Commit 9480ba6
Changed files (5)
hosts/chaser-pardofelis/authelia.nix
@@ -22,44 +22,67 @@
};
};
identity_validation.reset_password.jwt_algorithm = "HS512";
- identity_providers.oidc.cors = {
- endpoints = ["authorization" "token" "revocation" "introspection"];
- allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
+ identity_providers.oidc = {
+ cors = {
+ endpoints = ["authorization" "token" "revocation" "introspection"];
+ allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
+ };
+ clients = [
+ {
+ # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
+ client_id = "forgejo";
+ client_name = "Forgejo";
+ client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-forgejo".path}" }}'';
+ public = false;
+ authorization_policy = "two_factor";
+ require_pkce = true;
+ pkce_challenge_method = "S256";
+ redirect_uris = [
+ "https://repo.hpcesia.com/user/oauth2/Authelia/callback"
+ ];
+ scopes = ["openid" "email" "profile" "groups"];
+ response_types = ["code"];
+ grant_types = ["authorization_code"];
+ access_token_signed_response_alg = "none";
+ userinfo_signed_response_alg = "none";
+ token_endpoint_auth_method = "client_secret_basic";
+ }
+ {
+ # Refer: https://gokapi.readthedocs.io/en/latest/examples.html#oidcconfig-authelia
+ client_id = "gokapi";
+ client_name = "Tribios";
+ client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gokapi".path}" }}'';
+ public = false;
+ authorization_policy = "one_factor";
+ redirect_uris = [
+ "https://send.hpcesia.com/oauth-callback"
+ ];
+ scopes = ["openid" "email" "profile" "groups"];
+ userinfo_signed_response_alg = "none";
+ }
+ {
+ # Refer: https://www.authelia.com/integration/openid-connect/clients/go-to-social
+ client_id = "gts-trinnon";
+ claims_policy = "gotosocial";
+ client_name = "Trinnon (GoToSocial)";
+ client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gts-trinnon".path}" }}'';
+ public = false;
+ authorization_policy = "two_factor";
+ require_pkce = false;
+ pkce_challenge_method = "";
+ redirect_uris = [
+ "https://trin.one/auth/callback"
+ ];
+ scopes = ["openid" "email" "profile" "groups"];
+ response_types = ["code"];
+ grant_types = ["authorization_code"];
+ access_token_signed_response_alg = "none";
+ userinfo_signed_response_alg = "none";
+ token_endpoint_auth_method = "client_secret_basic";
+ }
+ ];
+ claims_policies.gotosocial.id_token = ["preferred_username"];
};
- identity_providers.oidc.clients = [
- {
- # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
- client_id = "forgejo";
- client_name = "Forgejo";
- client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-forgejo".path}" }}'';
- public = false;
- authorization_policy = "two_factor";
- require_pkce = true;
- pkce_challenge_method = "S256";
- redirect_uris = [
- "https://repo.hpcesia.com/user/oauth2/Authelia/callback"
- ];
- scopes = ["openid" "email" "profile" "groups"];
- response_types = ["code"];
- grant_types = ["authorization_code"];
- access_token_signed_response_alg = "none";
- userinfo_signed_response_alg = "none";
- token_endpoint_auth_method = "client_secret_basic";
- }
- {
- # Refer: https://gokapi.readthedocs.io/en/latest/examples.html#oidcconfig-authelia
- client_id = "gokapi";
- client_name = "Tribios";
- client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gokapi".path}" }}'';
- public = false;
- authorization_policy = "one_factor";
- redirect_uris = [
- "https://send.hpcesia.com/oauth-callback"
- ];
- scopes = ["openid" "email" "profile" "groups"];
- userinfo_signed_response_alg = "none";
- }
- ];
authentication_backend.file = {
path = "/var/lib/authelia-main/users_database.yaml";
password.algorithm = "argon2";
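Review bot: The new `gts-trinnon` client disables PKCE (`require_pkce = false; pkce_challenge_method = "";`) while the `forgejo` client in the same list enforces `S256`, so the trin.one authorization-code flow loses the code-interception defence the rest of this file has adopted. This matches the linked Authelia GoToSocial example and the client is still confidential (`client_secret_basic` at the token endpoint), so it is a deliberate weakening rather than a misconfiguration, but it deserves a comment on those two lines such as `# PKCE off: GoToSocial's OIDC client does not send code_challenge (per upstream example); re-enable S256 once it does`. If the GoToSocial release in use does support PKCE, prefer `require_pkce = true; pkce_challenge_method = "S256";` as for Forgejo. The `gokapi` client, moved but not changed here, has no `require_pkce` at all, which would be the next one to align.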
@@ -72,13 +95,19 @@
};
session.cookies = [
{
- name = "authelia_session";
domain = "hpcesia.com";
authelia_url = "https://authelia.hpcesia.com";
expiration = "1 hour";
inactivity = "5 minutes";
remember_me = "2 week";
}
+ {
+ domain = "trin.one";
+ authelia_url = "https://auth.trin.one";
+ expiration = "1 hour";
+ inactivity = "5 minutes";
+ remember_me = "4 week";
+ }
];
access_control = {
default_policy = "deny";
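Review bot: The new `trin.one` cookie keeps a remembered session for `"4 week"` whereas the `hpcesia.com` cookie beside it uses `"2 week"`, so a stolen or leftover remember-me cookie is valid twice as long on the domain whose OIDC client was just configured as `two_factor`. If the longer window is intentional, a comment on the line (`# longer remember_me for trin.one: …`) would stop it being "fixed" later; otherwise `remember_me = "2 week";` keeps both domains on the same policy. Dropping `name = "authelia_session"` from the first cookie appears harmless since both cookies fall back to the same default name but are scoped to different domains. The `access_control` block opened at the end of this hunk continues outside it.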
@@ -88,10 +117,19 @@
policy = "bypass";
resources = ["^/api$" "^/api/"];
}
+ {
+ domain = "*.trin.one";
+ policy = "bypass";
+ resources = ["^/api$" "^/api/"];
+ }
{
domain = "*.hpcesia.com";
policy = "one_factor";
}
+ {
+ domain = "*.trin.one";
+ policy = "one_factor";
+ }
];
};
regulation = {
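Review bot: The added `bypass` rule for `^/api$`/`^/api/` applies to every `*.trin.one` subdomain, so any future service put under that wildcard and behind Authelia's forward-auth has its whole `/api` tree unauthenticated by default; it copies the existing `*.hpcesia.com` rule, which has the same breadth. If the bypass exists for one specific host, naming it is cheaper than the wildcard, e.g. `domain = "<host>.trin.one";` in place of `domain = "*.trin.one";` on the bypass rule only, leaving the `one_factor` catch-all as is. Note also that Authelia's `*.trin.one` does not match the apex `trin.one` itself, so these rules do not cover the GoToSocial site at `https://trin.one` — fine if it is reached only through OIDC, which the first hunk suggests, but worth a one-line comment stating that assumption. The `rules` list these entries belong to begins before this hunk.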
hosts/chaser-pardofelis/caddy.nix
@@ -40,6 +40,8 @@
encode zstd gzip
reverse_proxy ${localAddress.atuin}
'';
+
+ "auth.trin.one".extraConfig = config.services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig;
"authelia.hpcesia.com".extraConfig = ''
encode zstd gzip
reverse_proxy ${localAddress.authelia}
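Review bot: `"auth.trin.one".extraConfig` is defined by reading back `config.services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig`, which ties one virtual host's definition to module-system evaluation of a sibling rather than to a value in this file; it works today but is fragile if the hpcesia.com host is later moved or split. A plain binding is clearer and evaluation-order-free: hoist the body into the file's existing `let` (outside this hunk) as `autheliaVhost = ''…'';` and write `"auth.trin.one".extraConfig = autheliaVhost;` and `"authelia.hpcesia.com".extraConfig = autheliaVhost;`. Either way a comment explaining that both names serve the same Authelia portal (one per session cookie domain) would help the next reader. The surrounding `virtualHosts` attribute set opens and closes outside this hunk.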
secrets/hosts/pardofelis/default.nix
@@ -78,6 +78,10 @@ in
name = "gotosocial-s3-secret-key";
value = {key = "services/gotosocial/s3SecretKey";} // secretFileConf;
}
+ {
+ name = "gotosocial-oidc-secret";
+ value = {key = "services/gotosocial/oidcSecret";} // secretFileConf;
+ }
# === Authelia === #
{
name = "authelia-main-oidc-hmac-secret";
@@ -128,6 +132,13 @@ in
// autheliaMainConf
// secretFileConf;
}
+ {
+ name = "authelia-main-client-secrets-gts-trinnon";
+ value =
+ {key = "services/authelia/main/clientSecrets/gts-trinnon";}
+ // autheliaMainConf
+ // secretFileConf;
+ }
# === Artalk === #
{
name = "artalk-akismet-key";
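Review bot: `authelia-main-client-secrets-gts-trinnon` is the second copy of the GoToSocial client secret declared in this file (the first, `gotosocial-oidc-secret`, is added earlier in the same commit), and Authelia expects its copy to be a hashed digest while GoToSocial needs the plaintext. The encrypted values cannot be checked from the diff, so confirm the two secrets are not the same plaintext; if the Authelia file holds the usable credential, anyone who can read it can mint tokens as the client. A one-line comment next to this entry, `# hashed digest of services/gotosocial/oidcSecret (never the plaintext)`, would record that invariant for future rotations.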
secrets/hosts/pardofelis/secrets.yaml
@@ -11,6 +11,7 @@ services:
s3Endpoint: ENC[AES256_GCM,data:zUe0nDSW1T9i3YOq2Cao87nM4I05yquKMLsD7gMKYJ/M8bj9usBiFr3aAOW5mEiATzSy4VtupTDT,iv:UluVNVCcF1LUWYJWlCVS4y197TSuD34MNuUC7Mr+Tjg=,tag:AyLcTDPZoleKSMDX39ApBg==,type:str]
s3AccessKey: ENC[AES256_GCM,data:2hOwCwYROPZ/ZBs+QHjuaHZR8DZdBoz96Dh0g6ohFpg=,iv:6FGLKG+Y9/8tFqLsC+h7oBbT2HkMBDF1zobv61/a6j0=,tag:0OZ5KpK3P47ZqyEWdUEGRQ==,type:str]
s3SecretKey: ENC[AES256_GCM,data:zg0JEJvuGDLuEgm1clp7CI4tF47CtLsyR9kn9vr8YJvyDxPL9cSWgGMVffrGFf/AY9q4k7SSrNS047k5SB1nHQ==,iv:0LAatRgKfCrkdvQLfrCLl/BvdwkzH0SSRp17/6ssClA=,tag:U520Cp1+XZMjdW9RpwX2YQ==,type:str]
+ oidcSecret: ENC[AES256_GCM,data:SlFx334faSnViGXGHE8P+s/q49PDnTxJpCYdaIZd3KfhfzSvDV6XfodY10wgxs881+Ddcqs3063Z3aVE7CXn9kjFAudhqYt+,iv:AbtfLUpQrLj+0C7mRaKDjCyd9j8/3jyzJ43jaE4GZMw=,tag:PZjhijH3SG6Iiv8wkW5fPg==,type:str]
restic:
password: ENC[AES256_GCM,data:KrT+kv+1hbWnkZUOw+8m5c0bg2JacV/frOUi6zq6wIA=,iv:n5mIZ8FYcpCC3+RsYInfrYfs1WVBkguFmKT3juYzlMI=,tag:w6mN5hNNbdCK/qdW5U/a7w==,type:str]
artalk:
@@ -28,6 +29,7 @@ services:
clientSecrets:
forgejo: ENC[AES256_GCM,data:UvHmLsPzcpibjh9fJL5TawicsgGfhCi7kNO5LexWwWU3je8qTZmt9uWPUSW+MkJoN7Mx4EWG7T3ZqReK1t6/rMeE8zmNHw+ea6AfIpOhNejxTMd0j1CnMrIKnCvSWnXNgTueo0mYQxT7qnsh8Q+VurrOr1TudvNpIjoXISLIQ5yxABo=,iv:WZm/Z4VwcEZ8Ipd3Bw98PkjZdcWYXFt1Uhgq/+wgUSA=,tag:s/nx+8pWAVkTmRyuP07auQ==,type:str]
gokapi: ENC[AES256_GCM,data:kbICBV5SUIHCCL8RU2/0dHQEugrHvl3YP7r/k1tOlKC0mRh6m3XTgcYKpttEgm+Y3PgK3X6/0wQL7k2jWAQq6pMn5kQ4gH7L6BCdjUiE2TxI1wjOFd4LR2koM9x7LTkgb0md23IoCIG+QbpF/a+tRonmqg+FJh2gH0iwpqt9k3cmP8E=,iv:mKJ2AXJ1o/dcRnWiGMVwamWywjk6SwWxhyDXmQaoopE=,tag:/RXJCkpI85aeoUCCbfejDw==,type:str]
+ gts-trinnon: ENC[AES256_GCM,data:2OyqEjl2MrrWbQ4JjwAYVcRvJ0eFJS5JMfAQdQtSkzanQVrlxayT7eQkGOwz0CVOIYH3F1ngeZskAzwvm2id6z0wvmsUTDbaqOMqPqYjB8q39BK/2Dv7NPmP5p6z7hSzZ4hqEHsXu3HGte4vA9nEfyYlJHJb5i886Bvf9fiMUUM4PaA=,iv:/3H4UEP7RcK40Yz+C906tUr5Cv9eiNVLkLpDNz8qNZc=,tag:mRa3rPF7pXw9XF2tuKcokA==,type:str]
jwtSecret: ENC[AES256_GCM,data:czKoD+m8bu0ioTjXYmGv8ZhQphTgsv3GEAvgY4JsxbhAEDgzR1U/Pm7n3FuoIbCCPI6TQcRN2cB4NrvNNUoqZg==,iv:MZbgnw3GkgkQQNk2i4wNFkqcrsyIqdB1GbfeN+NTlwQ=,tag:MN7dV2BDjXxI3AxOYNie1Q==,type:str]
oidcHmacSecret: ENC[AES256_GCM,data:BOB1jTSl/yi/rPll1Frd2eFJQdZ+vI2c291Aot50eKZcaLzqA9OwUKY3MlXhyk68RF0p/krFNwRq1c4vhOTrDg==,iv:l5AS24F/Zv2iLf4TYpqR9AOFAzloYEoOVq/SHl2+OuQ=,tag:8nMMAI8TghiMSfDJ+qOYLQ==,type:str]
sessionSecret: ENC[AES256_GCM,data:kztWuKe/1zcnOypdbKh2SQ5LzS96XdjOngkJGDmtc8JdyJNbDbbAztLvN5FdUtJgo+Ltq6xFMsK5vQfIhmzttg==,iv://+sTH+dyZ18OUP9yJ67xEUhlR7gTLaL6Pich5VT4Qw=,tag:2JEAqUfmIwzSmKEaxBhkAQ==,type:str]
@@ -53,8 +55,8 @@ sops:
SENxSmtOQUlWaFg4Tys2MU91UklURW8K8VUSmBV87SBHVtTfJJrEbX3KtxtPT+nd
a0lbIgNit5pZu5uQVwiuENuPA3K+/3Uo0AIVRxkHJC8ZVqrjXeHhvw==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-31T16:20:35Z"
- mac: ENC[AES256_GCM,data:sUp5iU2DRyCg+X6iCh73hKkCXwE65B8dm73sHu8e9nB032ctaRt4Ymc8zySIDhCj/ehCj2xeZy49TymGJYrsq9APSgquDuEWdC0hDG3D6dEPlgOGh4rolY9s/EtK2ciyA3oA1UfEHKYagblm2WnkECU2oIe4PmXTWlvyQIKOYo4=,iv:vOqJi2At4QGoOLAdsKWqds76viPZJrj9giiY7gMTFi4=,tag:KuOaDP8jui5FpBriayj3lA==,type:str]
+ lastmodified: "2025-08-10T09:49:30Z"
+ mac: ENC[AES256_GCM,data:oNXYtpSdAMJKbs/t/iBWcMZMKPepRCyR5CS1jYP2OsjickNudFLgTjrepAXt7x6xFJ7bjh0PAZGT6MMGI3pAgHHdKcke0N67t9KfpY6bWQ8QVNzptmbkv1i/70kqUhpi17ti2zb4+aYuueTqxxrXc5FOrYcDJ/H7nCto0Xa9xk4=,iv:7AGsGMyfrqoGJ9bOiqWRua6priLvomxSb9JLrHQBJiM=,tag:L2AyU/8i236l1c95aS8g1g==,type:str]
pgp:
- created_at: "2025-08-06T11:08:38Z"
enc: |-