hosting/selfhostblocks
1
0
Fork 0
Code Issues Activity

switch authelia to new secrets contract

Browse source
This commit is contained in:
ibizaman 2024-10-13 23:23:08 +02:00 committed by Pierre Penninckx
parent fa87855ee5
commit b85705ab74
4 changed files with 116 additions and 49 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

72
modules/blocks/authelia.nix
View file

@ -1,7 +1,8 @@
{ config, pkgs, lib, ... }: { config, options, pkgs, lib, ... }:
let let
cfg = config.shb.authelia; cfg = config.shb.authelia;
opt = options.shb.authelia;
contracts = pkgs.callPackage ../contracts {}; contracts = pkgs.callPackage ../contracts {};
shblib = pkgs.callPackage ../../lib {}; shblib = pkgs.callPackage ../../lib {};
@ -67,33 +68,45 @@ in
description = "Secrets needed by Authelia"; description = "Secrets needed by Authelia";
type = lib.types.submodule { type = lib.types.submodule {
options = { options = {
jwtSecretFile = lib.mkOption { jwtSecret = contracts.secret.mkOption {
type = lib.types.path; description = "JWT secret.";
description = "File containing the JWT secret."; mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
}; };
ldapAdminPasswordFile = lib.mkOption { ldapAdminPassword = contracts.secret.mkOption {
type = lib.types.path; description = "LDAP admin user password.";
description = "File containing the LDAP admin user password."; mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
}; };
sessionSecretFile = lib.mkOption { sessionSecret = contracts.secret.mkOption {
type = lib.types.path; description = "Session secret.";
description = "File containing the session secret."; mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
}; };
storageEncryptionKeyFile = lib.mkOption { storageEncryptionKey = contracts.secret.mkOption {
type = lib.types.path; description = "Storage encryption key.";
description = "File containing the storage encryption key."; mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
}; };
identityProvidersOIDCHMACSecretFile = lib.mkOption { identityProvidersOIDCHMACSecret = contracts.secret.mkOption {
type = lib.types.path; description = "Identity provider OIDC HMAC secret.";
description = "File containing the identity provider OIDC HMAC secret."; mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
}; };
identityProvidersOIDCIssuerPrivateKeyFile = lib.mkOption { identityProvidersOIDCIssuerPrivateKey = contracts.secret.mkOption {
type = lib.types.path;
description = '' description = ''
File containing the identity provider OIDC issuer private key. Identity provider OIDC issuer private key.
Generate one with `nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048` Generate one with `nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048`
''; '';
mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${opt.subdomain}.${opt.domain}" ];
}; };
}; };
}; };
@ -207,9 +220,11 @@ in
type = lib.types.str; type = lib.types.str;
description = "Username to connect to the SMTP host."; description = "Username to connect to the SMTP host.";
}; };
passwordFile = lib.mkOption { password = contracts.secret.mkOption {
type = lib.types.str;
description = "File containing the password to connect to the SMTP host."; description = "File containing the password to connect to the SMTP host.";
mode = "0400";
owner = cfg.autheliaUser;
restartUnits = [ "authelia-${fqdn}" ];
}; };
}; };
})) }))
@ -282,19 +297,20 @@ in
user = cfg.autheliaUser; user = cfg.autheliaUser;
secrets = { secrets = {
inherit (cfg.secrets) jwtSecretFile storageEncryptionKeyFile; jwtSecretFile = cfg.secrets.jwtSecret.result.path;
storageEncryptionKeyFile = cfg.secrets.storageEncryptionKey.result.path;
}; };
# See https://www.authelia.com/configuration/methods/secrets/ # See https://www.authelia.com/configuration/methods/secrets/
environmentVariables = { environmentVariables = {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = toString cfg.secrets.ldapAdminPasswordFile; AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = toString cfg.secrets.ldapAdminPassword.result.path;
AUTHELIA_SESSION_SECRET_FILE = toString cfg.secrets.sessionSecretFile; AUTHELIA_SESSION_SECRET_FILE = toString cfg.secrets.sessionSecret.result.path;
# Not needed since we use peer auth. # Not needed since we use peer auth.
# AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/run/secrets/authelia/postgres_password"; # AUTHELIA_STORAGE_POSTGRES_PASSWORD_FILE = "/run/secrets/authelia/postgres_password";
AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = toString cfg.secrets.storageEncryptionKeyFile; AUTHELIA_STORAGE_ENCRYPTION_KEY_FILE = toString cfg.secrets.storageEncryptionKey.result.path;
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = toString cfg.secrets.identityProvidersOIDCHMACSecretFile; AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE = toString cfg.secrets.identityProvidersOIDCHMACSecret.result.path;
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = toString cfg.secrets.identityProvidersOIDCIssuerPrivateKeyFile; AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY_FILE = toString cfg.secrets.identityProvidersOIDCIssuerPrivateKey.result.path;
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = lib.mkIf (!(builtins.isString cfg.smtp)) (toString cfg.smtp.passwordFile); AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = lib.mkIf (!(builtins.isString cfg.smtp)) (toString cfg.smtp.password.result.path);
}; };
settings = { settings = {
server.address = "tcp://127.0.0.1:9091"; server.address = "tcp://127.0.0.1:9091";

