272 lines
8.4 KiB
Nix
272 lines
8.4 KiB
Nix
{ config, ... }:
|
|
|
|
{
|
|
sops.secrets.authelia-jwt-secret = {
|
|
owner = "authelia-main";
|
|
sopsFile = ./secrets.yaml;
|
|
};
|
|
sops.secrets.authelia-backend-ldap-password = {
|
|
owner = "authelia-main";
|
|
sopsFile = ./secrets.yaml;
|
|
};
|
|
sops.secrets.authelia-storage-encryption-key = {
|
|
owner = "authelia-main";
|
|
sopsFile = ./secrets.yaml;
|
|
};
|
|
sops.secrets.authelia-session-secret = {
|
|
owner = "authelia-main";
|
|
sopsFile = ./secrets.yaml;
|
|
};
|
|
sops.secrets.authelia-identity-providers-oidc-hmac-secret = {
|
|
owner = "authelia-main";
|
|
sopsFile = ./secrets.yaml;
|
|
};
|
|
sops.secrets.authelia-identity-providers-oidc-issuer-certificate-chain = {
|
|
owner = "authelia-main";
|
|
sopsFile = ./secrets.yaml;
|
|
};
|
|
sops.secrets.authelia-identity-providers-oidc-issuer-private-key = {
|
|
owner = "authelia-main";
|
|
sopsFile = ./secrets.yaml;
|
|
};
|
|
|
|
services.authelia.instances.main = {
|
|
enable = true;
|
|
secrets = {
|
|
jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;
|
|
storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
|
|
sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
|
|
oidcHmacSecretFile = config.sops.secrets.authelia-identity-providers-oidc-hmac-secret.path;
|
|
oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-identity-providers-oidc-issuer-private-key.path;
|
|
};
|
|
environmentVariables = {
|
|
"AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE" = config.sops.secrets.authelia-backend-ldap-password.path;
|
|
|
|
};
|
|
settings = {
|
|
theme = "dark";
|
|
default_redirection_url = "https://cloonar.com";
|
|
|
|
server = {
|
|
host = "127.0.0.1";
|
|
port = 9091;
|
|
};
|
|
|
|
# log = {
|
|
# level = "debug";
|
|
# format = "text";
|
|
# };
|
|
|
|
authentication_backend = {
|
|
ldap = {
|
|
url = "ldaps://ldap.cloonar.com";
|
|
base_dn = "DC=cloonar,DC=com";
|
|
additional_users_dn = "OU=users";
|
|
users_filter = "(&({username_attribute}={input})(objectClass=person))";
|
|
username_attribute = "mail";
|
|
mail_attribute = "mail";
|
|
display_name_attribute = "displayName";
|
|
additional_groups_dn = "OU=groups";
|
|
groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
|
|
group_name_attribute = "cn";
|
|
permit_referrals = false;
|
|
permit_unauthenticated_bind = false;
|
|
user = "cn=authelia,ou=system,ou=users,dc=cloonar,dc=com";
|
|
};
|
|
};
|
|
|
|
access_control = {
|
|
default_policy = "deny";
|
|
rules = [
|
|
{
|
|
domain = ["auth.cloonar.com"];
|
|
policy = "bypass";
|
|
}
|
|
{
|
|
domain = ["*.cloonar.com"];
|
|
policy = "one_factor";
|
|
}
|
|
];
|
|
};
|
|
|
|
session = {
|
|
name = "authelia_session";
|
|
expiration = "12h";
|
|
inactivity = "45m";
|
|
remember_me_duration = "1M";
|
|
domain = "cloonar.com";
|
|
# todo: enable with 4.38
|
|
# cookies = [
|
|
# {
|
|
# domain = "cloonar.com";
|
|
# }
|
|
# {
|
|
# domain = "cloonar.dev";
|
|
# }
|
|
# {
|
|
# domain = "gbv-aktuell.at";
|
|
# same_site = "strict";
|
|
# }
|
|
# ];
|
|
};
|
|
|
|
regulation = {
|
|
max_retries = 3;
|
|
find_time = "5m";
|
|
ban_time = "15m";
|
|
};
|
|
|
|
storage = {
|
|
# mysql = {
|
|
# host = "/run/mysqld/mysqld.sock'";
|
|
# port = 3306;
|
|
# database = "authelia_main";
|
|
# username = "authelia_main";
|
|
# password = "socket_auth";
|
|
# timeout = "5s";
|
|
# };
|
|
local = {
|
|
path = "/var/lib/authelia-main/db.sqlite3";
|
|
};
|
|
};
|
|
|
|
notifier = {
|
|
disable_startup_check = false;
|
|
filesystem = {
|
|
filename = "/var/lib/authelia-main/notification.txt";
|
|
};
|
|
};
