Added multiple services

2024-10-17 19:28:08 +02:00
parent 9a273df98a
commit 4eefcd1933
27 changed files with 3083 additions and 81 deletions


@@ -1,2 +0,0 @@
db.sqlite3
notifications.txt


@@ -632,9 +632,30 @@ access_control:
rules:
## Rules applied to everyone
- domain: '*.timo.bmrs.nl'
- domain: 'auth.timo.bmrs.nl'
policy: 'bypass'
- domain: 'adguard.timo.bmrs.nl'
policy: 'two_factor'
subject: 'group:adguard'
- domain: 'bitwarden.timo.bmrs.nl'
policy: 'two_factor'
- domain: 'git.timo.bmrs.nl'
policy: 'bypass'
- domain: 'home.timo.bmrs.nl'
policy: 'one_factor'
- domain: 'ldap.timo.bmrs.nl'
policy: 'two_factor'
subject: 'group:admin'
- domain: 'uptime.timo.bmrs.nl'
policy: 'bypass'
## Domain Regex examples. Generally we recommend just using a standard domain.
# - domain_regex: '^(?P<User>\w+)\.example\.com$'
# policy: 'one_factor'
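Review bot: The `bypass` rules for `git.timo.bmrs.nl` and `uptime.timo.bmrs.nl` let those hosts through the proxy with no Authelia check at all, so each host is protected only by the application's own login; that is defensible for Forgejo, which this commit wires up as an OIDC client, but it is worth confirming the same is intended for uptime rather than narrowing it with a `resources:` list of regexes for the public status/push paths plus a following `two_factor` rule for the rest of the host, since Authelia applies the first matching rule top to bottom. The `two_factor` rule for `bitwarden.timo.bmrs.nl` has no `resources` carve-out: if that host is Vaultwarden, its native desktop/mobile/browser clients authenticate against the API directly and cannot follow the Authelia redirect, so in practice the rule needs bypass entries for the client API paths with `two_factor` reserved for the `^/admin` area — confirm against the deployed app. The `default_policy` that applies to unmatched domains is outside this hunk.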
@@ -1138,62 +1159,58 @@ notifier:
##
## Identity Providers
##
# identity_providers:
identity_providers:
##
## OpenID Connect (Identity Provider)
##
## It's recommended you read the documentation before configuration of this section:
## https://www.authelia.com/c/oidc
# oidc:
oidc:
## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
## HMAC Secret can also be set using a secret: https://www.authelia.com/c/secrets
# hmac_secret: 'this_is_a_secret_abc123abc123abc'
hmac_secret: $HMAC_SECRET
## The JWK's issuer option configures multiple JSON Web Keys. It's required that at least one of the JWK's
## configured has the RS256 algorithm. For RSA keys (RS or PS) the minimum is a 2048 bit key.
# jwks:
# -
## Key ID embedded into the JWT header for key matching. Must be an alphanumeric string with 7 or less characters.
## This value is automatically generated if not provided. It's recommended to not configure this.
# key_id: 'example'
jwks:
-
## Key ID embedded into the JWT header for key matching. Must be an alphanumeric string with 7 or less characters.
## This value is automatically generated if not provided. It's recommended to not configure this.
# key_id: 'exmple'
## The key algorithm used with this key.
# algorithm: 'RS256'
## The key algorithm used with this key.
algorithm: 'RS256'
## The key use expected with this key. Currently only 'sig' is supported.
# use: 'sig'
## The key use expected with this key. Currently only 'sig' is supported.
use: 'sig'
## Required Private Key in PEM DER form.
# key: |
# -----BEGIN RSA PRIVATE KEY-----
# ...
# -----END RSA PRIVATE KEY-----
## Optional matching certificate chain in PEM DER form that matches the key. All certificates within the chain
## must be valid and current, and from top to bottom each certificate must be signed by the subsequent one.
# certificate_chain: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
## Required Private Key in PEM DER form.
key: |
{{- fileContent "/keys/private.pem" | nindent 10 }}
## Optional matching certificate chain in PEM DER form that matches the key. All certificates within the chain
## must be valid and current, and from top to bottom each certificate must be signed by the subsequent one.
# certificate_chain: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
## Enables additional debug messages.
# enable_client_debug_messages: false
enable_client_debug_messages: false
## SECURITY NOTICE: It's not recommended changing this option and values below 8 are strongly discouraged.
# minimum_parameter_entropy: 8
minimum_parameter_entropy: 8
## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it set to 'never'
## for security reasons.
# enforce_pkce: 'public_clients_only'
enforce_pkce: 'public_clients_only'
## SECURITY NOTICE: It's not recommended changing this option. We encourage you to read the documentation and fully
## understanding it before enabling this option.
# enable_jwt_access_token_stateless_introspection: false
enable_jwt_access_token_stateless_introspection: false
## The signing algorithm used for signing the discovery and metadata responses. An issuer JWK with a matching
## algorithm must be available when configured. Most clients completely ignore this and it has a performance cost.
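Review bot: `hmac_secret: $HMAC_SECRET` uses shell-style `$VAR` substitution while the rest of this section uses Go templates (`{{ env "CLIENT_ID_FORGEJO" }}`, `fileContent "/keys/private.pem"`); Authelia expands those two forms with different config filters (`expand-env` vs `template`, both opt-in), so unless both are enabled this value is never substituted and the literal string `$HMAC_SECRET` becomes the key that signs every authorization code, access token and refresh token. Use one mechanism consistently, e.g. `hmac_secret: '{{ env "HMAC_SECRET" }}'`, or drop the key from the file and supply it through Authelia's secret mechanism (`AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET_FILE`), and make it a long random value generated for this purpose. Because the signing key is read via `fileContent "/keys/private.pem"`, the deployment should also restrict read access on that path to the Authelia process, which this config cannot show. The defaults kept for `minimum_parameter_entropy`, `enforce_pkce` and stateless introspection are the recommended ones; with only a confidential client configured, `enforce_pkce: 'always'` is an option if Forgejo's OIDC client supports PKCE.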
@@ -1205,68 +1222,68 @@ notifier:
## Authorization Policies which can be utilized by clients. The 'policy_name' is an arbitrary value that you pick
## which is utilized as the value for the 'authorization_policy' on the client.
# authorization_policies:
# policy_name:
# default_policy: 'two_factor'
# rules:
# - policy: 'one_factor'
# subject: 'group:services'
authorization_policies:
forgejo:
default_policy: 'deny'
rules:
- policy: 'two_factor'
subject: 'group:forgejo'
## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
## syntax the lifespans can be customized per-client.
# lifespans:
lifespans:
## Configures the default/fallback lifespan for given token types. This behaviour applies to all clients and all
## grant types but you can override this behaviour using the custom lifespans.
# access_token: '1 hour'
# authorize_code: '1 minute'
# id_token: '1 hour'
# refresh_token: '90 minutes'
access_token: '1 hour'
authorize_code: '1 minute'
id_token: '1 hour'
refresh_token: '90 minutes'
## Cross-Origin Resource Sharing (CORS) settings.
# cors:
cors:
## List of endpoints in addition to the metadata endpoints to permit cross-origin requests on.
# endpoints:
# - 'authorization'
# - 'pushed-authorization-request'
# - 'token'
# - 'revocation'
# - 'introspection'
# - 'userinfo'
endpoints:
- 'authorization'
- 'pushed-authorization-request'
- 'token'
- 'revocation'
- 'introspection'
- 'userinfo'
## List of allowed origins.
## Any origin with https is permitted unless this option is configured or the
## allowed_origins_from_client_redirect_uris option is enabled.
# allowed_origins:
# - 'https://example.com'
allowed_origins:
- 'https://timo.bmrs.nl'
## Automatically adds the origin portion of all redirect URI's on all clients to the list of allowed_origins,
## provided they have the scheme http or https and do not have the hostname of localhost.
# allowed_origins_from_client_redirect_uris: false
allowed_origins_from_client_redirect_uris: false
## Clients is a list of known clients and their configuration.
# clients:
# -
clients:
-
## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
## configuration.
# client_id: 'myapp'
client_id: '{{ env "CLIENT_ID_FORGEJO" }}'
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
# client_name: 'My Application'
client_name: 'Forgejo'
## The client secret is a shared secret between Authelia and the consumer of this client.
# yamllint disable-line rule:line-length
# client_secret: '$pbkdf2-sha512$310000$c8p78n7pUMln0jzvd4aK4Q$JNRBzwAo0ek5qKn50cFzzvE9RXV88h1wJn5KGiHrD0YKtZaR/nCb2CJPOsKaPK0hjf.9yHxzQGZziziccp6Yng' # The digest of 'insecure_secret'.
client_secret: '{{ env "CLIENT_SECRET_FORGEJO" }}'
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
## necessary. It is critical to read the documentation for more information.
# sector_identifier_uri: 'https://example.com/sector.json'
## Sets the client to public. This should typically not be set, please see the documentation for usage.
# public: false
public: false
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
# redirect_uris:
# - 'https://oidc.example.com:8080/oauth2/callback'
redirect_uris:
- 'https://git.timo.bmrs.nl/user/oauth2/Authelia/callback'
## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
## URIs to fetch Request Objects.
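Review bot: `client_secret: '{{ env "CLIENT_SECRET_FORGEJO" }}'` replaces an example that is a pbkdf2 digest (the commented line above it), and Authelia expects the hashed form here rather than the plaintext that Forgejo is given; the environment variable must therefore hold the output of `authelia crypto hash generate pbkdf2 --random` while only the plaintext half goes to Forgejo, otherwise the shared secret sits unhashed in Authelia's environment and config. Separately, the `cors` block enables cross-origin requests on every OIDC endpoint (`token`, `introspection`, `revocation`, `userinfo`, …) for the browser origin `https://timo.bmrs.nl`, which a server-side confidential client like Forgejo never needs; dropping the `endpoints` list so only the metadata endpoints remain CORS-enabled is the least-privilege choice. The `authorization_policies.forgejo` entry with `default_policy: 'deny'` and `two_factor` for `group:forgejo` is a sound pattern for gating the client. The client definition continues past this hunk.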
@@ -1277,11 +1294,10 @@ notifier:
# audience: []
## Scopes this client is allowed to request.
# scopes:
# - 'openid'
# - 'groups'
# - 'email'
# - 'profile'
scopes:
- 'openid'
- 'email'
- 'profile'
## Grant Types configures which grants this client can obtain.
## It's not recommended to define this unless you know what you're doing.
@@ -1300,7 +1316,7 @@ notifier:
## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
## authorization policies section.
# authorization_policy: 'two_factor'
authorization_policy: 'forgejo'
## The custom lifespan name to use for this client. This must be configured independent of the client before
## utilization. Custom lifespans are reusable similar to authorization policies.
@@ -1326,7 +1342,7 @@ notifier:
## The permitted client authentication method for the Token Endpoint for this client.
## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
## defaults to 'none' per the specifications.
# token_endpoint_auth_method: 'client_secret_basic'
token_endpoint_auth_method: 'client_secret_basic'
## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
@@ -1368,7 +1384,7 @@ notifier:
## The signing algorithm used for User Info responses. An issuer JWK with a matching algorithm must be
## available. Has no effect if userinfo_signing_key_id is configured.
# userinfo_signed_response_alg: 'none'
userinfo_signed_response_alg: 'none'
## The signing key id used for User Info responses. An issuer JWK with a matching key id must be available when
## configured.