feat: authelia, more authorization policies to allow users to different software

Dominik Polakovics Polakovics 2026-03-03 21:54:09 +01:00
parent b6cd213560
commit f1b4e2d9bb


@ -110,6 +110,7 @@ in {
}
{
domain = ["*.cloonar.com"];
subject = ["group:Administrators" "group:Mitarbeiter"];
policy = "two_factor";
}
];
@ -172,28 +173,37 @@ in {
oidc = {
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc
# authorization_policies = {
# support = {
# default_policy = "deny";
# rules = [
# {
# policy = "two_factor";
# subject = "group:support"; # Deny access to users of services group
# }
# {
# policy = "two_factor";
# subject = "group:admin"; # Deny access to users of services group
# }
# ];
# };
# };
authorization_policies = {
"admin-only" = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:Administrators";
}
];
};
internal = {
default_policy = "deny";
rules = [
{
policy = "one_factor";
subject = "group:Administrators";
}
{
policy = "one_factor";
subject = "group:Mitarbeiter";
}
];
};
};
clients = [
{
id = "gitea";
description = "Gitea";
secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A";
public = false;
authorization_policy = "one_factor";
authorization_policy = "admin-only";
redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
consent_mode = "implicit";
scopes = [
@ -208,7 +218,7 @@ in {
description = "Nextcloud";
secret = "$pbkdf2-sha512$310000$jPzRYxmYCCDC/Go0Xti9rg$5K70qyNktBEs6PVnJYMrve4insptBzRD1eTi76zFVnJ2aFEc1.7f3yzRTpQ9HVWfEfxRoowXNMNdLxHeDcbLDw";
public = false;
authorization_policy = "one_factor";
authorization_policy = "internal";
redirect_uris = [
"https://nextcloud.cloonar.com/apps/oidc_login/oidc"
];
@ -226,7 +236,7 @@ in {
description = "Grafana";
secret = "$pbkdf2-sha512$310000$TP7.qfcevrHJFGcIMdZgGw$mLQ.AC5M28ETouxyiCeRkenQuKPvH0.oF1exp6LXBpleV56PI6sWrwmBgD7sMsHrMbkvCX4lNPx0vMf0urVpYA";
public = false;
authorization_policy = "one_factor";
authorization_policy = "admin-only";
redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ];
consent_mode = "implicit";
scopes = [
@ -242,7 +252,7 @@ in {
description = "FreeScout Support platform";
secret = "$pbkdf2-sha512$310000$5D3wUR7CnuoeHu3eNWfETw$SY0GTnZor3BlZKPyU3evH9QTlQG6Bm32RoPAlUgdIRJ8HmL3jRLVtmPLxOcJj06ZS/dDTRfkYej2RmD5cA3T4A";
public = false;
authorization_policy = "one_factor";
authorization_policy = "admin-only";
redirect_uris = [ "https://support.cloonar.dev/oauth-login/callback/fryg87l64" ];
consent_mode = "implicit";
token_endpoint_auth_method = "client_secret_post";
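Review bot: Both new OIDC policies, `"admin-only"` and `internal`, grant access with `policy = "one_factor"`, while the `*.cloonar.com` access-control rule in the first hunk requires `two_factor` for the same two groups. The commit narrows which groups may use each client but leaves the factor level where the old `authorization_policy = "one_factor"` had it, so a member of `group:Administrators` can apparently still reach Gitea, Grafana and FreeScout through OIDC on a password alone. For the admin-scoped policy I would change the rule to `policy = "two_factor";` and consider the same for `internal`. If single factor is deliberate, a comment above `authorization_policies` should say so, e.g. `## one_factor on purpose: <reason>`. The enclosing `oidc` block and the client entries start and end outside the visible hunks.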