19
modules/blocks/hardcodedsecret.nix
View file

@ -4,7 +4,7 @@ let
opt = options.shb.hardcodedsecret; opt = options.shb.hardcodedsecret;
inherit (lib) mapAttrs' mkOption nameValuePair; inherit (lib) mapAttrs' mkOption nameValuePair;
inherit (lib.types) attrsOf listOf path str submodule; inherit (lib.types) attrsOf listOf path nullOr str submodule;
inherit (pkgs) writeText; inherit (pkgs) writeText;
in in
{ {
@ -56,12 +56,21 @@ in
}; };
content = mkOption { content = mkOption {
type = str; type = nullOr str;
description = '' description = ''
Content of the secret. Content of the secret.
This will be stored in the nix store and should only be used for testing or maybe in dev. This will be stored in the nix store and should only be used for testing or maybe in dev.
''; '';
default = null;
};
source = mkOption {
type = nullOr str;
description = ''
Source of the content of the secret.
'';
default = null;
}; };
}; };
})); }));
@ -70,14 +79,16 @@ in
config = { config = {
system.activationScripts = mapAttrs' (n: cfg': system.activationScripts = mapAttrs' (n: cfg':
let let
content' = writeText "hardcodedsecret_${n}_content" cfg'.content; source = if cfg'.source != null
then cfg'.source
else writeText "hardcodedsecret_${n}_content" cfg'.content;
in in
nameValuePair "hardcodedsecret_${n}" '' nameValuePair "hardcodedsecret_${n}" ''
mkdir -p "$(dirname "${cfg'.path}")" mkdir -p "$(dirname "${cfg'.path}")"
touch "${cfg'.path}" touch "${cfg'.path}"
chmod ${cfg'.mode} "${cfg'.path}" chmod ${cfg'.mode} "${cfg'.path}"
chown ${cfg'.owner}:${cfg'.group} "${cfg'.path}" chown ${cfg'.owner}:${cfg'.group} "${cfg'.path}"
cp ${content'} "${cfg'.path}" cp ${source} "${cfg'.path}"
'' ''
) cfg; ) cfg;
}; };

