Cloonar/nixos
2
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

feat: change authelia

Browse Source
This commit is contained in:
Dominik Polakovics Polakovics
2025-10-14 19:54:45 +02:00
parent f516f46b06
commit 465daec0ab
2 changed files with 0 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

302
hosts/web-arm/modules/authelia.nix Normal file
View File

@@ -0,0 +1,302 @@
{ config, pkgs, ... }:
let
unstable = import (fetchTarball "https://github.com/NixOS/nixpkgs/archive/nixos-unstable.tar.gz") {
config = config.nixpkgs.config;
system = pkgs.system;
};
in {
sops.secrets.authelia-jwt-secret = {
owner = "authelia-main";
};
sops.secrets.authelia-backend-ldap-password = {
owner = "authelia-main";
};
sops.secrets.authelia-storage-encryption-key = {
owner = "authelia-main";
};
sops.secrets.authelia-session-secret = {
owner = "authelia-main";
};
sops.secrets.authelia-identity-providers-oidc-hmac-secret = {
owner = "authelia-main";
};
sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = {
owner = "authelia-main";
};
sops.secrets.authelia-identity-providers-oidc-issuer-private-key = {
owner = "authelia-main";
};
services.authelia.instances.main = {
package = unstable.authelia;
enable = true;
secrets = {
jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;
storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
oidcHmacSecretFile = config.sops.secrets.authelia-identity-providers-oidc-hmac-secret.path;
oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-identity-providers-oidc-issuer-private-key.path;
};
environmentVariables = {
"AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path;
"AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path;
};
settings = {
theme = "dark";
default_redirection_url = "https://cloonar.com";
# log = {
# level = "debug";
# format = "text";
# };
authentication_backend = {
ldap = {
url = "ldaps://ldap.cloonar.com";
base_dn = "DC=cloonar,DC=com";
additional_users_dn = "OU=users";
users_filter = "(&({username_attribute}={input})(objectClass=person))";
username_attribute = "mail";
mail_attribute = "mail";
display_name_attribute = "cn";
additional_groups_dn = "OU=groups";
groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
group_name_attribute = "cn";
permit_referrals = false;
permit_unauthenticated_bind = false;
user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com";
};
};
webauthn = {
disable = false;
display_name = "Authelia";
attestation_conveyance_preference = "indirect";
user_verification = "preferred";
timeout = "60s";
};
totp = {
disable = false;
issuer = "auth.cloonar.com";
algorithm = "sha1";
digits = 6;
period = 30;
skew = 1;
secret_size = 32;
};
access_control = {
default_policy = "deny";
rules = [
{
domain = ["auth.cloonar.com"];
policy = "bypass";
}
{
domain = ["*.cloonar.com"];
policy = "two_factor";
}
];
};
session = {
name = "authelia_session";
expiration = "12h";
inactivity = "45m";
remember_me_duration = "1M";
domain = "cloonar.com";
# todo: enable with 4.38
# cookies = [
# {
# domain = "cloonar.com";
# }
# {
# domain = "cloonar.dev";
# }
# {
# domain = "gbv-aktuell.at";
# same_site = "strict";
# }
# ];
};
regulation = {
max_retries = 3;
find_time = "5m";
ban_time = "15m";
};
storage = {
# mysql = {
# host = "/run/mysqld/mysqld.sock'";
# port = 3306;
# database = "authelia_main";
# username = "authelia_main";
# password = "socket_auth";
# timeout = "5s";
# };
local = {
path = "/var/lib/authelia-main/db.sqlite3";
};
};
notifier = {
disable_startup_check = false;
smtp = {
host = "mail.cloonar.com";
port = 25;
username = "authelia@cloonar.com";
sender = "Authelia <authelia@cloonar.com>";
};
};
identity_providers = {
oidc = {
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
# authorization_policies = {
# support = {
# default_policy = "deny";
# rules = [
# {
# policy = "two_factor";
# subject = "group:support"; # Deny access to users of services group
# }
# {
# policy = "two_factor";
# subject = "group:admin"; # Deny access to users of services group
# }
# ];
# };
# };
clients = [
{
id = "gitea";
description = "Gitea";
secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A";
public = false;
authorization_policy = "one_factor";
redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
consent_mode = "implicit";
scopes = [
"openid"
"profile"
"email"
];
userinfo_signing_algorithm = "none";
}
{
id = "nextcloud";
description = "Nextcloud";
secret = "$pbkdf2-sha512$310000$jPzRYxmYCCDC/Go0Xti9rg$5K70qyNktBEs6PVnJYMrve4insptBzRD1eTi76zFVnJ2aFEc1.7f3yzRTpQ9HVWfEfxRoowXNMNdLxHeDcbLDw";
public = false;
authorization_policy = "one_factor";
redirect_uris = [
"https://nextcloud.cloonar.com/apps/oidc_login/oidc"
];
consent_mode = "implicit";
scopes = [
"openid"
"profile"
"email"
"groups"
];
userinfo_signing_algorithm = "none";
}
{
id = "grafana";
description = "Grafana";
secret = "$pbkdf2-sha512$310000$TP7.qfcevrHJFGcIMdZgGw$mLQ.AC5M28ETouxyiCeRkenQuKPvH0.oF1exp6LXBpleV56PI6sWrwmBgD7sMsHrMbkvCX4lNPx0vMf0urVpYA";
public = false;
authorization_policy = "one_factor";
redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ];
consent_mode = "implicit";
scopes = [
"openid"
"profile"
"email"
"groups"
];
userinfo_signing_algorithm = "none";
}
{
id = "freescout";
description = "FreeScout Support platform";
secret = "$pbkdf2-sha512$310000$5D3wUR7CnuoeHu3eNWfETw$SY0GTnZor3BlZKPyU3evH9QTlQG6Bm32RoPAlUgdIRJ8HmL3jRLVtmPLxOcJj06ZS/dDTRfkYej2RmD5cA3T4A";
public = false;
authorization_policy = "one_factor";
redirect_uris = [ "https://support.cloonar.dev/oauth-login/callback/fryg87l64" ];
consent_mode = "implicit";
token_endpoint_auth_method = "client_secret_post";
scopes = [
"openid"
"profile"
"email"
"groups"
];
userinfo_signing_algorithm = "none";
}
];
};
};
};
};
services.nginx.virtualHosts."auth.cloonar.com" = {
enableACME = true;
forceSSL = true;
acmeRoot = null;
locations."/api/verify" = {
proxyPass = "http://127.0.0.1:9091";
proxyWebsockets = true;
extraConfig = ''
allow 127.0.0.1;
allow 49.12.244.139;
allow 77.119.230.30;
deny all;
'';
};
locations."/" = {
proxyPass = "http://127.0.0.1:9091";
proxyWebsockets = true;
extraConfig = ''
client_body_buffer_size 128k;
#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 360;
proxy_send_timeout 360;
proxy_connect_timeout 360;
# Basic Proxy Config
proxy_set_header Host $host;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-Host $http_host;
proxy_set_header X-Forwarded-Uri $request_uri;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 64 256k;
# If behind reverse proxy, forwards the correct IP
set_real_ip_from 10.0.0.0/8;
set_real_ip_from 172.0.0.0/8;
set_real_ip_from 192.168.0.0/16;
set_real_ip_from fc00::/7;
real_ip_header X-Forwarded-For;
real_ip_recursive on;
'';
};
};
}