add documentation for lldap and authelia blocks

This commit is contained in:
ibizaman 2025-07-12 21:58:50 +02:00 committed by Pierre Penninckx
parent 1a5ecc9328
commit 41d037206d
9 changed files with 824 additions and 212 deletions

View file

@ -31,6 +31,14 @@ services you already have deployed.
Not all blocks are yet documented. You can find all available blocks [in the repository](@REPO@/modules/blocks).
:::
```{=include=} chapters html:into-file=//blocks-authelia.html
modules/blocks/authelia/docs/default.md
```
```{=include=} chapters html:into-file=//blocks-lldap.html
modules/blocks/lldap/docs/default.md
```
```{=include=} chapters html:into-file=//blocks-sops.html
modules/blocks/sops/docs/default.md
```

View file

@ -47,6 +47,414 @@
"blocks": [
"blocks.html#blocks"
],
"blocks-authelia": [
"blocks-authelia.html#blocks-authelia"
],
"blocks-authelia-forward-auth": [
"blocks-authelia.html#blocks-authelia-forward-auth"
],
"blocks-authelia-global-setup": [
"blocks-authelia.html#blocks-authelia-global-setup"
],
"blocks-authelia-oidc": [
"blocks-authelia.html#blocks-authelia-oidc"
],
"blocks-authelia-options": [
"blocks-authelia.html#blocks-authelia-options"
],
"blocks-authelia-options-shb.authelia.autheliaUser": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.autheliaUser"
],
"blocks-authelia-options-shb.authelia.dcdomain": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.dcdomain"
],
"blocks-authelia-options-shb.authelia.domain": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.domain"
],
"blocks-authelia-options-shb.authelia.enable": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.enable"
],
"blocks-authelia-options-shb.authelia.ldapHostname": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ldapHostname"
],
"blocks-authelia-options-shb.authelia.ldapPort": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ldapPort"
],
"blocks-authelia-options-shb.authelia.mount": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.mount"
],
"blocks-authelia-options-shb.authelia.mount.path": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.mount.path"
],
"blocks-authelia-options-shb.authelia.mountRedis": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.mountRedis"
],
"blocks-authelia-options-shb.authelia.mountRedis.path": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.mountRedis.path"
],
"blocks-authelia-options-shb.authelia.oidcClients": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients"
],
"blocks-authelia-options-shb.authelia.oidcClients._.authorization_policy": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.authorization_policy"
],
"blocks-authelia-options-shb.authelia.oidcClients._.client_id": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_id"
],
"blocks-authelia-options-shb.authelia.oidcClients._.client_name": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_name"
],
"blocks-authelia-options-shb.authelia.oidcClients._.client_secret": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_secret"
],
"blocks-authelia-options-shb.authelia.oidcClients._.client_secret.source": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_secret.source"
],
"blocks-authelia-options-shb.authelia.oidcClients._.client_secret.transform": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_secret.transform"
],
"blocks-authelia-options-shb.authelia.oidcClients._.public": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.public"
],
"blocks-authelia-options-shb.authelia.oidcClients._.redirect_uris": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.redirect_uris"
],
"blocks-authelia-options-shb.authelia.oidcClients._.scopes": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.scopes"
],
"blocks-authelia-options-shb.authelia.port": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.port"
],
"blocks-authelia-options-shb.authelia.rules": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.rules"
],
"blocks-authelia-options-shb.authelia.secrets": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.group": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.group"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.mode": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.mode"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.owner": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.owner"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.restartUnits": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.restartUnits"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.result": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.result"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.result.path": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.result.path"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.group": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.group"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.mode": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.mode"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.owner": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.owner"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.restartUnits": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.restartUnits"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result"
],
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result.path": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result.path"
],
"blocks-authelia-options-shb.authelia.secrets.jwtSecret": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret"
],
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.request": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request"
],
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.group": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.group"
],
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.mode": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.mode"
],
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.owner": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.owner"
],
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.restartUnits": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.restartUnits"
],
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.result": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.result"
],
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.result.path": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.result.path"
],
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword"
],
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request"
],
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.group": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.group"
],
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.mode": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.mode"
],
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.owner": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.owner"
],
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.restartUnits": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.restartUnits"
],
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.result": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.result"
],
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.result.path": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.result.path"
],
"blocks-authelia-options-shb.authelia.secrets.sessionSecret": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret"
],
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.request": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request"
],
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.group": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.group"
],
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.mode": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.mode"
],
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.owner": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.owner"
],
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.restartUnits": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.restartUnits"
],
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.result": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.result"
],
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.result.path": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.result.path"
],
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey"
],
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request"
],
