feat(nix): auth nextcloud via oidc

sbulav · Nov 18, 2024 · 3f99e54 · 3f99e54
1 parent 1c11422
commit 3f99e54
Show file tree

Hide file tree

Showing 3 changed files with 45 additions and 22 deletions.
diff --git a/nix/modules/nixos/containers/authelia/default.nix b/nix/modules/nixos/containers/authelia/default.nix
@@ -36,11 +36,6 @@ in {
 
   config = mkIf cfg.enable {
     sops.secrets = {
-      # authelia-env = {
-      #   sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
-      #   uid = 999;
-      #   restartUnits = ["[email protected]"];
-      # };
       authelia-storage-encryption-key = {
         sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
         uid = 999;
@@ -104,7 +99,6 @@ in {
         };
       };
       config = {...}: {
-        # systemd.services.authelia-main.serviceConfig.EnvironmentFile = "/run/secrets/authelia-env";
         services.authelia.instances = {
           main = {
             enable = true;
@@ -113,7 +107,6 @@ in {
               jwtSecretFile = config.sops.secrets.authelia-jwt-secret.path;
               sessionSecretFile = config.sops.secrets.authelia-session-secret.path;
               oidcIssuerPrivateKeyFile = config.sops.secrets.authelia-jwt-rsa-key.path;
-              # manual = true;
             };
 
             settings = {
@@ -170,12 +163,6 @@ in {
 
               identity_providers = {
                 oidc = {
-                  # jwks = [
-                  #   {
-                  #     key_id = "main";
-                  #     key = config.sops.secrets.authelia-storage-encryption-key;
-                  #   }
-                  # ];
                   clients = [
                     # {
                     #   client_id = "jellyfin";

diff --git a/nix/modules/nixos/containers/nextcloud/default.nix b/nix/modules/nixos/containers/nextcloud/default.nix
@@ -3,6 +3,7 @@
   lib,
   namespace,
   inputs,
+  pkgs,
   ...
 }:
 with lib;
@@ -44,6 +45,10 @@ in {
         sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
         uid = 999;
       };
+      nextcloud-oidc-login-client-secret = {
+        sopsFile = lib.snowfall.fs.get-file "${cfg.secret_file}";
+        uid = 999;
+      };
     };
     containers.nextcloud = {
       ephemeral = true;
@@ -58,6 +63,9 @@ in {
         "${config.sops.secrets.nextcloud-admin-pass.path}" = {
           isReadOnly = true;
         };
+        "${config.sops.secrets.nextcloud-oidc-login-client-secret.path}" = {
+          isReadOnly = true;
+        };
 
         "/var/lib/nextcloud/config/" = {
           hostPath = "${cfg.dataPath}/config/";
@@ -84,6 +92,7 @@ in {
       config = {
         config,
         inputs,
+        pkgs,
         ...
       }: {
         systemd.tmpfiles.rules = [
@@ -113,8 +122,12 @@ in {
                 (config.services.nextcloud.package.packages.apps)
                 previewgenerator
                 notes
-                user_oidc
                 ;
+              oidc_login = pkgs.fetchNextcloudApp {
+                license = "agpl3Plus";
+                url = "https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.2.0/oidc_login.tar.gz";
+                sha256 = "sha256-DrbaKENMz2QJfbDKCMrNGEZYpUEvtcsiqw9WnveaPZA=";
+              };
             };
 
             config = {
@@ -151,14 +164,36 @@ in {
                 auto_provision = true;
                 soft_auto_provision = true;
               };
-
-              oidc_login_client_id = "nextcloud";
+              allow_user_to_change_display_name = false;
+              lost_password_link = "disabled";
               oidc_login_provider_url = "https://authelia.sbulav.ru";
+              oidc_login_client_id = "nextcloud";
+              oidc_login_client_secret = "$(cat /run/secrets/nextcloud-oidc-login-client-secret)";
+              oidc_login_auto_redirect = false;
+              oidc_login_end_session_redirect = false;
+              oidc_login_button_text = "Log in with Authelia";
+              oidc_login_hide_password_form = false;
+              oidc_login_use_id_token = true;
               oidc_login_attributes = {
                 id = "preferred_username";
+                name = "name";
+                mail = "email";
+                groups = "groups";
               };
-              oidc_login_scope = "openid profile";
-              oidc_login_button_text = "Log in with OpenID";
+              oidc_login_default_group = "oidc";
+              oidc_login_use_external_storage = false;
+              oidc_login_scope = "openid profile email groups";
+              oidc_login_proxy_ldap = false;
+              oidc_login_disable_registration = false; # different from doc, to enable auto creation of new users
+              oidc_login_redir_fallback = false;
+              oidc_login_tls_verify = true;
+              oidc_create_groups = false;
+              oidc_login_webdav_enabled = false;
+              oidc_login_password_authentication = false;
+              oidc_login_public_key_caching_time = 86400;
+              oidc_login_min_time_between_jwks_requests = 10;
+              oidc_login_well_known_caching_time = 86400;
+              oidc_login_update_avatar = false;
               oidc_login_code_challenge_method = "S256";
             };
           };
@@ -171,9 +206,9 @@ in {
           };
           # Use systemd-resolved inside the container
           # Workaround for bug https://github.com/NixOS/nixpkgs/issues/162686
-          useHostResolvConf = lib.mkForce false;
+          # useHostResolvConf = lib.mkForce false;
         };
-        services.resolved.enable = true;
+        # services.resolved.enable = true;
         system.stateVersion = "24.11";
       };
     };

