feat: Added ldap and authelia oidc
This commit is contained in:
uttarayan21
@@ -7,8 +7,9 @@
|
||||
"authelia/servers/darksailor/storageEncryptionSecret".owner = user;
|
||||
"authelia/servers/darksailor/sessionSecret".owner = user;
|
||||
"authelia/users/servius".owner = user;
|
||||
"authelia/oidc/immich".owner = user;
|
||||
"lldap/users/authelia".owner = user;
|
||||
users.owner = user;
|
||||
"authelia/oidc/jwks".owner = user;
|
||||
};
|
||||
};
|
||||
services = {
|
||||
@@ -18,44 +19,22 @@
|
||||
settings = {
|
||||
authentication_backend = {
|
||||
password_reset.disable = false;
|
||||
file = {
|
||||
path = "/run/secrets/users";
|
||||
password_change.disable = false;
|
||||
# file = {
|
||||
# path = "/run/secrets/users";
|
||||
# };
|
||||
ldap = {
|
||||
address = "ldap://localhost:389";
|
||||
timeout = "5s";
|
||||
# start_tls = false;
|
||||
base_dn = "dc=darksailor,dc=dev";
|
||||
user = "cn=authelia,ou=people,dc=darksailor,dc=dev";
|
||||
users_filter = "(&({username_attribute}={input})(objectClass=person))";
|
||||
groups_filter = "(&(member={dn})(objectClass=groupOfNames))";
|
||||
additional_users_dn = "OU=people";
|
||||
additional_groups_dn = "OU=groups";
|
||||
};
|
||||
};
|
||||
# identity_providers = {
|
||||
# oidc = {
|
||||
# clients = [
|
||||
# {
|
||||
# client_id = "immich";
|
||||
# client_name = "immich";
|
||||
# client_secret = ''{{ fileContent "${config.sops.secrets."authelia/oidc/immich".path}" }}'';
|
||||
# public = false;
|
||||
# authorization_policy = "two_factor";
|
||||
# require_pkce = false;
|
||||
# pkce_challenge_method = "";
|
||||
# redirect_uris = [
|
||||
# "https://photos.darksailor.dev/auth/login"
|
||||
# "https://photos.darksailor.dev/user-settings"
|
||||
# "app.immich:///oauth-callback"
|
||||
# ];
|
||||
# scopes = [
|
||||
# "openid"
|
||||
# "profile"
|
||||
# "email"
|
||||
# ];
|
||||
# response_types = [
|
||||
# "code"
|
||||
# ];
|
||||
# grant_types = [
|
||||
# "authorization_code"
|
||||
# ];
|
||||
# access_token_signed_response_alg = "none";
|
||||
# userinfo_signed_response_alg = "none";
|
||||
# token_endpoint_auth_method = "client_secret_post";
|
||||
# }
|
||||
# ];
|
||||
# };
|
||||
# };
|
||||
session = {
|
||||
cookies = [
|
||||
{
|
||||
@@ -91,6 +70,11 @@
|
||||
jwtSecretFile = config.sops.secrets."authelia/servers/darksailor/jwtSecret".path;
|
||||
storageEncryptionKeyFile = config.sops.secrets."authelia/servers/darksailor/storageEncryptionSecret".path;
|
||||
sessionSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path;
|
||||
oidcHmacSecretFile = config.sops.secrets."authelia/servers/darksailor/sessionSecret".path;
|
||||
oidcIssuerPrivateKeyFile = config.sops.secrets."authelia/oidc/jwks".path;
|
||||
};
|
||||
environmentVariables = {
|
||||
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE = config.sops.secrets."lldap/users/authelia".path;
|
||||
};
|
||||
};
|
||||
};
|
||||
|
||||
@@ -1,4 +1,4 @@
|
||||
{...}: {
|
||||
{config, ...}: {
|
||||
services = {
|
||||
homepage-dashboard = {
|
||||
enable = true;
|
||||
@@ -107,6 +107,13 @@
|
||||
href = "https://llama.darksailor.dev";
|
||||
};
|
||||
}
|
||||
{
|
||||
"Immich" = {
|
||||
icon = "immich.png";
|
||||
description = "Immich: Self-hosted Photo and Video Backup";