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.group": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.group"
],
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.mode": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.mode"
],
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.owner": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.owner"
],
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.restartUnits": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.restartUnits"
],
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.result": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.result"
],
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.result.path": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.result.path"
],
"blocks-authelia-options-shb.authelia.smtp": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.smtp"
],
"blocks-authelia-options-shb.authelia.ssl": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl"
],
"blocks-authelia-options-shb.authelia.ssl.paths": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl.paths"
],
"blocks-authelia-options-shb.authelia.ssl.paths.cert": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl.paths.cert"
],
"blocks-authelia-options-shb.authelia.ssl.paths.key": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl.paths.key"
],
"blocks-authelia-options-shb.authelia.ssl.systemdService": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl.systemdService"
],
"blocks-authelia-options-shb.authelia.subdomain": [
"blocks-authelia.html#blocks-authelia-options-shb.authelia.subdomain"
],
"blocks-authelia-shb-forward-auth": [
"blocks-authelia.html#blocks-authelia-shb-forward-auth"
],
"blocks-authelia-shb-oidc": [
"blocks-authelia.html#blocks-authelia-shb-oidc"
],
"blocks-authelia-tests": [
"blocks-authelia.html#blocks-authelia-tests"
],
"blocks-lldap": [
"blocks-lldap.html#blocks-lldap"
],
"blocks-lldap-global-setup": [
"blocks-lldap.html#blocks-lldap-global-setup"
],
"blocks-lldap-manage-user-group": [
"blocks-lldap.html#blocks-lldap-manage-user-group"
],
"blocks-lldap-options": [
"blocks-lldap.html#blocks-lldap-options"
],
"blocks-lldap-options-shb.lldap.backup": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup"
],
"blocks-lldap-options-shb.lldap.backup.request": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request"
],
"blocks-lldap-options-shb.lldap.backup.request.excludePatterns": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.excludePatterns"
],
"blocks-lldap-options-shb.lldap.backup.request.hooks": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.hooks"
],
"blocks-lldap-options-shb.lldap.backup.request.hooks.afterBackup": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.hooks.afterBackup"
],
"blocks-lldap-options-shb.lldap.backup.request.hooks.beforeBackup": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.hooks.beforeBackup"
],
"blocks-lldap-options-shb.lldap.backup.request.sourceDirectories": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.sourceDirectories"
],
"blocks-lldap-options-shb.lldap.backup.request.user": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.user"
],
"blocks-lldap-options-shb.lldap.backup.result": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.result"
],
"blocks-lldap-options-shb.lldap.backup.result.backupService": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.result.backupService"
],
"blocks-lldap-options-shb.lldap.backup.result.restoreScript": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.result.restoreScript"
],
"blocks-lldap-options-shb.lldap.dcdomain": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.dcdomain"
],
"blocks-lldap-options-shb.lldap.debug": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.debug"
],
"blocks-lldap-options-shb.lldap.domain": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.domain"
],
"blocks-lldap-options-shb.lldap.enable": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.enable"
],
"blocks-lldap-options-shb.lldap.jwtSecret": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret"
],
"blocks-lldap-options-shb.lldap.jwtSecret.request": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request"
],
"blocks-lldap-options-shb.lldap.jwtSecret.request.group": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request.group"
],
"blocks-lldap-options-shb.lldap.jwtSecret.request.mode": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request.mode"
],
"blocks-lldap-options-shb.lldap.jwtSecret.request.owner": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request.owner"
],
"blocks-lldap-options-shb.lldap.jwtSecret.request.restartUnits": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request.restartUnits"
],
"blocks-lldap-options-shb.lldap.jwtSecret.result": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.result"
],
"blocks-lldap-options-shb.lldap.jwtSecret.result.path": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.result.path"
],
"blocks-lldap-options-shb.lldap.ldapPort": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapPort"
],
"blocks-lldap-options-shb.lldap.ldapUserPassword": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword"
],
"blocks-lldap-options-shb.lldap.ldapUserPassword.request": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request"
],
"blocks-lldap-options-shb.lldap.ldapUserPassword.request.group": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request.group"
],
"blocks-lldap-options-shb.lldap.ldapUserPassword.request.mode": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request.mode"
],
"blocks-lldap-options-shb.lldap.ldapUserPassword.request.owner": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request.owner"
],
"blocks-lldap-options-shb.lldap.ldapUserPassword.request.restartUnits": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request.restartUnits"
],
"blocks-lldap-options-shb.lldap.ldapUserPassword.result": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.result"
],
"blocks-lldap-options-shb.lldap.ldapUserPassword.result.path": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.result.path"
],
"blocks-lldap-options-shb.lldap.mount": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.mount"
],
"blocks-lldap-options-shb.lldap.mount.path": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.mount.path"
],
"blocks-lldap-options-shb.lldap.restrictAccessIPRange": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.restrictAccessIPRange"
],
"blocks-lldap-options-shb.lldap.ssl": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl"
],
"blocks-lldap-options-shb.lldap.ssl.paths": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl.paths"
],
"blocks-lldap-options-shb.lldap.ssl.paths.cert": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl.paths.cert"
],
"blocks-lldap-options-shb.lldap.ssl.paths.key": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl.paths.key"
],
"blocks-lldap-options-shb.lldap.ssl.systemdService": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl.systemdService"
],
"blocks-lldap-options-shb.lldap.subdomain": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.subdomain"
],
"blocks-lldap-options-shb.lldap.webUIListenPort": [
"blocks-lldap.html#blocks-lldap-options-shb.lldap.webUIListenPort"
],
"blocks-lldap-restrict-access-by-ip": [
"blocks-lldap.html#blocks-lldap-restrict-access-by-ip"
],
"blocks-lldap-ssl": [
"blocks-lldap.html#blocks-lldap-ssl"
],
"blocks-lldap-tests": [
"blocks-lldap.html#blocks-lldap-tests"
],
"blocks-lldap-troubleshooting": [
"blocks-lldap.html#blocks-lldap-troubleshooting"
],
"blocks-monitoring": [
"blocks-monitoring.html#blocks-monitoring"
],
@ -2597,15 +3005,18 @@
"services-vaultwarden-options-shb.vaultwarden.subdomain": [
"services-vaultwarden.html#services-vaultwarden-options-shb.vaultwarden.subdomain"
],
"services-vaultwarden-secrets": [
"services-vaultwarden.html#services-vaultwarden-secrets"
],
"services-vaultwarden-sso": [
"services-vaultwarden.html#services-vaultwarden-sso"
],
"services-vaultwarden-usage": [
"services-vaultwarden.html#services-vaultwarden-usage"
],
"services-vaultwarden-usage-configuration": [
"services-vaultwarden.html#services-vaultwarden-usage-configuration"
],
"services-vaultwarden-usage-https": [
"services-vaultwarden.html#services-vaultwarden-usage-https"
],
"services-vaultwarden-usage-sso": [
"services-vaultwarden.html#services-vaultwarden-usage-sso"
],
"services-vaultwarden-zfs": [
"services-vaultwarden.html#services-vaultwarden-zfs"
],

