Connect Authelia to LDAP with LLDAP

This commit is contained in:
Lorenzo Good 2025-12-31 22:54:03 -06:00
parent 7f14aaaa3d
commit 13c43273a5
Signed by: lorenzo
GPG key ID: 7FCD64BD81180ED0
6 changed files with 59 additions and 8 deletions


@ -27,6 +27,31 @@ in {
type = types.path;
};
# https://www.authelia.com/integration/ldap/lldap/
ldap = {
addr = mkOption {
type = types.str;
description = "LDAP URL";
};
passwordFile = mkOption {
type = types.nullOr types.path;
default = null;
description = "Path to LDAP service account password file";
};
baseDN = mkOption {
type = types.str;
example = "DC=example,DC=com";
};
user = mkOption {
type = types.str;
example = "UID=authelia,OU=people,DC=example,DC=com";
};
};
jwtSecretFile = mkOption {
type = types.nullOr types.path;
default = null;
@ -105,7 +130,7 @@ in {
config = mkIf cfg.enable {
services.authelia.instances.main = {
inherit (cfg) settingsFiles environmentVariables;
inherit (cfg) settingsFiles;
enable = true;
@ -140,8 +165,12 @@ in {
authentication_backend = {
password_change.disable = true;
password_reset.disable = true;
file = {
path = cfg.userDbFile;
ldap = {
implementation = "lldap";
address = cfg.ldap.addr;
base_dn = cfg.ldap.baseDN;
user = cfg.ldap.user;
};
};
@ -156,6 +185,10 @@ in {
};
};
environmentVariables = cfg.environmentVariables // {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = cfg.ldap.passwordFile;
};
secrets = {
inherit
(cfg)
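Review bot: `passwordFile` is declared `types.nullOr types.path` with `default = null`, yet the last hunk maps it straight into `AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE`, so the default leaves the bind password unset and presumably trips the instance's environmentVariables type check with an unhelpful message instead of a clear option error. Because the LDAP backend now replaces the file backend unconditionally (the `file = { path = cfg.userDbFile; }` block is dropped), the password is effectively required: use `type = types.path;` without a default, or add an assertion on `cfg.ldap.passwordFile != null`. `baseDN` and `user` also lack a `description`, e.g. `description = "Base DN under which Authelia searches for users and groups";` and `description = "DN of the service account Authelia binds as";`. The enclosing module attrset starts and ends outside these hunks.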


@ -23,6 +23,12 @@ in {
'';
};
ldap_port = mkOption {
type = lib.types.port;
default = 3890;
description = "LDAP Port";
};
environmentFile = mkOption {
type = types.nullOr types.path;
default = null;
@ -56,6 +62,7 @@ in {
# Base setup.
http_port = cfg.port;
http_url = cfg.url;
ldap_port = cfg.ldap_port;
ldap_base_dn = cfg.base_dn;
jwt_secret_file = cfg.jwtSecretFile;
@ -71,5 +78,7 @@ in {
group = "lldap";
};
users.groups.lldap = {};
systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;
};
}
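Review bot: `systemd.services.lldap.serviceConfig.DynamicUser = lib.mkForce false;` is added with no comment on why, and forcing DynamicUser off also drops the sandboxing systemd implies with it (ProtectSystem=strict, ProtectHome=read-only, PrivateTmp, RemoveIPC, NoNewPrivileges, RestrictSUIDSGID per systemd.exec(5)) unless those are set explicitly. If the reason is that the state directory and secret files need a fixed `lldap` uid/gid, say so: `# Static lldap user so the state dir and secrets can be owned by a known uid/gid; DynamicUser's implied hardening is re-added below.` and consider setting those directives in `serviceConfig` yourself. The `users.groups.lldap = {};` line suggests the user is defined outside this hunk; the enclosing `config` attrset starts outside it as well.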


@ -31,12 +31,19 @@
# oidcHmacSecretFile = config.sops.secrets.authelia-oidc-hmac.path;
sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption.path;
ldap = {
addr = "ldap://localhost:${toString config.foehammer.services.lldap.ldap_port}";
baseDN = config.foehammer.services.lldap.base_dn;
user = "UID=authelia,OU=people,${config.foehammer.services.lldap.base_dn}";
passwordFile = config.sops.secrets.authelia-lldap-password.path;
};
};
services.lldap = {
enable = true;
url = "https://lldap.foehammer.me";
base_dn = "dc=foehammer,dc=me";
base_dn = "DC=foehammer,DC=me";
adminUserPasswordFile = config.sops.secrets.lldap-admin-password.path;
};
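Review bot: `addr` uses a plain `ldap://` URL, so the service-account bind and every user lookup travel unencrypted; that is acceptable only because the listener is on `localhost`, and the assumption should be pinned so the address is not later pointed at another host without moving to `ldaps://` or StartTLS: `# Plaintext LDAP is acceptable only because LLDAP listens on loopback; use ldaps:// if this ever leaves the host.` The bind account `UID=authelia,OU=people,…` is not created by this change, so presumably it must already exist in LLDAP with the password held in `authelia-lldap-password`; that manual step deserves a comment or a line in the commit description. The enclosing attrset starts and ends outside the hunk.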


@ -25,6 +25,7 @@
authelia-oidc-hmac = autheliaSecret;
authelia-session-secret = autheliaSecret;
authelia-storage-encryption = autheliaSecret;
authelia-lldap-password = autheliaSecret;
authelia-users = {
owner = "authelia-main";
sopsFile = ../secrets/authelia/users.yaml;
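Review bot: `authelia-lldap-password = autheliaSecret;` is added, but `authelia-users` (owner `authelia-main`, users.yaml) stays declared even though the file backend that consumed `cfg.userDbFile` is removed in this commit; if nothing else reads it, it is now a dead secret that is still decrypted onto the host and should be dropped along with the `userDbFile` option. The `sops.secrets` attrset starts and ends outside the hunk.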


@ -14,7 +14,7 @@
"/var/lib/caddy/.local/share/caddy"
"/var/lib/vaultwarden"
{ directory = "/var/lib/private/lldap"; user = "lldap"; group = "lldap"; mode = "0700"; }
{ directory = "/var/lib/lldap"; user = "lldap"; group = "lldap"; mode = "0700"; }
];
files = [
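Review bot: The persisted directory moves from `/var/lib/private/lldap` to `/var/lib/lldap` (following `DynamicUser = false`), but nothing migrates existing state, so on a host that already holds the LLDAP database under the old path the service comes up with an empty directory after this change. If that applies, move the data once before switching or add a one-off activation step, and record it in the commit description. The `directories` list starts outside the hunk.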


@ -2,6 +2,7 @@ authelia-jwtsecret: ENC[AES256_GCM,data:Vn9K88LdQ6wDgah3SGWOeQM9cjb3iSXUhuIKngpf
authelia-session-secret: ENC[AES256_GCM,data:itOZeg3V11RJqsuSQ/GQzO1+bjnPqrvzGa26NCnRwN+I/OTLZV4HhWW7Lqw=,iv:wb9kIkK2OYZo4pAxSVHk4+L53j07/a8SFsItvGlzxk8=,tag:fzrPRhGmy3HZ9zwtWG/5Tw==,type:str]
authelia-storage-encryption: ENC[AES256_GCM,data:ZOY2p7qM0gaTGnvopppH76uZ/5Gi5ussK9PxS62HJYNY6lqDT39IKTfS6Y4=,iv:Kba9RHQT8wiRjpJLdM0Ww6HRbENAXqmVSiDITe4Bql8=,tag:FPcHEfQlMwbHkeF7vhjiqg==,type:str]
authelia-oidc-hmac: ENC[AES256_GCM,data:raPEk+m3zg8pz8U3KYHmcxMUIkExPvxtKThngdhiolBt0jA+YGyxd1lOfBU=,iv:3j+bJnoc7rCUou691LCzyEoUL7Ve8jSaIpkoVvBthVM=,tag:rWIX9eEI8+h2+jozqYT4Gw==,type:str]
authelia-lldap-password: ENC[AES256_GCM,data:TnKK3UJusBxYq5tkMEpneqh68kerdvZnc02ZGsARv41K1ya6Mgho1iOSgla2LD26zoWlBbFECQFmH4TQGvdK2i2HCAoY7nhjSDw28jvkR9lZio0wM0tSoQ==,iv:F1U10/VjTRxnhbbNP87CujxprK8RF6ehHWwbUrac9JU=,tag:AwX5O5ciQVowiOHQceLssw==,type:str]
authelia-oidc-privkey: ENC[AES256_GCM,data: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,iv:sm6m1pgilv2rM/7IK3ARoDLjoAr6MjIFL6R9hgYAQjY=,tag:ngQjStO7oSAcXbLOTrK9sg==,type:str]
sops:
age:
@ -14,8 +15,8 @@ sops:
cmJMTWdHTlVPUU52dXYrelM4aDlKbE0KaKvTldyLmJPTLq3p8136ZV0692KaANSp
8tH0wFq8HUaAvB+oRgAPZxd6BmnAU6wlkpFw9mka8nY4U37yna6yOg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-06-04T21:04:51Z"
mac: ENC[AES256_GCM,data:HvL9IPa7pZ9X6hEPrknzjvS9u3l28iChfnfCcY+KNX/WyvlhoLBU0jR148ATyy1e/gbyFNYY00Qa1MbwM9j+kun8awZQ6WdxCrIU7XE5dnH6RnsEtvfErSERnCE4byIBeCCADjdYRb7RQsVaD+UKSj9hERCwvFEaLCy4lbod2Gk=,iv:sWCOMB7ibpKveZIUyhj4MteQgYfOgESGADpXJiwHQL4=,tag:Npn1zIVRgBs50EN3g8MgcQ==,type:str]
lastmodified: "2026-01-01T04:19:17Z"
mac: ENC[AES256_GCM,data:b5F0OCi+VgWxn877MV2nR5UxIIe236m6lupAa/YKd5c7LOx7BL6+RFp2rPsdQRaJn/C+ST+iOy1t/EE+IGPe1ubvtJn7FSMJmHNhsepycmtOd6oAJ1Tnxtm5dKn6VRih28IY/KHuflKpbOiwAfk3E01nIg2dEZfzBaLomrLG8cc=,iv:vwZUYc8UNZ9c9dDucWECvGOp8iZIcICSq94BUxSph7Q=,tag:N82z0blhSCBYPr8WOSpGtg==,type:str]
pgp:
- created_at: "2025-06-04T21:04:24Z"
enc: |-
@ -29,4 +30,4 @@ sops:
-----END PGP MESSAGE-----
fp: A972C2063F4F2554
unencrypted_suffix: _unencrypted
version: 3.10.2
version: 3.11.0