xeovalyte/nix
1
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Added SearXNG, Homeassistant and Paperless

Browse Source
This commit is contained in:
xeovalyte
2024-11-05 21:03:34 +01:00
parent 728fb943af
commit cb838549be
12 changed files with 2691 additions and 155 deletions
Download Patch File Download Diff File Expand all files Collapse all files

185
homelab/authelia/config/configuration.yml
View File

@@ -648,9 +648,15 @@ access_control:
- domain: 'dozzle.timo.bmrs.nl'
policy: 'one_factor'
- domain: 'homeassistant.timo.bmrs.nl'
policy: 'bypass'
- domain: 'office.timo.bmrs.nl'
policy: 'bypass'
- domain: 'paperless.timo.bmrs.nl'
policy: 'bypass'
- domain: 'git.timo.bmrs.nl'
policy: 'bypass'
@@ -663,6 +669,9 @@ access_control:
- domain: 'ldap.timo.bmrs.nl'
policy: 'bypass'
- domain: 'search.timo.bmrs.nl'
policy: 'bypass'
- domain: 'uptime.timo.bmrs.nl'
policy: 'bypass'
@@ -1240,6 +1249,12 @@ identity_providers:
- policy: 'two_factor'
subject: 'group:forgejo'
paperless:
default_policy: 'deny'
rules:
- policy: 'two_factor'
subject: 'group:paperless'
## The lifespans configure the expiration for these token types in the duration common syntax. In addition to this
## syntax the lifespans can be customized per-client.
lifespans:
@@ -1273,173 +1288,33 @@ identity_providers:
## Clients is a list of known clients and their configuration.
clients:
-
## The Client ID is the OAuth 2.0 and OpenID Connect 1.0 Client ID which is used to link an application to a
## configuration.
client_id: '{{ env "CLIENT_ID_FORGEJO" }}'
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
- client_id: '{{ env "CLIENT_ID_FORGEJO" }}'
client_name: 'Forgejo'
## The client secret is a shared secret between Authelia and the consumer of this client.
# yamllint disable-line rule:line-length
client_secret: '{{ env "CLIENT_SECRET_FORGEJO" }}'
## Sector Identifiers are occasionally used to generate pairwise subject identifiers. In most cases this is not
## necessary. It is critical to read the documentation for more information.
# sector_identifier_uri: 'https://example.com/sector.json'
## Sets the client to public. This should typically not be set, please see the documentation for usage.
public: false
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
redirect_uris:
- 'https://git.timo.bmrs.nl/user/oauth2/Authelia/callback'
## Request URI's specifies a list of valid case-sensitive TLS-secured URIs for this client for use as
## URIs to fetch Request Objects.
# request_uris:
# - 'https://oidc.example.com:8080/oidc/request-object.jwk'
## Audience this client is allowed to request.
# audience: []
## Scopes this client is allowed to request.
scopes:
- 'openid'
- 'email'
- 'profile'
## Grant Types configures which grants this client can obtain.
## It's not recommended to define this unless you know what you're doing.
# grant_types:
# - 'authorization_code'
## Response Types configures which responses this client can be sent.
## It's not recommended to define this unless you know what you're doing.
# response_types:
# - 'code'
## Response Modes configures which response modes this client supports.
# response_modes:
# - 'form_post'
# - 'query'
## The policy to require for this client; one_factor or two_factor. Can also be the key names for the
## authorization policies section.
authorization_policy: 'forgejo'
## The custom lifespan name to use for this client. This must be configured independent of the client before
## utilization. Custom lifespans are reusable similar to authorization policies.
# lifespan: ''
## The consent mode controls how consent is obtained.
# consent_mode: 'auto'
## This value controls the duration a consent on this client remains remembered when the consent mode is
## configured as 'auto' or 'pre-configured' in the duration common syntax.
# pre_configured_consent_duration: '1 week'
## Requires the use of Pushed Authorization Requests for this client when set to true.
# require_pushed_authorization_requests: false
## Enforces the use of PKCE for this client when set to true.
# require_pkce: false
## Enforces the use of PKCE for this client when configured, and enforces the specified challenge method.
## Options are 'plain' and 'S256'.
# pkce_challenge_method: 'S256'
## The permitted client authentication method for the Token Endpoint for this client.
## For confidential client types this value defaults to 'client_secret_basic' and for the public client types it
## defaults to 'none' per the specifications.
token_endpoint_auth_method: 'client_secret_basic'
