rope/nixos
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Replace Docker containers with native NixOS modules for nginx, Authelia, and go2rtc

Browse source 
- Native nginx with ACME wildcard cert (*.nordhammer.it) via Cloudflare DNS-01
- Native Authelia SSO with forward auth protecting homepage + camera
- Native go2rtc camera streaming (no more Docker)
- Auto-migration script for Authelia secrets and user database from Docker
- Homepage hrefs updated to use HTTPS domain names
- Fail2ban updated for native nginx log paths + new Authelia jail

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
This commit is contained in:
ediblerope 2026-04-07 15:47:56 +01:00
parent cb8ecc1409
commit eadbc92126
6 changed files with 261 additions and 86 deletions
Download patch file Download diff file Expand all files Collapse all files

103
services/authelia.nix Normal file
View file

@ -0,0 +1,103 @@
# services/authelia.nix — Native Authelia SSO with auto-migration from Docker
{ config, lib, pkgs, ... }:
let
# Migrates secrets + user DB from the old Docker Authelia setup
setupScript = pkgs.writeShellScript "authelia-setup" ''
set -euo pipefail
YQ="${pkgs.yq-go}/bin/yq"
DOCKER_CONFIG="/home/fred/docker/authelia/configuration.yml"
SECRETS_DIR="/var/secrets/authelia"
STATE_DIR="/var/lib/authelia-main"
mkdir -p "$SECRETS_DIR"
# Migrate secrets from Docker config if they haven't been extracted yet
if [ -f "$DOCKER_CONFIG" ]; then
if [ ! -f "$SECRETS_DIR/jwt_secret" ]; then
$YQ '.identity_validation.reset_password.jwt_secret' "$DOCKER_CONFIG" \
| tr -d '"' > "$SECRETS_DIR/jwt_secret"
echo "Migrated jwt_secret"
fi
if [ ! -f "$SECRETS_DIR/session_secret" ]; then
$YQ '.session.secret' "$DOCKER_CONFIG" \
| tr -d '"' > "$SECRETS_DIR/session_secret"
echo "Migrated session_secret"
fi
if [ ! -f "$SECRETS_DIR/storage_encryption_key" ]; then
$YQ '.storage.encryption_key' "$DOCKER_CONFIG" \
| tr -d '"' > "$SECRETS_DIR/storage_encryption_key"
echo "Migrated storage_encryption_key"
fi
fi
chmod 644 "$SECRETS_DIR"/*
# Migrate users database
if [ ! -f "$STATE_DIR/users_database.yml" ] && \
[ -f "/home/fred/docker/authelia/users_database.yml" ]; then
cp /home/fred/docker/authelia/users_database.yml "$STATE_DIR/"
chown authelia-main:authelia-main "$STATE_DIR/users_database.yml"
echo "Migrated users_database.yml"
fi
echo "Authelia setup complete."
'';
in
{
config = lib.mkIf (config.networking.hostName == "FredOS-Mediaserver") {
services.authelia.instances.main = {
enable = true;
secrets = {
jwtSecretFile = "/var/secrets/authelia/jwt_secret";
storageEncryptionKeyFile = "/var/secrets/authelia/storage_encryption_key";
sessionSecretFile = "/var/secrets/authelia/session_secret";
};
settings = {
theme = "dark";
server.address = "tcp://127.0.0.1:9091/";
log = {
level = "info";
format = "text";
};
authentication_backend.file.path = "/var/lib/authelia-main/users_database.yml";
access_control = {
default_policy = "deny";
rules = [
{ domain = "camera.nordhammer.it"; policy = "one_factor"; }
{ domain = "homepage.nordhammer.it"; policy = "one_factor"; }
];
};
session = {
cookies = [{
domain = "nordhammer.it";
authelia_url = "https://auth.nordhammer.it";
}];
expiration = "1h";
inactivity = "5m";
};
storage.local.path = "/var/lib/authelia-main/db.sqlite3";
notifier.filesystem.filename = "/var/lib/authelia-main/notification.txt";
};
};
# Auto-migrate Docker Authelia data on first deploy
systemd.services.authelia-setup = {
description = "Migrate Authelia secrets and user database from Docker";
before = [ "authelia-main.service" ];
requiredBy = [ "authelia-main.service" ];
serviceConfig = {
Type = "oneshot";
RemainAfterExit = true;
ExecStart = setupScript;
};
};
};
}