add documentation for lldap and authelia blocks
This commit is contained in:
parent
1a5ecc9328
commit
41d037206d
9 changed files with 824 additions and 212 deletions
|
|
@ -31,6 +31,14 @@ services you already have deployed.
|
|||
Not all blocks are yet documented. You can find all available blocks [in the repository](@REPO@/modules/blocks).
|
||||
:::
|
||||
|
||||
```{=include=} chapters html:into-file=//blocks-authelia.html
|
||||
modules/blocks/authelia/docs/default.md
|
||||
```
|
||||
|
||||
```{=include=} chapters html:into-file=//blocks-lldap.html
|
||||
modules/blocks/lldap/docs/default.md
|
||||
```
|
||||
|
||||
```{=include=} chapters html:into-file=//blocks-sops.html
|
||||
modules/blocks/sops/docs/default.md
|
||||
```
|
||||
|
|
|
|||
|
|
@ -47,6 +47,414 @@
|
|||
"blocks": [
|
||||
"blocks.html#blocks"
|
||||
],
|
||||
"blocks-authelia": [
|
||||
"blocks-authelia.html#blocks-authelia"
|
||||
],
|
||||
"blocks-authelia-forward-auth": [
|
||||
"blocks-authelia.html#blocks-authelia-forward-auth"
|
||||
],
|
||||
"blocks-authelia-global-setup": [
|
||||
"blocks-authelia.html#blocks-authelia-global-setup"
|
||||
],
|
||||
"blocks-authelia-oidc": [
|
||||
"blocks-authelia.html#blocks-authelia-oidc"
|
||||
],
|
||||
"blocks-authelia-options": [
|
||||
"blocks-authelia.html#blocks-authelia-options"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.autheliaUser": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.autheliaUser"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.dcdomain": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.dcdomain"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.domain": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.domain"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.enable": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.enable"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.ldapHostname": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ldapHostname"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.ldapPort": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ldapPort"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.mount": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.mount"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.mount.path": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.mount.path"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.mountRedis": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.mountRedis"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.mountRedis.path": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.mountRedis.path"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.oidcClients": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.oidcClients._.authorization_policy": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.authorization_policy"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.oidcClients._.client_id": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_id"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.oidcClients._.client_name": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_name"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.oidcClients._.client_secret": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_secret"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.oidcClients._.client_secret.source": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_secret.source"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.oidcClients._.client_secret.transform": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_secret.transform"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.oidcClients._.public": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.public"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.oidcClients._.redirect_uris": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.redirect_uris"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.oidcClients._.scopes": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.scopes"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.port": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.port"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.rules": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.rules"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.group": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.group"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.mode": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.mode"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.owner": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.owner"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.restartUnits": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.restartUnits"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.result": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.result"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.result.path": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.result.path"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.group": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.group"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.mode": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.mode"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.owner": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.owner"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.restartUnits": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.restartUnits"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result.path": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result.path"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.jwtSecret": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.request": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.group": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.group"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.mode": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.mode"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.owner": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.owner"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.restartUnits": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.restartUnits"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.result": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.result"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.jwtSecret.result.path": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.result.path"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.group": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.group"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.mode": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.mode"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.owner": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.owner"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.restartUnits": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.restartUnits"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.result": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.result"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.result.path": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.result.path"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.sessionSecret": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.request": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.group": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.group"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.mode": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.mode"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.owner": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.owner"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.restartUnits": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.restartUnits"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.result": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.result"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.sessionSecret.result.path": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.result.path"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.group": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.group"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.mode": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.mode"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.owner": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.owner"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.restartUnits": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.restartUnits"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.result": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.result"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.result.path": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.result.path"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.smtp": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.smtp"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.ssl": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.ssl.paths": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl.paths"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.ssl.paths.cert": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl.paths.cert"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.ssl.paths.key": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl.paths.key"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.ssl.systemdService": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl.systemdService"