View file

@ -151,6 +151,8 @@
"./usage.md"
];
modules = {
"blocks/authelia" = ./modules/blocks/authelia.nix;
"blocks/lldap" = ./modules/blocks/lldap.nix;
"blocks/ssl" = ./modules/blocks/ssl.nix;
"blocks/monitoring" = ./modules/blocks/monitoring.nix;
"blocks/postgresql" = ./modules/blocks/postgresql.nix;

View file

@ -0,0 +1,234 @@
# Authelia Block {#blocks-authelia}
Defined in [`/modules/blocks/authelia.nix`](@REPO@/modules/blocks/authelia.nix).
This block sets up an [Authelia][] service for Single-Sign On integration.
[Authelia]: https://www.authelia.com/
## Global Setup {#blocks-authelia-global-setup}
Authelia cannot work without SSL and LDAP.
So setting up the Authelia block requires to setup the [SSL block][] first
and the [LLDAP block][] first.
[SSL block]: blocks-ssl.html
[LLDAP block]: blocks-lldap.html
SSL is required to encrypt the communication and LDAP is used to handle users and group assignments.
Authelia will allow access to a given resource only if the user that is authenticated
is a member of the corresponding LDAP group.
Afterwards, assuming the LDAP service runs on the same machine,
the Authelia configuration can be done with:
```nix
shb.authelia = {
enable = true;
domain = "example.com";
subdomain = "auth";
ssl = config.shb.certs.certs.letsencrypt."example.com";
ldapHostname = "127.0.0.1";
ldapPort = config.shb.lldap.ldapPort;
dcdomain = config.shb.lldap.dcdomain;
smtp = {
host = "smtp.eu.mailgun.org";
port = 587;
username = "postmaster@mg.example.com";
from_address = "authelia@example.com";
password.result = config.shb.sops.secrets."authelia/smtp_password".result;
};
secrets = {
jwtSecret.result = config.shb.sops.secrets."authelia/jwt_secret".result;
ldapAdminPassword.result = config.shb.sops.secrets."authelia/ldap_admin_password".result;
sessionSecret.result = config.shb.sops.secrets."authelia/session_secret".result;
storageEncryptionKey.result = config.shb.sops.secrets."authelia/storage_encryption_key".result;
identityProvidersOIDCHMACSecret.result = config.shb.sops.secrets."authelia/hmac_secret".result;
identityProvidersOIDCIssuerPrivateKey.result = config.shb.sops.secrets."authelia/private_key".result;
};
};
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "auth.example.com" ];
shb.sops.secrets."authelia/jwt_secret".request = config.shb.authelia.secrets.jwtSecret.request;
shb.sops.secrets."authelia/ldap_admin_password" = {
request = config.shb.authelia.secrets.ldapAdminPassword.request;
settings.key = "lldap/user_password";
};
shb.sops.secrets."authelia/session_secret".request = config.shb.authelia.secrets.sessionSecret.request;
shb.sops.secrets."authelia/storage_encryption_key".request = config.shb.authelia.secrets.storageEncryptionKey.request;
shb.sops.secrets."authelia/hmac_secret".request = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request;
shb.sops.secrets."authelia/private_key".request = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request;
shb.sops.secrets."authelia/smtp_password".request = config.shb.authelia.smtp.password.request;
```
This assumes secrets are setup with SOPS
as mentioned in [the secrets setup section](usage.html#usage-secrets) of the manual.
It's a bit annoying to setup all those secrets but it's only necessary once.
Use `nix run nixpkgs#openssl -- rand -hex 64` to generate them.
Crucially, the `shb.authelia.secrets.ldapAdminPasswordFile` must be the same
as the `shb.lldap.ldapUserPassword` defined for the [LLDAP block][].
This is done using Sops' `key` option.
## SHB OIDC integration {#blocks-authelia-shb-oidc}
For services [provided by SelfHostBlocks][services] that handle [OIDC integration][OIDC],
integrating with this block is done by configuring the service itself
and linking it to this Authelia block through the `endpoint` option
and by sharing a secret:
[services]: services.html
[OIDC]: https://openid.net/developers/how-connect-works/
```nix
shb.<service>.sso = {
enable = true;
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
secret.result = config.shb.sops.secrets."<service>/sso/secret".result;
secretForAuthelia.result = config.shb.sops.secrets."<service>/sso/secretForAuthelia".result;
};
shb.sops.secret."<service>/sso/secret".request = config.shb.<service>.sso.secret.request;
shb.sops.secret."<service>/sso/secretForAuthelia" = {
