wiro.world / dotfiles
yep, more dotfiles
fork atom

server: authelia: define oidc policies

wiro.world ae3b1e41 127d231f

verified
options
unified split
Changed files
+42 -12
nixos
profiles
server.nix
+42 -12
nixos/profiles/server.nix 
···

       
464

       
464

       
 

       



     

       
465

       
465

       
 

       
        access_control = {


     

       
466

       
466

       
 

       
          default_policy = "deny";


     

       

       
467

       
+

       
          # Rules are sequential and do not apply to OIDC


     

       
467

       
468

       
 

       
          rules = [


     

       
468

       
469

       
 

       
            {


     

       
469

       

       
-

       
              domain = "*.wiro.world";


     

       

       
470

       
+

       
              domain = "headscale.wiro.world";


     

       

       
471

       
+

       
              policy = "two_factor";


     

       

       
472

       
+

       



     

       

       
473

       
+

       
            }


     

       

       
474

       
+

       
            {


     

       

       
475

       
+

       
              domain = "news.wiro.world";


     

       
470

       
476

       
 

       
              policy = "one_factor";


     

       

       
477

       
+

       



     

       

       
478

       
+

       
              subject = [ [ "group:miniflux" "oauth2:client:miniflux" ] ];


     

       

       
479

       
+

       
            }


     

       

       
480

       
+

       
            {


     

       

       
481

       
+

       
              domain = "*.wiro.world";


     

       

       
482

       
+

       
              policy = "two_factor";


     

       
471

       
483

       
 

       
            }


     

       
472

       
484

       
 

       
          ];


     

       
473

       
485

       
 

       
        };


     

       
474

       
486

       
 

       



     

       
475

       
487

       
 

       
        identity_providers.oidc = {


     

       
476

       
488

       
 

       
          enforce_pkce = "always";


     

       

       
489

       
+

       



     

       

       
490

       
+

       
          authorization_policies =


     

       

       
491

       
+

       
            let


     

       

       
492

       
+

       
              mkStrictPolicy = policy: subject:


     

       

       
493

       
+

       
                { default_policy = "deny"; rules = [{ inherit policy subject; }]; };


     

       

       
494

       
+

       
            in


     

       

       
495

       
+

       
            {


     

       

       
496

       
+

       
              headscale = mkStrictPolicy "two_factor" [ "group:headscale" ];


     

       

       
497

       
+

       
              grafana = mkStrictPolicy "one_factor" [ "group:grafana" ];


     

       

       
498

       
+

       
              miniflux = mkStrictPolicy "one_factor" [ "group:miniflux" ];


     

       

       
499

       
+

       
            };


     

       

       
500

       
+

       



     

       
477

       
501

       
 

       
          clients = [


     

       
478

       
502

       
 

       
            {


     

       
479

       
503

       
 

       
              client_name = "Headscale";


     

       
480

       
504

       
 

       
              client_id = "headscale";


     

       
481

       
505

       
 

       
              client_secret = "$pbkdf2-sha256$310000$XY680D9gkSoWhD0UtYHNFg$ptWB3exOYCga6uq1N.oimuV3ILjK3F8lBWBpsBpibos";


     

       
482

       

       
-

       



     

       
483

       

       
-

       
              redirect_uris = [ "https://headscale.wiro.world/oidc/callback" ];


     

       
484

       

       
-

       
            }


     

       
485

       

       
-

       
            {


     

       
486

       

       
-

       
              client_name = "Grafana Console";


     

       
487

       

       
-

       
              client_id = "grafana";


     

       
488

       

       
-

       
              client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";


     

       

       
506

       
+

       
              redirect_uris = [ "https://${headscale-hostname}/oidc/callback" ];


     

       
489

       
507

       
 

       



     

       
490

       

       
-

       
              redirect_uris = [ "https://console.wiro.world/login/generic_oauth" ];


     

       

       
508

       
+

       
              authorization_policy = "headscale";


