test

sbulav · Nov 18, 2024 · 0400e96 · 0400e96
1 parent 3bc15ac
commit 0400e96
Show file tree

Hide file tree

Showing 3 changed files with 79 additions and 5 deletions.
diff --git a/nix/modules/nixos/containers/authelia/default.nix b/nix/modules/nixos/containers/authelia/default.nix
@@ -46,6 +46,22 @@ in {
         uid = 999;
         restartUnits = ["[email protected]"];
       };
+      authelia-jwt_secret = {
+        sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
+        uid = 999;
+        restartUnits = ["[email protected]"];
+      };
+      authelia-session_secret = {
+        sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
+        uid = 999;
+        restartUnits = ["[email protected]"];
+      };
+      # "authelia-jwt_rsa_key.pem" = {
+      #   # format = "binary";
+      #   sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
+      #   uid = 999;
+      #   restartUnits = ["[email protected]"];
+      # };
     };
     containers.authelia = {
       ephemeral = true;
@@ -64,6 +80,15 @@ in {
         "${config.sops.secrets.authelia-storage-encryption-key.path}" = {
           isReadOnly = true;
         };
+        "${config.sops.secrets.authelia-session_secret.path}" = {
+          isReadOnly = true;
+        };
+        "${config.sops.secrets.authelia-jwt_secret.path}" = {
+          isReadOnly = true;
+        };
+        # "${config.sops.secrets."authelia-jwt_rsa_key.pem".path}" = {
+        #   isReadOnly = true;
+        # };
 
         "/var/lib/authelia-main/users/" = {
           hostPath = "${cfg.dataPath}/users/";
@@ -85,9 +110,9 @@ in {
             enable = true;
             secrets = {
               storageEncryptionKeyFile = config.sops.secrets.authelia-storage-encryption-key.path;
-              #   jwtSecretFile = config.sops.secrets.authelia_jwt_secret_file.path;
-              #   sessionSecretFile = config.sops.secrets.authelia_session_secret_file.path;
-              manual = true;
+              jwtSecretFile = config.sops.secrets.authelia-jwt_secret.path;
+              sessionSecretFile = config.sops.secrets.authelia-session_secret.path;
+              # manual = true;
             };
 
             settings = {
@@ -141,6 +166,38 @@ in {
                   }
                 ];
               };
+
+              identity_providers = {
+                oidc = {
+                  # jwks = [
+                  #   {
+                  #     key_id = "main";
+                  #     key = config.sops.secrets.authelia-storage-encryption-key;
+                  #   }
+                  # ];
+                  clients = [
+                    # {
+                    #   client_id = "jellyfin";
+                    #   client_name = "Jellyfin";
+                    #   client_secret = "$pbkdf2-sha512$310000$w8/7AXV6ljEACFLwkc.neQ$bMnyFnhUjuFjhKGw.awXKfK1EK6n9XS5P6RcywAbBxLhI6hcJqJ8jDCt3oOBp9YpaPCbNh3Sm23NCwJaUIci5w";
+                    #   require_pkce = true;
+                    #   pkce_challenge_method = "S256";
+                    #   authorization_policy = "one_factor";
+                    #   redirect_uris = [ "https://jellyfin.${config.domain.base}/sso/OID/redirect/authelia" ];
+                    #   token_endpoint_auth_method = "client_secret_post";
+                    # }
+                    {
+                      client_id = "nextcloud";
+                      client_name = "Nextcloud";
+                      client_secret = "$pbkdf2-sha512$310000$UO0xTTiZTXcj6cUL1R7P/A$4SQ.Zzv//x02/sZ5WM8EBPYd/Tps07K8.Zq19sjVVV6vIMCb.e5giDgHeZokgD3lBv4MOVlxttCjRU0dhFO15w";
+                      require_pkce = true;
+                      pkce_challenge_method = "S256";
+                      authorization_policy = "one_factor";
+                      redirect_uris = ["https://nextcloud2.${cfg.domain}/apps/oidc_login/oidc"];
+                    }
+                  ];
+                };
+              };
             };
           };
         };