request = config.shb.<service>.sso.secretForAuthelia.request;
settings.key = "<service>/sso/secret";
};
```
To share a secret between the service and Authelia,
we generate a secret with `nix run nixpkgs#openssl -- rand -hex 64` under `<service>/sso/secret`
then we ask Sops to use the same password for `<service>/sso/secretForAuthelia`
thanks to the `settings.key` option.
The difference between both secrets is one if owned by the `authelia` user
while the other is owned by the user of the `<service`> we are configuring.
## OIDC Integration {#blocks-authelia-oidc}
To integrate a service handling OIDC integration not provided by SelfHostBlocks with this Authelia block,
the necessary configuration is:
```nix
shb.authelia.oidcClients = [
{
client_id = "<service>";
client_secret.source = shb.sops.secret."<service>/sso/secretForAuthelia".response.path;
scopes = [ "openid" "email" "profile" ];
redirect_uris = [
"<provided by service documentation>"
];
}
];
shb.sops.secret."<service>/sso/secret".request = {
owner = "<service_user>";
};
shb.sops.secret."<service>/sso/secretForAuthelia" = {
request.owner = "authelia";
settings.key = "<service>/sso/secret";
};
```
As in the previous section, we create a shared secret using Sops'
`settings.key` option.
The configuration for the service itself is much dependent on the service itself.
For example for [open-webui][], the configuration looks like so:
[open-webui]: https://search.nixos.org/options?query=services.open-webui
```nix
services.open-webui.environment = {
ENABLE_SIGNUP = "False";
WEBUI_AUTH = "True";
ENABLE_FORWARD_USER_INFO_HEADERS = "True";
ENABLE_OAUTH_SIGNUP = "True";
OAUTH_UPDATE_PICTURE_ON_LOGIN = "True";
OAUTH_CLIENT_ID = "open-webui";
OAUTH_CLIENT_SECRET = "<raw secret>";
OPENID_PROVIDER_URL = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}/.well-known/openid-configuration";
OAUTH_PROVIDER_NAME = "Single Sign-On";
OAUTH_SCOPES = "openid email profile";
OAUTH_ALLOWED_ROLES = "open-webui_user";
OAUTH_ADMIN_ROLES = "open-webui_admin";
ENABLE_OAUTH_ROLE_MANAGEMENT = "True";
};
shb.authelia.oidcClients = [
{
client_id = "open-webui";
client_secret.source = shb.sops.secret."open-webui/sso/secretForAuthelia".response.path;
scopes = [ "openid" "email" "profile" ];
redirect_uris = [
"<provided by service documentation>"
];
}
];
shb.sops.secret."open-webui/sso/secret".request = {
owner = "open-webui";
};
shb.sops.secret."open-webui/sso/secretForAuthelia" = {
request.owner = "authelia";
settings.key = "open-webui/sso/secret";
};
```
Here, there is no way to give a path for the `OAUTH_CLIENT_SECRET`,
we are obligated to pass the raw secret which is a very bad idea.
There are ways around this but they are out of scope for this section.
Inspiration can be taken from SelfHostBlocks' source code.
To access the UI, we will need to create an `open-webui_user` and
`open-webui_admin` LDAP group and assign our user to it.
## SHB Forward Auth {#blocks-authelia-shb-forward-auth}
For services provided by SelfHostBlocks that do not handle [OIDC integration][OIDC],
this block can provide [forward authentication][] which still allows the service to be protected by Authelia.
The user could still be required to authenticate to the service itself,
although some services can automatically users authorized by Authelia.
[forward authentication]: https://doc.traefik.io/traefik/middlewares/http/forwardauth/
Integrating with this block is done with the following code:
```nix
shb.<services>.authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
```
## Forward Auth {#blocks-authelia-forward-auth}
To integrate a service that does not handle OIDC integration
and which is not provided by SelfHostBlocks with this Authelia block,
the necessary configuration is:
```nix
shb.nginx.vhosts = [
{
subdomain = "<service>";
domain = "example.com";
ssl = config.shb.certs.certs.letsencrypt."example.com";
upstream = "http://127.0.0.1:${toString config.services.<service>.port}/";
}
];
```
This configuration assumes usage of the [SSL block][].
## Tests {#blocks-authelia-tests}
Specific integration tests are defined in [`/test/blocks/authelia.nix`](@REPO@/test/blocks/authelia.nix).
## Options Reference {#blocks-authelia-options}
```{=include=} options
id-prefix: blocks-authelia-options-
list-id: selfhostblocks-block-authelia-options
source: @OPTIONS_JSON@
```