|
||||
href = "https://photos.darksailor.dev";
|
||||
};
|
||||
}
|
||||
];
|
||||
}
|
||||
];
|
||||
@@ -163,8 +170,22 @@
|
||||
uri /api/authz/forward-auth
|
||||
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
|
||||
}
|
||||
reverse_proxy localhost:8082
|
||||
reverse_proxy localhost:${builtins.toString config.services.homepage-dashboard.listenPort}
|
||||
'';
|
||||
};
|
||||
authelia = {
|
||||
instances.darksailor = {
|
||||
settings = {
|
||||
access_control = {
|
||||
rules = [
|
||||
{
|
||||
domain = "dashboard.darksailor.dev";
|
||||
policy = "one_factor";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -1,5 +1,78 @@
|
||||
{...}: {
|
||||
{config, ...}: {
|
||||
sops = {
|
||||
secrets."authelia/oidc/immich/client_id" = {
|
||||
owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
|
||||
mode = "0440";
|
||||
};
|
||||
secrets."authelia/oidc/immich/client_secret" = {
|
||||
owner = config.systemd.services.authelia-darksailor.serviceConfig.User;
|
||||
mode = "0440";
|
||||
};
|
||||
templates = {
|
||||
"OAUTH_CLIENT.env" = {
|
||||
content = ''
|
||||
OAUTH_CLIENT_ID=${config.sops.placeholder."authelia/oidc/immich/client_id"}
|
||||
OAUTH_CLIENT_SECRET=${config.sops.placeholder."authelia/oidc/immich/client_secret"}
|
||||
'';
|
||||
mode = "0400";
|
||||
owner = config.services.immich.user;
|
||||
};
|
||||
};
|
||||
};
|
||||
users.users.immich.extraGroups = [config.systemd.services.authelia-darksailor.serviceConfig.Group];
|
||||
services.immich = {
|
||||
enable = false;
|
||||
enable = true;
|
||||
mediaLocation = "/media/photos/immich";
|
||||
settings = {
|
||||
oauth = {
|
||||
enabled = true;
|
||||
autoLaunch = true;
|
||||
autoRegister = true;
|
||||
buttonText = "Login with Authelia";
|
||||
clientId = "immich";
|
||||
scope = "openid email profile";
|
||||
issuerUrl = "https://auth.darksailor.dev/.well-known/openid-configuration";
|
||||
};
|
||||
passwordLogin = {
|
||||
enabled = false;
|
||||
};
|
||||
};
|
||||
secretsFile = config.sops.templates."OAUTH_CLIENT.env".path;
|
||||
};
|
||||
services.caddy = {
|
||||
virtualHosts."photos.darksailor.dev".extraConfig = ''
|
||||
reverse_proxy localhost:${builtins.toString config.services.immich.port}
|
||||
'';
|
||||
};
|
||||
services.authelia = {
|
||||
instances.darksailor = {
|
||||
settings = {
|
||||
identity_providers = {
|
||||
oidc = {
|
||||
clients = [
|
||||
{
|
||||
client_name = "immich";
|
||||
client_id = ''{{- fileContent "${config.sops.secrets."authelia/oidc/immich/client_id".path}" }}'';
|
||||
client_secret = ''{{- fileContent "${config.sops.secrets."authelia/oidc/immich/client_secret".path}" }}'';
|
||||
public = false;
|
||||
authorization_policy = "one_factor";
|
||||
require_pkce = false;
|
||||
redirect_uris = [
|
||||
"https://photos.darksailor.dev/auth/login"
|
||||
"https://photos.darksailor.dev/user-settings"
|
||||
"app.immich:///oauth-callback"
|
||||
];
|
||||
scopes = ["openid" "profile" "email"];
|
||||
response_types = ["code"];
|
||||
grant_types = ["authorization_code"];
|
||||
access_token_signed_response_alg = "none";
|
||||
userinfo_signed_response_alg = "none";
|
||||
token_endpoint_auth_method = "client_secret_post";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