|
||||
],
|
||||
"blocks-authelia-options-shb.authelia.subdomain": [
|
||||
"blocks-authelia.html#blocks-authelia-options-shb.authelia.subdomain"
|
||||
],
|
||||
"blocks-authelia-shb-forward-auth": [
|
||||
"blocks-authelia.html#blocks-authelia-shb-forward-auth"
|
||||
],
|
||||
"blocks-authelia-shb-oidc": [
|
||||
"blocks-authelia.html#blocks-authelia-shb-oidc"
|
||||
],
|
||||
"blocks-authelia-tests": [
|
||||
"blocks-authelia.html#blocks-authelia-tests"
|
||||
],
|
||||
"blocks-lldap": [
|
||||
"blocks-lldap.html#blocks-lldap"
|
||||
],
|
||||
"blocks-lldap-global-setup": [
|
||||
"blocks-lldap.html#blocks-lldap-global-setup"
|
||||
],
|
||||
"blocks-lldap-manage-user-group": [
|
||||
"blocks-lldap.html#blocks-lldap-manage-user-group"
|
||||
],
|
||||
"blocks-lldap-options": [
|
||||
"blocks-lldap.html#blocks-lldap-options"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.backup": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.backup.request": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.backup.request.excludePatterns": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.excludePatterns"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.backup.request.hooks": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.hooks"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.backup.request.hooks.afterBackup": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.hooks.afterBackup"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.backup.request.hooks.beforeBackup": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.hooks.beforeBackup"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.backup.request.sourceDirectories": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.sourceDirectories"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.backup.request.user": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.user"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.backup.result": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.result"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.backup.result.backupService": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.result.backupService"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.backup.result.restoreScript": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.result.restoreScript"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.dcdomain": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.dcdomain"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.debug": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.debug"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.domain": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.domain"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.enable": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.enable"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.jwtSecret": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.jwtSecret.request": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.jwtSecret.request.group": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request.group"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.jwtSecret.request.mode": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request.mode"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.jwtSecret.request.owner": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request.owner"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.jwtSecret.request.restartUnits": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request.restartUnits"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.jwtSecret.result": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.result"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.jwtSecret.result.path": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.result.path"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ldapPort": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapPort"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ldapUserPassword": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ldapUserPassword.request": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ldapUserPassword.request.group": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request.group"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ldapUserPassword.request.mode": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request.mode"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ldapUserPassword.request.owner": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request.owner"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ldapUserPassword.request.restartUnits": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request.restartUnits"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ldapUserPassword.result": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.result"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ldapUserPassword.result.path": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.result.path"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.mount": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.mount"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.mount.path": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.mount.path"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.restrictAccessIPRange": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.restrictAccessIPRange"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ssl": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ssl.paths": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl.paths"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ssl.paths.cert": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl.paths.cert"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ssl.paths.key": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl.paths.key"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.ssl.systemdService": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl.systemdService"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.subdomain": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.subdomain"
|
||||
],
|
||||
"blocks-lldap-options-shb.lldap.webUIListenPort": [
|
||||
"blocks-lldap.html#blocks-lldap-options-shb.lldap.webUIListenPort"
|
||||
],
|
||||
"blocks-lldap-restrict-access-by-ip": [
|
||||
"blocks-lldap.html#blocks-lldap-restrict-access-by-ip"
|
||||
],
|
||||
"blocks-lldap-ssl": [
|
||||
"blocks-lldap.html#blocks-lldap-ssl"
|
||||
],
|
||||
"blocks-lldap-tests": [
|
||||
"blocks-lldap.html#blocks-lldap-tests"
|
||||
],
|
||||
"blocks-lldap-troubleshooting": [
|
||||
"blocks-lldap.html#blocks-lldap-troubleshooting"
|
||||
],
|
||||
"blocks-monitoring": [
|
||||
"blocks-monitoring.html#blocks-monitoring"
|
||||
],
|
||||
|
|
@ -2597,15 +3005,18 @@
|
|||
"services-vaultwarden-options-shb.vaultwarden.subdomain": [
|
||||
"services-vaultwarden.html#services-vaultwarden-options-shb.vaultwarden.subdomain"
|
||||
],
|
||||
"services-vaultwarden-secrets": [
|
||||
"services-vaultwarden.html#services-vaultwarden-secrets"
|
||||
],
|
||||
"services-vaultwarden-sso": [
|
||||
"services-vaultwarden.html#services-vaultwarden-sso"
|
||||
],
|
||||
"services-vaultwarden-usage": [
|
||||
"services-vaultwarden.html#services-vaultwarden-usage"
|
||||
],
|
||||
"services-vaultwarden-usage-configuration": [
|
||||
"services-vaultwarden.html#services-vaultwarden-usage-configuration"
|
||||
],
|
||||
"services-vaultwarden-usage-https": [
|
||||
"services-vaultwarden.html#services-vaultwarden-usage-https"
|
||||
],
|
||||
"services-vaultwarden-usage-sso": [
|
||||
"services-vaultwarden.html#services-vaultwarden-usage-sso"
|
||||
],
|
||||
"services-vaultwarden-zfs": [
|
||||
"services-vaultwarden.html#services-vaultwarden-zfs"
|
||||
],
|
||||
|
|
|
|||
|
|
@ -151,6 +151,8 @@
|
|||
"./usage.md"
|
||||
];
|
||||
modules = {
|
||||
"blocks/authelia" = ./modules/blocks/authelia.nix;
|
||||
"blocks/lldap" = ./modules/blocks/lldap.nix;
|
||||
"blocks/ssl" = ./modules/blocks/ssl.nix;
|
||||
"blocks/monitoring" = ./modules/blocks/monitoring.nix;
|
||||
"blocks/postgresql" = ./modules/blocks/postgresql.nix;
|
||||
|
|
|
|||
234
modules/blocks/authelia/docs/default.md
Normal file
234
modules/blocks/authelia/docs/default.md
Normal file
|
|
@ -0,0 +1,234 @@
|
|||
# Authelia Block {#blocks-authelia}
|
||||
|
||||
Defined in [`/modules/blocks/authelia.nix`](@REPO@/modules/blocks/authelia.nix).
