Cloonar/nixos
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Compare commits

base: Cloonar:42a8753018cffec940104080d8b5ab8e3eaa128d
Branches Tags
Cloonar:master
...
compare: Cloonar:f1b4e2d9bb9916d5c0aef8bcf25816ea6a123942
Branches Tags
Cloonar:master

2 commits
42a8753018 ... f1b4e2d9bb

Author SHA1 Message Date
Dominik Polakovics
f1b4e2d9bb feat: authelia, more authorization policies to allow users to different software 2026-03-03 21:54:09 +01:00
Dominik Polakovics
b6cd213560 feat: matrix better handling for oidc users 2026-03-03 21:53:53 +01:00
2 changed files with 35 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

10
hosts/fw/modules/web/matrix.nix
View file

@ -149,15 +149,17 @@ in {
client_secret: "$CLIENT_SECRET" client_secret: "$CLIENT_SECRET"
token_endpoint_auth_method: client_secret_post token_endpoint_auth_method: client_secret_post
scope: "openid email profile" scope: "openid email profile"
fetch_userinfo: true
claims_imports: claims_imports:
skip_confirmation: true
localpart: localpart:
action: force action: require
template: "{{ user.email | split('@') | first }}" template: "{{ user.email | replace('@cloonar.com', ''') | replace('@', '_') }}"
displayname: displayname:
action: suggest action: force
template: "{{ user.name }}" template: "{{ user.name }}"
email: email:
action: force action: require
template: "{{ user.email }}" template: "{{ user.email }}"
set_email_verification: always set_email_verification: always

48
hosts/web-arm/modules/authelia.nix
View file

@ -110,6 +110,7 @@ in {
} }
{ {
domain = ["*.cloonar.com"]; domain = ["*.cloonar.com"];
subject = ["group:Administrators" "group:Mitarbeiter"];
policy = "two_factor"; policy = "two_factor";
} }
]; ];
@ -172,28 +173,37 @@ in {
oidc = { oidc = {
## The other portions of the mandatory OpenID Connect 1.0 configuration go here. ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
## See: https://www.authelia.com/c/oidc ## See: https://www.authelia.com/c/oidc
# authorization_policies = { authorization_policies = {
# support = { "admin-only" = {
# default_policy = "deny"; default_policy = "deny";
# rules = [ rules = [
# { {
# policy = "two_factor"; policy = "one_factor";
# subject = "group:support"; # Deny access to users of services group subject = "group:Administrators";
# } }
# { ];
# policy = "two_factor"; };
# subject = "group:admin"; # Deny access to users of services group internal = {
# } default_policy = "deny";
# ]; rules = [
# }; {
# }; policy = "one_factor";
subject = "group:Administrators";
}
{
policy = "one_factor";
subject = "group:Mitarbeiter";
}
];
};
};
clients = [ clients = [
{ {
id = "gitea"; id = "gitea";
description = "Gitea"; description = "Gitea";
secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A"; secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A";
public = false; public = false;
authorization_policy = "one_factor"; authorization_policy = "admin-only";
redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ]; redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
consent_mode = "implicit"; consent_mode = "implicit";
scopes = [ scopes = [
@ -208,7 +218,7 @@ in {
description = "Nextcloud"; description = "Nextcloud";
secret = "$pbkdf2-sha512$310000$jPzRYxmYCCDC/Go0Xti9rg$5K70qyNktBEs6PVnJYMrve4insptBzRD1eTi76zFVnJ2aFEc1.7f3yzRTpQ9HVWfEfxRoowXNMNdLxHeDcbLDw"; secret = "$pbkdf2-sha512$310000$jPzRYxmYCCDC/Go0Xti9rg$5K70qyNktBEs6PVnJYMrve4insptBzRD1eTi76zFVnJ2aFEc1.7f3yzRTpQ9HVWfEfxRoowXNMNdLxHeDcbLDw";
public = false; public = false;
authorization_policy = "one_factor"; authorization_policy = "internal";
redirect_uris = [ redirect_uris = [
"https://nextcloud.cloonar.com/apps/oidc_login/oidc" "https://nextcloud.cloonar.com/apps/oidc_login/oidc"
]; ];
@ -226,7 +236,7 @@ in {
description = "Grafana"; description = "Grafana";
secret = "$pbkdf2-sha512$310000$TP7.qfcevrHJFGcIMdZgGw$mLQ.AC5M28ETouxyiCeRkenQuKPvH0.oF1exp6LXBpleV56PI6sWrwmBgD7sMsHrMbkvCX4lNPx0vMf0urVpYA"; secret = "$pbkdf2-sha512$310000$TP7.qfcevrHJFGcIMdZgGw$mLQ.AC5M28ETouxyiCeRkenQuKPvH0.oF1exp6LXBpleV56PI6sWrwmBgD7sMsHrMbkvCX4lNPx0vMf0urVpYA";
public = false; public = false;
authorization_policy = "one_factor"; authorization_policy = "admin-only";
redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ]; redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ];
consent_mode = "implicit"; consent_mode = "implicit";
scopes = [ scopes = [
@ -242,7 +252,7 @@ in {
description = "FreeScout Support platform"; description = "FreeScout Support platform";
secret = "$pbkdf2-sha512$310000$5D3wUR7CnuoeHu3eNWfETw$SY0GTnZor3BlZKPyU3evH9QTlQG6Bm32RoPAlUgdIRJ8HmL3jRLVtmPLxOcJj06ZS/dDTRfkYej2RmD5cA3T4A"; secret = "$pbkdf2-sha512$310000$5D3wUR7CnuoeHu3eNWfETw$SY0GTnZor3BlZKPyU3evH9QTlQG6Bm32RoPAlUgdIRJ8HmL3jRLVtmPLxOcJj06ZS/dDTRfkYej2RmD5cA3T4A";
public = false; public = false;
authorization_policy = "one_factor"; authorization_policy = "admin-only";
redirect_uris = [ "https://support.cloonar.dev/oauth-login/callback/fryg87l64" ]; redirect_uris = [ "https://support.cloonar.dev/oauth-login/callback/fryg87l64" ];
consent_mode = "implicit"; consent_mode = "implicit";
token_endpoint_auth_method = "client_secret_post"; token_endpoint_auth_method = "client_secret_post";