}
|
||||
|
||||
@@ -43,13 +43,13 @@
|
||||
};
|
||||
|
||||
caddy = {
|
||||
# virtualHosts."llama.darksailor.dev".extraConfig = ''
|
||||
# forward_auth localhost:5555 {
|
||||
# uri /api/authz/forward-auth
|
||||
# copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
|
||||
# }
|
||||
# reverse_proxy localhost:7070
|
||||
# '';
|
||||
virtualHosts."llama.darksailor.dev".extraConfig = ''
|
||||
forward_auth localhost:5555 {
|
||||
uri /api/authz/forward-auth
|
||||
copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
|
||||
}
|
||||
reverse_proxy localhost:${builtins.toString config.services.open-webui.port}
|
||||
'';
|
||||
virtualHosts."ollama.darksailor.dev".extraConfig = ''
|
||||
@apikey {
|
||||
header Authorization "Bearer {env.LLAMA_API_KEY}"
|
||||
@@ -61,12 +61,26 @@
|
||||
Access-Control-Allow-Origin *
|
||||
-Authorization "Bearer {env.LLAMA_API_KEY}" # Remove the header after validation
|
||||
}
|
||||
reverse_proxy localhost:11434
|
||||
reverse_proxy localhost:${builtins.toString config.services.ollama.port}
|
||||
}
|
||||
|
||||
respond "Unauthorized" 403
|
||||
'';
|
||||
};
|
||||
authelia = {
|
||||
instances.darksailor = {
|
||||
settings = {
|
||||
access_control = {
|
||||
rules = [
|
||||
{
|
||||
domain = "llama.darksailor.dev";
|
||||
policy = "one_factor";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
};
|
||||
systemd.services.caddy = {
|
||||
serviceConfig = {
|
||||
|
||||
@@ -6,23 +6,24 @@
|
||||
services.lldap = {
|
||||
enable = true;
|
||||
settings = {
|
||||
# ldap_user_dn = "admin";
|
||||
ldap_user_dn = "admin";
|
||||
ldap_base_dn = "dc=darksailor,dc=dev";
|
||||
# ldap_user_email = "admin@darksailor.dev";
|
||||
# http_host = "127.0.0.1";
|
||||
ldap_user_email = "admin@darksailor.dev";
|
||||
http_host = "127.0.0.1";
|
||||
http_port = 5090;
|
||||
ldap_port = 389;
|
||||
# ldap_host = "::";
|
||||
environment = {
|
||||
LLDAP_JWT_SECRET_FILE = config.sops.secrets."lldap/jwt".path;
|
||||
LLDAP_KEY_SEED_FILE = config.sops.secrets."lldap/seed".path;
|
||||
# LLDAP_LDAP_USER_PASS_FILE = config.sops.secrets."lldap/admin".path;
|
||||
LLDAP_LDAP_USER_PASS = "foobar123";
|
||||
};
|
||||
ldap_host = "::";
|
||||
# environment = {
|
||||
# };
|
||||
environmentFile = ''
|
||||
LLDAP_LDAP_USER_PASS_FILE = ${config.sops.secrets."lldap/admin".path};
|
||||
LLDAP_JWT_SECRET_FILE = ${config.sops.secrets."lldap/jwt".path};
|
||||
LLDAP_KEY_SEED_FILE = ${config.sops.secrets."lldap/seed".path};
|
||||
'';
|
||||
};
|
||||
};
|
||||
services.caddy = {
|
||||
virtualHosts."console.darksailor.dev".extraConfig = ''
|
||||
virtualHosts."ldap.darksailor.dev".extraConfig = ''
|
||||
reverse_proxy localhost:5090
|
||||
'';
|
||||
};
|
||||
@@ -34,15 +35,12 @@
|
||||
};
|
||||
users.groups.lldap = {};
|
||||
|
||||
# systemd.services.sops-install-secrets = {
|
||||
# after = ["lldap.service"];
|
||||
# };
|
||||
|
||||
systemd.services.lldap = {
|
||||
# wants = ["sops-install-secrets.service"];
|
||||
serviceConfig = {
|
||||
AmbientCapabilities = "CAP_NET_BIND_SERVICE";
|
||||
DynamicUser = lib.mkForce false;
|
||||
User = "lldap";
|
||||
Group = "lldap";
|
||||
};
|
||||
};
|
||||
sops = {
|
||||
|
||||
Reference in New Issue
Block a user