lander/nix-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
nix-config/hosts/hosting-01/auth/authelia.nix
Lander Van den Bulcke 7abff709f9
fix: authelia group filter 
Signed-off-by: Lander Van den Bulcke <landervandenbulcke@gmail.com>
2025-09-28 12:36:49 +02:00

191 lines
6.2 KiB
Nix
Raw Blame History

{ config, lib, ... }:
{
services = {
authelia.instances.escapeangle = {
enable = true;
settings = {
theme = "auto";
authentication_backend.ldap = {
address = "ldap://localhost:3890";
base_dn = "dc=escapeangle,dc=com";
users_filter = "(&({username_attribute}={input})(objectClass=person))";
groups_filter = "(&(member={dn})(objectClass=groupOfUniqueNames))";
user = "uid=authelia,ou=people,dc=escapeangle,dc=com";
};
access_control = {
default_policy = "deny";
rules = lib.mkAfter [
{
domain = "*.escapeangle.com";
policy = "one_factor";
}
];
};
storage.postgres = {
address = "db-01.tailnet.escapeangle.com";
database = "authelia";
username = "authelia";
password = "authelia"; # using peer auth
};
session = {
cookies = [
{
domain = "escapeangle.com";
authelia_url = "https://auth.escapeangle.com";
inactivity = "1M";
expiration = "3M";
remember_me = "1y";
}
];
};
notifier.smtp = {
address = "smtp://mail.escapeangle.com:587";
username = "authelia@escapeangle.com";
sender = "authelia@escapeangle.com";
};
log.level = "info";
identity_providers.oidc = {
cors = {
endpoints = [ "token" ];
allowed_origins_from_client_redirect_uris = true;
};
authorization_policies.default = {
default_policy = "one_factor";
rules = [
{
policy = "deny";
subject = "group:lldap_strict_readonly";
}
];
};
clients = [
{
client_id = "forgejo";
client_name = "Forgejo";
client_secret = "$pbkdf2-sha512$310000$C696AL9dgf0.yv6VF.jLvA$iNAWSUckoX/6y6yQcfo5FMjICl6D8iAeElIG5AZD5vC8Z8unBcLFR9LcqdMQgsYK3S9DNekQtJpNbbRzXrliDQ";
public = false;
authorization_policy = "two_factor";
require_pkce = true;
pkce_challenge_method = "S256";
redirect_uris = [ "https://git.escapeangle.com/user/oauth2/Authelia/callback" ];
scopes = [
"openid"
"email"
"profile"
];
response_types = [ "code" ];
grant_types = [ "authorization_code" ];
access_token_signed_response_alg = "none";
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
}
{
client_id = "headscale";
client_name = "Headscale";
client_secret = "$pbkdf2-sha512$310000$fvaPyF69vBFs3oG1h4Qa1w$ezdJFynGV6bSA8UzGNangyOcaST7a3.LZ6WkVYeI.Ag5znxPsjmm9U23BL7OBMQWAY75CsvftYJWK5eE8nxi9A";
public = false;
authorization_policy = "two_factor";
require_pkce = true;
redirect_uris = [ "https://headscale.escapeangle.com/oidc/callback" ];
scopes = [
"openid"
"email"
"profile"
"groups"
];
response_types = [ "code" ];
grant_types = [ "authorization_code" ];
access_token_signed_response_alg = "none";
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
}
{
client_id = "mealie";
client_name = "Mealie";
client_secret = "$pbkdf2-sha512$310000$Bi3.Z5ewisL.INFbSquvHQ$.Dicey0nFqoqGtmwoncmoNCARnK32twdVUcveWaO9OMKz5f8neIOEFTXSmIL7hf1erO20A08khv9W2I7aReZMw";
public = false;
authorization_policy = "two_factor";
require_pkce = true;
pkce_challenge_method = "S256";
redirect_uris = [ "https://recipes.escapeangle.com/login" ];
scopes = [
"openid"
"email"
"profile"
"groups"
];
response_types = [ "code" ];
grant_types = [ "authorization_code" ];
access_token_signed_response_alg = "none";
userinfo_signed_response_alg = "none";
token_endpoint_auth_method = "client_secret_basic";
}
];
};
};
secrets = with config.sops; {
jwtSecretFile = secrets."authelia/jwt_secret".path;
oidcIssuerPrivateKeyFile = secrets."authelia/jwks".path;
oidcHmacSecretFile = secrets."authelia/hmac_secret".path;
sessionSecretFile = secrets."authelia/session_secret".path;
storageEncryptionKeyFile = secrets."authelia/storage_encryption_key".path;
};
environmentVariables = with config.sops; {
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
secrets."authelia/lldap_authelia_password".path;
AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE = secrets."authelia/smtp_password".path;
};
};
};
services.nginx.virtualHosts."auth.escapeangle.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
proxyPass = "http://localhost:9091";
};
};
sops.secrets = {
"authelia/hmac_secret" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
"authelia/jwks" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
"authelia/jwt_secret" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
"authelia/session_secret" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
"authelia/storage_encryption_key" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
"authelia/lldap_authelia_password" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
"authelia/smtp_password" = {
owner = "authelia-escapeangle";
sopsFile = ../secrets.yaml;
};
};
}
Reference in a new issue View git blame Copy permalink