diff --git a/nix/modules/nixos/containers/nextcloud/default.nix b/nix/modules/nixos/containers/nextcloud/default.nix
@@ -146,6 +146,20 @@ in {
                 "OC\\Preview\\Movie"
                 "OC\\Preview\\MP4"
               ];
+              user_oidc = {
+                single_logout = false;
+                auto_provision = true;
+                soft_auto_provision = true;
+              };
+
+              oidc_login_client_id = "nextcloud";
+              oidc_login_provider_url = "https://authelia.sbulav.ru";
+              oidc_login_attributes = {
+                id = "preferred_username";
+              };
+              oidc_login_scope = "openid profile";
+              oidc_login_button_text = "Log in with OpenID";
+              oidc_login_code_challenge_method = "S256";
             };
           };
         };

diff --git a/nix/secrets/serverz/default.yaml b/nix/secrets/serverz/default.yaml
@@ -1,6 +1,9 @@
 traefik-cf-env: ENC[AES256_GCM,data:g7Xw9UM1FeOFh+R0jGmPl9Gipix2WNilkCw30iDutxduhYCRmh3cye4D43Zy5x31kvdHej0pwlaSgEVbDOfBMoeENezrcDnLd3xqZHks75QleXv8Ujqoag==,iv:w/byUzrl/9+qcMnUERmO7RYpk991WbhRtcBJkIQIF1o=,tag:CxFiyegx/ZhzU+CU0Bkabg==,type:str]
 authelia-env: ENC[AES256_GCM,data:6fFB2jhyMiGKY/Y/cbel3p9wkEX72OPYHjoEereC7vj6kVH6fne7ctCKFgzZF0bGyET6iS7sh01Xgj+BNCejdSAoqjouoUHBcFc3VE7Vrecg/0LLDjLZ4sc1Fd1ZGLvcPNDTVL0j7UQTBX0MirB1yy4t2s1gNLUvjunwxtglLaAxjDIi541pZb4d9FL/BJ1g76dvGLIlyF4tKssSPSujLls/JrlG3/jbdrmS4sbA+ZI=,iv:eqeV4P1Rw0RxQqs//oYTzEQLyavLfbvKkz2JXs9fkmc=,tag:1rsGSeGVn3c3IYAsfghTXw==,type:str]
+authelia-jwt_secret: ENC[AES256_GCM,data:Y+B6kS6Zoo9Z2h5VPbn0mwFiP9sdWAPP/ztCNbtGRa+6Slt9HP9ccbWcno7kdi6LdHq+ocEJJTOHnztmLBMxZQ==,iv:CyCga7SDtpYVl2GDOcA4eFCqx4bDmEhkM2kFD74laJU=,tag:nKLzB8+vrOPnwf0x+F/G4g==,type:str]
+authelia-session_secret: ENC[AES256_GCM,data:h5ypDJtUSkF+dtD1edMlXATx6tkTejTG93n3enZz8VwUuMdxjYhIiA7R4KpRpXbgdDbRRbgjb+naunTAZZjQpw==,iv:5wUFCQfOxkSZ9RnMG7fU3U5neAM4jkE5+mP33JyNjSo=,tag:uK5682nzik96MTy6xtrCmw==,type:str]
