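# Authelia (single instance "main") protecting the services under stuce.ch.
# All key material is read from /var/lib/authelia-main at runtime and never
# enters the (world-readable) Nix store; the one exception is the hashed OIDC
# client secret, see the TODO in identity_providers below.
let host = "stuce.ch";
in {
  services.authelia.instances."main" = {
    enable = true;

    # Secret files consumed by the NixOS module; they live outside the store.
    secrets = {
      oidcHmacSecretFile = "/var/lib/authelia-main/hmac";
      oidcIssuerPrivateKeyFile = "/var/lib/authelia-main/rsa.2048.key";
      jwtSecretFile = "/var/lib/authelia-main/jwtSecret";
      storageEncryptionKeyFile =
        "/var/lib/authelia-main/storageEncryptionKeyFile";
    };

    # Passwords without a dedicated `secrets` option are handed over through
    # Authelia's *_FILE environment variables, again pointing outside the store.
    environmentVariables = {
      AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE =
        "/var/lib/authelia-main/ldap_password";
      AUTHELIA_NOTIFIER_SMTP_PASSWORD_FILE =
        "/var/lib/authelia-main/smtp_password";
    };

    settings = {
      authentication_backend = {
        password_reset = { disable = false; };
        refresh_interval = "1m";
        ldap = {
          implementation = "lldap";
          # Plain ldap:// (no TLS). Acceptable only because the directory is
          # reached over loopback; use ldaps:// if it ever moves off-host.
          address = "ldap://localhost:3890";
          base_dn = "dc=stuce,dc=ch";
          user = "uid=bind_user,ou=people,dc=stuce,dc=ch";
          additional_users_dn = "ou=people";
        };
      };

      storage = { local = { path = "/var/lib/authelia-main/db.sqlite3"; }; };

      # One session cookie scoped to the apex domain, shared by every
      # *.stuce.ch application that sits behind Authelia.
      session = {
        cookies = [{
          domain = "${host}";
          authelia_url = "https://auth.${host}";
          default_redirection_url = "https://${host}";
        }];
      };

      notifier = {
        # disable_startup_check = false;
        # filesystem = { filename = "/var/lib/authelia-main/notification.txt"; };
        smtp = {
          # submissions:// on 465 = implicit TLS, so the SMTP password is never
          # sent in clear.
          address = "submissions://mail.infomaniak.com:465";
          username = "no-reply@stuce.ch";
          sender = "no-reply@stuce.ch";
        };
      };

      identity_providers = {
        oidc = {
          # Left empty on purpose: the issuer signing key is expected to come
          # from secrets.oidcIssuerPrivateKeyFile above (confirm against the
          # NixOS module version in use).
          jwks = { };
          clients = [{
            # The client id is public; it is not a credential.
            client_id =
              "uZzbagYr2RZqyVFsOZ23XJktE9tjllwuMnxiicfT5Ykcx6pX9JZDXlYahdg.DRq5guobvv0k";
            client_name = "Forgejo";
            # TODO: find a way to remove this secret from here
            # Only the pbkdf2-sha512 digest is stored, not the plaintext, but
            # the digest still lands world-readable in the Nix store and allows
            # offline guessing of a weak secret. Keeping this client block in a
            # file outside the store (the module's `settingsFiles` option is
            # meant for that — verify it exists on the pinned nixpkgs) would
            # close the gap.
            client_secret =
              "$pbkdf2-sha512$310000$xmkdkyjsCmFEi2U.exnetg$UYnG78UZhBY/6Fb8ztGsKdJDtJdIRUrki4bngIPnsOfKxddzQovCDZ8AWETFim0Nar5AhbecJJTEM1kf2lG3WQ";
            public = false;
            authorization_policy = "two_factor";
            # PKCE is mandatory for this client and S256 is the only configured
            # challenge method.
            require_pkce = true;
            pkce_challenge_method = "S256";
            redirect_uris =
              [ "https://git.stuce.ch/user/oauth2/authelia/callback" ];
            scopes = [ "openid" "email" "profile" ];
            response_types = [ "code" ];
            grant_types = [ "authorization_code" ];
            # "none" keeps the access-token and userinfo responses unsigned;
            # Forgejo's expectations must agree with whatever is set here.
            access_token_signed_response_alg = "none";
            userinfo_signed_response_alg = "none";
            token_endpoint_auth_method = "client_secret_basic";
          }];
        };
      };

      # Rules are evaluated top to bottom and the first match wins; a request
      # matching no rule falls through to `deny`.
      access_control = {
        default_policy = "deny";
        rules = [
          {
            # Host names are kept lowercase (was "todo.Stuce.ch") so the rule
            # cannot silently fail to match depending on how Authelia compares
            # the request host; a miss would only fall through to `deny`, but
            # that is still an outage for group:maison.
            domain = "todo.stuce.ch";
            policy = "one_factor";
            # resources = ["^/.*"];
            subject = [ "group:maison" ];
          }
          # armee.stuce.ch is split by path prefix across three rules; each
          # `resources` entry is a regex on the request path.
          {
            domain = "armee.stuce.ch";
            policy = "one_factor";
            resources = [ "^/todo.*" ];
            subject = [ "user:sgt" ];
          }
          {
            domain = "vault.stuce.ch";
            policy = "two_factor";
            resources = [ "^/admin.*" ];
            subject = [ "user:stuce" ];
          }
          {
            domain = "ldap.stuce.ch";
            policy = "two_factor";
            subject = [ "user:stuce" ];
          }
          {
            domain = "armee.stuce.ch";
            policy = "one_factor";
            resources = [ "^/notes.*" ];
            subject = [ "group:ada" "group:cader" ];
          }
          {
            domain = "armee.stuce.ch";
            policy = "one_factor";
            resources = [ "^/plans.*" ];
            subject = [ "user:lt" ];
          }
        ];
      };
    };
  };
}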