many changes

2024-09-03 14:47:06 +02:00
parent fb32b88798
commit 92099bd1e9
44 changed files with 900 additions and 658 deletions
--- a/hosts/web-arm/modules/authelia/default.nix
+++ b/hosts/web-arm/modules/authelia/default.nix
@@ -3,31 +3,24 @@
 {
  sops.secrets.authelia-jwt-secret = {
    owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-backend-ldap-password = {
    owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-storage-encryption-key = {
    owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-session-secret = {
    owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-identity-providers-oidc-hmac-secret = {
    owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = {
    owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
  };
  sops.secrets.authelia-identity-providers-oidc-issuer-private-key = {
    owner = "authelia-main";
-    sopsFile = ./secrets.yaml;
  };

  services.authelia.instances.main = {
@@ -150,9 +143,6 @@
  
      notifier = {
        disable_startup_check = false;
-        # filesystem = {
-        #   filename = "/var/lib/authelia-main/notification.txt";
-        # };
        smtp = {
          host = "mail.cloonar.com";
          port = 25;
@@ -164,6 +154,21 @@
        oidc = {
          ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
          ## See: https://www.authelia.com/c/oidc
+          # authorization_policies = {
+          #   support = {
+          #     default_policy = "deny";
+          #     rules = [
+          #       {
+          #         policy = "two_factor";
+          #         subject = "group:support"; # Deny access to users of services group
+          #       }
+          #       {
+          #         policy = "two_factor";
+          #         subject = "group:admin"; # Deny access to users of services group
+          #       }
+          #     ];
+          #   };
+          # };
          clients = [
            {
              id = "gitea";
@@ -183,12 +188,11 @@
            {
              id = "nextcloud";
              description = "Nextcloud";
-              secret = "$pbkdf2-sha512$310000$UqX35Fh.7uTZLQqD.mk5wg$e139D4g9SGUFc.ZdKt3RAZljC8A7C9nixUQd7rQoHFMKop643SuwfazjNn0ehdyAjydM2zV.KzKnMLgSajo.xw";
+              secret = "$pbkdf2-sha512$310000$jPzRYxmYCCDC/Go0Xti9rg$5K70qyNktBEs6PVnJYMrve4insptBzRD1eTi76zFVnJ2aFEc1.7f3yzRTpQ9HVWfEfxRoowXNMNdLxHeDcbLDw";
              public = false;
              authorization_policy = "one_factor";
              redirect_uris = [ 
                "https://nextcloud.cloonar.com/apps/oidc_login/oidc"
-                "https://cloud.cloonar.com/apps/user_oidc/code"
              ];
              pre_configured_consent_duration = "1y";
              scopes = [
@@ -215,6 +219,22 @@
              ];
              userinfo_signing_algorithm = "none";
            }
+            {
+              id = "freescout";
+              description = "FreeScout Support platform";
+              secret = "$pbkdf2-sha512$310000$5D3wUR7CnuoeHu3eNWfETw$SY0GTnZor3BlZKPyU3evH9QTlQG6Bm32RoPAlUgdIRJ8HmL3jRLVtmPLxOcJj06ZS/dDTRfkYej2RmD5cA3T4A";
+              public = false;
+              authorization_policy = "one_factor";
+              redirect_uris = [ "https://support.cloonar.dev/oauth-login/callback/fryg87l64" ];
+              pre_configured_consent_duration = "1y";
+              scopes = [
+                "openid"
+                "profile"
+                "email"
+                "groups"
+              ];
+              userinfo_signing_algorithm = "none";
+            }
          ];
        };
      };