feat(authelia): init

services/opencloud.nix

@@ -0,0 +1,72 @@
+{
+  inputs,
+  config,
+  pkgs,
+  ...
+}:
+
+let
+  host = "cloud.felschr.com";
+
+  cfg = config.services.opencloud;
+in
+{
+  imports = [
+    "${inputs.nixpkgs-unstable}/nixos/modules/services/web-apps/opencloud.nix"
+  ];
+
+  # required when using unstable NixOS module
+  documentation.nixos.enable = false;
+
+  services.opencloud = {
+    enable = true;
+    package = pkgs.unstable.opencloud;
+    webPackage = pkgs.unstable.opencloud.web;
+    idpWebPackage = pkgs.unstable.opencloud.idp-web;
+    url = "https://${host}";
+    settings = {
+      api = {
+        graph_assign_default_user_role = true;
+        graph_username_match = "none";
+      };
+      proxy = {
+        auto_provision_accounts = true;
+        oidc.rewrite_well_known = true;
+        oidc.access_token_verify_method = "none";
+        role_assignment = {
+          # driver = "oidc"; # HINT currently broken for Android & Desktop app
+          driver = "default";
+          oidc_role_mapper.role_claim = "groups";
+        };
+        csp_config_file_location = "/etc/opencloud/csp.yaml";
+      };
+      csp = {
+        directives = {
+          connect-src = [
+            "https://cloud.felschr.com/"
+            "https://auth.felschr.com/"
+          ];
+          frame-src = [
+            "https://cloud.felschr.com/"
+            "https://auth.felschr.com/"
+          ];
+        };
+      };
+      web.web.config.oidc.client_id = "opencloud";
+      web.web.config.oidc.scope = "openid profile email groups";
+    };
+    environment = {
+      OC_INSECURE = "false";
+      PROXY_TLS = "false";
+      PROXY_INSECURE_BACKENDS = "true";
+      OC_EXCLUDE_RUN_SERVICES = "idp";
+      OC_OIDC_ISSUER = "https://auth.felschr.com";
+    };
+  };
+
+  services.nginx.virtualHosts.${host} = {
+    enableACME = true;
+    forceSSL = true;
+    locations."/".proxyPass = "http://${cfg.address}:${toString cfg.port}";
+  };
+}