|
||||
|
||||
This block sets up an [Authelia][] service for Single-Sign On integration.
|
||||
|
||||
[Authelia]: https://www.authelia.com/
|
||||
|
||||
## Global Setup {#blocks-authelia-global-setup}
|
||||
|
||||
Authelia cannot work without SSL and LDAP.
|
||||
So setting up the Authelia block requires to setup the [SSL block][] first
|
||||
and the [LLDAP block][] first.
|
||||
|
||||
[SSL block]: blocks-ssl.html
|
||||
[LLDAP block]: blocks-lldap.html
|
||||
|
||||
SSL is required to encrypt the communication and LDAP is used to handle users and group assignments.
|
||||
Authelia will allow access to a given resource only if the user that is authenticated
|
||||
is a member of the corresponding LDAP group.
|
||||
|
||||
Afterwards, assuming the LDAP service runs on the same machine,
|
||||
the Authelia configuration can be done with:
|
||||
|
||||
```nix
|
||||
shb.authelia = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
subdomain = "auth";
|
||||
ssl = config.shb.certs.certs.letsencrypt."example.com";
|
||||
|
||||
ldapHostname = "127.0.0.1";
|
||||
ldapPort = config.shb.lldap.ldapPort;
|
||||
dcdomain = config.shb.lldap.dcdomain;
|
||||
|
||||
smtp = {
|
||||
host = "smtp.eu.mailgun.org";
|
||||
port = 587;
|
||||
username = "postmaster@mg.example.com";
|
||||
from_address = "authelia@example.com";
|
||||
password.result = config.shb.sops.secrets."authelia/smtp_password".result;
|
||||
};
|
||||
|
||||
secrets = {
|
||||
jwtSecret.result = config.shb.sops.secrets."authelia/jwt_secret".result;
|
||||
ldapAdminPassword.result = config.shb.sops.secrets."authelia/ldap_admin_password".result;
|
||||
sessionSecret.result = config.shb.sops.secrets."authelia/session_secret".result;
|
||||
storageEncryptionKey.result = config.shb.sops.secrets."authelia/storage_encryption_key".result;
|
||||
identityProvidersOIDCHMACSecret.result = config.shb.sops.secrets."authelia/hmac_secret".result;
|
||||
identityProvidersOIDCIssuerPrivateKey.result = config.shb.sops.secrets."authelia/private_key".result;
|
||||
};
|
||||
};
|
||||
|
||||
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "auth.example.com" ];
|
||||
|
||||
shb.sops.secrets."authelia/jwt_secret".request = config.shb.authelia.secrets.jwtSecret.request;
|
||||
shb.sops.secrets."authelia/ldap_admin_password" = {
|
||||
request = config.shb.authelia.secrets.ldapAdminPassword.request;
|
||||
settings.key = "lldap/user_password";
|
||||
};
|
||||
shb.sops.secrets."authelia/session_secret".request = config.shb.authelia.secrets.sessionSecret.request;
|
||||
shb.sops.secrets."authelia/storage_encryption_key".request = config.shb.authelia.secrets.storageEncryptionKey.request;
|
||||
shb.sops.secrets."authelia/hmac_secret".request = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request;
|
||||
shb.sops.secrets."authelia/private_key".request = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request;
|
||||
shb.sops.secrets."authelia/smtp_password".request = config.shb.authelia.smtp.password.request;
|
||||
```
|
||||
|
||||
This assumes secrets are setup with SOPS
|
||||
as mentioned in [the secrets setup section](usage.html#usage-secrets) of the manual.
