switch authelia to new secrets contract
This commit is contained in:
parent
fa87855ee5
commit
b85705ab74
4 changed files with 116 additions and 49 deletions
|
@ -1,7 +1,8 @@
|
||||||
{ config, pkgs, lib, ... }:
|
{ config, options, pkgs, lib, ... }:
|
||||||
|
|
||||||
let
|
let
|
||||||
cfg = config.shb.authelia;
|
cfg = config.shb.authelia;
|
||||||
|
opt = options.shb.authelia;
|
||||||
|
|
||||||
contracts = pkgs.callPackage ../contracts {};
|
contracts = pkgs.callPackage ../contracts {};
|
||||||
shblib = pkgs.callPackage ../../lib {};
|
shblib = pkgs.callPackage ../../lib {};
|
||||||
|
@ -67,33 +68,45 @@ in
|
||||||
description = "Secrets needed by Authelia";
|
description = "Secrets needed by Authelia";
|
||||||
type = lib.types.submodule {
|
type = lib.types.submodule {
|
||||||
options = {
|
options = {
|
||||||
jwtSecretFile = lib.mkOption {
|
jwtSecret = contracts.secret.mkOption {
|
||||||
type = lib.types.path;
|
description = "JWT secret.";
|
||||||
description = "File containing the JWT secret.";
|
mode = "0400";
|
||||||
|
owner = cfg.autheliaUser;
|
||||||
|
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
|
||||||
};
|
};
|
||||||
ldapAdminPasswordFile = lib.mkOption {
|
ldapAdminPassword = contracts.secret.mkOption {
|
||||||
type = lib.types.path;
|
description = "LDAP admin user password.";
|
||||||
description = "File containing the LDAP admin user password.";
|
mode = "0400";
|
||||||
|
owner = cfg.autheliaUser;
|
||||||
|
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
|
||||||
};
|
};
|
||||||
sessionSecretFile = lib.mkOption {
|
sessionSecret = contracts.secret.mkOption {
|
||||||
type = lib.types.path;
|
description = "Session secret.";
|
||||||
description = "File containing the session secret.";
|
mode = "0400";
|
||||||
|
owner = cfg.autheliaUser;
|
||||||
|
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
|
||||||
};
|
};
|
||||||
storageEncryptionKeyFile = lib.mkOption {
|
storageEncryptionKey = contracts.secret.mkOption {
|
||||||
type = lib.types.path;
|
description = "Storage encryption key.";
|
||||||
description = "File containing the storage encryption key.";
|
mode = "0400";
|
||||||
|
owner = cfg.autheliaUser;
|
||||||
|
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
|
||||||
};
|
};
|
||||||
identityProvidersOIDCHMACSecretFile = lib.mkOption {
|
identityProvidersOIDCHMACSecret = contracts.secret.mkOption {
|
||||||
type = lib.types.path;
|
description = "Identity provider OIDC HMAC secret.";
|
||||||
description = "File containing the identity provider OIDC HMAC secret.";
|
mode = "0400";
|
||||||
|
owner = cfg.autheliaUser;
|
||||||
|
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
|
||||||
};
|
};
|
||||||
identityProvidersOIDCIssuerPrivateKeyFile = lib.mkOption {
|
identityProvidersOIDCIssuerPrivateKey = contracts.secret.mkOption {
|
||||||
type = lib.types.path;
|
|
||||||
description = ''
|
description = ''
|
||||||
File containing the identity provider OIDC issuer private key.
|
Identity provider OIDC issuer private key.
|
||||||
|
|
||||||
Generate one with `nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048`
|
Generate one with `nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048`
|
||||||
'';
|
'';
|
||||||
|
mode = "0400";
|
||||||
|
owner = cfg.autheliaUser;
|
||||||
|
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
@ -207,9 +220,11 @@ in
|
||||||
type = lib.types.str;
|
type = lib.types.str;
|
||||||
description = "Username to connect to the SMTP host.";
|
description = "Username to connect to the SMTP host.";
|
||||||
};
|
};
|
||||||
passwordFile = lib.mkOption {
|
password = contracts.secret.mkOption {
|
||||||
type = lib.types.str;
|
|
||||||
description = "File containing the password to connect to the SMTP host.";
|
description = "File containing the password to connect to the SMTP host.";
|
||||||
|
mode = "0400";
|
||||||
|
owner = cfg.autheliaUser;
|
||||||
|
restartUnits = [ "authelia-${fqdn}" ];
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}))
|
}))
|
||||||
|
@ -282,19 +297,20 @@ in
|
||||||
user = cfg.autheliaUser;
|
user = cfg.autheliaUser;
|
||||||
|
|
||||||
secrets = {
|
secrets = {
|
||||||
inherit (cfg.secrets) jwtSecretFile storageEncryptionKeyFile;
|
jwtSecretFile = cfg.secrets.jwtSecret.result.path;
|
||||||
|
storageEncryptionKeyFile = cfg.secrets.storageEncryptionKey.result.path;
|
||||||
};
|
};
|
||||||
# See https://www.authelia.com/configuration/methods/secrets/
|
# See https://www.authelia.com/configuration/methods/secrets/
|
||||||
environmentVariables = {
|
environmentVariables = {
|
||||||
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = toString cfg.secrets.ldapAdminPasswordFile;
|
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = toString cfg.secrets.ldapAdminPassword.result.path;
|
||||||
AUTHELIA_SESSION_SECRET_FILE = toString cfg.secrets.sessionSecretFile;
|
AUTHELIA_SESSION_SECRET_FILE = toString cfg.secrets.sessionSecret.result.path;
|
||||||
# Not needed since we use peer auth.
|
# Not needed since we use peer auth.
|
||||||
# AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/run/secrets/authelia/postgres_password";
|
# AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/run/secrets/authelia/postgres_password";
|
||||||
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = toString cfg.secrets.storageEncryptionKeyFile;
|
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = toString cfg.secrets.storageEncryptionKey.result.path;
|
||||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = toString cfg.secrets.identityProvidersOIDCHMACSecretFile;
|
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = toString cfg.secrets.identityProvidersOIDCHMACSecret.result.path;
|
||||||
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = toString cfg.secrets.identityProvidersOIDCIssuerPrivateKeyFile;
|
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = toString cfg.secrets.identityProvidersOIDCIssuerPrivateKey.result.path;
|
||||||
|
|
||||||
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = lib.mkIf (!(builtins.isString cfg.smtp)) (toString cfg.smtp.passwordFile);
|
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = lib.mkIf (!(builtins.isString cfg.smtp)) (toString cfg.smtp.password.result.path);
|
||||||
};
|
};
|
||||||
settings = {
|
settings = {
|
||||||
server.address = "tcp://127.0.0.1:9091";
|
server.address = "tcp://127.0.0.1:9091";
|
||||||
|
|
|
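Review bot: `restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];` in the six `contracts.secret.mkOption` declarations interpolates `opt`, which the first hunk binds to `options.shb.authelia`, i.e. the option declaration sets rather than their values; unless `contracts.secret.mkOption` resolves option sets itself, coercing them to a string would presumably fail at evaluation, and the defect stays latent because the new tests only splice `.request` into `shb.hardcodedsecret`, which never forces `restartUnits`. The SMTP hunk (`@ -207,9 +220,11 @@`) already uses `restartUnits = [ "authelia-${fqdn}" ];`, so using the same `fqdn` binding (or `cfg.subdomain`/`cfg.domain`) in all six places would make them consistent and evaluable. In that SMTP hunk the description still reads `File containing the password to connect to the SMTP host.` while the other five were reworded to describe the secret itself; `description = "Password to connect to the SMTP host.";` matches the new contract wording. The enclosing `options` attribute set begins before the first hunk.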
@ -4,7 +4,7 @@ let
|
||||||
opt = options.shb.hardcodedsecret;
|
opt = options.shb.hardcodedsecret;
|
||||||
|
|
||||||
inherit (lib) mapAttrs' mkOption nameValuePair;
|
inherit (lib) mapAttrs' mkOption nameValuePair;
|
||||||
inherit (lib.types) attrsOf listOf path str submodule;
|
inherit (lib.types) attrsOf listOf path nullOr str submodule;
|
||||||
inherit (pkgs) writeText;
|
inherit (pkgs) writeText;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
|
@ -56,12 +56,21 @@ in
|
||||||
};
|
};
|
||||||
|
|
||||||
content = mkOption {
|
content = mkOption {
|
||||||
type = str;
|
type = nullOr str;
|
||||||
description = ''
|
description = ''
|
||||||
Content of the secret.
|
Content of the secret.
|
||||||
|
|
||||||
This will be stored in the nix store and should only be used for testing or maybe in dev.
|
This will be stored in the nix store and should only be used for testing or maybe in dev.
|
||||||
'';
|
'';
|
||||||
|
default = null;
|
||||||
|
};
|
||||||
|
|
||||||
|
source = mkOption {
|
||||||
|
type = nullOr str;
|
||||||
|
description = ''
|
||||||
|
Source of the content of the secret.
|
||||||
|
'';
|
||||||
|
default = null;
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
}));
|
}));
|
||||||
|
@ -70,14 +79,16 @@ in
|
||||||
config = {
|
config = {
|
||||||
system.activationScripts = mapAttrs' (n: cfg':
|
system.activationScripts = mapAttrs' (n: cfg':
|
||||||
let
|
let
|
||||||
content' = writeText "hardcodedsecret_${n}_content" cfg'.content;
|
source = if cfg'.source != null
|
||||||
|
then cfg'.source
|
||||||
|
else writeText "hardcodedsecret_${n}_content" cfg'.content;
|
||||||
in
|
in
|
||||||
nameValuePair "hardcodedsecret_${n}" ''
|
nameValuePair "hardcodedsecret_${n}" ''
|
||||||
mkdir -p "$(dirname "${cfg'.path}")"
|
mkdir -p "$(dirname "${cfg'.path}")"
|
||||||
touch "${cfg'.path}"
|
touch "${cfg'.path}"
|
||||||
chmod ${cfg'.mode} "${cfg'.path}"
|
chmod ${cfg'.mode} "${cfg'.path}"
|
||||||
chown ${cfg'.owner}:${cfg'.group} "${cfg'.path}"
|
chown ${cfg'.owner}:${cfg'.group} "${cfg'.path}"
|
||||||
cp ${content'} "${cfg'.path}"
|
cp ${source} "${cfg'.path}"
|
||||||
''
|
''
|
||||||
) cfg;
|
) cfg;
|
||||||
};
|
};
|
||||||
|
|
|
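Review bot: `source = if cfg'.source != null then cfg'.source else writeText "hardcodedsecret_${n}_content" cfg'.content;` has no case for both options being null, which the `nullOr str` / `default = null` declarations in the `@ -56,12 +56,21 @@` hunk now permit; `writeText` on a null `content` fails with a generic coercion error that does not name the offending secret. An assertion over `cfg` that exactly one of `content`/`source` is set would report this at evaluation with a useful message (below). In the same activation script `cp ${source} "${cfg'.path}"` leaves the new `source` unquoted although it is an arbitrary `str`; `cp "${source}" "${cfg'.path}"` matches the quoting of the other arguments. The `source` option's description (`Source of the content of the secret.`) would also benefit from stating that it is a path to a file whose contents are copied into `path`, and that a store path is as world-readable as `content` is.
```nix
config = {
  assertions = lib.mapAttrsToList (n: cfg': {
    assertion = (cfg'.content != null) != (cfg'.source != null);
    message = "shb.hardcodedsecret.${n}: exactly one of `content` or `source` must be set.";
  }) cfg;
  # … unchanged: system.activationScripts …
};
```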
@ -13,6 +13,7 @@ in
|
||||||
(pkgs'.path + "/nixos/modules/profiles/headless.nix")
|
(pkgs'.path + "/nixos/modules/profiles/headless.nix")
|
||||||
(pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix")
|
(pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix")
|
||||||
../../modules/blocks/authelia.nix
|
../../modules/blocks/authelia.nix
|
||||||
|
../../modules/blocks/hardcodedsecret.nix
|
||||||
../../modules/blocks/ldap.nix
|
../../modules/blocks/ldap.nix
|
||||||
../../modules/blocks/postgresql.nix
|
../../modules/blocks/postgresql.nix
|
||||||
];
|
];
|
||||||
|
@ -44,14 +45,12 @@ in
|
||||||
ldapPort = config.shb.ldap.ldapPort;
|
ldapPort = config.shb.ldap.ldapPort;
|
||||||
dcdomain = config.shb.ldap.dcdomain;
|
dcdomain = config.shb.ldap.dcdomain;
|
||||||
secrets = {
|
secrets = {
|
||||||
jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile";
|
jwtSecret.result.path = config.shb.hardcodedsecret.autheliaJwtSecret.path;
|
||||||
ldapAdminPasswordFile = pkgs.writeText "ldapAdminPasswordFile" ldapAdminPassword;
|
ldapAdminPassword.result.path = config.shb.hardcodedsecret.ldapAdminPassword.path;
|
||||||
sessionSecretFile = pkgs.writeText "sessionSecretFile" "sessionSecretFile";
|
sessionSecret.result.path = config.shb.hardcodedsecret.sessionSecret.path;
|
||||||
storageEncryptionKeyFile = pkgs.writeText "storageEncryptionKeyFile" "storageEncryptionKeyFile";
|
storageEncryptionKey.result.path = config.shb.hardcodedsecret.storageEncryptionKey.path;
|
||||||
identityProvidersOIDCHMACSecretFile = pkgs.writeText "identityProvidersOIDCHMACSecretFile" "identityProvidersOIDCHMACSecretFile";
|
identityProvidersOIDCHMACSecret.result.path = config.shb.hardcodedsecret.identityProvidersOIDCHMACSecret.path;
|
||||||
# This needs to be of the correct shape and at least 2048 bits. Generated with:
|
identityProvidersOIDCIssuerPrivateKey.result.path = config.shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey.path;
|
||||||
# nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048
|
|
||||||
identityProvidersOIDCIssuerPrivateKeyFile = pkgs.writeText "identityProvidersOIDCIssuerPrivateKeyFile" (builtins.readFile ./keypair.pem);
|
|
||||||
};
|
};
|
||||||
|
|
||||||
oidcClients = [
|
oidcClients = [
|
||||||
|
@ -73,6 +72,28 @@ in
|
||||||
}
|
}
|
||||||
];
|
];
|
||||||
};
|
};
|
||||||
|
|
||||||
|
shb.hardcodedsecret.autheliaJwtSecret = config.shb.authelia.secrets.jwtSecret.request // {
|
||||||
|
content = "jwtSecret";
|
||||||
|
};
|
||||||
|
shb.hardcodedsecret.ldapAdminPassword = config.shb.authelia.secrets.ldapAdminPassword.request // {
|
||||||
|
content = ldapAdminPassword;
|
||||||
|
};
|
||||||
|
shb.hardcodedsecret.sessionSecret = config.shb.authelia.secrets.sessionSecret.request // {
|
||||||
|
content = "sessionSecret";
|
||||||
|
};
|
||||||
|
shb.hardcodedsecret.storageEncryptionKey = config.shb.authelia.secrets.storageEncryptionKey.request // {
|
||||||
|
content = "storageEncryptionKey";
|
||||||
|
};
|
||||||
|
shb.hardcodedsecret.identityProvidersOIDCHMACSecret = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request // {
|
||||||
|
content = "identityProvidersOIDCHMACSecret";
|
||||||
|
};
|
||||||
|
shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request // {
|
||||||
|
source = (pkgs.runCommand "gen-private-key" {} ''
|
||||||
|
mkdir $out
|
||||||
|
${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096
|
||||||
|
'') + "/private.pem";
|
||||||
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
testScript = { nodes, ... }: ''
|
testScript = { nodes, ... }: ''
|
||||||
|
|
|
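Review bot: `shb.hardcodedsecret.autheliaJwtSecret` is the only one of the six new hardcoded-secret definitions in the `@ -73,6 +72,28 @@` hunk carrying the `authelia` prefix; the other five (`ldapAdminPassword`, `sessionSecret`, `storageEncryptionKey`, `identityProvidersOIDCHMACSecret`, `identityProvidersOIDCIssuerPrivateKey`) are bare names in the flat `shb.hardcodedsecret` namespace, which this test shares with the other imported blocks, so a name like `ldapAdminPassword` could presumably collide if another block adopted the same contract. Prefixing all six (e.g. `shb.hardcodedsecret.autheliaSessionSecret = …`) or none keeps the pattern consistent. The same block is duplicated verbatim in the `@ -185,17 +185,36 @@` hunk of the last file; a shared helper in the test's `let` would avoid maintaining two copies. The issuer key's `source` comes from `pkgs.runCommand`, so the private key lands in the nix store; that is acceptable for a test fixture but deserves a one-line comment such as `# Test-only key: generated into the world-readable nix store.`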
@ -185,17 +185,36 @@ in
|
||||||
dcdomain = config.shb.ldap.dcdomain;
|
dcdomain = config.shb.ldap.dcdomain;
|
||||||
|
|
||||||
secrets = {
|
secrets = {
|
||||||
jwtSecretFile = pkgs.writeText "jwtSecret" "jwtSecret";
|
jwtSecret.result.path = config.shb.hardcodedsecret.autheliaJwtSecret.path;
|
||||||
ldapAdminPasswordFile = pkgs.writeText "ldapUserPassword" "ldapUserPassword";
|
ldapAdminPassword.result.path = config.shb.hardcodedsecret.ldapAdminPassword.path;
|
||||||
sessionSecretFile = pkgs.writeText "sessionSecret" "sessionSecret";
|
sessionSecret.result.path = config.shb.hardcodedsecret.sessionSecret.path;
|
||||||
storageEncryptionKeyFile = pkgs.writeText "storageEncryptionKey" "storageEncryptionKey";
|
storageEncryptionKey.result.path = config.shb.hardcodedsecret.storageEncryptionKey.path;
|
||||||
identityProvidersOIDCHMACSecretFile = pkgs.writeText "identityProvidersOIDCHMACSecret" "identityProvidersOIDCHMACSecret";
|
identityProvidersOIDCHMACSecret.result.path = config.shb.hardcodedsecret.identityProvidersOIDCHMACSecret.path;
|
||||||
identityProvidersOIDCIssuerPrivateKeyFile = (pkgs.runCommand "gen-private-key" {} ''
|
identityProvidersOIDCIssuerPrivateKey.result.path = config.shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey.path;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
shb.hardcodedsecret.autheliaJwtSecret = config.shb.authelia.secrets.jwtSecret.request // {
|
||||||
|
content = "jwtSecret";
|
||||||
|
};
|
||||||
|
shb.hardcodedsecret.ldapAdminPassword = config.shb.authelia.secrets.ldapAdminPassword.request // {
|
||||||
|
content = "ldapUserPassword";
|
||||||
|
};
|
||||||
|
shb.hardcodedsecret.sessionSecret = config.shb.authelia.secrets.sessionSecret.request // {
|
||||||
|
content = "sessionSecret";
|
||||||
|
};
|
||||||
|
shb.hardcodedsecret.storageEncryptionKey = config.shb.authelia.secrets.storageEncryptionKey.request // {
|
||||||
|
content = "storageEncryptionKey";
|
||||||
|
};
|
||||||
|
shb.hardcodedsecret.identityProvidersOIDCHMACSecret = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request // {
|
||||||
|
content = "identityProvidersOIDCHMACSecret";
|
||||||
|
};
|
||||||
|
shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request // {
|
||||||
|
source = (pkgs.runCommand "gen-private-key" {} ''
|
||||||
mkdir $out
|
mkdir $out
|
||||||
${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096
|
${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096
|
||||||
'') + "/private.pem";
|
'') + "/private.pem";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
};
|
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|