diff --git a/nix/secrets/serverz/default.yaml b/nix/secrets/serverz/default.yaml
@@ -5,6 +5,7 @@ authelia-session-secret: ENC[AES256_GCM,data:qgCJ9d4PwiUYhUEeuzRL+hXb1mMt0W17LNP
 authelia-storage-encryption-key: ENC[AES256_GCM,data:ub+rSg3lNyxVJapVhMJBu+9kfG6ToSJSXmgie3qOvlkRZy4oLYdEIvgcie9yZ6CnSAASMLVBX8GSt2XKee8Lbg==,iv:vHNERwAxZ8ndFKANC40GUqt1JF1ivBOPWt70MWgSMso=,tag:yQN8dDoXl6Uqg3VSG3hhUw==,type:str]
 authelia-jwt-rsa-key: ENC[AES256_GCM,data:YCeVD0O03Wm5D+i51YzCReFrLqgUjkmy1P7/KKjJdD2cqX8pRRTgB4t+gv/5JTfaFd+N5gtjKvFIml7oTFUT2y/l8ywoVswbFUN7sPMlBh1R7W+aUWOKOJTlHxFUDupJWbtkgcz1H8FrnWM8v2d9ICQ1hYmh4pqUZPZ0dQEg8al7IquCoUXKgPTdazwCLus9OpjMl2XAPd+1w2qE3G02eSDx9lx3MrP7t+oacQ8tAq49D7XHKZuRkiMsK54xScICq9DKzOODE4LMd9xvTnpzyJxNnZsBs1zJA+crCpDTGjIB8NruzL61jTbh57Mht7YJeTYJbTCdAwowoFNmwWIhavZilafV6H3Vzu8OtD+co5fejp/Oq3W8CQ4YPfUvRxz0rUHmepacJZCZqqPchPQ4tM+zpnHZpjaofFjowaBdbYXWRYfgfEmb3YY7xOp6OhAoxUyl7jdu+ZJIR0zUZjFfHBC8oYS4v32h/6hgNPB3OHSCHTZfoaymgiI+yf+vndor7OvEE/fmR3jEbpfcYMNKeaZjEt4jcMsolRoAEOXeAScw7wGIpL5WNE78JwCHGhikbuTLpLIwfz9ftT3KSGxhJk3/H10Uj7wfkZTx/TLo6SO6i24I4zlNrM+4rgLs4B0nYyzQRJfeZhMA9+LE4bU3NU68QvT4BeHi9smQ0TpjXaQW+Rs+oB7UEki4juzzB4tWjtLvp2L22B+2n1STa1q1hocfCE8p2o57IwaSKG/F7Njwh9HOkIFNKyNUY4DlD1dM4cz0vZpbVAuwk3nmctqFvL1mMSfiuq7E04zVOi2M9zczkxNzylVIedurYrTDG6KpOZbJ+6n+bbASdF5FEpWNIbb1sCx507D1bIS2p9ejBplNu40RkGvptf5c8i8D8WwIi51ubc0qItogGdR100JQY/bgKmR1uqTyPlaBN8yVq1+v8noTLh8VlSlwyNZrP8X9e0HJ22ASm7qvbpman2FiX8QUwhopH3AC14c6ya4j5j6+7yPCjsgfla+tkRrkPyPa92tkmo0XZ5gQJUofJH6jdIHnsxrQsDCOF/cDouCIwl3YVKFhgxDM702eijv2ki7eXHNbLRJsSFPjrzOgOsdKiSAmkDoF4bIcwroDuvbEnQfCuYbS9l1p5qmVboqk8Rd0UZ5t00H6106kE4NIQiQqGqFv5BH0aMmsrz0izB8XRvkhL9//jCZ452n/PfCuy3KjRS6mScYdiKOX50MF9Nc1wscvjWLDWcCzwUJUt7PgRrYTub4Rt6kYiFDREQEQrjFisRvwvzGqaLE7+Z+l6rg1xM+ba/KeW/eYda1jn6nM4N2l3eBdplCItIDPVcbbdi6tTBL4kYe88D7yAGkcmX3HxWn7Wsn+cC+lwosukjJW+1AE9hwW4rPmRUzEhdw6y610joTmR5zDzfO9oz9KbhMzXf9/u/vJyMFS7UJkBn7T5U8emBhInMz5YCHwtXgjq4Yx7j9GLBxlfOqe81H+tCEMGO0PcyxKKMWnZZGBasd7ckghE32fKrOPa9sPzdEjtM7c7jBpzX0SxdbP+iKbgYSLao/V/x1QrGt5JhOK4udPapKSFdV/4NQ+vBaUeAGMdMSEbMXhu5yO5Ba2Ywk1S22g113FS9GxC02PzkOfAFXnPhBOx4TfwRiFuKuEKkvD9twUuwSZcabHVI+9acoEIArAUz8QdAlq8wIXKTps9sfwOa/N45nZkpnaDHP91Ihfxi0hwmoCX5N5El2mrdfbwPpuua3D0wJY07k9kFHikyAJjpb0YPMslGut+a6rMb8k0xAMBouIGODVvYUqmT8Gz6ZH4D7pvPhyHxV7jMqgh9knjCwwTJRiHkkW+Wbh7G0I8fDR/GvWsMKD9wg4aUFfDw93OxmoXnqs0XVsRFlPLknYlx+lPjLIN1yjzNYLVwuNxb80jwwDPOGlee/rmIPCW/yKlOedl+aQQSKwAh8fi/UOTn+rzGJaVTmpb5Ans+d0aXs8DKBxDGCk5XLb/By9D/p3vXRXnvpdul16MSWrk3QDwfTTIPD6EGw2pjpXjKy7xnIsHe6BIWEElYu7WlCoMVFwLX09Cbat6YelLu/uuI2eNzTaAZXBgGTckBZMvFBRzsS8TDwZvfaUbuLGNDq8abUt5I0lOz/+vsZFUqxWuEC/H5izjZcUwUbvDMZ18Bhe+YptQ7CmqIcolDoarjLbubiNc/Gmou1egSG69/cRnkGb2wNZqqCIdxzBWTI2b09YM2bJDxd4lxitdNt5iP7G0a4ohkAhgJnr4ro=,iv:1Mdm76uIxkYvK4NO0HlvO5azAx5npHCHrHs74i1qzCA=,tag:M2o2mTE0jAtQLmpzy4tsoQ==,type:str]
 nextcloud-admin-pass: ENC[AES256_GCM,data:yJFfJ7K/gyM71omo//qURGs=,iv:5JmRGdHHtJtiZeuF4kjok2nUrWQArRRTr5XbwJtDXxI=,tag:SY9Lz7QMCNoixUesA3Q9WQ==,type:str]
+nextcloud-oidc-login-client-secret: ENC[AES256_GCM,data:OZKlcKuymUoUDyql2vunjGED5Q5EdGdXsKOuj322qiXTodnAM3wh/l+rZYtQ24kINDf+6XTD1wiGdzjbbTwBTOEv6d2SVAcT,iv:HzBvCsrzSMmParyrbK+3oGkau1oeoJiNJEYsTEU1Ho4=,tag:cdMeeGbsfWmA1tEwoLWsDA==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -29,8 +30,8 @@ sops:
             SVdkN2htWTBaLy9jdGJ6S0RocE9JMFUK8yejh6yKp+OLsNFXWHUJzvHnwaGI1yXA
             Y4F7JY6bhXcu8KJGvjgy08ox+n82V6xY9ov1hwhUlfyIZf4H0/bjuA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-11-18T11:21:28Z"
-    mac: ENC[AES256_GCM,data:zdhnrIy+QcoUcPG6c18R0B8OPT/I/4QXFkJL4gcPmDaz3bMrKvXfV9JNdNHeQdVx3VV95h02ymYn1KtlXIKVWzAxiPpWWOf5dKdiDzFOb7pnK3uBn6KdMWtSJCc45WHdGNQWn3Fq880foi39IXzC8npfuWcEtm7SZjy4KsN1F0E=,iv:Ki2RLnPzbgWjU1/iWsuhKvylzwPuU9msSKfAhCUJZUQ=,tag:ZFQl4+bVYhWE7opoz75Mhw==,type:str]
+    lastmodified: "2024-11-18T12:37:15Z"
+    mac: ENC[AES256_GCM,data:6RBpAqkREnsusxVULRiOgHGk+RiXT7GmyevnHyAQxMkvMd5AQu19vD58F1Y4Z6EEeWLwtfsAi93KVLYhtHrQxBBZ7hogIneMH3KLT6sxM4WycqPgcqum4JEqF2ZMMUuLw7oaWEMYJuDVAymnBS6ahu6LWBd7WxsLeOUTvHeMDpM=,iv:PjqfAwOlppOAnr64VEqSICOhx6qhZXKVDnYitJiw0mw=,tag:Ba9wfgwBsgtPOP48EYA/9A==,type:str]
     pgp: []
     unencrypted_suffix: _unencrypted
     version: 3.9.1