
server: authelia: define oidc policies

wiro.world ae3b1e41 127d231f

+42 -12
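--- a/nixos/profiles/server.nix
+++ b/nixos/profiles/server.nix
@@ -464,44 +464,72 @@
 
 access_control = {
 default_policy = "deny";
+# Rules are sequential and do not apply to OIDC
 rules = [
 {
-domain = "*.wiro.world";
+domain = "headscale.wiro.world";
+policy = "two_factor";
+
+}
+{
+domain = "news.wiro.world";
 policy = "one_factor";
+
+subject = [ [ "group:miniflux" "oauth2:client:miniflux" ] ];
+}
+{
+domain = "*.wiro.world";
+policy = "two_factor";
 }
 ];
 };
 
 identity_providers.oidc = {
 enforce_pkce = "always";
+
+authorization_policies =
+let
+mkStrictPolicy = policy: subject:
+{ default_policy = "deny"; rules = [{ inherit policy subject; }]; };
+in
+{
+headscale = mkStrictPolicy "two_factor" [ "group:headscale" ];
+grafana = mkStrictPolicy "one_factor" [ "group:grafana" ];
+miniflux = mkStrictPolicy "one_factor" [ "group:miniflux" ];
+};
+
 clients = [
 {
 client_name = "Headscale";
 client_id = "headscale";
 client_secret = "$pbkdf2-sha256$310000$XY680D9gkSoWhD0UtYHNFg$ptWB3exOYCga6uq1N.oimuV3ILjK3F8lBWBpsBpibos";
-
-redirect_uris = [ "https://headscale.wiro.world/oidc/callback" ];
-}
-{
-client_name = "Grafana Console";
-client_id = "grafana";
-client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";
+redirect_uris = [ "https://${headscale-hostname}/oidc/callback" ];
 
-redirect_uris = [ "https://console.wiro.world/login/generic_oauth" ];
+authorization_policy = "headscale";
 }
 {
 client_name = "Tailscale";
 client_id = "tailscale";
 client_secret = "$pbkdf2-sha256$310000$PcUaup9aWKI9ZLeCF6.avw$FpsTxkDaxcoQlBi8aIacegXpjEDiCI6nXcaHyZ2Sxyc";
+redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];
 
-redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];
+authorization_policy = "headscale";
+}
+{
+client_name = "Grafana Console";
+client_id = "grafana";
+client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";
+redirect_uris = [ "https://${grafana-hostname}/login/generic_oauth" ];
+
+authorization_policy = "grafana";
 }
 {
 client_name = "Miniflux";
 client_id = "miniflux";
 client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";
+redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];
 
-redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];
+authorization_policy = "miniflux";
 }
 ];
 };
@@ -576,10 +604,10 @@
 enable = true;
 
 createDatabaseLocally = true;
-adminCredentialsFile = config.age.secrets.miniflux-oidc-secret.path;
 config = {
 BASE_URL = "https://${miniflux-hostname}/";
 LISTEN_ADDR = "127.0.0.1:${toString miniflux-port}";
+CREATE_ADMIN = 0;
 
 # TODO: scrape metrics endpoint with prometheus
 
@@ -591,6 +619,8 @@
 OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.wiro.world";
 OAUTH2_USER_CREATION = 1;
 DISABLE_LOCAL_AUTH = 1;
+
+RUN_MIGRATIONS = 1;
 
 # NetNewsWire is a very good iOS oss client that integrates well
 # https://b.j4.lc/2025/05/05/setting-up-netnewswire-with-miniflux/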
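Review bot: The new `news.wiro.world` rule puts both subjects in one inner list, `subject = [ [ "group:miniflux" "oauth2:client:miniflux" ] ];`, which Authelia evaluates as AND (every entry of an inner list must match), so a forward-auth browser session that is merely in `group:miniflux` will not match it and falls through to the `*.wiro.world` two_factor catch-all, while the OIDC client itself is already gated by the `miniflux` authorization policy. If either subject on its own was meant to qualify, split them into separate inner lists: `subject = [ [ "group:miniflux" ] [ "oauth2:client:miniflux" ] ];`. A one-line comment on that rule saying which request path it covers (forward-auth user session vs. bearer token issued to the `miniflux` client) would make the intent checkable, as the rule's own comment only says the rules do not apply to OIDC. In the later Miniflux hunk, `CREATE_ADMIN = 0` together with the removed `adminCredentialsFile` and the existing `DISABLE_LOCAL_AUTH = 1` appears to leave admin access dependent on OIDC-created users, who are presumably not admins by default, so a comment noting how the admin account is bootstrapped would help; that `config` block continues outside the hunk.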