swap to lldap user backend

Author: kclejeune

.gitignore

@@ -4,3 +4,4 @@
 .git/
 .devenv/
 .pre-commit-config.yaml
+.playwright-mcp/

modules/nixos/gateway.nix

@@ -9,6 +9,9 @@ let
   autheliaLogFile = "${autheliaStateDir}/authelia.log";
   domain = "kclj.io";
   autheliaPort = 9091;
+  lldapPort = 3890;
+  lldapHttpPort = 17170;
+  baseDN = "dc=kclj,dc=io";
   lokiPort = 3100;
   grafanaPort = 3000;
   prometheusPort = 9090;
@@ -81,7 +84,7 @@ in
       "authelia/storage_encryption_key" = {
         owner = autheliaUser;
       };
-      "authelia/users" = {
+      "authelia/ldap_password" = {
         owner = autheliaUser;
       };
       "authelia/oidc_hmac_secret" = {
@@ -96,6 +99,10 @@ in
       "authelia/smtp_username" = {
         owner = autheliaUser;
       };
+      "lldap/jwt_secret" = { };
+      "lldap/ldap_user_pass" = {
+        mode = "0444";
+      };
       "cloudflared/tunnel-credentials" = { };
       "cloudflare/api-token" = { };
       "grafana/secret_key" = {
@@ -116,7 +123,12 @@ in
       log.keep_stdout = true;
       default_2fa_method = "webauthn";
 
-      authentication_backend.file.path = config.sops.secrets."authelia/users".path;
+      authentication_backend.ldap = {
+        implementation = "lldap";
+        address = "ldap://127.0.0.1:${toString lldapPort}";
+        base_dn = baseDN;
+        user = "uid=authelia,ou=people,${baseDN}";
+      };
 
       access_control = {
         default_policy = "deny";
@@ -194,6 +206,8 @@ in
     };
     environmentVariables = {
       AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = config.sops.secrets."authelia/smtp_password".path;
+      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+        config.sops.secrets."authelia/ldap_password".path;
     };
 
     secrets = {
@@ -214,8 +228,14 @@ in
     '';
   };
   systemd.services."authelia-${autheliaInstance}" = {
-    after = [ "redis-authelia.service" ];
-    requires = [ "redis-authelia.service" ];
+    after = [
+      "redis-authelia.service"
+      "lldap.service"
+    ];
+    wants = [
+      "redis-authelia.service"
+      "lldap.service"
+    ];
     serviceConfig.EnvironmentFile = [
       config.sops.templates."authelia-smtp.env".path
     ];
@@ -259,7 +279,7 @@ in
     };
 
     virtualHosts."auth.${domain}" = {
-      addSSL = true;
+      forceSSL = true;
       enableACME = true;
       http3 = true;
       quic = true;
@@ -331,6 +351,27 @@ in
     };
   };
 
+  # LLDAP - lightweight LDAP server for user management
+  services.lldap = {
+    enable = true;
+    settings = {
+      ldap_host = "127.0.0.1";
+      ldap_port = lldapPort;
+      http_host = "127.0.0.1";
+      http_port = lldapHttpPort;
+      http_url = "https://lldap.${domain}";
+      ldap_base_dn = baseDN;
+      ldap_user_email = "admin@${domain}";
+      force_ldap_user_pass_reset = "always";
+    };
+    environment.LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/ldap_user_pass".path;
+    environmentFile = config.sops.templates."lldap.env".path;
+  };
+
+  sops.templates."lldap.env".content = ''
+    LLDAP_JWT_SECRET=${config.sops.placeholder."lldap/jwt_secret"}
+  '';
+
   # Redis for Authelia session storage
   services.redis.servers.authelia = {
     enable = true;
@@ -571,8 +612,11 @@ in
     };
   };
 