|
||||
It's a bit annoying to setup all those secrets but it's only necessary once.
|
||||
Use `nix run nixpkgs#openssl -- rand -hex 64` to generate them.
|
||||
|
||||
Crucially, the `shb.authelia.secrets.ldapAdminPasswordFile` must be the same
|
||||
as the `shb.lldap.ldapUserPassword` defined for the [LLDAP block][].
|
||||
This is done using Sops' `key` option.
|
||||
|
||||
## SHB OIDC integration {#blocks-authelia-shb-oidc}
|
||||
|
||||
For services [provided by SelfHostBlocks][services] that handle [OIDC integration][OIDC],
|
||||
integrating with this block is done by configuring the service itself
|
||||
and linking it to this Authelia block through the `endpoint` option
|
||||
and by sharing a secret:
|
||||
|
||||
[services]: services.html
|
||||
[OIDC]: https://openid.net/developers/how-connect-works/
|
||||
|
||||
```nix
|
||||
shb.<service>.sso = {
|
||||
enable = true;
|
||||
endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
||||
|
||||
secret.result = config.shb.sops.secrets."<service>/sso/secret".result;
|
||||
secretForAuthelia.result = config.shb.sops.secrets."<service>/sso/secretForAuthelia".result;
|
||||
};
|
||||
|
||||
shb.sops.secret."<service>/sso/secret".request = config.shb.<service>.sso.secret.request;
|
||||
shb.sops.secret."<service>/sso/secretForAuthelia" = {
|
||||
request = config.shb.<service>.sso.secretForAuthelia.request;
|
||||
settings.key = "<service>/sso/secret";
|
||||
};
|
||||
```
|
||||
|
||||
To share a secret between the service and Authelia,
|
||||
we generate a secret with `nix run nixpkgs#openssl -- rand -hex 64` under `<service>/sso/secret`
|
||||
then we ask Sops to use the same password for `<service>/sso/secretForAuthelia`
|
||||
thanks to the `settings.key` option.
|
||||
The difference between both secrets is one if owned by the `authelia` user
|
||||
while the other is owned by the user of the `<service`> we are configuring.
|
||||
|
||||
## OIDC Integration {#blocks-authelia-oidc}
|
||||
|
||||
To integrate a service handling OIDC integration not provided by SelfHostBlocks with this Authelia block,
|
||||
the necessary configuration is:
|
||||
|
||||
```nix
|
||||
shb.authelia.oidcClients = [
|
||||
{
|
||||
client_id = "<service>";
|
||||
client_secret.source = shb.sops.secret."<service>/sso/secretForAuthelia".response.path;
|
||||
scopes = [ "openid" "email" "profile" ];
|
||||
redirect_uris = [
|
||||
"<provided by service documentation>"
|
||||
];
|
||||
}
|
||||
];
|
||||
|
||||
shb.sops.secret."<service>/sso/secret".request = {
|
||||
owner = "<service_user>";
|
||||
};
|
||||
shb.sops.secret."<service>/sso/secretForAuthelia" = {
|
||||
request.owner = "authelia";
|
||||
settings.key = "<service>/sso/secret";
|
||||
};
|
||||
```
|
||||
|
||||
As in the previous section, we create a shared secret using Sops'
|
||||
`settings.key` option.
|
||||
|
||||
The configuration for the service itself is much dependent on the service itself.
