Commit bc214b0
Changed files (3)
hosts/chaser-pardofelis/authelia.nix
@@ -24,22 +24,23 @@
identity_validation.reset_password.jwt_algorithm = "HS512";
identity_providers.oidc.clients = [
{
- # TODO: Just a placeholder to run Authelia correctly,
- # Because `identity_providers.oidc.clients` should note be empty.
- client_id = "alist_example";
- client_name = "Alist";
- # The digest of 'insecure_secret'.
- # In real deployment, it should be a secret managed by sops-nix.
- client_secret = "$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng";
+ # Refer: https://www.authelia.com/integration/openid-connect/clients/forgejo
+ client_id = "forgejo";
+ client_name = "Forgejo";
+ client_secret = ''{{ secret "${config.sops.secrets."authelia-main-client-secrets-forgejo".path}" }}'';
public = false;
- authorization_policy = "one_factor";
+ authorization_policy = "two_factor";
+ require_pkce = true;
+ pkce_challenge_method = "S256";
redirect_uris = [
- "https://alist.example.com/api/auth/sso_callback?method=sso_get_token"
- "https://alist.example.com/api/auth/sso_callback?method=get_sso_id"
+ "https://repo.hpcesia.com/user/oauth2/Authelia/callback"
];
- scopes = ["openid" "profile"];
+ scopes = ["openid" "email" "profile" "groups"];
+ response_types = ["code"];
+ grant_types = ["authorization_code"];
+ access_token_signed_response_alg = "none";
userinfo_signed_response_alg = "none";
- token_endpoint_auth_method = "client_secret_post";
+ token_endpoint_auth_method = "client_secret_basic";
}
];
authentication_backend.file = {
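Review bot: The new `client_secret` line (L23) drops the only hint about what the referenced sops file must contain: Authelia expects a hashed digest here (the removed placeholder shows the `$pbkdf2-sha512$…` form), so if the plaintext secret shared with Forgejo is what ends up in sops, Authelia will at least warn and may reject the client at startup. I would keep a comment above it: `# The sops secret must hold the hashed client secret (e.g. the $pbkdf2-sha512$ digest from 'authelia crypto hash generate'), not the plaintext value configured on the Forgejo side.` The `{{ secret "…" }}` expansion also relies on Authelia's template config filter being enabled, which is not visible here; worth confirming the NixOS module sets it, otherwise the literal template string becomes the configured secret. The `identity_providers.oidc.clients` list starts above the hunk and the enclosing module continues past its last line.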
secrets/hosts/pardofelis/default.nix
@@ -61,6 +61,11 @@ in
}
// secretFileConf;
}
+ {
+ name = "restic-backup-password";
+ value = {key = "services/restic/password";} // secretFileConf;
+ }
+ # === GoToSocial === #
{
name = "gotosocial-s3-endpoint";
value = {key = "services/gotosocial/s3Endpoint";} // secretFileConf;
@@ -73,6 +78,7 @@ in
name = "gotosocial-s3-secret-key";
value = {key = "services/gotosocial/s3SecretKey";} // secretFileConf;
}
+ # === Authelia === #
{
name = "authelia-main-oidc-hmac-secret";
value =
@@ -109,9 +115,13 @@ in
// secretFileConf;
}
{
- name = "restic-backup-password";
- value = {key = "services/restic/password";} // secretFileConf;
+ name = "authelia-main-client-secrets-forgejo";
+ value =
+ {key = "services/authelia/main/clientSecrets/forgejo";}
+ // autheliaMainConf
+ // secretFileConf;
}
+ # === Artalk === #
{
name = "artalk-akismet-key";
value =
secrets/hosts/pardofelis/secrets.yaml
@@ -21,11 +21,13 @@ services:
githubClientSecret: ENC[AES256_GCM,data:pyt5ddWBtBA2A8MQDkT4toLgwVwa5VnlWGOwEFldMerYCtw4F9X7Ow==,iv:H2YbbmBTGskZ+1yLTZTICO0bzR9LADN+4Bl+/P1s1TE=,tag:DF9WXdE/isxZUNblpRUv5g==,type:str]
authelia:
main:
+ clientSecrets:
+ forgejo: ENC[AES256_GCM,data:UvHmLsPzcpibjh9fJL5TawicsgGfhCi7kNO5LexWwWU3je8qTZmt9uWPUSW+MkJoN7Mx4EWG7T3ZqReK1t6/rMeE8zmNHw+ea6AfIpOhNejxTMd0j1CnMrIKnCvSWnXNgTueo0mYQxT7qnsh8Q+VurrOr1TudvNpIjoXISLIQ5yxABo=,iv:WZm/Z4VwcEZ8Ipd3Bw98PkjZdcWYXFt1Uhgq/+wgUSA=,tag:s/nx+8pWAVkTmRyuP07auQ==,type:str]
jwtSecret: ENC[AES256_GCM,data:czKoD+m8bu0ioTjXYmGv8ZhQphTgsv3GEAvgY4JsxbhAEDgzR1U/Pm7n3FuoIbCCPI6TQcRN2cB4NrvNNUoqZg==,iv:MZbgnw3GkgkQQNk2i4wNFkqcrsyIqdB1GbfeN+NTlwQ=,tag:MN7dV2BDjXxI3AxOYNie1Q==,type:str]
oidcHmacSecret: ENC[AES256_GCM,data:BOB1jTSl/yi/rPll1Frd2eFJQdZ+vI2c291Aot50eKZcaLzqA9OwUKY3MlXhyk68RF0p/krFNwRq1c4vhOTrDg==,iv:l5AS24F/Zv2iLf4TYpqR9AOFAzloYEoOVq/SHl2+OuQ=,tag:8nMMAI8TghiMSfDJ+qOYLQ==,type:str]
- oidcIssuerPrivateKey: ENC[AES256_GCM,data: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,iv:SXeiK4/QCqmQpdoOuFZR2cFjoox44YPvw+eKkL9wT+I=,tag:KkdOkpIojnGmTZ0uJEvwcw==,type:str]
sessionSecret: ENC[AES256_GCM,data:kztWuKe/1zcnOypdbKh2SQ5LzS96XdjOngkJGDmtc8JdyJNbDbbAztLvN5FdUtJgo+Ltq6xFMsK5vQfIhmzttg==,iv://+sTH+dyZ18OUP9yJ67xEUhlR7gTLaL6Pich5VT4Qw=,tag:2JEAqUfmIwzSmKEaxBhkAQ==,type:str]
storageEncryptionKey: ENC[AES256_GCM,data:Izqst2AzXvOG4qi3BYIp4BY2nGfuVEUro3mjrHRtMfY=,iv:CYqOylrTvPGvCTJ8ObCg9um4hWLY4cqRqMBruzCeAko=,tag:IQ9CAr9sGKaZKVbAOeFXVA==,type:str]
+ oidcIssuerPrivateKey: ENC[AES256_GCM,data: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,iv:SXeiK4/QCqmQpdoOuFZR2cFjoox44YPvw+eKkL9wT+I=,tag:KkdOkpIojnGmTZ0uJEvwcw==,type:str]
sops:
age:
- recipient: age1sur93fevme8az4v6txee9uw7gk8xcpz2u0mfzvayavrcx9zkefxsmcpnln
@@ -46,8 +48,8 @@ sops:
MmVobitCNUxvUGJmRUtWWEhZekdHaEEKcx1nN+bR2wsexYV/B5PC+Pu9Yi9w+KE8
Kcy2S1Cyu7MEkE8it447yqixIA5l5mbFGRjfTvI8KZXZUGgLecAktQ==
-----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-07-20T13:54:12Z"
- mac: ENC[AES256_GCM,data:TgGnlL2defU2u1NngvEqQxh5N+V1BNpQbVXCt/jCPJbz/GkbCnser168Tu+guQYjWUnqXphOPIAaAd/hORwa0OVFxm4cSN1UGtffdjc7SYxgi23xIbB2L9XyknrzPjEbX9Ue7CnNr9v5a3m3sOvVr+OM4TzuLPLOEBdpAPtJ3gU=,iv:twBMhm4oVsxHQypz42C2gX2hGR2GpqeuAPBVrg4diw8=,tag:ZLObSACwmWszdZ7W+lYBpw==,type:str]
+ lastmodified: "2025-07-31T12:56:51Z"
+ mac: ENC[AES256_GCM,data:8nvliPtSMgYYos0PTHHa8O+THld8IJnCWIPtD8/9YZfMfK7YBXm/yMEgDe7mcOa0y796MjDtwt7TFTZFF3L7bX1tQJ1HWGURPGhROskVlurN9j50qyU83LFOTbI0gGCJjiYWDOfCT0IZxDwJcdOxBD+MZRZwqMH8akefgAODte0=,iv:SyL7R9H0t/WZhUwFqKhc+9x1nKCJX9x44X3XD2+Zjro=,tag:gv+Y4I11ulQKAr9Q2QarBA==,type:str]
pgp:
- created_at: "2025-07-15T13:47:27Z"
enc: |-