+  # lldap web UI: not exposed via nginx — access via SSH tunnel (ssh -L 17170:127.0.0.1:17170)
+  # or add to cloudflared tunnel with Cloudflare Access protection before exposing publicly.
+
   services.nginx.virtualHosts."grafana.${domain}" = {
-    addSSL = true;
+    forceSSL = true;
     enableACME = true;
     http3 = true;
     quic = true;

secrets/gateway.yaml

@@ -4,7 +4,7 @@ authelia:
   storage_encryption_key: ENC[AES256_GCM,data:OI9nOTuMkdjMeAlN/CVQIyYPwzCzqXk3UDVW5UCH2YBjxLm45UINR5o0fShSGKuNnL2iUWfijuUBlL2bGO0OXw==,iv:g7A0xtBZnOc7GixPWIU4FXY8aPVK9xT22iFti0ha9ts=,tag:xAFDN2ddQ05MUAKbPdqJYg==,type:str]
   smtp_username: ENC[AES256_GCM,data:mlPOJ3ktS7bhKLznMPXO4xdxog==,iv:Af5Uhsb0/VRv9Y6dnBeE+NImdgQBryGhL1xtMMeXWW0=,tag:U7av7e2IpfOKADBun0hEGQ==,type:str]
   smtp_password: ENC[AES256_GCM,data:f2TtCHsQQQDeK+il/e7IdQ==,iv:w54Mt2QMOR68XyEmNpcVtaQAYJ2y8SPYP/8HNx691bQ=,tag:tuha8PogvCv/LW/wz604OA==,type:str]
-  users: ENC[AES256_GCM,data:0VoWsdUwiXKfLMH/QWK1a1NKSVMAk4KSz6rxvq3EbmTb/Z0biXSEBslVYT2BYQTAG7uMmNYw/MT9ExO4a/8us00HkIZcGE7G+Ks2odNzBiq0Sm375hc2fXRApYE+G/Edq/I1OvsaWkmvA3VLt3PcJIVFJZX9VnGQbUxWqzDMvEZCXERJ9Lpqr8hYL+L/Bamtja/290BlIGUu7tls5lo5G+mJIL5b48VrtlX4p0pFxqGdFU3+xYdCzgscoH1M/fwzy6nXHwLqkoABtMEnZoZALBX4uZNI99Hl,iv:pGQTnGoONZIji+3jUgKjuq2Oh3Q5nxEzbkzApjDqDo8=,tag:wvGeTir54P6EEKp1qB+9Vw==,type:str]
+  ldap_password: ENC[AES256_GCM,data:xh6Aq9Okeyj7dhgEoMI3l2fED6lx5t6HgPYpBMunhPW083T8,iv:YCAGYsE6fIp6oSiLow2XW5NHLFdAwMHygXNlgahx+FA=,tag:KMzt2bMbMmp2AAeqhORHqw==,type:str]
   oidc_hmac_secret: ENC[AES256_GCM,data:n6uGC6KXo4qpznziXGKWFvwIntHWGbs93+C8ynIIuL8S/rPP6dDW93+mxaJ6baq2FZXv6UnaNKlM4mppuvUsdw==,iv:jPZACmXO0zPOB/kOLx2g37NOEI9WHfw777dlK4oy9R0=,tag:0HPJ2xduweam/g2M24/XKg==,type:str]
