NyqkZuQjNH8yCeELzoa3IoU=,tag:JI1tTnMSnQiWXVZmqb+ykA==,type:str]
+    mac: ENC[AES256_GCM,data:c4Ngpz/GK+20/SvGVVzS1n6ChLCRHIdyHfvfapy5dkMMeWbxVbVgSz6G+q0CW38deQiGMbWO3V+w/dhyI6Re3A688X+RQBnsUSqsLpXZeamxUbtqzWaS/bedBfg1T5sQLwXYpeqWoCgpd4bHfT3DfApYW02ScU7gkFQiMRlpsXA=,iv:s+ah+0zA0jBv0aDJbB2C3Y38ifD7XFNEjjFS1hCplsE=,tag:mc8DgCyVP+4y+8nqitmE1w==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.0

services/authelia/configuration.yml

@@ -5,14 +5,68 @@ access_control:
   rules:
     - domain: '*.gasdev.fr'
       policy: one_factor
+
 server:
+  address: 'tcp://:9091/'
   endpoints:
     authz:
       forward-auth:
         implementation: 'ForwardAuth'
+
 session:
   cookies:
     - domain: 'gasdev.fr'
       authelia_url: 'https://auth.gasdev.fr'
-      default_redirection_url: 'https://www.example.com'
+      default_redirection_url: 'https://auth.gasdev.fr/authenticated'
+
+authentication_backend:
+  password_reset:
+    disable: false
+
+  file:
+    path: '/data/users_database.yml'
+    password:
+      algorithm: 'argon2'
+
+password_policy:
+  standard:
+    enabled: true
+    min_length: 10
+    max_length: 128
+    require_uppercase: true
+    require_lowercase: true
+    require_number: true
+    require_special: true
+
+storage:
+  local:
+    path: /data/db.sqlite3
+
+notifier:
+  filesystem:
+    filename: '/data/notification.txt'
+
+log:
+  level: 'info'
+  format: 'json'
+
+totp:
+  issuer: 'gasdev.fr'
+  ## https://www.authelia.com/c/totp#algorithm
+  algorithm: 'SHA1'
+
+  ## https://www.authelia.com/c/totp#digits
+  digits: 6
+  period: 30
+  ## See: https://www.authelia.com/c/totp#input-validation to read
+  skew: 1
+
+webauthn:
+  disable: true
+
+duo_api:
+  disable: true
+  
+ntp:
+  address: 'udp://time.cloudflare.com:123'
 

services/authelia/default.nix

@@ -16,10 +16,11 @@
       environment = {
         AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE = "/secrets/JWT_SECRET";
         AUTHELIA_SESSION_SECRET_FILE = "/secrets/SESSION_SECRET";
-        AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD";
+        # AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/secrets/STORAGE_PASSWORD";
         AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = "/secrets/STORAGE_ENCRYPTION_KEY";
       };
       volumes = [
+        "authelia-data:/data"
         "/run/secrets/authelia:/secrets"
         "/etc/authelia/configuration.yml:/config/configuration.yml"
       ];

services/default.nix

@@ -1,5 +1,6 @@
 {
   imports = [
+    ./authelia
     ./garage
     ./shadowsocks
     ./uptime-kuma