|
||||
For example for [open-webui][], the configuration looks like so:
|
||||
|
||||
[open-webui]: https://search.nixos.org/options?query=services.open-webui
|
||||
|
||||
```nix
|
||||
services.open-webui.environment = {
|
||||
ENABLE_SIGNUP = "False";
|
||||
WEBUI_AUTH = "True";
|
||||
ENABLE_FORWARD_USER_INFO_HEADERS = "True";
|
||||
ENABLE_OAUTH_SIGNUP = "True";
|
||||
OAUTH_UPDATE_PICTURE_ON_LOGIN = "True";
|
||||
OAUTH_CLIENT_ID = "open-webui";
|
||||
OAUTH_CLIENT_SECRET = "<raw secret>";
|
||||
OPENID_PROVIDER_URL = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}/.well-known/openid-configuration";
|
||||
OAUTH_PROVIDER_NAME = "Single Sign-On";
|
||||
OAUTH_SCOPES = "openid email profile";
|
||||
OAUTH_ALLOWED_ROLES = "open-webui_user";
|
||||
OAUTH_ADMIN_ROLES = "open-webui_admin";
|
||||
ENABLE_OAUTH_ROLE_MANAGEMENT = "True";
|
||||
};
|
||||
|
||||
shb.authelia.oidcClients = [
|
||||
{
|
||||
client_id = "open-webui";
|
||||
client_secret.source = shb.sops.secret."open-webui/sso/secretForAuthelia".response.path;
|
||||
scopes = [ "openid" "email" "profile" ];
|
||||
redirect_uris = [
|
||||
"<provided by service documentation>"
|
||||
];
|
||||
}
|
||||
];
|
||||
|
||||
shb.sops.secret."open-webui/sso/secret".request = {
|
||||
owner = "open-webui";
|
||||
};
|
||||
shb.sops.secret."open-webui/sso/secretForAuthelia" = {
|
||||
request.owner = "authelia";
|
||||
settings.key = "open-webui/sso/secret";
|
||||
};
|
||||
```
|
||||
|
||||
Here, there is no way to give a path for the `OAUTH_CLIENT_SECRET`,
|
||||
we are obligated to pass the raw secret which is a very bad idea.
|
||||
There are ways around this but they are out of scope for this section.
|
||||
Inspiration can be taken from SelfHostBlocks' source code.
|
||||
|
||||
To access the UI, we will need to create an `open-webui_user` and
|
||||
`open-webui_admin` LDAP group and assign our user to it.
|
||||
|
||||
## SHB Forward Auth {#blocks-authelia-shb-forward-auth}
|
||||
|
||||
For services provided by SelfHostBlocks that do not handle [OIDC integration][OIDC],
|
||||
this block can provide [forward authentication][] which still allows the service to be protected by Authelia.
|
||||
|
||||
The user could still be required to authenticate to the service itself,
|
||||
although some services can automatically users authorized by Authelia.
|
||||
|
||||
[forward authentication]: https://doc.traefik.io/traefik/middlewares/http/forwardauth/
|
||||
|
||||
Integrating with this block is done with the following code:
|
||||
|
||||
```nix
|
||||
shb.<services>.authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
||||
```
|
||||
|
||||
## Forward Auth {#blocks-authelia-forward-auth}
|
||||
|
||||
To integrate a service that does not handle OIDC integration
|
||||
and which is not provided by SelfHostBlocks with this Authelia block,
|
||||
the necessary configuration is:
|
||||
|
||||
```nix
|
||||
shb.nginx.vhosts = [
|
||||
{
|
||||
subdomain = "<service>";
|
||||
domain = "example.com";
|
||||
ssl = config.shb.certs.certs.letsencrypt."example.com";
|
||||
upstream = "http://127.0.0.1:${toString config.services.<service>.port}/";
|
||||
}
|
||||
];
|
||||
```
|
||||
|
||||
This configuration assumes usage of the [SSL block][].
|
||||
|
||||
## Tests {#blocks-authelia-tests}
|
||||
|
||||
Specific integration tests are defined in [`/test/blocks/authelia.nix`](@REPO@/test/blocks/authelia.nix).
|
||||
|
||||
## Options Reference {#blocks-authelia-options}
|
||||
|
||||
```{=include=} options
|
||||
id-prefix: blocks-authelia-options-
|
||||
list-id: selfhostblocks-block-authelia-options
|
||||
source: @OPTIONS_JSON@
|
||||
```
|
||||
82
modules/blocks/lldap/docs/default.md
Normal file
82
modules/blocks/lldap/docs/default.md
Normal file
|
|
@ -0,0 +1,82 @@
|
|||
# LLDAP Block {#blocks-lldap}
|
||||
|
||||
Defined in [`/modules/blocks/lldap.nix`](@REPO@/modules/blocks/lldap.nix).
|
||||
|
||||
This block sets up an [LLDAP][] service for user and group management
|
||||
across services.
|
||||
|
||||
[LLDAP]: https://github.com/lldap/lldap
|
||||
|
||||
## Global Setup {#blocks-lldap-global-setup}
|
||||
|
||||
```nix
|
||||
shb.lldap = {
|
||||
enable = true;
|
||||
subdomain = "ldap";
|
||||
domain = "example.com";
|
||||
dcdomain = "dc=example,dc=com";
|
||||
|
||||
ldapPort = 3890;
|
||||
webUIListenPort = 17170;
|
||||
|
||||
jwtSecret.result = config.shb.sops.secret."lldap/jwt_secret".result;
|
||||
ldapUserPassword.result = config.shb.sops.secret."lldap/user_password".result;
|
||||
};
|
||||
shb.sops.secret."lldap/jwt_secret".request = config.shb.ldap.jwtSecret.request;
|
||||
shb.sops.secret."lldap/user_password".request = config.shb.ldap.ldapUserPassword.request;
|
||||
```
|
||||
|
||||
This assumes secrets are setup with SOPS
|
||||
as mentioned in [the secrets setup section](usage.html#usage-secrets) of the manual.
