first commit

Stuce 2025-11-13 16:01:47 +01:00
commit e46461326d
10 changed files with 632 additions and 0 deletions

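--- /dev/null
+++ b/authelia.nix
@@ -0,0 +1,118 @@
+let host = "stuce.ch";
+in {
+services.authelia.instances."main" = {
+enable = true;
+secrets = {
+oidcHmacSecretFile = "/var/lib/authelia-main/hmac";
+oidcIssuerPrivateKeyFile = "/var/lib/authelia-main/rsa.2048.key";
+jwtSecretFile = "/var/lib/authelia-main/jwtSecret";
+storageEncryptionKeyFile =
+"/var/lib/authelia-main/storageEncryptionKeyFile";
+};
+environmentVariables = {
+AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
+"/var/lib/authelia-main/ldap_password";
+AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE =
+"/var/lib/authelia-main/smtp_password";
+};
+settings = {
+authentication_backend = {
+password_reset = { disable = false; };
+refresh_interval = "1m";
+ldap = {
+implementation = "lldap";
+address = "ldap://localhost:3890";
+base_dn = "dc=stuce,dc=ch";
+user = "uid=bind_user,ou=people,dc=stuce,dc=ch";
+additional_users_dn = "ou=people";
+};
+};
+storage = { local = { path = "/var/lib/authelia-main/db.sqlite3"; }; };
+session = {
+cookies = [{
+domain = "${host}";
+authelia_url = "https://auth.${host}";
+default_redirection_url = "https://${host}";
+}];
+};
+notifier = {
+# disable_startup_check = false;
+# filesystem = { filename = "/var/lib/authelia-main/notification.txt"; };
+smtp = {
+address = "submissions://mail.infomaniak.com:465";
+username = "no-reply@stuce.ch";
+sender = "no-reply@stuce.ch";
+};
+};
+identity_providers = {
+oidc = {
+jwks = { };
+clients = [{
+client_id =
+"uZzbagYr2RZqyVFsOZ23XJktE9tjllwuMnxiicfT5Ykcx6pX9JZDXlYahdg.DRq5guobvv0k";
+client_name = "Forgejo";
+# TODO: find a way to remove this secret from here
+client_secret =
+"$pbkdf2-sha512$310000$xmkdkyjsCmFEi2U.exnetg$UYnG78UZhBY/6Fb8ztGsKdJDtJdIRUrki4bngIPnsOfKxddzQovCDZ8AWETFim0Nar5AhbecJJTEM1kf2lG3WQ";
+public = false;
+authorization_policy = "two_factor";
+require_pkce = true;
+pkce_challenge_method = "S256";
+redirect_uris =
+[ "https://git.stuce.ch/user/oauth2/authelia/callback" ];
+scopes = [ "openid" "email" "profile" ];
+response_types = [ "code" ];
+grant_types = [ "authorization_code" ];
+access_token_signed_response_alg = "none";
+userinfo_signed_response_alg = "none";
+token_endpoint_auth_method = "client_secret_basic";
+}];
+};
+};
+access_control = {
+default_policy = "deny";
+rules = [
+{
+domain = "todo.Stuce.ch";
+policy = "one_factor";
+# resources = ["^/.*"];
+subject = [ "group:maison" ];
+}
+{
+domain = "armee.stuce.ch";
+policy = "one_factor";
+resources = [ "^/todo.*" ];
+subject = [ "user:sgt" ];
+}
+{
+domain = "vault.stuce.ch";
+policy = "two_factor";
+resources = [ "^/admin.*" ];
+subject = [ "user:stuce" ];
+}
+{
+domain = "ldap.stuce.ch";
+policy = "two_factor";
+subject = [ "user:stuce" ];
+}
+{
+domain = "armee.stuce.ch";
+policy = "one_factor";
+resources = [ "^/notes.*" ];
+subject = [ "group:ada" "group:cader" ];
+}
+{
+domain = "armee.stuce.ch";
+policy = "one_factor";
+resources = [ "^/plans.*" ];
+subject = [ "user:lt" ];
+}
+];
+};
+};
+};
+}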
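Review bot: The Forgejo `client_secret` digest in the `clients` entry is committed with the configuration, which the TODO above it already acknowledges; a PBKDF2 digest is not the secret itself, but once it is in version control it can be attacked offline and cannot be rotated without another commit, so it belongs next to the other secrets under `/var/lib/authelia-main/`. Authelia's `template` config filter (enabled with `X_AUTHELIA_CONFIG_FILTERS=template` in `environmentVariables`) allows the value to be read from a file, e.g. `client_secret = "{{ secret \"/var/lib/authelia-main/<forgejo-client-secret-file>\" }}";` — I have not verified that the NixOS module passes the filter through to the generated settings file, so confirm that before relying on it. Separately, the first access-control rule uses `domain = "todo.Stuce.ch"` while every other rule and the `host` binding are lowercase; unless case-insensitive domain matching is relied on deliberately, `domain = "todo.stuce.ch";` avoids a rule that may silently never match. The `host` let-binding is also only used for the session cookie, while `base_dn`, the LDAP bind DN, the SMTP addresses, the redirect URI and the rule domains repeat the literal `stuce.ch`, so changing `host` alone would leave them out of sync.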