View file

@ -0,0 +1,82 @@
# LLDAP Block {#blocks-lldap}
Defined in [`/modules/blocks/lldap.nix`](@REPO@/modules/blocks/lldap.nix).
This block sets up an [LLDAP][] service for user and group management
across services.
[LLDAP]: https://github.com/lldap/lldap
## Global Setup {#blocks-lldap-global-setup}
```nix
shb.lldap = {
enable = true;
subdomain = "ldap";
domain = "example.com";
dcdomain = "dc=example,dc=com";
ldapPort = 3890;
webUIListenPort = 17170;
jwtSecret.result = config.shb.sops.secret."lldap/jwt_secret".result;
ldapUserPassword.result = config.shb.sops.secret."lldap/user_password".result;
};
shb.sops.secret."lldap/jwt_secret".request = config.shb.ldap.jwtSecret.request;
shb.sops.secret."lldap/user_password".request = config.shb.ldap.ldapUserPassword.request;
```
This assumes secrets are setup with SOPS
as mentioned in [the secrets setup section](usage.html#usage-secrets) of the manual.
## SSL {#blocks-lldap-ssl}
Using SSL is an important security practice, like always.
Using the [SSL block][], the configuration to add to the one above is:
[SSL block]: blocks-ssl.html
```nix
shb.certs.certs.letsencrypt.${domain}.extraDomains = [
"${config.shb.lldap.subdomain}.${config.shb.lldap.domain}"
];
shb.ldap.ssl = config.shb.certs.certs.letsencrypt.${config.shb.lldap.domain};
```
## Restrict Access By IP {#blocks-lldap-restrict-access-by-ip}
For added security, you can restrict access to the LLDAP UI
by adding the following line:
```nix
shb.lldap.restrictAccessIPRange = "192.168.50.0/24";
```
## Manage User and Group {#blocks-lldap-manage-user-group}
Currently, managing users and groups must be done manually.
Work is in progress to make this declarative.
## Troubleshooting {#blocks-lldap-troubleshooting}
To increase logging verbosity, add:
```nix
shb.lldap.debug = true;
```
Note that verbosity is truly verbose here
so you will want to revert this at some point.
## Tests {#blocks-lldap-tests}
Specific integration tests are defined in [`/test/blocks/lldap.nix`](@REPO@/test/blocks/lldap.nix).
## Options Reference {#blocks-lldap-options}
```{=include=} options
id-prefix: blocks-lldap-options-
list-id: selfhostblocks-block-lldap-options
source: @OPTIONS_JSON@
```

