From 27b12ddb5b30f5b3a8e8b67f622f082d7811a278 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= Date: Fri, 19 Sep 2025 23:48:02 +0200 Subject: [PATCH 1/4] feat(authelia): configure CORS --- services/authelia.nix | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/services/authelia.nix b/services/authelia.nix index b707199..68d7c7e 100644 --- a/services/authelia.nix +++ b/services/authelia.nix @@ -162,6 +162,16 @@ in username = smtpAccount.user; sender = smtpAccount.from; }; + identity_providers.oidc.cors = { + endpoints = [ + "authorization" + "token" + "revocation" + "introspection" + "userinfo" + ]; + allowed_origins_from_client_redirect_uris = true; + }; identity_providers.oidc.clients = [ { id = "miniflux"; From 85f141d2262d470ce0f474d42a3146f183e16031 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= Date: Fri, 19 Sep 2025 23:48:43 +0200 Subject: [PATCH 2/4] docs(authelia): add hint for how to generate secret digest --- services/authelia.nix | 1 + 1 file changed, 1 insertion(+) diff --git a/services/authelia.nix b/services/authelia.nix index 68d7c7e..0800006 100644 --- a/services/authelia.nix +++ b/services/authelia.nix @@ -172,6 +172,7 @@ in ]; allowed_origins_from_client_redirect_uris = true; }; + # To generate new secret digests: `authelia crypto hash generate argon2` identity_providers.oidc.clients = [ { id = "miniflux"; From 2e8d29700af75d2d39e3359cd3fd8a040fc46f28 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= Date: Fri, 19 Sep 2025 23:49:48 +0200 Subject: [PATCH 3/4] feat(authelia): init --- services/authelia.nix | 63 ++++++++++++++++++++++++++++++++++++ services/opencloud.nix | 72 ++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 135 insertions(+) create mode 100644 services/opencloud.nix diff --git a/services/authelia.nix b/services/authelia.nix index 0800006..b08e782 100644 --- a/services/authelia.nix +++ b/services/authelia.nix 
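Review bot: `allowed_origins_from_client_redirect_uris = true` turns the CORS allow-list for the token, userinfo, introspection and revocation endpoints into an implicit function of every client's `redirect_uris`, so any client added later (including the `http://127.0.0.1` / `http://localhost` loopback URIs the desktop client in this series uses) silently widens it; Authelia's documentation says hostnames of `localhost` are skipped by this option, but that exclusion should be confirmed for `127.0.0.1` on the deployed version. Since only the browser-based OpenCloud web client appears to need cross-origin access, an explicit list is easier to audit: `allowed_origins = [ "https://cloud.felschr.com" ];` in place of the derived setting. Either way a comment on the option saying which client needs it would help, e.g. `# Needed by browser-based OIDC clients (OpenCloud web) that call token/userinfo from their own origin`. The enclosing `settings` set starts before this hunk.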
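Review bot: The new comment names the command but not where its output goes nor why that algorithm; since the digest lands in `client_secret` of each confidential client, I'd write `# Confidential clients store a digest in client_secret; generate one with: authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986`. As far as I recall, Authelia's OIDC integration docs recommend PBKDF2 over argon2 for client secrets because the hash is recomputed on every token request and argon2 is noticeably slower under load — confirm against the docs for the deployed version before changing the hint.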
@@ -197,6 +197,69 @@ in "profile" ]; } + { + id = "opencloud"; + description = "OpenCloud"; + public = true; + redirect_uris = [ + "https://cloud.felschr.com/" + "https://cloud.felschr.com/oidc-callback.html" + "https://cloud.felschr.com/oidc-silent-redirect.html" + ]; + scopes = [ + "openid" + "email" + "profile" + "groups" + "offline_access" + ]; + grant_types = [ + "refresh_token" + "authorization_code" + ]; + userinfo_signing_algorithm = "none"; + } + { + id = "OpenCloudAndroid"; + description = "OpenCloud Android"; + public = true; + redirect_uris = [ "oc://android.opencloud.eu" ]; + scopes = [ + "openid" + "email" + "profile" + "groups" + "offline_access" + ]; + grant_types = [ + "refresh_token" + "authorization_code" + ]; + response_modes = [ "form_post" ]; + userinfo_signed_response_alg = "none"; + } + { + id = "OpenCloudDesktop"; + description = "OpenCloud Desktop"; + public = true; + redirect_uris = [ + "http://127.0.0.1" + "http://localhost" + ]; + scopes = [ + "openid" + "email" + "profile" + "groups" + "offline_access" + ]; + grant_types = [ + "refresh_token" + "authorization_code" + ]; + response_modes = [ "form_post" ]; + userinfo_signed_response_alg = "none"; + } { id = "jellyfin"; description = "Jellyfin"; diff --git a/services/opencloud.nix b/services/opencloud.nix new file mode 100644 index 0000000..c1bfa74 --- /dev/null +++ b/services/opencloud.nix 
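Review bot: All three new clients are `public = true` with `refresh_token`/`offline_access`, yet none requires PKCE, so an intercepted authorization code — easiest to obtain for `OpenCloudDesktop`, whose `http://127.0.0.1` / `http://localhost` redirect URIs any local process can listen on — can be redeemed for a long-lived refresh token without any proof of possession. Add `require_pkce = true;` and `pkce_challenge_method = "S256";` to each of the three clients, provided the OpenCloud web, Android and desktop clients send a `code_challenge` (their OIDC libraries normally do, but verify before enforcing). A consistency nit: the `opencloud` client sets `userinfo_signing_algorithm` while the other two set `userinfo_signed_response_alg`; the former looks like the older, deprecated name, so settle on `userinfo_signed_response_alg = "none";` throughout. The `identity_providers.oidc.clients` list starts before this hunk and continues past it.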
@@ -0,0 +1,72 @@ +{ + inputs, + config, + pkgs, + ... +}: + +let + host = "cloud.felschr.com"; + + cfg = config.services.opencloud; +in +{ + imports = [ + "${inputs.nixpkgs-unstable}/nixos/modules/services/web-apps/opencloud.nix" + ]; + + # required when using unstable NixOS module + documentation.nixos.enable = false; + + services.opencloud = { + enable = true; + package = pkgs.unstable.opencloud; + webPackage = pkgs.unstable.opencloud.web; + idpWebPackage = pkgs.unstable.opencloud.idp-web; + url = "https://${host}"; + settings = { + api = { + graph_assign_default_user_role = true; + graph_username_match = "none"; + }; + proxy = { + auto_provision_accounts = true; + oidc.rewrite_well_known = true; + oidc.access_token_verify_method = "none"; + role_assignment = { + # driver = "oidc"; # HINT currently broken for Android & Desktop app + driver = "default"; + oidc_role_mapper.role_claim = "groups"; + }; + csp_config_file_location = "/etc/opencloud/csp.yaml"; + }; + csp = { + directives = { + connect-src = [ + "https://cloud.felschr.com/" + "https://auth.felschr.com/" + ]; + frame-src = [ + "https://cloud.felschr.com/" + "https://auth.felschr.com/" + ]; + }; + }; + web.web.config.oidc.client_id = "opencloud"; + web.web.config.oidc.scope = "openid profile email groups"; + }; + environment = { + OC_INSECURE = "false"; + PROXY_TLS = "false"; + PROXY_INSECURE_BACKENDS = "true"; + OC_EXCLUDE_RUN_SERVICES = "idp"; + OC_OIDC_ISSUER = "https://auth.felschr.com"; + }; + }; + + services.nginx.virtualHosts.${host} = { + enableACME = true; + forceSSL = true; + locations."/".proxyPass = "http://${cfg.address}:${toString cfg.port}"; + }; +} From 7b381ad7cb4344e513f76bc1bc905bf2f11d27b3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Felix=20Schr=C3=B6ter?= Date: Fri, 19 Sep 2025 23:51:16 +0200 Subject: [PATCH 4/4] feat(home-server): switch from Nextcloud to OpenCloud --- hosts/home-server/default.nix | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
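Review bot: `PROXY_INSECURE_BACKENDS = "true"` disables TLS certificate verification for every backend the proxy talks to, but with `PROXY_TLS = "false"` and everything apparently on one host it is not clear any backend uses TLS at all; if they are loopback HTTP the flag is a no-op and should be dropped, and if some backend is HTTPS it should get a trusted certificate rather than a blanket skip. `oidc.access_token_verify_method = "none"` also deserves a why-comment, because on its own it reads as disabling token validation: `# Authelia issues opaque (non-JWT) access tokens, so the proxy cannot verify them locally and relies on the userinfo endpoint instead — confirm for the deployed Authelia version`. Finally, `auto_provision_accounts = true` together with `graph_assign_default_user_role = true` means every identity Authelia authenticates for these clients gets a working account, so the effective access control is the Authelia client's `authorization_policy` (not set on the new clients, so Authelia's default applies); record that with `# Any Authelia user who passes the client authorization_policy is auto-created with the default role`.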
diff --git a/hosts/home-server/default.nix b/hosts/home-server/default.nix
index f127875..60b9285 100644
--- a/hosts/home-server/default.nix
+++ b/hosts/home-server/default.nix
@@ -43,7 +43,7 @@ in
 ../../services/matrix
 ../../services/miniflux.nix
 ../../services/paperless.nix
- ../../services/nextcloud.nix
+ ../../services/opencloud.nix
 ../../services/collabora-office.nix
 ../../services/calibre-web.nix
 ];