   oidc_jwks_key: ENC[AES256_GCM,data:g3UICFtfP/pyNRCMSb0rke7/7euZ3FHoGW9FRQslipOW0XlpGXE8ZdJq9hcnMSu8RyEwHOAgxH01Ea5HcJrqn6vTbSqrzJJTcoSZC1Oeiv/FX5f8rCUiOhRF9bTj8rRVqW3oFoyAE9olPoztxv3VLA4+M5bjM366981FmJl5CGRaDmS7rREX8q8+VPvfDTgsKYNPcxZNnSV474Y8vL/tgirhSvS4iiSw9VJ5eoGP5xzuNMGpBm/cXmvvUJrhqdYX6JRzPBWjIhSmBpAnk4wbBFHpHPIp9JIGH135w+XoAhV8vyShiu8uQnVMKYq/c0Yj8QcVRiucCEGHhkReo3fwSSINRnmC1SHQb3OknztKnu03ZnurcCacSBvfFuH2CSpmNzw3rEALHQTt2gpb+zc7TwR/UdixWGzBQPJAyjo+c+Xrt8xjV+Ii9dcQoOgUnNIH+TY1XEfekSTXHWR42ckbqhkg3Qa9Y2BtEVtD8mbukddse2X3zgRbxcNZx3xU4zQArKRl6grvLe4+jAtRA9GvTIpKMNoFBxRu2NdxENJjQVLqhgJx+pvrhNsttPvOy4/SXvfMdwLzzloqC9wOzcCeBKmHCuQButBH1pTkz+vb2aFn3ccGUWHDrav1jzn/7oqmBQhyPwJhJLrDOV5dVXp8DMUC82cI/Ts7FNABHLJjhdgwvWa9IB6vC/cXwJxQHXVCq20RoauNL0pENaxlZ/lhspBuB4GC37l+5S4ryBD5a9eaVdcf3xJ/0jzaoIBf0jHFjociIfduchTUE/QH96Zr8gLFH4l27gvnZAgNZbYMXU0yNmqnqg7cw+yWVpu2bqgjvk21McVvFe4+djG5uwuCloVQuNs28bDF+rOdauVIP3faVscVxxm8ZhJKIdhKK/cIORUrag7k53XSZIGeDKo9AWJaSf9l7cwxu2NLgw2tpKu1cHJabgvy51KxNCIHyrI2vk10Q106zyXrccPV/GRdhtLmD2vjhRSkjUBcHL5hAL9SKrk6hPjKi/USUZxnJpRd58097wjh2/+rq420uRL8zCBfmeqSiRpTmAueNb7zL8MT5k35eGvxlNVb9Dy3gkvvgS7H2lZNzFJ9oNlZ1pJQuZ5dpjeKdr+93ilKg+xEyXqlIMiWnuQHTiIQwWZG1Hzay51ywLTt26+EfACXTFq5yWfcQZpzQQULQkmjFrL9o3/ncs3vwh7jH4/nGLqg2rdps63mEKthS9gcutyI2nVBaXqKy/j/qJIm4CiY+oGAlDmB48/Y6eUAw5dQQ4ymvzdvamzCR6qu60RbaPolvWVWAAMeM1E9uDy9GgQ+dpiMpoaJyTLhEZL2DrOD91ZAhsgni7jsEIqZ+dDJjpNy1BLxMKViZj8SR71WgpMzgoTNWGqfeLwLPneLaBqv43soGwTenAfle6WJB+k6CyyUUcnzDwITQa7aejMFVGI00PV3Fa5m15vRcAT3z8mtLvz/ctTjmujjZ98R9KatIfc6c2aXxQT/xtjx4g9H3LJJlQT8+vR56GWEGf4bRkxTARZ2uhmOFK7XVSJeoyz4LxXev7TOfPa0+WtRGvMYYGgsKV9FQA1qgeEZ/UHY6z8F5zCmLaBROPVw0qq9dv2Ll6GqaRw2GQgEzSZLwFcoTa9LLDBSJopC3CK4q9GAbBFJfl8M+gX9T8awbj+4sEM4RQjjWDgsnY503brDCB1uYj/rrHpOrTQDvzd7IjHwca8Bzzbq+mDqVeNlcd1LdCk2GekxK1RwD2PXfCzVozWHwvJMnsXceybjmMQM+ARzkPZ3Rsxd59FT5C6L3SEiq7LrqjHlOmS4Ue0A8Vyk805Y3pj/l+H9PK5mS/YZay5fdEWYiSy+99ADLWBKcaFOApCKG7NdkwM0TW6WfH/CH3QkgFWWMaMvuqxPxBx2IrxLmfWi0awNcjIUETk5qlMbI47+Etw/4RcKU2gtQjqWstga479nkWm/g1WDSdtAB7Jh3BFL4zhYI7YoZdvoIS664YYu0wi+D/NChqRLCRLUceZ2rJFjFVFvJrZ9IsFdchbYqWpn4KsJVxc0SyVEshVVLADcs5WxfAyiqgdie/5k7eMRleBgtYqZOMMPkHOAojhZ3hxLhT0DSJlr2Kcnkd91HKhopLhLlMiv6xFgqOihiEwg3ml0wn9KMejH1yv3gxbQCcVUtiaW8B1gF6QFFffnEOAzutYOguK9mzxuy8YOPanvXi5v1X0D2lLuZAcD8yii0Eh5lE2aAx7ybMLchfOb7dgDIjwvQfI6HS32CHCIQtH42AzqozUVEuXPzIrr+qJGnV1cmkswrFvcPArA2Dk3iN71xmrfONWee6SFg11yE5FsBnDbcVVKnFlwnESK483Lz47JFVm4TjAdCDcHjotA2fmSG/jS4RfLcMfIcN7VJG7HnQyTfzgSdusy0XnGATSUnfvhvv1q/HxGoBgfMqOqz95+gMhRmZy9k9NtMK3uwjdZqhVmGpb3hUM3BUNNXybvBLj+/NZqdn/NaedYO5YymxMnj7+iVdE9ijpBs8tgTTeXnA/vfwJuezbRf+WIN15HcNuPVGEV4w8tcmVPCGE8Du0WYXCaTQzjW0hjenCnRxbJns1wMHlEvYnW4mkByikGb+0qaWHjzXUVcH8puYb9c/M/RMYPgrYJUlRnASYtCGwPAxgwyMW1EGgdUagSZTo6pq27d2Oif9d53KItO0keZGrsRjk6kcX5/fr3l6434iJS9ENtnciaYeS2Rgbnw8BGBf3wDJZGntxzWKAVzBXjYnNxNG6CzsrLN+L79cTw1Zk1/Nq4cmOVONmPUVQCGjTc2kojXNrJufBxXz6sHWEDfCUh5Gm7FH+NPvfGnKla3TRt4FEocxVjs+uMXj0N04peiDK+9bY7HclKJ0v2eP/PJzaLz9vyya8ZgBaECDRHQgJjofnqM+Ht3yTnrL1XQYaYPqOdFgQyR5uQ1YdwL0AukVTtnZtdG+vFGj6OU3BlCNslWwZZAVoxe7JcHqudmx8bG3R8g0mg1IOwZCNVxqfI7MnYaj9yMaN1Cy77ZnsKFfdWBZvGW5+kC/195p/i/zhg35BnGuRFPAjfiVjOefR8erEp5iVExAUtvOSASUWq+fonnLtP260dcmI9guu832GbgmTd39IVas82R1yhCy4tUyUny6Xl+Ws/vadGn6qibAmdIxO5OgfzXnq3OQKcnZzoPrXKQTGdxOK4Kk8bV8n0byMzCPscUmAeLZadMYV/ftORlVK+CSUllMeUzt9hpwZhdi3KEvko76aBKWi3XzMH5LV6xQSoLM1EyOxjTJcEPLcgWva54VzOfxjfZRBBkcV1xY6BUqT0fICJLGNSjP89gzdM4iyMmm+LDWIOX8InB5sP+pV4XxBIJJU+URLtqWD4H3aL871EX3zSgTOQC3wMyGeQQJIznYLHjx9fXzXay+aym3Y7DoQdotG8VHJvaqhuXYG3MRyo4xLGWiWs/mTlzE+dmkY9qEzOKSZdj1p4RatNs1CCLI048v/cOEYyqanlfutnaSjsoXFhUWQTH8Ryo9RpNmebiyfiVOWJWHvZhQW+kf7K1qJ+rZg0tcNAeRssnQSxz8vICpNv1kS7bvTqfa5V+EguVlIfzmFCSWiInrqnL4dUh5xego+Fp0w7/fxOZSK4eIbtVhRwe+H+v2LaTOOWkd16ZLLTwklMWVuEiTjRi3CCvg0jrYQMlqslBlFI5KyuwjqmJP40ONd9WEi+0QckKlQ1D4I2Y/BQUz9TdQ5QlZXxbEUUifF/GhpxcFIxsxY1446ikEs4Qn8mDBcqOO0+/KVGzJ80/bMdrbOT5ZGfvnDZqU/xzzkT1cysuiAMMP5+wsLXcWVsViQYsBlm4s6Qnt31mJIareoGpbdk4obTo4PBRYL7rGdxHNP63VBd9A4IMHlSbicvUS068EWWtVP4hN9J8JMndQai6E8OKnou+Bf6M4opKUNAMkXHsh+q5/sKld68XT9ZZum0KOpnH1w9Qdz2nS8LvMQDqneGDQxxaL8TQQCooKr+A3qI6vAvXldz7De097q5Nd1MGk0yF4jX2b7Qun+P+Q2wmI/MBuod2DzMemrsSoPkdv1/FwNclHOyoyMvM18Ge9oTMYWOIbAFbg0YmjZSLZeW9FSpizBI3v6if3j03TGkQGFxGXrT6PK12j3fjINbpLOOhvuyc3d1E/TKtnyChB37oGSLiok//zOD/1pDKYocTWvxcppwcjZpgO6ZFdYNqunfI20ZU+DkTvaSvEGN5nyjf4qjN2FlfOF1zL4bs9TsaJgb2PiYX/Ofb/JE+rFDBWT5zuZcfCAWc0WkIy3ifFZUXRKKe21hPAxky1ebAHHzXAelocIQ7QbAdsz9F4Zh1zrgK0eang==,iv:1jh8cm5BzkGN23G60Io+pUVHlsOnO85ZlNJP1yZQMzg=,tag:hYFVUhxgs5c5uskovKV88Q==,type:str]