View file

@ -98,33 +98,14 @@ We will build upon the [HTTPS](#services-forgejo-usage-https) section,
so please follow that first.
::::
We will use the LDAP block provided by Self Host Blocks
to setup a [LLDAP](https://github.com/lldap/lldap) service.
We will use the [LLDAP block][] provided by Self Host Blocks.
Assuming it [has been set already][LLDAP block setup], add the following configuration:
[LLDAP block]: blocks-lldap.html
[LLDAP block setup]: blocks-lldap.html#blocks-lldap-global-setup
```nix
shb.lldap = {
enable = true;
domain = "example.com";
subdomain = "ldap";
ssl = config.shb.certs.certs.letsencrypt."example.com";
ldapPort = 3890;
webUIListenPort = 17170;
dcdomain = "dc=example,dc=com";
ldapUserPassword.result = config.shb.sops.secrets."ldap/userPassword".result;
jwtSecret.result = config.shb.sops.secrets."ldap/jwtSecret".result;
};
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "ldap.example.com" ];
shb.sops.secrets."ldap/userPassword".request = config.shb.lldap.userPassword.request;
shb.sops.secrets."ldap/jwtSecret".request = config.shb.lldap.jwtSecret.request;
```
We also need to configure the `forgejo` service
to talk to the LDAP server we just defined:
```nix
shb.forgejo.ldap
shb.forgejo.ldap = {
enable = true;
host = "127.0.0.1";
port = config.shb.lldap.ldapPort;
@ -158,47 +139,11 @@ We will build upon the [LDAP](#services-forgejo-usage-ldap) section,
so please follow that first.
::::
We then need to setup the SSO provider,
here Authelia thanks to the corresponding SHB block:
We will use the [SSO block][] provided by Self Host Blocks.
Assuming it [has been set already][SSO block setup], add the following configuration:
```nix
shb.authelia = {
enable = true;
domain = "example.com";
subdomain = "auth";
ssl = config.shb.certs.certs.letsencrypt."example.com";
ldapHostname = "127.0.0.1";
ldapPort = config.shb.lldap.ldapPort;
dcdomain = config.shb.lldap.dcdomain;
secrets = {
jwtSecret.result = config.shb.sops.secrets."authelia/jwt_secret".result;
ldapAdminPassword.result = config.shb.sops.secrets."authelia/ldap_admin_password".result;
sessionSecret.result = config.shb.sops.secrets."authelia/session_secret".result;
storageEncryptionKey.result = config.shb.sops.secrets."authelia/storage_encryption_key".result;
identityProvidersOIDCHMACSecret.result = config.shb.sops.secrets."authelia/hmac_secret".result;
identityProvidersOIDCIssuerPrivateKey.result = config.shb.sops.secrets."authelia/private_key".result;
};
};
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "auth.example.com" ];
shb.sops.secrets."authelia/jwt_secret".request = config.shb.authelia.secrets.jwtSecret.request;
shb.sops.secrets."authelia/ldap_admin_password".request = config.shb.authelia.secrets.ldapAdminPassword.request;
shb.sops.secrets."authelia/session_secret".request = config.shb.authelia.secrets.sessionSecret.request;
shb.sops.secrets."authelia/storage_encryption_key".request = config.shb.authelia.secrets.storageEncryptionKey.request;
shb.sops.secrets."authelia/hmac_secret".request = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request;
shb.sops.secrets."authelia/private_key".request = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request;
shb.sops.secrets."authelia/smtp_password".request = config.shb.authelia.smtp.password.request;
```
The `shb.authelia.secrets.ldapAdminPasswordFile` must be the same
as the `shb.lldap.ldapUserPasswordFile` defined in the previous section.
The other secrets can be randomly generated
with `nix run nixpkgs#openssl -- rand -hex 64`.
Now, on the forgejo side, you need to add the following options:
[SSO block]: blocks-sso.html
[SSO block setup]: blocks-sso.html#blocks-sso-global-setup
```nix
shb.forgejo.sso = {

