feat: authelia, more authorization policies to allow users to different software

2026-03-03 21:54:09 +01:00 · 2026-03-03 21:54:09 +01:00 · f1b4e2d9bb
commit f1b4e2d9bb
parent b6cd213560
1 changed files with 29 additions and 19 deletions
--- a/hosts/web-arm/modules/authelia.nix
+++ b/hosts/web-arm/modules/authelia.nix
@ -110,6 +110,7 @@ in {
          }
          {
            domain = ["*.cloonar.com"];
+            subject = ["group:Administrators" "group:Mitarbeiter"];
            policy = "two_factor";
          }
        ];
@ -172,28 +173,37 @@ in {
        oidc = {
          ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
          ## See: https://www.authelia.com/c/oidc
-          # authorization_policies = {
-          #   support = {
-          #     default_policy = "deny";
-          #     rules = [
-          #       {
-          #         policy = "two_factor";
-          #         subject = "group:support"; # Deny access to users of services group
-          #       }
-          #       {
-          #         policy = "two_factor";
-          #         subject = "group:admin"; # Deny access to users of services group
-          #       }
-          #     ];
-          #   };
-          # };
+          authorization_policies = {
+            "admin-only" = {
+              default_policy = "deny";
+              rules = [
+                {
+                  policy = "one_factor";
+                  subject = "group:Administrators";
+                }
+              ];
+            };
+            internal = {
+              default_policy = "deny";
+              rules = [
+                {
+                  policy = "one_factor";
+                  subject = "group:Administrators";
+                }
+                {
+                  policy = "one_factor";
+                  subject = "group:Mitarbeiter";
+                }
+              ];
+            };
+          };
          clients = [
            {
              id = "gitea";
              description = "Gitea";
              secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A";
              public = false;
-              authorization_policy = "one_factor";
+              authorization_policy = "admin-only";
              redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
              consent_mode = "implicit";
              scopes = [
@ -208,7 +218,7 @@ in {
              description = "Nextcloud";
              secret = "$pbkdf2-sha512$310000$jPzRYxmYCCDC/Go0Xti9rg$5K70qyNktBEs6PVnJYMrve4insptBzRD1eTi76zFVnJ2aFEc1.7f3yzRTpQ9HVWfEfxRoowXNMNdLxHeDcbLDw";
              public = false;
-              authorization_policy = "one_factor";
+              authorization_policy = "internal";
              redirect_uris = [ 
                "https://nextcloud.cloonar.com/apps/oidc_login/oidc"
              ];
@ -226,7 +236,7 @@ in {
              description = "Grafana";
              secret = "$pbkdf2-sha512$310000$TP7.qfcevrHJFGcIMdZgGw$mLQ.AC5M28ETouxyiCeRkenQuKPvH0.oF1exp6LXBpleV56PI6sWrwmBgD7sMsHrMbkvCX4lNPx0vMf0urVpYA";
              public = false;
-              authorization_policy = "one_factor";
+              authorization_policy = "admin-only";
              redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ];
              consent_mode = "implicit";
              scopes = [
@ -242,7 +252,7 @@ in {
              description = "FreeScout Support platform";
              secret = "$pbkdf2-sha512$310000$5D3wUR7CnuoeHu3eNWfETw$SY0GTnZor3BlZKPyU3evH9QTlQG6Bm32RoPAlUgdIRJ8HmL3jRLVtmPLxOcJj06ZS/dDTRfkYej2RmD5cA3T4A";
              public = false;
-              authorization_policy = "one_factor";
+              authorization_policy = "admin-only";
              redirect_uris = [ "https://support.cloonar.dev/oauth-login/callback/fryg87l64" ];
              consent_mode = "implicit";
              token_endpoint_auth_method = "client_secret_post";