fix(authelia): set up tailscale OIDC

Felix Schröter 2023-12-27 04:31:40 +01:00
parent 0304b2348a
commit 0b267a5a51
Signed by: felschr
GPG key ID: 671E39E6744C807D


@ -1,4 +1,4 @@
{ config, ... }: { config, pkgs, lib, ... }:
let let
domain = "auth.felschr.com"; domain = "auth.felschr.com";
@ -7,6 +7,19 @@ let
ldapPort = config.services.lldap.settings.ldap_port; ldapPort = config.services.lldap.settings.ldap_port;
redis = config.services.redis.servers.authelia; redis = config.services.redis.servers.authelia;
cfg = config.services.authelia.instances.main; cfg = config.services.authelia.instances.main;
mkWebfinger = v:
pkgs.writeTextDir (lib.escapeURL v.subject) (lib.generators.toJSON { } v);
webfingerRoot = pkgs.symlinkJoin {
name = "felschr.com-webfinger";
paths = builtins.map mkWebfinger [{
subject = "acct:me@felschr.com";
links = [{
rel = "http://openid.net/specs/connect/1.0/issuer";
href = "https://auth.felschr.com";
}];
}];
};
in { in {
age.secrets.authelia-jwt = { age.secrets.authelia-jwt = {
file = ../secrets/authelia/jwt.age; file = ../secrets/authelia/jwt.age;
@ -108,14 +121,25 @@ in {
# host = "smtp.web.de"; # host = "smtp.web.de";
# port = 587; # port = 587;
# }; # };
identity_providers.oidc.clients = [{ identity_providers.oidc.clients = [
id = "miniflux"; {
secret = id = "miniflux";
"$pbkdf2-sha512$310000$1iBgcyIDTDzELv49KWtcHQ$WaRknbgeOHPWIc1BdQsUJaftwISJlY5S1Nyw6Z5omPvnZINhPyn7WVMgogVv1Dekmici7Oz7opb8S7uQAc8hzw"; secret =
redirect_uris = [ "https://news.felschr.com/oauth2/oidc/callback" ]; "$pbkdf2-sha512$310000$1iBgcyIDTDzELv49KWtcHQ$WaRknbgeOHPWIc1BdQsUJaftwISJlY5S1Nyw6Z5omPvnZINhPyn7WVMgogVv1Dekmici7Oz7opb8S7uQAc8hzw";
authorization_policy = "one_factor"; redirect_uris = [ "https://news.felschr.com/oauth2/oidc/callback" ];
scopes = [ "openid" "email" "profile" ]; authorization_policy = "one_factor";
}]; scopes = [ "openid" "email" "profile" ];
}
{
id = "tailscale";
# The digest of "insecure_secret"
secret =
"$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng";
redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];
authorization_policy = "one_factor";
scopes = [ "openid" "email" "profile" ];
}
];
}; };
}; };
@ -143,5 +167,22 @@ in {
locations."/".proxyPass = "http://[::1]:${toString port}"; locations."/".proxyPass = "http://[::1]:${toString port}";
}; };
services.nginx.virtualHosts."felschr.com" = {
enableACME = true;
forceSSL = true;
locations."/.well-known/webfinger" = {
root = webfingerRoot;
extraConfig = ''
add_header Access-Control-Allow-Origin "*";
default_type "application/jrd+json";
types { application/jrd+json json; }
if ($arg_resource) {
rewrite ^(.*)$ /$arg_resource break;
}
return 400;
'';
};
};
users.users.${cfg.user}.extraGroups = [ "smtp" "ldap" ]; users.users.${cfg.user}.extraGroups = [ "smtp" "ldap" ];
} }
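Review bot: The `tailscale` client added in the third hunk ships a client secret whose plaintext is given away by the comment `# The digest of "insecure_secret"`, so the pbkdf2 digest below it provides no client authentication: the value is public to every reader of this repository and is a dictionary phrase besides. Tailscale only needs to be given the secret once, so generate a random one (`authelia crypto hash generate pbkdf2 --random` prints both the secret and its digest), enter the secret on the Tailscale side, and commit only the digest, as the existing `miniflux` entry does. Replace the two lines with `# digest of a randomly generated client secret; the plaintext is held only by Tailscale` and `secret = "<PBKDF2_DIGEST_PLACEHOLDER>";`. Separately, the webfinger `rewrite ^(.*)$ /$arg_resource break;` in the last hunk looks up the file by the raw query value, which presumably only matches the `lib.escapeURL`-named file when the client percent-encodes `resource`; worth confirming against a real Tailscale lookup before relying on it.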