View file

@ -115,31 +115,11 @@ We will build upon the [HTTPS](#services-home-assistant-usage-https) section,
so please follow that first.
::::
We will use the LDAP block provided by Self Host Blocks
to setup a [LLDAP](https://github.com/lldap/lldap) service.
First, setup the global ldap block if not done yet:
We will use the [LLDAP block][] provided by Self Host Blocks.
Assuming it [has been set already][LLDAP block setup], add the following configuration:
```nix
shb.lldap = {
enable = true;
domain = "example.com";
subdomain = "ldap";
ssl = config.shb.certs.certs.letsencrypt."example.com";
ldapPort = 3890;
webUIListenPort = 17170;
dcdomain = "dc=example,dc=com";
ldapUserPassword.result = config.shb.sops.secrets."ldap/userPassword".result;
jwtSecret.result = config.shb.sops.secrets."ldap/jwtSecret".result;
};
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "ldap.example.com" ];
shb.sops.secrets."ldap/userPassword".request = config.shb.lldap.userPassword.request;
shb.sops.secrets."ldap/jwtSecret".request = config.shb.lldap.jwtSecret.request;
```
We then need to configure the `home-assistant` service
to talk to the LDAP server we just defined:
[LLDAP block]: blocks-lldap.html
[LLDAP block setup]: blocks-lldap.html#blocks-lldap-global-setup
```nix
shb.home-assistant.ldap
@ -157,8 +137,6 @@ create a user and add it to one or both groups.
When that's done, go back to the Home-Assistant server at
`http://home-assistant.example.com` and login with that user.
Work is in progress to make the creation of the LDAP user and group declarative too.
### With SSO Support {#services-home-assistant-usage-sso}
:::: {.warning}

View file

@ -149,31 +149,12 @@ demo](demo-nextcloud-server.html#demo-nextcloud-deploy-ldap).
We will build upon the [HTTP][] and [HTTPS][] sections,
so please read those first.
We will use the LDAP block provided by Self Host Blocks to setup a
[LLDAP](https://github.com/lldap/lldap) service.
If did already configure this for another service, you can skip this snippet.
```nix
shb.lldap = {
enable = true;
domain = "example.com";
subdomain = "ldap";
ssl = config.shb.certs.certs.letsencrypt."example.com";
ldapPort = 3890;
webUIListenPort = 17170;
dcdomain = "dc=example,dc=com";
ldapUserPassword.result = config.shb.sops.secrets."ldap/userPassword".result;
jwtSecret.result = config.shb.sops.secrets."ldap/jwtSecret".result;
};
We will use the [LLDAP block][] provided by Self Host Blocks.
Assuming it [has been set already][LLDAP block setup], add the following configuration:
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "ldap.example.com" ];
shb.sops.secrets."ldap/userPassword".request = config.shb.lldap.userPassword.request;
shb.sops.secrets."ldap/jwtSecret".request = config.shb.lldap.jwtSecret.request;
```
On the `nextcloud` module side, we need to configure it to talk to the LDAP server we
just defined:
[LLDAP block]: blocks-lldap.html
[LLDAP block setup]: blocks-lldap.html#blocks-lldap-global-setup
```nix
shb.nextcloud.apps.ldap = {
@ -219,52 +200,12 @@ demo](demo-nextcloud-server.html#demo-nextcloud-deploy-sso).
We will build upon the [HTTP][], [HTTPS][] and [LDAP][] sections,
so please read those first.
We need to setup the SSO provider, here Authelia, thanks to the corresponding SHB block
and we link it to the LDAP server:
```nix
shb.authelia = {
enable = true;
domain = "example.com";
subdomain = "auth";
ssl = config.shb.certs.certs.letsencrypt."example.com";
We will use the [SSO block][] provided by Self Host Blocks.
Assuming it [has been set already][SSO block setup], add the following configuration:
ldapHostname = "127.0.0.1";
ldapPort = config.shb.lldap.ldapPort;
dcdomain = config.shb.lldap.dcdomain;
smtp = {
host = "smtp.eu.mailgun.org";
port = 587;
username = "postmaster@mg.example.com";
from_address = "authelia@example.com";
password.result = config.shb.sops.secrets."authelia/smtp_password".result;
};
secrets = {
jwtSecret.result = config.shb.sops.secrets."authelia/jwt_secret".result;
ldapAdminPassword.result = config.shb.sops.secrets."authelia/ldap_admin_password".result;
sessionSecret.result = config.shb.sops.secrets."authelia/session_secret".result;
storageEncryptionKey.result = config.shb.sops.secrets."authelia/storage_encryption_key".result;
identityProvidersOIDCHMACSecret.result = config.shb.sops.secrets."authelia/hmac_secret".result;
identityProvidersOIDCIssuerPrivateKey.result = config.shb.sops.secrets."authelia/private_key".result;
};
};
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "auth.example.com" ];
shb.sops.secrets."authelia/jwt_secret".request = config.shb.authelia.secrets.jwtSecret.request;
shb.sops.secrets."authelia/ldap_admin_password".request = config.shb.authelia.secrets.ldapAdminPassword.request;