37
test/blocks/authelia.nix
View file

@ -13,6 +13,7 @@ in
(pkgs'.path + "/nixos/modules/profiles/headless.nix") (pkgs'.path + "/nixos/modules/profiles/headless.nix")
(pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix") (pkgs'.path + "/nixos/modules/profiles/qemu-guest.nix")
../../modules/blocks/authelia.nix ../../modules/blocks/authelia.nix
../../modules/blocks/hardcodedsecret.nix
../../modules/blocks/ldap.nix ../../modules/blocks/ldap.nix
../../modules/blocks/postgresql.nix ../../modules/blocks/postgresql.nix
]; ];
@ -44,14 +45,12 @@ in
ldapPort = config.shb.ldap.ldapPort; ldapPort = config.shb.ldap.ldapPort;
dcdomain = config.shb.ldap.dcdomain; dcdomain = config.shb.ldap.dcdomain;
secrets = { secrets = {
jwtSecretFile = pkgs.writeText "jwtSecretFile" "jwtSecretFile"; jwtSecret.result.path = config.shb.hardcodedsecret.autheliaJwtSecret.path;
ldapAdminPasswordFile = pkgs.writeText "ldapAdminPasswordFile" ldapAdminPassword; ldapAdminPassword.result.path = config.shb.hardcodedsecret.ldapAdminPassword.path;
sessionSecretFile = pkgs.writeText "sessionSecretFile" "sessionSecretFile"; sessionSecret.result.path = config.shb.hardcodedsecret.sessionSecret.path;
storageEncryptionKeyFile = pkgs.writeText "storageEncryptionKeyFile" "storageEncryptionKeyFile"; storageEncryptionKey.result.path = config.shb.hardcodedsecret.storageEncryptionKey.path;
identityProvidersOIDCHMACSecretFile = pkgs.writeText "identityProvidersOIDCHMACSecretFile" "identityProvidersOIDCHMACSecretFile"; identityProvidersOIDCHMACSecret.result.path = config.shb.hardcodedsecret.identityProvidersOIDCHMACSecret.path;
# This needs to be of the correct shape and at least 2048 bits. Generated with: identityProvidersOIDCIssuerPrivateKey.result.path = config.shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey.path;
# nix run nixpkgs#openssl -- genrsa -out keypair.pem 2048
identityProvidersOIDCIssuerPrivateKeyFile = pkgs.writeText "identityProvidersOIDCIssuerPrivateKeyFile" (builtins.readFile ./keypair.pem);
}; };
oidcClients = [ oidcClients = [
@ -73,6 +72,28 @@ in
} }
]; ];
}; };
shb.hardcodedsecret.autheliaJwtSecret = config.shb.authelia.secrets.jwtSecret.request // {
content = "jwtSecret";
};
shb.hardcodedsecret.ldapAdminPassword = config.shb.authelia.secrets.ldapAdminPassword.request // {
content = ldapAdminPassword;
};
shb.hardcodedsecret.sessionSecret = config.shb.authelia.secrets.sessionSecret.request // {
content = "sessionSecret";
};
shb.hardcodedsecret.storageEncryptionKey = config.shb.authelia.secrets.storageEncryptionKey.request // {
content = "storageEncryptionKey";
};
shb.hardcodedsecret.identityProvidersOIDCHMACSecret = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request // {
content = "identityProvidersOIDCHMACSecret";
};
shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request // {
source = (pkgs.runCommand "gen-private-key" {} ''
mkdir $out
${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096
'') + "/private.pem";
};
}; };
testScript = { nodes, ... }: '' testScript = { nodes, ... }: ''

37
test/common.nix
View file

@ -185,17 +185,36 @@ in
dcdomain = config.shb.ldap.dcdomain; dcdomain = config.shb.ldap.dcdomain;
secrets = { secrets = {
jwtSecretFile = pkgs.writeText "jwtSecret" "jwtSecret"; jwtSecret.result.path = config.shb.hardcodedsecret.autheliaJwtSecret.path;
ldapAdminPasswordFile = pkgs.writeText "ldapUserPassword" "ldapUserPassword"; ldapAdminPassword.result.path = config.shb.hardcodedsecret.ldapAdminPassword.path;
sessionSecretFile = pkgs.writeText "sessionSecret" "sessionSecret"; sessionSecret.result.path = config.shb.hardcodedsecret.sessionSecret.path;
storageEncryptionKeyFile = pkgs.writeText "storageEncryptionKey" "storageEncryptionKey"; storageEncryptionKey.result.path = config.shb.hardcodedsecret.storageEncryptionKey.path;
identityProvidersOIDCHMACSecretFile = pkgs.writeText "identityProvidersOIDCHMACSecret" "identityProvidersOIDCHMACSecret"; identityProvidersOIDCHMACSecret.result.path = config.shb.hardcodedsecret.identityProvidersOIDCHMACSecret.path;
identityProvidersOIDCIssuerPrivateKeyFile = (pkgs.runCommand "gen-private-key" {} '' identityProvidersOIDCIssuerPrivateKey.result.path = config.shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey.path;
mkdir $out
${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096
'') + "/private.pem";
}; };
}; };
shb.hardcodedsecret.autheliaJwtSecret = config.shb.authelia.secrets.jwtSecret.request // {
content = "jwtSecret";
};
shb.hardcodedsecret.ldapAdminPassword = config.shb.authelia.secrets.ldapAdminPassword.request // {
content = "ldapUserPassword";
};
shb.hardcodedsecret.sessionSecret = config.shb.authelia.secrets.sessionSecret.request // {
content = "sessionSecret";
};
shb.hardcodedsecret.storageEncryptionKey = config.shb.authelia.secrets.storageEncryptionKey.request // {
content = "storageEncryptionKey";
};
shb.hardcodedsecret.identityProvidersOIDCHMACSecret = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request // {
content = "identityProvidersOIDCHMACSecret";
};
shb.hardcodedsecret.identityProvidersOIDCIssuerPrivateKey = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request // {
source = (pkgs.runCommand "gen-private-key" {} ''
mkdir $out
${pkgs.openssl}/bin/openssl genrsa -out $out/private.pem 4096
'') + "/private.pem";
};
}; };
} }