From 12cb13952a2b5b43c2436b175b9073db49144d5f Mon Sep 17 00:00:00 2001
From: Fabian Montero
Date: Sat, 24 Aug 2024 03:51:56 -0600
Subject: [PATCH] add secrets generation
---
 sys/srv/authelia.nix | 42 ++++++++++++++++++++++++++++++++++++------
 1 file changed, 36 insertions(+), 6 deletions(-)
diff --git a/sys/srv/authelia.nix b/sys/srv/authelia.nix
index 914ff47..a4e5455 100644
--- a/sys/srv/authelia.nix
+++ b/sys/srv/authelia.nix
@@ -4,7 +4,36 @@ ... }: with lib; { - systemd.services.authelia.serviceConfig.LoadCredential = ["storageEncryptionKeyFile.txt:/var/trust/authelia/storageEncryptionKeyFile.csv" "jwtSecretFile.txt:/var/trust/authelia/jwtSecretFile.csv"]; + #TODO: no poner authelia-main en todo lado, usar config (o let o no sé) + systemd.services.authelia-main = { + preStart = '' + mkdir -p /var/trust/authelia-main/ + chown authelia-main:authelia-main /var/trust/authelia-main/ + chmod 700 /var/trust/authelia-main/ + + [ -f /var/trust/authelia-main/jwt-secret ] || { + "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/trust/authelia-main/jwt-secret + chown authelia-main:authelia-main /var/trust/authelia-main/jwt-secret + chmod 600 /var/trust/authelia-main/jwt-secret + } + [ -f /var/trust/authelia-main/storage-encryption-file ] || { + "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/trust/authelia-main/storage-encryption-file + chown authelia-main:authelia-main /var/trust/authelia-main/storage-encryption-file + chmod 600 /var/trust/authelia-main/storage-encryption-file + } + [ -f /var/trust/authelia-main/session-secret-file ] || { + "${pkgs.openssl}/bin/openssl" rand -base64 32 > /var/trust/authelia-main/session-secret-file + chown authelia-main:authelia-main /var/trust/authelia-main/session-secret-file + chmod 600 /var/trust/authelia-main/session-secret-file + } + ''; + + serviceConfig.LoadCredential = [ + "jwt-secret:/var/trust/authelia-main/jwt-secret" + "storage-encryption-file:/var/trust/authelia-main/storage-encryption-file" + "session-secret-file:/var/trust/authelia-main/session-secret-file" + ]; + }; services = { nginx = { 
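Review bot: Each secret in the new preStart is written with a plain `>` redirect and only afterwards `chmod 600`, so under the default umask the file is readable by other users for the moment between creation and the chmod, and if openssl fails the redirect still leaves an empty file that the `[ -f … ]` guards accept as a valid secret on every later start. Putting `umask 077` as the first line of preStart closes the window, and testing with `[ -s … ]` plus writing to a temp file that is `mv`-ed into place keeps an empty or partial file from ever being picked up. The three blocks differ only in the file name, so a loop removes the repetition that the TODO on the first added line already points at. Whether preStart runs as root or as the service user, and whether /var/trust is writable under the unit's sandboxing, is not visible here; if it runs as authelia-main the `chown` calls are no-ops and `mkdir -p /var/trust/authelia-main/` needs a writable parent.
```nix
      preStart = ''
        umask 077
        mkdir -p /var/trust/authelia-main/
        chown authelia-main:authelia-main /var/trust/authelia-main/
        chmod 700 /var/trust/authelia-main/

        for f in jwt-secret storage-encryption-file session-secret-file; do
          p=/var/trust/authelia-main/$f
          # -s rather than -f: an empty file left behind by a failed write must not count as a secret
          [ -s "$p" ] || {
            "${pkgs.openssl}/bin/openssl" rand -base64 32 > "$p.tmp" &&
              mv "$p.tmp" "$p"
            chown authelia-main:authelia-main "$p"
            chmod 600 "$p"
          }
        done
      '';
      # … unchanged: serviceConfig.LoadCredential list …
```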
@@ -19,8 +48,9 @@ with lib; { # config based on https://github.com/authelia/authelia/blob/master/config.template.yml settings = { secrets = { - jwtSecretFile = "TODO:"; - storageEncryptionKeyFile = "TODO:"; + jwtSecretFile = "/var/trust/authelia-main/jwt-secret"; + storageEncryptionKeyFile = "/var/trust/authelia-main/storage-encryption-file"; + sessionSecretFile = "/var/trust/authelia-main/session-secret-file"; }; theme = "dark"; @@ -49,7 +79,7 @@ with lib; { duo_api.disable = true; # identity_validation default values assumed: https://github.com/authelia/authelia/blob/master/config.template.yml#L266 authentication_backend.file = { - path = "/var/trust/authelia/users_database.yml"; #TODO: + path = "/var/trust/authelia-main/users_database.yml"; #TODO: password.algorithm = "argon2"; password_policy.zxcvbn = { enable = true; @@ -92,11 +122,11 @@ with lib; { ban_time = "5 minutes"; }; - storage.local.path = "/var/trust/authelia/db.sqlite3"; #TODO: + storage.local.path = "/var/trust/authelia-main/db.sqlite3"; #TODO: # TODO: #notifier.smtp = { - # + # #}; # TODO: voy por acá: https://github.com/authelia/authelia/blob/master/config.template.yml#L714
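Review bot: The new `settings.secrets` entries point Authelia at the files under /var/trust/authelia-main directly, while the unit's LoadCredential list added in the first hunk copies those same files into the credentials directory; as written the copies are never read, so LoadCredential adds nothing and the process must have direct read access to /var/trust/authelia-main, which the unit's sandboxing (not visible here) may or may not grant. Either point the settings at the credential copies, e.g. `jwtSecretFile = "/run/credentials/authelia-main.service/jwt-secret";` and likewise for the other two, or drop the LoadCredential list so there is a single source of truth for where secrets are read from. I believe the NixOS module also exposes its own per-instance `secrets.*File` options that it wires into the service itself; check that raw `settings.secrets` is honoured by the module rather than overridden, since that wiring is outside this hunk.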