felschr/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

feat(authelia): init

Browse source
This commit is contained in:
Felix Schröter 2025-09-19 23:49:48 +02:00
parent 85f141d226
commit b2a77bbca1
Signed by: felschr
GPG key ID: 671E39E6744C807D
2 changed files with 135 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

63
services/authelia.nix
View file

@ -197,6 +197,69 @@ in
"profile"
];
}
{
id = "opencloud";
description = "OpenCloud";
public = true;
redirect_uris = [
"https://cloud.felschr.com/"
"https://cloud.felschr.com/oidc-callback.html"
"https://cloud.felschr.com/oidc-silent-redirect.html"
];
scopes = [
"openid"
"email"
"profile"
"groups"
"offline_access"
];
grant_types = [
"refresh_token"
"authorization_code"
];
userinfo_signed_response_alg = "none";
}
{
id = "OpenCloudAndroid";
description = "OpenCloud Android";
public = true;
redirect_uris = [ "oc://android.opencloud.eu" ];
scopes = [
"openid"
"email"
"profile"
"groups"
"offline_access"
];
grant_types = [
"refresh_token"
"authorization_code"
];
response_modes = [ "form_post" ];
userinfo_signed_response_alg = "none";
}
{
id = "OpenCloudDesktop";
description = "OpenCloud Desktop";
public = true;
redirect_uris = [
"http://127.0.0.1"
"http://localhost"
];
scopes = [
"openid"
"email"
"profile"
"groups"
"offline_access"
];
grant_types = [
"refresh_token"
"authorization_code"
];
response_modes = [ "form_post" ];
userinfo_signed_response_alg = "none";
}
{
id = "jellyfin";
description = "Jellyfin";

72
services/opencloud.nix Normal file
View file

@ -0,0 +1,72 @@
{
inputs,
config,
pkgs,
...
}:
let
host = "cloud.felschr.com";
cfg = config.services.opencloud;
in
{
imports = [
"${inputs.nixpkgs-unstable}/nixos/modules/services/web-apps/opencloud.nix"
];
# required when using unstable NixOS module
documentation.nixos.enable = false;
services.opencloud = {
enable = true;
package = pkgs.unstable.opencloud;
webPackage = pkgs.unstable.opencloud.web;
idpWebPackage = pkgs.unstable.opencloud.idp-web;
url = "https://${host}";
settings = {
api = {
graph_assign_default_user_role = true;
graph_username_match = "none";
};
proxy = {
auto_provision_accounts = true;
oidc.rewrite_well_known = true;
oidc.access_token_verify_method = "none";
role_assignment = {
# driver = "oidc"; # HINT currently broken for Android & Desktop app
driver = "default";
oidc_role_mapper.role_claim = "groups";
};
csp_config_file_location = "/etc/opencloud/csp.yaml";
};
csp = {
directives = {
connect-src = [
"https://cloud.felschr.com/"
"https://auth.felschr.com/"
];
frame-src = [
"https://cloud.felschr.com/"
"https://auth.felschr.com/"
];
};
};
web.web.config.oidc.client_id = "opencloud";
web.web.config.oidc.scope = "openid profile email groups";
};
environment = {
OC_INSECURE = "false";
PROXY_TLS = "false";
PROXY_INSECURE_BACKENDS = "true";
OC_EXCLUDE_RUN_SERVICES = "idp";
OC_OIDC_ISSUER = "https://auth.felschr.com";
};
};
services.nginx.virtualHosts.${host} = {
enableACME = true;
forceSSL = true;
locations."/".proxyPass = "http://${cfg.address}:${toString cfg.port}";
};
}