shb.sops.secrets."authelia/session_secret".request = config.shb.authelia.secrets.sessionSecret.request;
shb.sops.secrets."authelia/storage_encryption_key".request = config.shb.authelia.secrets.storageEncryptionKey.request;
shb.sops.secrets."authelia/hmac_secret".request = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request;
shb.sops.secrets."authelia/private_key".request = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request;
shb.sops.secrets."authelia/smtp_password".request = config.shb.authelia.smtp.password.request;
```
The secrets can be randomly generated with `nix run nixpkgs#openssl -- rand -hex 64`.
Now, on the Nextcloud side, you need to add the following options:
[SSO block]: blocks-sso.html
[SSO block setup]: blocks-sso.html#blocks-sso-global-setup
```nix
shb.nextcloud.apps.sso = {

View file

@ -16,48 +16,20 @@ This NixOS module is a service that sets up a [Vaultwarden Server](https://githu
## Usage {#services-vaultwarden-usage}
### Secrets {#services-vaultwarden-secrets}
### Initial Configuration {#services-vaultwarden-usage-configuration}
All the secrets should be readable by the vaultwarden user.
Secrets should not be stored in the nix store. If you're using
[sops-nix](https://github.com/Mic92/sops-nix) and assuming your secrets file is located at
`./secrets.yaml`, you can define a secret with:
The following snippet enables Vaultwarden and makes it available under the `vaultwarden.example.com` endpoint.
```nix
sops.secrets."vaultwarden/db" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = "vaultwarden";
group = "postgres";
restartUnits = [ "vaultwarden.service" ];
};
```
Then you can use that secret:
```nix
shb.vaultwarden.databasePasswordFile = config.sops.secrets."vaultwarden/db".path;
```
### SSO {#services-vaultwarden-sso}
To protect the `/admin` endpoint, we use SSO.
This requires the SSL, LDAP and SSO block to be configured.
Follow those links first if needed.
```nix
let
domain = <...>;
in
shb.vaultwarden = {
enable = true;
inherit domain;
domain = "example.com";
subdomain = "vaultwarden";
ssl = config.shb.certs.certs.letsencrypt.${domain};
port = 8222;
authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
databasePasswordFile = config.sops.secrets."vaultwarden/db".path;
databasePassword.result = config.shb.sops.secrets."vaultwarden/db".result;
smtp = {
host = "smtp.eu.mailgun.org";
port = 587;
@ -67,22 +39,61 @@ shb.vaultwarden = {
};
};
sops.secrets."vaultwarden/db" = {
sopsFile = ./secrets.yaml;
mode = "0440";
owner = "vaultwarden";
group = "postgres";
restartUnits = [ "vaultwarden.service" "postgresql.service" ];
};
sops.secrets."vaultwarden/smtp" = {
sopsFile = ./secrets.yaml;
mode = "0400";
owner = "vaultwarden";
group = "vaultwarden";
restartUnits = [ "vaultwarden.service" ];
shb.sops.secret."vaultwarden/db".request = config.shb.vaultwarden.databasePassword.request;
shb.sops.secret."vaultwarden/smtp".request = config.shb.vaultwarden.smtp.password.request;
```
This assumes secrets are setup with SOPS
as mentioned in [the secrets setup section](usage.html#usage-secrets) of the manual.
Secrets can be randomly generated with `nix run nixpkgs#openssl -- rand -hex 64`.
The SMTP configuration is needed to invite users to Vaultwarden.
### HTTPS {#services-vaultwarden-usage-https}
If the `shb.ssl` block is used (see [manual](blocks-ssl.html#usage) on how to set it up),
the instance will be reachable at `https://vaultwarden.example.com`.
Here is an example with Let's Encrypt certificates, validated using the HTTP method:
```nix
shb.certs.certs.letsencrypt."example.com" = {
domain = "example.com";
group = "nginx";
reloadServices = [ "nginx.service" ];
adminEmail = "myemail@mydomain.com";
};
```
Then you can tell Vaultwarden to use those certificates.
```nix
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "vaultwarden.example.com" ];
shb.forgejo = {
ssl = config.shb.certs.certs.letsencrypt."example.com";
};
```
### SSO {#services-vaultwarden-usage-sso}
To protect the `/admin` endpoint and avoid needing a secret passphrase for it, we can use SSO.
We will use the [SSO block][] provided by Self Host Blocks.
Assuming it [has been set already][SSO block setup], add the following configuration:
[SSO block]: blocks-sso.html
[SSO block setup]: blocks-sso.html#blocks-sso-global-setup
```nix
shb.vaultwarden.authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
```
Now, go to the LDAP server at `https://ldap.example.com`,
create the `vaultwarden_admin` group and add a user to that group.
When that's done, go back to the Vaultwarden server at
`https://vaultwarden.example.com/admin` and login with that user.
### ZFS {#services-vaultwarden-zfs}
Integration with the ZFS block allows to automatically create the relevant datasets.