feat: authelia add ocis client and fix header

hosts/web-arm/modules/authelia.nix

@@ -173,6 +173,23 @@ in {
         oidc = {
           ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
           ## See: https://www.authelia.com/c/oidc
+          lifespans = {
+            custom = {
+              ocis = {
+                access_token = "2 days";
+                refresh_token = "3 days";
+              };
+            };
+          };
+          cors = {
+            endpoints = [
+              "authorization"
+              "token"
+              "revocation"
+              "introspection"
+              "userinfo"
+            ];
+          };
           authorization_policies = {
             "admin-only" = {
               default_policy = "deny";
@@ -284,6 +301,78 @@ in {
               ];
               userinfo_signing_algorithm = "none";
             }
+            # oCIS (ownCloud Infinite Scale) - web client (public, PKCE)
+            {
+              id = "ocis";
+              description = "ownCloud Infinite Scale";
+              lifespan = "ocis";
+              public = true;
+              authorization_policy = "internal";
+              require_pkce = true;
+              pkce_challenge_method = "S256";
+              redirect_uris = [
+                "https://files.cloonar.com/"
+                "https://files.cloonar.com/oidc-callback.html"
+                "https://files.cloonar.com/oidc-silent-redirect.html"
+                "https://files.cloonar.com/apps/openidconnect/redirect"
+              ];
+              scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
+              response_types = [ "code" ];
+              grant_types = [ "authorization_code" "refresh_token" ];
+              access_token_signed_response_alg = "none";
+              userinfo_signing_algorithm = "none";
+              token_endpoint_auth_method = "none";
+            }
+            # oCIS Desktop - static credentials hardcoded in the oCIS desktop app
+            {
+              id = "xdXOt13JKxym1B1QcEncf2XDkLAexMBFwiT9j6EfhhHFJhs2KM9jbjTmf8JBXE69";
+              description = "ownCloud Infinite Scale (Desktop)";
+              secret = "$pbkdf2-sha512$310000$NR4tztBecptj1ZiITK/Ktw$GkFNBfq1B3T1lDTKMci1aO8iulQFNlEtfydLwTrNTKIfrQFjM7EiOBaHGOBC7ohPaNfYCRAYYzcP2fDQf5XRGQ";
+              public = false;
+              authorization_policy = "internal";
+              require_pkce = true;
+              pkce_challenge_method = "S256";
+              redirect_uris = [ "http://127.0.0.1" "http://localhost" ];
+              scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
+              response_types = [ "code" ];
+              grant_types = [ "authorization_code" "refresh_token" ];
+              access_token_signed_response_alg = "none";
+              userinfo_signing_algorithm = "none";
+              token_endpoint_auth_method = "client_secret_basic";
+            }
+            # oCIS Android - static credentials hardcoded in the oCIS Android app
+            {
+              id = "e4rAsNUSIUs0lF4nbv9FmCeUkTlV9GdgTLDH1b5uie7syb90SzEVrbN7HIpmWJeD";
+              description = "ownCloud Infinite Scale (Android)";
+              secret = "$pbkdf2-sha512$310000$NjEumkph77Gql.CH0Oq3zg$I9ubOZ3VRCXPbHpW1U4bQmvLgP5DdiFeGgple2nIjtUJsFgkdiV/hcCt1h6adr1uvJSJAtHDRnMhYf3Zp2BpcQ";
+              public = false;
+              authorization_policy = "internal";
+              require_pkce = true;
+              pkce_challenge_method = "S256";
+              redirect_uris = [ "oc://android.owncloud.com" ];
+              scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
+              response_types = [ "code" ];
+              grant_types = [ "authorization_code" "refresh_token" ];
+              access_token_signed_response_alg = "none";
+              userinfo_signing_algorithm = "none";
+              token_endpoint_auth_method = "client_secret_basic";
+            }
+            # oCIS iOS - static credentials hardcoded in the oCIS iOS app
+            {
+              id = "mxd5OQDk6es5LzOzRvidJNfXLUZS2oN3oUFeXPP8LpPrhx3UroJFduGEYIBOxkY1";
+              description = "ownCloud Infinite Scale (iOS)";
+              secret = "$pbkdf2-sha512$310000$.nIk0IUua7n8VAUoR85yyA$6UhT/gi7spH/0PRqTa6clz7QMRSmP/FZ0BDIumJupM4V2Ai6MgGKdzlEaNTc2IDqpGL3NxF626g4zAHFRgD7Zg";
+              public = false;
+              authorization_policy = "internal";
+              require_pkce = true;
+              pkce_challenge_method = "S256";
+              redirect_uris = [ "oc://ios.owncloud.com" "oc.ios://ios.owncloud.com" ];
+              scopes = [ "openid" "offline_access" "groups" "profile" "email" ];
+              grant_types = [ "authorization_code" "refresh_token" ];
+              access_token_signed_response_alg = "none";
+              userinfo_signing_algorithm = "none";
+              token_endpoint_auth_method = "client_secret_basic";
+            }
           ];
         };
       };
@@ -323,16 +412,13 @@ in {
         proxy_connect_timeout 360;
 
         # Basic Proxy Config
-        proxy_set_header Host $host;
+        # Host, X-Real-IP, X-Forwarded-For, X-Forwarded-Proto, X-Forwarded-Host
+        # and Connection are already set by recommendedProxySettings; redefining
+        # them here caused duplicate headers and fasthttp "too many Host headers" 400s.
         proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $scheme;
-        proxy_set_header X-Forwarded-Host $http_host;
         proxy_set_header X-Forwarded-Uri $request_uri;
         proxy_set_header X-Forwarded-Ssl on;
         proxy_redirect  http://  $scheme://;
-        proxy_set_header Connection "";
         proxy_cache_bypass $cookie_session;
         proxy_no_cache $cookie_session;
         proxy_buffers 64 256k;