|
|
identity_providers = {
|
|
oidc = {
|
|
## The other portions of the mandatory OpenID Connect 1.0 configuration go here.
|
|
## See: https://www.authelia.com/c/oidc
|
|
clients = [
|
|
{
|
|
id = "gitea";
|
|
description = "Gitea";
|
|
secret = "$pbkdf2-sha512$310000$ngFGgCoDClB0xPLxxMJ.Qw$hFuXXizjiC73gZtwi2bPBHzpX8/1GmR8ux1aAz9esVhPEgB58d/vB2jLFKyc13mFJx7qc0ErIdla4/K0CsvM.A";
|
|
public = false;
|
|
authorization_policy = "one_factor";
|
|
redirect_uris = [ "https://git.cloonar.com/user/oauth2/authelia/callback" ];
|
|
pre_configured_consent_duration = "1y";
|
|
scopes = [
|
|
"openid"
|
|
"profile"
|
|
"email"
|
|
];
|
|
userinfo_signing_algorithm = "none";
|
|
}
|
|
{
|
|
id = "nextcloud";
|
|
description = "Nextcloud";
|
|
secret = "$pbkdf2-sha512$310000$UqX35Fh.7uTZLQqD.mk5wg$e139D4g9SGUFc.ZdKt3RAZljC8A7C9nixUQd7rQoHFMKop643SuwfazjNn0ehdyAjydM2zV.KzKnMLgSajo.xw";
|
|
public = false;
|
|
authorization_policy = "one_factor";
|
|
redirect_uris = [
|
|
"https://nextcloud.cloonar.com/apps/oidc_login/oidc"
|
|
"https://cloud.cloonar.com/apps/user_oidc/code"
|
|
];
|
|
pre_configured_consent_duration = "1y";
|
|
scopes = [
|
|
"openid"
|
|
"profile"
|
|
"email"
|
|
"groups"
|
|
];
|
|
userinfo_signing_algorithm = "none";
|
|
}
|
|
{
|
|
id = "hv";
|
|
description = "proxmox";
|
|
secret = "$pbkdf2-sha512$310000$j5XK.Af8d3BImh/tzaffoA$//S88bs99FmA0I48w2V862cgyCl7vvLIfXh9LNaZJs69jjcTYdzcFRgca8Nt23.6EouVT8cv/92MLJqOEI6Gow";
|
|
public = false;
|
|
authorization_policy = "one_factor";
|
|
redirect_uris = [ "https://hv.cloonar.com:8006" ];
|
|
pre_configured_consent_duration = "1y";
|
|
scopes = [
|
|
"openid"
|
|
"profile"
|
|
"email"
|
|
"groups"
|
|
];
|
|
userinfo_signing_algorithm = "none";
|
|
}
|
|
{
|
|
id = "grafana";
|
|
description = "Grafana";
|
|
secret = "$pbkdf2-sha512$310000$TP7.qfcevrHJFGcIMdZgGw$mLQ.AC5M28ETouxyiCeRkenQuKPvH0.oF1exp6LXBpleV56PI6sWrwmBgD7sMsHrMbkvCX4lNPx0vMf0urVpYA";
|
|
public = false;
|
|
authorization_policy = "one_factor";
|
|
redirect_uris = [ "https://grafana.cloonar.com/login/generic_oauth" ];
|
|
pre_configured_consent_duration = "1y";
|
|
scopes = [
|
|
"openid"
|
|
"profile"
|
|
"email"
|
|
"groups"
|
|
];
|
|
userinfo_signing_algorithm = "none";
|
|
}
|
|
];
|
|
};
|
|
};
|
|
};
|
|
};
|
|
services.nginx.virtualHosts."auth.cloonar.com" = {
|
|
enableACME = true;
|
|
forceSSL = true;
|
|
acmeRoot = null;
|
|
|
|
locations."/api/verify" = {
|
|
proxyPass = "http://127.0.0.1:9091";
|
|
proxyWebsockets = true;
|
|
|
|
extraConfig = ''
|
|
allow 127.0.0.1;
|
|
allow 49.12.244.139;
|
|
deny all;
|
|
'';
|
|
};
|
|
|
|
locations."/" = {
|
|
proxyPass = "http://127.0.0.1:9091";
|
|
proxyWebsockets = true;
|
|
|
|
extraConfig = ''
|
|
client_body_buffer_size 128k;
|
|
|
|
#Timeout if the real server is dead
|
|
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;
|
|
|
|
# Advanced Proxy Config
|
|
send_timeout 5m;
|
|
proxy_read_timeout 360;
|
|
proxy_send_timeout 360;
|
|
proxy_connect_timeout 360;
|
|
|
|
# Basic Proxy Config
|
|
proxy_set_header Host $host;
|
|
proxy_set_header X-Real-IP $remote_addr;
|
|
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
|
|
proxy_set_header X-Forwarded-Proto $scheme;
|
|
proxy_set_header X-Forwarded-Host $http_host;
|
|
proxy_set_header X-Forwarded-Uri $request_uri;
|
|
proxy_set_header X-Forwarded-Ssl on;
|
|
proxy_redirect http:// $scheme://;
|
|
proxy_set_header Connection "";
|
|
proxy_cache_bypass $cookie_session;
|
|
proxy_no_cache $cookie_session;
|
|
proxy_buffers 64 256k;
|
|
|
|
# If behind reverse proxy, forwards the correct IP
|
|
set_real_ip_from 10.0.0.0/8;
|
|
set_real_ip_from 172.0.0.0/8;
|
|
set_real_ip_from 192.168.0.0/16;
|
|
set_real_ip_from fc00::/7;
|
|
real_ip_header X-Forwarded-For;
|
|
real_ip_recursive on;
|
|
'';
|
|
};
|
|
};
|
|
}
|