Commit 9480ba6

HPCesia <me@hpcesia.com>
2025-08-10 09:44:42
feat: add oidc for gotosocial
1 parent 6b53ed5
Changed files (5)
hosts/chaser-pardofelis/authelia.nix
@@ -22,44 +22,67 @@
           };
         };
         identity_validation.reset_password.jwt_algorithm = "HS512";
-        identity_providers.oidc.cors = {
-          endpoints = ["authorization" "token" "revocation" "introspection"];
-          allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
+        identity_providers.oidc = {
+          cors = {
+            endpoints = ["authorization" "token" "revocation" "introspection"];
+            allowed_origins = ["https://*.hpcesia.com" "https://*.trin.one"];
+          };
+          clients = [
+            {
+              # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
+              client_id = "forgejo";
+              client_name = "Forgejo";
+              client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-forgejo".path}" }}'';
+              public = false;
+              authorization_policy = "two_factor";
+              require_pkce = true;
+              pkce_challenge_method = "S256";
+              redirect_uris = [
+                "https://repo.hpcesia.com/user/oauth2/Authelia/callback"
+              ];
+              scopes = ["openid" "email" "profile" "groups"];
+              response_types = ["code"];
+              grant_types = ["authorization_code"];
+              access_token_signed_response_alg = "none";
+              userinfo_signed_response_alg = "none";
+              token_endpoint_auth_method = "client_secret_basic";
+            }
+            {
+              # Refer: https://gokapi.readthedocs.io/en/latest/examples.html#oidcconfig-authelia
+              client_id = "gokapi";
+              client_name = "Tribios";
+              client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gokapi".path}" }}'';
+              public = false;
+              authorization_policy = "one_factor";
+              redirect_uris = [
+                "https://send.hpcesia.com/oauth-callback"
+              ];
+              scopes = ["openid" "email" "profile" "groups"];
+              userinfo_signed_response_alg = "none";
+            }
+            {
+              # Refer: https://www.authelia.com/integration/openid-connect/clients/go-to-social
+              client_id = "gts-trinnon";
+              claims_policy = "gotosocial";
+              client_name = "Trinnon (GoToSocial)";
+              client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gts-trinnon".path}" }}'';
+              public = false;
+              authorization_policy = "two_factor";
+              require_pkce = false;
+              pkce_challenge_method = "";
+              redirect_uris = [
+                "https://trin.one/auth/callback"
+              ];
+              scopes = ["openid" "email" "profile" "groups"];
+              response_types = ["code"];
+              grant_types = ["authorization_code"];
+              access_token_signed_response_alg = "none";
+              userinfo_signed_response_alg = "none";
+              token_endpoint_auth_method = "client_secret_basic";
+            }
+          ];
+          claims_policies.gotosocial.id_token = ["preferred_username"];
         };
-        identity_providers.oidc.clients = [
-          {
-            # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
-            client_id = "forgejo";
-            client_name = "Forgejo";
-            client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-forgejo".path}" }}'';
-            public = false;
-            authorization_policy = "two_factor";
-            require_pkce = true;
-            pkce_challenge_method = "S256";
-            redirect_uris = [
-              "https://repo.hpcesia.com/user/oauth2/Authelia/callback"
-            ];
-            scopes = ["openid" "email" "profile" "groups"];
-            response_types = ["code"];
-            grant_types = ["authorization_code"];
-            access_token_signed_response_alg = "none";
-            userinfo_signed_response_alg = "none";
-            token_endpoint_auth_method = "client_secret_basic";
-          }
-          {
-            # Refer: https://gokapi.readthedocs.io/en/latest/examples.html#oidcconfig-authelia
-            client_id = "gokapi";
-            client_name = "Tribios";
-            client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-gokapi".path}" }}'';
-            public = false;
-            authorization_policy = "one_factor";
-            redirect_uris = [
-              "https://send.hpcesia.com/oauth-callback"
-            ];
-            scopes = ["openid" "email" "profile" "groups"];
-            userinfo_signed_response_alg = "none";
-          }
-        ];
         authentication_backend.file = {
           path = "/var/lib/authelia-main/users_database.yaml";
           password.algorithm = "argon2";
@@ -72,13 +95,19 @@
         };
         session.cookies = [
           {
-            name = "authelia_session";
             domain = "hpcesia.com";
             authelia_url = "https://authelia.hpcesia.com";
             expiration = "1 hour";
             inactivity = "5 minutes";
             remember_me = "2 week";
           }
+          {
+            domain = "trin.one";
+            authelia_url = "https://auth.trin.one";
+            expiration = "1 hour";
+            inactivity = "5 minutes";
+            remember_me = "4 week";
+          }
         ];
         access_control = {
           default_policy = "deny";
@@ -88,10 +117,19 @@
               policy = "bypass";
               resources = ["^/api$" "^/api/"];
             }
+            {
+              domain = "*.trin.one";
+              policy = "bypass";
+              resources = ["^/api$" "^/api/"];
+            }
             {
               domain = "*.hpcesia.com";
               policy = "one_factor";
             }
+            {
+              domain = "*.trin.one";
+              policy = "one_factor";
+            }
           ];
         };
         regulation = {
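Review bot: The new `gts-trinnon` client in the first hunk disables PKCE (`require_pkce = false;`, `pkce_challenge_method = "";`) while the `forgejo` client right above it requires S256, so for GoToSocial the code exchange is protected only by the `client_secret_basic` credential; the referenced upstream guide appears to recommend this because GoToSocial does not support PKCE, but that reason should be recorded inline, e.g. `# PKCE disabled: GoToSocial does not support it, per the Authelia guide above`. Authelia normally expects a confidential client's `client_secret` to be a hashed digest, so the value stored under `authelia-main-client-secrets-gts-trinnon` should be the digest of the plaintext that GoToSocial receives via `gotosocial-oidc-secret`; neither value is visible here, so confirm they correspond. In the second hunk the trin.one cookie uses `remember_me = "4 week"` whereas hpcesia.com keeps `"2 week"`; if the difference is not deliberate, align them. The enclosing settings attrset starts and ends outside these hunks.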
hosts/chaser-pardofelis/caddy.nix
@@ -40,6 +40,8 @@
         encode zstd gzip
         reverse_proxy ${localAddress.atuin}
       '';
+
+      "auth.trin.one".extraConfig = config.services.caddy.virtualHosts."authelia.hpcesia.com".extraConfig;
       "authelia.hpcesia.com".extraConfig = ''
         encode zstd gzip
         reverse_proxy ${localAddress.authelia}
hosts/chaser-pardofelis/gotosocial.nix
@@ -17,6 +17,19 @@
       instance-languages = ["zh-Hans"];
       instance-expose-public-timeline = true;
       instance-inject-mastodon-version = true;
+      # SMTP
+      smtp-host = "glacier.mxrouting.net";
+      smtp-port = 587;
+      smtp-username = "no-reply@trin.one";
+      smtp-from = "no-reply@trin.one";
+      # OIDC
+      oidc-enabled = true;
+      oidc-idp-name = "Authelia";
+      oidc-issuer = "https://auth.trin.one";
+      oidc-client-id = "gts-trinnon";
+      oidc-scopes = ["openid" "email" "profile" "groups"];
+      oidc-allowed-groups = [];
+      oidc-admin-groups = ["admin"];
     };
     environmentFile = config.sops.templates.gotosocial-env.path;
   };
@@ -26,6 +39,8 @@
       GTS_STORAGE_S3_ENDPOINT=${config.sops.placeholder.gotosocial-s3-endpoint}
       GTS_STORAGE_S3_ACCESS_KEY=${config.sops.placeholder.gotosocial-s3-access-key}
       GTS_STORAGE_S3_SECRET_KEY=${config.sops.placeholder.gotosocial-s3-secret-key}
+      GTS_OIDC_CLIENT_SECRET=${config.sops.placeholder.gotosocial-oidc-secret}
+      GTS_SMTP_PASSWORD=${config.sops.placeholder.gotosocial-smtp-password}
     '';
     owner = "root";
     group = "gotosocial";
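Review bot: The environment template now reads `config.sops.placeholder.gotosocial-smtp-password` on the `GTS_SMTP_PASSWORD` line, but the only new gotosocial secret declared in secrets/hosts/pardofelis/default.nix and secrets.yaml in this commit is `gotosocial-oidc-secret`; unless `gotosocial-smtp-password` is already declared outside the shown hunks, evaluation would fail on the missing placeholder attribute, so a matching entry such as `{ name = "gotosocial-smtp-password"; value = {key = "services/gotosocial/smtpPassword";} // secretFileConf; }` (key path constructed to follow the existing pattern) and its encrypted value are needed. In the settings hunk above, `oidc-allowed-groups = []` appears to let every account Authelia authenticates for this client sign in, since the client's `authorization_policy` is `two_factor` with no group restriction, while `oidc-admin-groups = ["admin"]` grants instance admin to that Authelia group; if sign-up should be limited, list the permitted groups here or narrow the client policy in Authelia. A comment stating the intent, e.g. `# empty list: any authenticated Authelia user may sign in`, would help later readers. Both the `settings` attrset and the template content start outside these hunks.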
secrets/hosts/pardofelis/default.nix
@@ -78,6 +78,10 @@ in
           name = "gotosocial-s3-secret-key";
           value = {key = "services/gotosocial/s3SecretKey";} // secretFileConf;
         }
+        {
+          name = "gotosocial-oidc-secret";
+          value = {key = "services/gotosocial/oidcSecret";} // secretFileConf;
+        }
         # === Authelia === #
         {
           name = "authelia-main-oidc-hmac-secret";
@@ -128,6 +132,13 @@ in
             // autheliaMainConf
             // secretFileConf;
         }
+        {
+          name = "authelia-main-client-secrets-gts-trinnon";
+          value =
+            {key = "services/authelia/main/clientSecrets/gts-trinnon";}
+            // autheliaMainConf
+            // secretFileConf;
+        }
         # === Artalk === #
         {
           name = "artalk-akismet-key";
secrets/hosts/pardofelis/secrets.yaml
@@ -11,6 +11,7 @@ services:
         s3Endpoint: ENC[AES256_GCM,data:zUe0nDSW1T9i3YOq2Cao87nM4I05yquKMLsD7gMKYJ/M8bj9usBiFr3aAOW5mEiATzSy4VtupTDT,iv:UluVNVCcF1LUWYJWlCVS4y197TSuD34MNuUC7Mr+Tjg=,tag:AyLcTDPZoleKSMDX39ApBg==,type:str]
         s3AccessKey: ENC[AES256_GCM,data:2hOwCwYROPZ/ZBs+QHjuaHZR8DZdBoz96Dh0g6ohFpg=,iv:6FGLKG+Y9/8tFqLsC+h7oBbT2HkMBDF1zobv61/a6j0=,tag:0OZ5KpK3P47ZqyEWdUEGRQ==,type:str]
         s3SecretKey: ENC[AES256_GCM,data:zg0JEJvuGDLuEgm1clp7CI4tF47CtLsyR9kn9vr8YJvyDxPL9cSWgGMVffrGFf/AY9q4k7SSrNS047k5SB1nHQ==,iv:0LAatRgKfCrkdvQLfrCLl/BvdwkzH0SSRp17/6ssClA=,tag:U520Cp1+XZMjdW9RpwX2YQ==,type:str]
+        oidcSecret: ENC[AES256_GCM,data:SlFx334faSnViGXGHE8P+s/q49PDnTxJpCYdaIZd3KfhfzSvDV6XfodY10wgxs881+Ddcqs3063Z3aVE7CXn9kjFAudhqYt+,iv:AbtfLUpQrLj+0C7mRaKDjCyd9j8/3jyzJ43jaE4GZMw=,tag:PZjhijH3SG6Iiv8wkW5fPg==,type:str]
     restic:
         password: ENC[AES256_GCM,data:KrT+kv+1hbWnkZUOw+8m5c0bg2JacV/frOUi6zq6wIA=,iv:n5mIZ8FYcpCC3+RsYInfrYfs1WVBkguFmKT3juYzlMI=,tag:w6mN5hNNbdCK/qdW5U/a7w==,type:str]
     artalk:
@@ -28,6 +29,7 @@ services:
             clientSecrets:
                 forgejo: ENC[AES256_GCM,data:UvHmLsPzcpibjh9fJL5TawicsgGfhCi7kNO5LexWwWU3je8qTZmt9uWPUSW+MkJoN7Mx4EWG7T3ZqReK1t6/rMeE8zmNHw+ea6AfIpOhNejxTMd0j1CnMrIKnCvSWnXNgTueo0mYQxT7qnsh8Q+VurrOr1TudvNpIjoXISLIQ5yxABo=,iv:WZm/Z4VwcEZ8Ipd3Bw98PkjZdcWYXFt1Uhgq/+wgUSA=,tag:s/nx+8pWAVkTmRyuP07auQ==,type:str]
                 gokapi: ENC[AES256_GCM,data:kbICBV5SUIHCCL8RU2/0dHQEugrHvl3YP7r/k1tOlKC0mRh6m3XTgcYKpttEgm+Y3PgK3X6/0wQL7k2jWAQq6pMn5kQ4gH7L6BCdjUiE2TxI1wjOFd4LR2koM9x7LTkgb0md23IoCIG+QbpF/a+tRonmqg+FJh2gH0iwpqt9k3cmP8E=,iv:mKJ2AXJ1o/dcRnWiGMVwamWywjk6SwWxhyDXmQaoopE=,tag:/RXJCkpI85aeoUCCbfejDw==,type:str]
+                gts-trinnon: ENC[AES256_GCM,data:2OyqEjl2MrrWbQ4JjwAYVcRvJ0eFJS5JMfAQdQtSkzanQVrlxayT7eQkGOwz0CVOIYH3F1ngeZskAzwvm2id6z0wvmsUTDbaqOMqPqYjB8q39BK/2Dv7NPmP5p6z7hSzZ4hqEHsXu3HGte4vA9nEfyYlJHJb5i886Bvf9fiMUUM4PaA=,iv:/3H4UEP7RcK40Yz+C906tUr5Cv9eiNVLkLpDNz8qNZc=,tag:mRa3rPF7pXw9XF2tuKcokA==,type:str]
             jwtSecret: ENC[AES256_GCM,data:czKoD+m8bu0ioTjXYmGv8ZhQphTgsv3GEAvgY4JsxbhAEDgzR1U/Pm7n3FuoIbCCPI6TQcRN2cB4NrvNNUoqZg==,iv:MZbgnw3GkgkQQNk2i4wNFkqcrsyIqdB1GbfeN+NTlwQ=,tag:MN7dV2BDjXxI3AxOYNie1Q==,type:str]
             oidcHmacSecret: ENC[AES256_GCM,data:BOB1jTSl/yi/rPll1Frd2eFJQdZ+vI2c291Aot50eKZcaLzqA9OwUKY3MlXhyk68RF0p/krFNwRq1c4vhOTrDg==,iv:l5AS24F/Zv2iLf4TYpqR9AOFAzloYEoOVq/SHl2+OuQ=,tag:8nMMAI8TghiMSfDJ+qOYLQ==,type:str]
             sessionSecret: ENC[AES256_GCM,data:kztWuKe/1zcnOypdbKh2SQ5LzS96XdjOngkJGDmtc8JdyJNbDbbAztLvN5FdUtJgo+Ltq6xFMsK5vQfIhmzttg==,iv://+sTH+dyZ18OUP9yJ67xEUhlR7gTLaL6Pich5VT4Qw=,tag:2JEAqUfmIwzSmKEaxBhkAQ==,type:str]
@@ -53,8 +55,8 @@ sops:
             SENxSmtOQUlWaFg4Tys2MU91UklURW8K8VUSmBV87SBHVtTfJJrEbX3KtxtPT+nd
             a0lbIgNit5pZu5uQVwiuENuPA3K+/3Uo0AIVRxkHJC8ZVqrjXeHhvw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-07-31T16:20:35Z"
-    mac: ENC[AES256_GCM,data:sUp5iU2DRyCg+X6iCh73hKkCXwE65B8dm73sHu8e9nB032ctaRt4Ymc8zySIDhCj/ehCj2xeZy49TymGJYrsq9APSgquDuEWdC0hDG3D6dEPlgOGh4rolY9s/EtK2ciyA3oA1UfEHKYagblm2WnkECU2oIe4PmXTWlvyQIKOYo4=,iv:vOqJi2At4QGoOLAdsKWqds76viPZJrj9giiY7gMTFi4=,tag:KuOaDP8jui5FpBriayj3lA==,type:str]
+    lastmodified: "2025-08-10T09:49:30Z"
+    mac: ENC[AES256_GCM,data:oNXYtpSdAMJKbs/t/iBWcMZMKPepRCyR5CS1jYP2OsjickNudFLgTjrepAXt7x6xFJ7bjh0PAZGT6MMGI3pAgHHdKcke0N67t9KfpY6bWQ8QVNzptmbkv1i/70kqUhpi17ti2zb4+aYuueTqxxrXc5FOrYcDJ/H7nCto0Xa9xk4=,iv:7AGsGMyfrqoGJ9bOiqWRua6priLvomxSb9JLrHQBJiM=,tag:L2AyU/8i236l1c95aS8g1g==,type:str]
     pgp:
         - created_at: "2025-08-06T11:08:38Z"
           enc: |-