diff --git a/hosts/fw/modules/web/matrix.nix b/hosts/fw/modules/web/matrix.nix
index 39507dc..ecd94be 100644
--- a/hosts/fw/modules/web/matrix.nix
+++ b/hosts/fw/modules/web/matrix.nix
@@ -149,17 +149,15 @@ in {
 client_secret: "$CLIENT_SECRET"
 token_endpoint_auth_method: client_secret_post
 scope: "openid email profile"
- fetch_userinfo: true
 claims_imports:
- skip_confirmation: true
 localpart:
- action: require
- template: "{{ user.email | replace('@cloonar.com', ''') | replace('@', '_') }}"
- displayname:
 action: force
+ template: "{{ user.email | split('@') | first }}"
+ displayname:
+ action: suggest
 template: "{{ user.name }}"
 email:
- action: require
+ action: force
 template: "{{ user.email }}"
 set_email_verification: always
diff --git a/hosts/web-arm/modules/authelia.nix b/hosts/web-arm/modules/authelia.nix
index 45a33b7..2edffa7 100644
--- a/hosts/web-arm/modules/authelia.nix
+++ b/hosts/web-arm/modules/authelia.nix
@@ -110,7 +110,6 @@ in {
 }
 {
 domain = ["*.cloonar.com"];
- subject = ["group:Administrators" "group:Mitarbeiter"];
 policy = "two_factor";
 }
 ];
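Review bot: The new localpart template `template: "{{ user.email | split('@') | first }}"` under `localpart: action: force` keeps only the mailbox part of the address, so two upstream identities whose emails differ only in domain resolve to the same Matrix localpart, whereas the replaced template at least kept a distinguishing `_` for non-cloonar.com addresses. That is safe only if the upstream IdP issues addresses from a single domain and treats them as unique, an assumption worth stating next to the template, e.g. `# mailbox part only: relies on the IdP issuing one email domain, otherwise a@x and a@y map to the same account`. The hunk also drops `fetch_userinfo: true`, so `user.email` and `user.name` now have to be present in the ID token itself; if the provider only exposes them through the userinfo endpoint the forced localpart and email imports would fail at login, which is worth confirming against the provider. Because `email: action: force` is combined with `set_email_verification: always`, whatever address the IdP returns is trusted as verified, so the single-domain assumption above also governs email ownership.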
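Review bot: Dropping `subject = ["group:Administrators" "group:Mitarbeiter"];` from the `*.cloonar.com` rule makes it match every user in the authentication backend instead of those two groups, so any account that can complete `two_factor` now reaches every `*.cloonar.com` site this rule covers. If an earlier rule in the access_control list (outside this hunk) already narrows the wildcard the change is harmless, but nothing visible here shows that. If opening the wildcard to all users is intended, record it in place, e.g. `policy = "two_factor"; # intentionally every backend user, no group restriction`; otherwise keep a `subject` list on the rule. The enclosing access_control rules list begins outside the hunk.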
@@ -173,37 +172,28 @@ in {
 oidc = {
 ## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
 ## See: https://www.authelia.com/c/oidc
- authorization_policies = {
- "admin-only" = {
- default_policy = "deny";
- rules = [
- {
- policy = "one_factor";
- subject = "group:Administrators";
- }
- ];
- };
- internal = {
- default_policy = "deny";
- rules = [
- {
- policy = "one_factor";
- subject = "group:Administrators";
- }
- {
- policy = "one_factor";
- subject = "group:Mitarbeiter";
- }
- ];
- };
- };
+ # authorization_policies = {
+ # support = {
+ # default_policy = "deny";
+ # rules = [
+ # {
+ # policy = "two_factor";
+ # subject = "group:support"; # Deny access to users of services group
+ # }
+ # {
+ # policy = "two_factor";
+ # subject = "group:admin"; # Deny access to users of services group
+ # }
+ # ];
+ # };
+ # };
 clients = [
 {
 id = "gitea";
 description = "Gitea";
 secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A";
 public = false;
- authorization_policy = "admin-only";
+ authorization_policy = "one_factor";
 redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
 consent_mode = "implicit";
 scopes = [
@@ -218,7 +208,7 @@ in {
 description = "Nextcloud";
 secret = "$pbkdf2-sha512$310000$jPzRYxmYCCDC/Go0Xti9rg$5K70qyNktBEs6PVnJYMrve4insptBzRD1eTi76zFVnJ2aFEc1.7f3yzRTpQ9HVWfEfxRoowXNMNdLxHeDcbLDw";
 public = false;
- authorization_policy = "internal";
+ authorization_policy = "one_factor";
 redirect_uris = [
 "https://nextcloud.cloonar.com/apps/oidc_login/oidc"
 ];
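Review bot: Switching the gitea client to `authorization_policy = "one_factor";` (and likewise Nextcloud in the next hunk, Grafana and FreeScout in the following hunks) replaces the group-restricted `admin-only` and `internal` policies with Authelia's built-in one, so every account in the backend can now complete an OIDC login to these four clients with a single factor; as far as I can tell the client policy is evaluated separately from the `*.cloonar.com` access_control rule, and `support.cloonar.dev` is not under that rule at all. The replacement `support` policy is only added as a commented-out block, which is dead configuration, and its inline comments (`# Deny access to users of services group` on rules that grant `two_factor` to `group:support` and `group:admin`) contradict what the rules do. Either enable the policy and reference it from the clients, e.g. `authorization_policy = "support";`, with comments that describe the rules as written, or delete the block and state in the commit why the group restriction was dropped. The `oidc` attribute set and the `clients` list continue past the end of the hunk.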
@@ -236,7 +226,7 @@ in {
 description = "Grafana";
 secret = "$pbkdf2-sha512$310000$TP7.qfcevrHJFGcIMdZgGw$mLQ.AC5M28ETouxyiCeRkenQuKPvH0.oF1exp6LXBpleV56PI6sWrwmBgD7sMsHrMbkvCX4lNPx0vMf0urVpYA";
 public = false;
- authorization_policy = "admin-only";
+ authorization_policy = "one_factor";
 redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ];
 consent_mode = "implicit";
 scopes = [
@@ -252,7 +242,7 @@ in {
 description = "FreeScout Support platform";
 secret = "$pbkdf2-sha512$310000$5D3wUR7CnuoeHu3eNWfETw$SY0GTnZor3BlZKPyU3evH9QTlQG6Bm32RoPAlUgdIRJ8HmL3jRLVtmPLxOcJj06ZS/dDTRfkYej2RmD5cA3T4A";
 public = false;
- authorization_policy = "admin-only";
+ authorization_policy = "one_factor";
 redirect_uris = [ "https://support.cloonar.dev/oauth-login/callback/fryg87l64" ];
 consent_mode = "implicit";
 token_endpoint_auth_method = "client_secret_post";