 authelia-storage-encryption-key: ENC[AES256_GCM,data:ub+rSg3lNyxVJapVhMJBu+9kfG6ToSJSXmgie3qOvlkRZy4oLYdEIvgcie9yZ6CnSAASMLVBX8GSt2XKee8Lbg==,iv:vHNERwAxZ8ndFKANC40GUqt1JF1ivBOPWt70MWgSMso=,tag:yQN8dDoXl6Uqg3VSG3hhUw==,type:str]
+authelia-jwt_rsa_key.pem: ENC[AES256_GCM,data:milUMHhao5r3wbwHRtsshdNYF0VOw/LjHkg4blXDHeoMTJjwk9S9mnP/DSXELtpAgOhRyAotzt0kipaaraqIq6hvCZBozJJkUIdMp07gJbPOvKXa3GNTlzJl72lvUoaEDpKCbTkUgxGYgL55gahBByPdrFpJaxDp6F3TeQq6Ms0UJMVbzIWecVzDO0w0gdDjc80cZF8PM+Lcbcw/BfI7T3AvRuaSg1EsbwhvhnAioOG3mynRvlvupe0qy+5iXIjhgGPIVVXdL/0Xx5em820gFHQoZbWGXpl5LgRF2YhhuVQttb8IJP7nY/DIUkZ+TEHIc2jonxicH9kxtbDavPsYaaIsHUw1lJ3bOFsmpBzJuT9hCJ4IRQRXph8gvTQ3Of0c09u+wI6eAelZiigc2aunUnHzOWj8UzQoMvYb+UP+IZu8YeA7MjTb1mMsobBqoOJ3+0GtaB36Tsk9ba+U7xgU/xogNPNvgUQ7LsawyG2l3zdfzNCv2VmsHEttRKMtO68BzZErnqptyLs9ifgmTtLmo4bmh+TaqLUA9ScMjLRzqXOqmoBoEbSxhirbbI0PB7O9mjsP+qBzUzj/gef8INMxBLIjSuM7oza1biLfTuVNXSKO3KNwHTrMBAfRQbpB3rp6SU04BlZPiUY1TZd8DiKwYnMttC9GAtTZZA37gTaVlQIOz9MdKdtteI6TvjtHGtAxUI69PNexKNlwqZJMUTfiC/MiMUp61wT5edVGbc3NYnrSQ2Atp8yyOPy77wThxYzsfN0IjsLRmKkahbuSZG1uobFzVlgOTWF85W2r1B9Gqd9Y2q2pJTA+bhdKmfoaK9LrvtroMHCKl2yqkLZU8JEWFCKpilRxwbp3E76BjWToAmvgN91+88AmxPb/OhqEtAqw8pniUlt0Zi0HosFSYdnZ+wQnaIzAiupcouoSG/QdrqYSouG41Nzh7ZzQJuxpv9fvF6tOjUcK3lfPwPaQLJOB40boY+8GhRVquRCx6LVdoN9+gO81cJI4kSahlgNZEmFdoNkwjCWLyBtT5Io5NpEaj+gE82wVHb0dPSccg+8mliEwM0524GHQXKX6Hz3wJvLAp0unEePuJNrlAF1D7n4WyBg7xt777hT8Ku3/ViyE/ITTtiHUutRcoTkwxBYA6VDv2QMDm2uGWa5qWWutotT77wzhAl2Ww0usYLvowOywwSAz9FXcigu3MOLhJPKtEykUYiuGVmqArOWZdPCz2mQvt22oze9f90gP/+PeaSokvCb1D2vLK8H5mV/AC1FDESoqbIN1rOohn5sk4TRiZk/SXF+dwertoSx8/chOjTGQDkyt0tNVuGHrc+MvGIyfz/ewAJQzDZ0vUozIui+ZLknaICxVo5GNw5m2r6Si2QL5q0+HBhMGE/uoOcbTa242oSzkEmrvWNGpg8Kpl2pMkAQrHocGhQNSHKy5b7lyuDJ6Bq5BfCxeEFvL7msayZ/TvonRUV+1t5T44oD8bWxIfWr+54fSD2q35Fnvil9/KAKpRaWE1zfRfK9xohV8zpc6si8rogAxLr7P4VhD5KwqxS6WzKEW5QuE4FR9WA+gUsWGwBdJYdZoRpWF+vXyL2qizR9+5f1HytJMfbJ8s003UicXB1ZIVpe/zje0Au5/aJLT1lSmMJHsglSWZU5pidSer2B31lDqulzYqTmlNJUj5kCjf23iQ/weHUgfRKTRCzSxvkSJlcjyBo9B/TDfmiiGJ6tPslSC8oeiJs5JUTz/p9cTfKVzOVVf8tUMIGe06RJQhX+p3nY/rbpq7rXD+H0gDH+FJOjedp4kTrORF70W5TYoDu9k2379F08uKipklylTT2p4xNGj9ql9vo1KAxElgc4d5AYAqFr90pKlnzvsvWvWeqMIi70fkSeBUTKEzmngrxprRM76ciasaAog709cXOUB8/vheFA7z7B+KTBMgeRTEgk3a6zBcVZgs4Ws3WqNSQ2QLOymahCwM/qFRCvLmMkpkcsKdZZOCpG43VbpNTNLI+D/6pMalsthuQcQnYKodGkfk7vKXAA1WTuEz0g+lTMg2l5KzL9tj/FTyqa1uF7h0aOcMldeGyX7yLs+qWZT86TFUQYumOfOFZBEv7iP/E/HYSv4H/zpnVBr8GbSgKjtGaCp52zzjFPWM4pD48cquHntiNJGDen55fDh/VS2bo2u9kNgvshGIbL1umawIoRGCoFNHwOG70AC3M6X1eoF9nuicadIIJpgtwjv1z4p3TplQ8nYVNuOQNRSKL4MdnwlgU5QBrqYUtzE,iv:QuJpw9N81fGOlx9D+r+HT5mzQHA0mQ4twAZKiGXQwJM=,tag:0eAeZ8p6GulohKG6915PeQ==,type:str]
 nextcloud-admin-pass: ENC[AES256_GCM,data:yJFfJ7K/gyM71omo//qURGs=,iv:5JmRGdHHtJtiZeuF4kjok2nUrWQArRRTr5XbwJtDXxI=,tag:SY9Lz7QMCNoixUesA3Q9WQ==,type:str]
 sops:
     kms: []
@@ -26,8 +29,8 @@ sops:
             SVdkN2htWTBaLy9jdGJ6S0RocE9JMFUK8yejh6yKp+OLsNFXWHUJzvHnwaGI1yXA
             Y4F7JY6bhXcu8KJGvjgy08ox+n82V6xY9ov1hwhUlfyIZf4H0/bjuA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-13T07:50:57Z"
-    mac: ENC[AES256_GCM,data:3ww7LvMEg/qa8JJ6C4OlEvf4eqlQgvPtWDEkuY9QewnjSs7pAGNxQrOPpNCO4zLrO7Kx2u73Rcg8bzQXbBsPypR5LmlOC8hqi+OqW8k0YPmG8Ep0WVMX7v9IQsjM34JSyQFIKC7iD55diTi5B7W+a/MOpqJ0wvNPqPUwrbRA1/M=,iv:IgbubkYWcOrxXLRvHCknUNNkt1rQ+JDgcRTAaAgKZwU=,tag:WGVSgNnybAqfEgLl1kZx+w==,type:str]
+    lastmodified: "2024-11-18T11:04:07Z"
+    mac: ENC[AES256_GCM,data:xyoVGkZcl/HK7TaYAew5HMrFJuBW3fj7pnriWvl885/aJPd27o3MvVnZnW2MCjC9CFKdlXrVamfm6W8q4p7Y2ZVCoMK3o9n5qm9Lynjro3vKn2qPYKjSF/5OocFathAow2L+UOacTCiNl9CFdevKRjWAgybpOzjjCdjBdjz9Hsw=,iv:SQo0nKgbnAXCn8B6yvr9msAiv3PlhkoyszR6KP7fWIQ=,tag:1r7IdPnuaEm+mgLC40+NoQ==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1