     

       
491

       
509

       
 

       
            }


     

       
492

       
510

       
 

       
            {


     

       
493

       
511

       
 

       
              client_name = "Tailscale";


     

       
494

       
512

       
 

       
              client_id = "tailscale";


     

       
495

       
513

       
 

       
              client_secret = "$pbkdf2-sha256$310000$PcUaup9aWKI9ZLeCF6.avw$FpsTxkDaxcoQlBi8aIacegXpjEDiCI6nXcaHyZ2Sxyc";


     

       

       
514

       
+

       
              redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];


     

       
496

       
515

       
 

       



     

       
497

       

       
-

       
              redirect_uris = [ "https://login.tailscale.com/a/oauth_response" ];


     

       

       
516

       
+

       
              authorization_policy = "headscale";


     

       

       
517

       
+

       
            }


     

       

       
518

       
+

       
            {


     

       

       
519

       
+

       
              client_name = "Grafana Console";


     

       

       
520

       
+

       
              client_id = "grafana";


     

       

       
521

       
+

       
              client_secret = "$pbkdf2-sha256$310000$UkwrqxTZodGMs9.Ca2cXAA$HCWFgQbFHGXZpuz.I3HHdkTZLUevRVGlhKEFaOlPmKs";


     

       

       
522

       
+

       
              redirect_uris = [ "https://${grafana-hostname}/login/generic_oauth" ];


     

       

       
523

       
+

       



     

       

       
524

       
+

       
              authorization_policy = "grafana";


     

       
498

       
525

       
 

       
            }


     

       
499

       
526

       
 

       
            {


     

       
500

       
527

       
 

       
              client_name = "Miniflux";


     

       
501

       
528

       
 

       
              client_id = "miniflux";


     

       
502

       
529

       
 

       
              client_secret = "$pbkdf2-sha256$310000$uPqbWfCOBXDY6nV1vsx3uA$HOWG2hL.c/bs9Dwaee3b9DxjH7KFO.SaZMbasXV9Vdw";


     

       

       
530

       
+

       
              redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];


     

       
503

       
531

       
 

       



     

       
504

       

       
-

       
              redirect_uris = [ "https://${miniflux-hostname}/oauth2/oidc/callback" ];


     

       

       
532

       
+

       
              authorization_policy = "miniflux";


     

       
505

       
533

       
 

       
            }


     

       
506

       
534

       
 

       
          ];


     

       
507

       
535

       
 

       
        };


     
···

       
576

       
604

       
 

       
      enable = true;


     

       
577

       
605

       
 

       



     

       
578

       
606

       
 

       
      createDatabaseLocally = true;


     

       
579

       

       
-

       
      adminCredentialsFile = config.age.secrets.miniflux-oidc-secret.path;


     

       
580

       
607

       
 

       
      config = {


     

       
581

       
608

       
 

       
        BASE_URL = "https://${miniflux-hostname}/";


     

       
582

       
609

       
 

       
        LISTEN_ADDR = "127.0.0.1:${toString miniflux-port}";


     

       

       
610

       
+

       
        CREATE_ADMIN = 0;


     

       
583

       
611

       
 

       



     

       
584

       
612

       
 

       
        # TODO: scrape metrics endpoint with prometheus


     

       
585

       
613

       
 

       



     
···

       
591

       
619

       
 

       
        OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.wiro.world";


     

       
592

       
620

       
 

       
        OAUTH2_USER_CREATION = 1;


     

       
593

       
621

       
 

       
        DISABLE_LOCAL_AUTH = 1;


     

       

       
622

       
+

       



     

       

       
623

       
+

       
        RUN_MIGRATIONS = 1;


     

       
594

       
624

       
 

       



     

       
595

       
625

       
 

       
        # NetNewsWire is a very good iOS oss client that integrates well


     

       
596

       
626

       
 

       
        # https://b.j4.lc/2025/05/05/setting-up-netnewswire-with-miniflux/