 cloudflared:
@@ -14,6 +14,9 @@ cloudflare:
   access_oidc_client_secret: ENC[AES256_GCM,data:03N4A1LsWpchER4RnlmqVzkTah4PWZDcVAorWB1LjdO8wlPMF6KXJT2at/Cv4FtpZSC3o+Idr+hZr5Qy5R0CyQ==,iv:WFk3ix+tRbpP3JoMBnm8W4u7vKhFqWcOpa1S8Z2hRbQ=,tag:nVaVJPE1wquEyM+Gwx+Oxg==,type:str]
 grafana:
   secret_key: ENC[AES256_GCM,data:Rfn1PtwMuFscmmYHmZKvIITbeZHBAyzqaUqubpjuJ0iGecE+zjv5Rwup6t7SG2IpuIxp8snl8dHKc5ltBfRpnA==,iv:2+N0ieoe0lz3iZk/BDsgfdoXzgYb5Y/6vuA5SoE0wic=,tag:oc8KEJGnyRiN/FIbAXjNDw==,type:str]
+lldap:
+  jwt_secret: ENC[AES256_GCM,data:w3A+/+KWiG7Vhb02QinE3BJ8yxjso/v6acd/m1twpoJvSg1piO1cijfC7kU=,iv:N8PYdZwcGqCWLtOeoXJRUY8s76UeOFaCEcvfG2i9M/s=,tag:+XkqihvlnlRaSt/PWGD6Uw==,type:str]
+  ldap_user_pass: ENC[AES256_GCM,data:1hYwdka+YAFk0YZrBsZQYbt2a7Qr40S/32HgCgTJnqdUkvd8,iv:UeMIQq65tmvVHHiJh0zGmPestonlc59Qj3lWyKZMpHY=,tag:Su3aFCvSeWjS87Vozteqdg==,type:str]
 sops:
   age:
     - recipient: age16vnps5ues20fykepcjwr5zyvf5p7pzd3skdr4kh4hf9nxl38vfxq6vanlm
@@ -34,7 +37,7 @@ sops:
         bWJjR01KWms1bzVrNWRQV0wwWDI3eGsKln8t3265re+C9MLMMvKF74d9sYeOTqJi
         My953QyRM4VA5SjPX+LF8DAJLhhMuPeYAgQQ7rNQqizUJ+63nGGakA==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2026-04-02T17:14:44Z"
-  mac: ENC[AES256_GCM,data:olAZ+Teyem2e2IWhsxCtZQbmigdgN+vbn5ywW2pK4odwBsOTdR2vuEotnQJtBDTgWGjJg2EpdWkmyrDhhmgBQkBFO7m2EFFGRuw8ZDTxSuOFG0HyCq4fuPZ6hoicogRSAvjJBuCwV6bu603ghDax2qDdpMff0PO8mqA6KqR8IfA=,iv:oqQp/MjrAECzNH07q/DXmAqi9o+78xtrVH/N29N1sCM=,tag:WPTd9LgGt7vLcNrN+D9Rcg==,type:str]
+  lastmodified: "2026-04-04T21:55:08Z"
+  mac: ENC[AES256_GCM,data:eUycbOisztigQ3C0/Cxn9Dk2yCkLYAxL3HrcSas72LgMRzvufPVc3bOmlXS3ZOoRXdLRLcBqfqY3R2F8AVaoIJix3Z0yAleQ2LBX6OPojpOvfCHLmnmWHRX+uE8NQc8xdJv0CbFnUvAdrbHp1W9PlbHEnq2brgLgb2FFL5RFGYs=,iv:YV31WvnQlOwIKYzR4XxQpfEbocJOug0eKPvhj6a599M=,tag:dK5uCsyze+1b1HT2rLjKkA==,type:str]
   unencrypted_suffix: _unencrypted
   version: 3.12.2