auth01: decommission host and remove authelia/lldap services

Remove the auth01 host configuration and its associated services in preparation
for a new auth stack that uses a different provisioning system.

Removed:
- hosts/auth01/ - host configuration
- services/authelia/ - authelia service module
- services/lldap/ - lldap service module
- secrets/auth01/ - sops secrets
- Reverse proxy entries for auth and lldap
- Monitoring alert rules for authelia and lldap
- SOPS configuration for auth01

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 23:35:45 +01:00
parent 3dc4422ba0
commit 59e1962d75
11 changed files with 55 additions and 363 deletions


@@ -1,98 +0,0 @@
{ config, ... }:
{
homelab.monitoring.scrapeTargets = [{
job_name = "authelia";
port = 9959;
}];
sops.secrets.authelia_ldap_password = {
format = "yaml";
sopsFile = ../../secrets/auth01/secrets.yaml;
key = "authelia_ldap_password";
restartUnits = [ "authelia-auth.service" ];
owner = "authelia-auth";
group = "authelia-auth";
};
sops.secrets.authelia_jwt_secret = {
format = "yaml";
sopsFile = ../../secrets/auth01/secrets.yaml;
key = "authelia_jwt_secret";
restartUnits = [ "authelia-auth.service" ];
owner = "authelia-auth";
group = "authelia-auth";
};
sops.secrets.authelia_storage_encryption_key_file = {
format = "yaml";
key = "authelia_storage_encryption_key_file";
sopsFile = ../../secrets/auth01/secrets.yaml;
restartUnits = [ "authelia-auth.service" ];
owner = "authelia-auth";
group = "authelia-auth";
};
sops.secrets.authelia_session_secret = {
format = "yaml";
key = "authelia_session_secret";
sopsFile = ../../secrets/auth01/secrets.yaml;
restartUnits = [ "authelia-auth.service" ];
owner = "authelia-auth";
group = "authelia-auth";
};
services.authelia.instances."auth" = {
enable = true;
environmentVariables = {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
config.sops.secrets.authelia_ldap_password.path;
AUTHELIA_SESSION_SECRET_FILE = config.sops.secrets.authelia_session_secret.path;
};
secrets = {
jwtSecretFile = config.sops.secrets.authelia_jwt_secret.path;
storageEncryptionKeyFile = config.sops.secrets.authelia_storage_encryption_key_file.path;
};
settings = {
telemetry = {
metrics = {
enabled = true;
address = "tcp://0.0.0.0:9959";
};
};
access_control = {
default_policy = "two_factor";
};
session = {
# secret = "{{- fileContent \"${config.sops.secrets.authelia_session_secret.path}\" }}";
cookies = [
{
domain = "home.2rjus.net";
authelia_url = "https://auth.home.2rjus.net";
default_redirection_url = "https://dashboard.home.2rjus.net";
name = "authelia_session";
same_site = "lax";
inactivity = "1h";
expiration = "24h";
remember_me = "30d";
}
];
};
notifier = {
filesystem.filename = "/var/lib/authelia-auth/notification.txt";
};
storage = {
local.path = "/var/lib/authelia-auth/db.sqlite3";
};
authentication_backend = {
password_reset = {
disable = false;
};
ldap = {
address = "ldap://127.0.0.1:3890";
implementation = "lldap";
timeout = "5s";
base_dn = "dc=home,dc=2rjus,dc=net";
user = "uid=authelia_ldap_user,ou=people,dc=home,dc=2rjus,dc=net";
# password = "{{- fileContent \"${config.sops.secrets.authelia_ldap_password.path}\" -}}";
};
};
};
};
}


@@ -86,22 +86,6 @@
}
reverse_proxy http://jelly01.home.2rjus.net:8096
}
lldap.home.2rjus.net {
log {
output file /var/log/caddy/auth.log {
mode 644
}
}
reverse_proxy http://auth01.home.2rjus.net:17170
}
auth.home.2rjus.net {
log {
output file /var/log/caddy/auth.log {
mode 644
}
}
reverse_proxy http://auth01.home.2rjus.net:9091
}
pyroscope.home.2rjus.net {
log {
output file /var/log/caddy/pyroscope.log {


@@ -1,38 +0,0 @@
{ config, ... }:
{
sops.secrets.lldap_user_pass = {
format = "yaml";
key = "lldap_user_pass";
sopsFile = ../../secrets/auth01/secrets.yaml;
restartUnits = [ "lldap.service" ];
group = "acme";
mode = "0440";
};
services.lldap = {
enable = true;
settings = {
ldap_base_dn = "dc=home,dc=2rjus,dc=net";
ldap_user_email = "admin@home.2rjus.net";
ldap_user_dn = "admin";
ldap_user_pass_file = config.sops.secrets.lldap_user_pass.path;
ldaps_options = {
enabled = true;
port = 6360;
cert_file = "/var/lib/acme/auth01.home.2rjus.net/cert.pem";
key_file = "/var/lib/acme/auth01.home.2rjus.net/key.pem";
};
};
};
systemd.services.lldap = {
serviceConfig = {
SupplementaryGroups = [ "acme" ];
};
};
security.acme.certs."auth01.home.2rjus.net" = {
listenHTTP = ":80";
reloadServices = [ "lldap" ];
extraDomainNames = [ "ldap.home.2rjus.net" ];
enableDebugLogs = true;
};
}


@@ -414,24 +414,6 @@ groups:
annotations:
summary: "PostgreSQL connection pool near exhaustion on {{ $labels.instance }}"
description: "PostgreSQL is using over 80% of max_connections on {{ $labels.instance }}."
- name: auth_rules
rules:
- alert: authelia_down
expr: node_systemd_unit_state{instance="auth01.home.2rjus.net:9100", name="authelia-auth.service", state="active"} == 0
for: 5m
labels:
severity: critical
annotations:
summary: "Authelia not running on {{ $labels.instance }}"
description: "Authelia has been down on {{ $labels.instance }} more than 5 minutes."
- alert: lldap_down
expr: node_systemd_unit_state{instance="auth01.home.2rjus.net:9100", name="lldap.service", state="active"} == 0
for: 5m
labels:
severity: critical
annotations:
summary: "LLDAP not running on {{ $labels.instance }}"
description: "LLDAP has been down on {{ $labels.instance }} more than 5 minutes."
- name: jellyfin_rules
rules:
- alert: jellyfin_down