diff --git a/services/authelia.nix b/services/authelia.nix
index 0800006..7310c71 100644
--- a/services/authelia.nix
+++ b/services/authelia.nix
@@ -197,6 +197,69 @@ in
 "profile"
 ];
 }
+ {
+ id = "opencloud";
+ description = "OpenCloud";
+ public = true;
+ redirect_uris = [
+ "https://cloud.felschr.com/"
+ "https://cloud.felschr.com/oidc-callback.html"
+ "https://cloud.felschr.com/oidc-silent-redirect.html"
+ ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ "groups"
+ "offline_access"
+ ];
+ grant_types = [
+ "refresh_token"
+ "authorization_code"
+ ];
+ userinfo_signed_response_alg = "none";
+ }
+ {
+ id = "OpenCloudAndroid";
+ description = "OpenCloud Android";
+ public = true;
+ redirect_uris = [ "oc://android.opencloud.eu" ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ "groups"
+ "offline_access"
+ ];
+ grant_types = [
+ "refresh_token"
+ "authorization_code"
+ ];
+ response_modes = [ "form_post" ];
+ userinfo_signed_response_alg = "none";
+ }
+ {
+ id = "OpenCloudDesktop";
+ description = "OpenCloud Desktop";
+ public = true;
+ redirect_uris = [
+ "http://127.0.0.1"
+ "http://localhost"
+ ];
+ scopes = [
+ "openid"
+ "email"
+ "profile"
+ "groups"
+ "offline_access"
+ ];
+ grant_types = [
+ "refresh_token"
+ "authorization_code"
+ ];
+ response_modes = [ "form_post" ];
+ userinfo_signed_response_alg = "none";
+ }
 {
 id = "jellyfin";
 description = "Jellyfin";
diff --git a/services/opencloud.nix b/services/opencloud.nix
new file mode 100644
index 0000000..c1bfa74
--- /dev/null
+++ b/services/opencloud.nix
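Review bot: All three new clients are `public = true` with the `authorization_code` grant, yet none of them sets `require_pkce = true;` / `pkce_challenge_method = "S256";`, so an intercepted authorization code is protected only by the redirect URI match; add both lines to each block next to `public = true;`. Whether Authelia matches the `OpenCloudDesktop` loopback URIs `http://127.0.0.1` and `http://localhost` while ignoring the ephemeral port the desktop app binds (RFC 8252 §7.3) depends on the Authelia version in use, so a comment above that `redirect_uris` stating that the port is expected to vary would help the next reader. The identical `scopes` and `grant_types` lists are repeated verbatim in all three blocks and could be lifted into one let-binding in the surrounding file so they cannot drift. The `clients` list this hunk extends begins before the hunk.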
@@ -0,0 +1,72 @@
+{
+ inputs,
+ config,
+ pkgs,
+ ...
+}:
+
+let
+ host = "cloud.felschr.com";
+
+ cfg = config.services.opencloud;
+in
+{
+ imports = [
+ "${inputs.nixpkgs-unstable}/nixos/modules/services/web-apps/opencloud.nix"
+ ];
+
+ # required when using unstable NixOS module
+ documentation.nixos.enable = false;
+
+ services.opencloud = {
+ enable = true;
+ package = pkgs.unstable.opencloud;
+ webPackage = pkgs.unstable.opencloud.web;
+ idpWebPackage = pkgs.unstable.opencloud.idp-web;
+ url = "https://${host}";
+ settings = {
+ api = {
+ graph_assign_default_user_role = true;
+ graph_username_match = "none";
+ };
+ proxy = {
+ auto_provision_accounts = true;
+ oidc.rewrite_well_known = true;
+ oidc.access_token_verify_method = "none";
+ role_assignment = {
+ # driver = "oidc"; # HINT currently broken for Android & Desktop app
+ driver = "default";
+ oidc_role_mapper.role_claim = "groups";
+ };
+ csp_config_file_location = "/etc/opencloud/csp.yaml";
+ };
+ csp = {
+ directives = {
+ connect-src = [
+ "https://cloud.felschr.com/"
+ "https://auth.felschr.com/"
+ ];
+ frame-src = [
+ "https://cloud.felschr.com/"
+ "https://auth.felschr.com/"
+ ];
+ };
+ };
+ web.web.config.oidc.client_id = "opencloud";
+ web.web.config.oidc.scope = "openid profile email groups";
+ };
+ environment = {
+ OC_INSECURE = "false";
+ PROXY_TLS = "false";
+ PROXY_INSECURE_BACKENDS = "true";
+ OC_EXCLUDE_RUN_SERVICES = "idp";
+ OC_OIDC_ISSUER = "https://auth.felschr.com";
+ };
+ };
+
+ services.nginx.virtualHosts.${host} = {
+ enableACME = true;
+ forceSSL = true;
+ locations."/".proxyPass = "http://${cfg.address}:${toString cfg.port}";
+ };
+}
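Review bot: The CSP `connect-src`/`frame-src` entries and `OC_OIDC_ISSUER` repeat the `https://cloud.felschr.com/` and `https://auth.felschr.com` literals instead of deriving them from `host`, so changing `host` updates `url` and the nginx vhost but silently leaves the CSP pointing at the old origin; use `"https://${host}/"` there and bind the issuer URL once in the `let` block. The two settings that relax verification, `oidc.access_token_verify_method = "none";` and `PROXY_INSECURE_BACKENDS = "true";`, deserve why-comments such as `# Authelia access tokens are opaque; the proxy validates them via the userinfo endpoint` and `# backends are reached over the loopback only; TLS is terminated by nginx`, if that is the reason, since as written they read like leftovers from debugging. With `auto_provision_accounts = true` every identity Authelia admits to the `opencloud` client gets an account created, so who may use the service is decided entirely by that client's `authorization_policy` in authelia.nix, which this commit does not set; a one-line comment above `auto_provision_accounts` saying so would make the trust boundary explicit. The `proxyPass` target relies on the `cfg.address`/`cfg.port` defaults of the unstable module, which are not visible here.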