## The permitted client authentication signing algorithm for the Token Endpoint for this client when using
## the 'client_secret_jwt' or 'private_key_jwt' token_endpoint_auth_method.
# token_endpoint_auth_signing_alg: 'RS256'
## The signing algorithm which must be used for request objects. A client JWK with a matching algorithm must be
## available if configured.
# request_object_signing_alg: 'RS256'
## The signing algorithm used for signing the authorization response. An issuer JWK with a matching algorithm
## must be available when configured. Configuring this value enables the JWT Secured Authorization Response
## Mode (JARM) for this client. JARM is not understood by a majority of clients so you should only configure
## this when you know it's supported.
## Has no effect if authorization_signed_response_key_id is configured.
# authorization_signed_response_alg: 'none'
## The signing key id used for signing the authorization response. An issuer JWK with a matching key id must be
## available when configured. Configuring this value enables the JWT Secured Authorization Response Mode (JARM)
## for this client. JARM is not understood by a majority of clients so you should only configure this when you
## know it's supported.
# authorization_signed_response_key_id: ''
## The signing algorithm used for ID Tokens. An issuer JWK with a matching algorithm must be available when
## configured. Has no effect if id_token_signed_response_key_id is configured.
# id_token_signed_response_alg: 'RS256'
## The signing key id used for ID Tokens. An issuer JWK with a matching key id must be available when
## configured.
# id_token_signed_response_key_id: ''
## The signing algorithm used for Access Tokens. An issuer JWK with a matching algorithm must be available.
## Has no effect if access_token_signed_response_key_id is configured. Values other than 'none' enable RFC9068
## for this client.
# access_token_signed_response_alg: 'none'
## The signing key id used for Access Tokens. An issuer JWK with a matching key id must be available when
## configured. Values other than a blank value enable RFC9068 for this client.
# access_token_signed_response_key_id: ''
## The signing algorithm used for User Info responses. An issuer JWK with a matching algorithm must be
## available. Has no effect if userinfo_signing_key_id is configured.
userinfo_signed_response_alg: 'none'
## The signing key id used for User Info responses. An issuer JWK with a matching key id must be available when
## configured.
# userinfo_signed_response_key_id: ''
- client_id: '{{ env "CLIENT_ID_PAPERLESS" }}'
client_name: 'Forgejo'
client_secret: '{{ env "CLIENT_SECRET_PAPERLESS" }}'
public: false
redirect_uris:
- 'https://paperless.timo.bmrs.nl/accounts/oidc/authelia/login/callback/'
scopes:
- 'openid'
- 'email'
- 'profile'
- 'groups'
authorization_policy: 'paperless'
token_endpoint_auth_method: 'client_secret_basic'
userinfo_signed_response_alg: 'none'
## The signing algorithm used for Introspection responses. An issuer JWK with a matching algorithm must be
## available when configured. Has no effect if introspection_signed_response_key_id is configured.
# introspection_signed_response_alg: 'none'
## The signing key id used for Introspection responses. An issuer JWK with a matching key id must be available
## when configured.
# introspection_signed_response_key_id: ''
## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'.
## URL of the HTTPS endpoint which serves the keys. Please note the 'jwks_uri' and the 'jwks' option below
## are mutually exclusive.
# jwks_uri: 'https://app.example.com/jwks.json'
## Trusted public keys configuration for request object signing for things such as 'private_key_jwt'.
## List of JWKs known and registered with this client. It's recommended to use the 'jwks_uri' option if
## available due to key rotation. Please note the 'jwks' and the 'jwks_uri' option above are mutually exclusive.
# jwks:
# -
## Key ID used to match the JWT's to an individual identifier. This option is required if configured.
# key_id: 'example'
## The key algorithm expected with this key.
# algorithm: 'RS256'
## The key use expected with this key. Currently only 'sig' is supported.
# use: 'sig'
## Required Public Key in PEM DER form.
# key: |
# -----BEGIN RSA PUBLIC KEY-----
# ...
# -----END RSA PUBLIC KEY-----
## The matching certificate chain in PEM DER form that matches the key if available.
# certificate_chain: |
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
# -----BEGIN CERTIFICATE-----
# ...
# -----END CERTIFICATE-----
...