|
||||
|
||||
## SSL {#blocks-lldap-ssl}
|
||||
|
||||
Using SSL is an important security practice, like always.
|
||||
Using the [SSL block][], the configuration to add to the one above is:
|
||||
|
||||
[SSL block]: blocks-ssl.html
|
||||
|
||||
```nix
|
||||
shb.certs.certs.letsencrypt.${domain}.extraDomains = [
|
||||
"${config.shb.lldap.subdomain}.${config.shb.lldap.domain}"
|
||||
];
|
||||
|
||||
shb.ldap.ssl = config.shb.certs.certs.letsencrypt.${config.shb.lldap.domain};
|
||||
```
|
||||
|
||||
## Restrict Access By IP {#blocks-lldap-restrict-access-by-ip}
|
||||
|
||||
For added security, you can restrict access to the LLDAP UI
|
||||
by adding the following line:
|
||||
|
||||
```nix
|
||||
shb.lldap.restrictAccessIPRange = "192.168.50.0/24";
|
||||
```
|
||||
|
||||
## Manage User and Group {#blocks-lldap-manage-user-group}
|
||||
|
||||
Currently, managing users and groups must be done manually.
|
||||
Work is in progress to make this declarative.
|
||||
|
||||
## Troubleshooting {#blocks-lldap-troubleshooting}
|
||||
|
||||
To increase logging verbosity, add:
|
||||
|
||||
```nix
|
||||
shb.lldap.debug = true;
|
||||
```
|
||||
|
||||
Note that verbosity is truly verbose here
|
||||
so you will want to revert this at some point.
|
||||
|
||||
## Tests {#blocks-lldap-tests}
|
||||
|
||||
Specific integration tests are defined in [`/test/blocks/lldap.nix`](@REPO@/test/blocks/lldap.nix).
|
||||
|
||||
## Options Reference {#blocks-lldap-options}
|
||||
|
||||
```{=include=} options
|
||||
id-prefix: blocks-lldap-options-
|
||||
list-id: selfhostblocks-block-lldap-options
|
||||
source: @OPTIONS_JSON@
|
||||
```
|
||||
|
|
@ -98,33 +98,14 @@ We will build upon the [HTTPS](#services-forgejo-usage-https) section,
|
|||
so please follow that first.
|
||||
::::
|
||||
|
||||
We will use the LDAP block provided by Self Host Blocks
|
||||
to setup a [LLDAP](https://github.com/lldap/lldap) service.
|
||||
We will use the [LLDAP block][] provided by Self Host Blocks.
|
||||
Assuming it [has been set already][LLDAP block setup], add the following configuration:
|
||||
|
||||
[LLDAP block]: blocks-lldap.html
|
||||
[LLDAP block setup]: blocks-lldap.html#blocks-lldap-global-setup
|
||||
|
||||
```nix
|
||||
shb.lldap = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
subdomain = "ldap";
|
||||
ssl = config.shb.certs.certs.letsencrypt."example.com";
|
||||
ldapPort = 3890;
|
||||
webUIListenPort = 17170;
|
||||
dcdomain = "dc=example,dc=com";
|
||||
ldapUserPassword.result = config.shb.sops.secrets."ldap/userPassword".result;
|
||||
jwtSecret.result = config.shb.sops.secrets."ldap/jwtSecret".result;
|
||||
};
|
||||
|
||||
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "ldap.example.com" ];
|
||||
|
||||
shb.sops.secrets."ldap/userPassword".request = config.shb.lldap.userPassword.request;
|
||||
shb.sops.secrets."ldap/jwtSecret".request = config.shb.lldap.jwtSecret.request;
|
||||
```
|
||||
|
||||
We also need to configure the `forgejo` service
|
||||
to talk to the LDAP server we just defined:
|
||||
|
||||
```nix
|
||||
shb.forgejo.ldap
|
||||
shb.forgejo.ldap = {
|
||||
enable = true;
|
||||
host = "127.0.0.1";
|
||||
port = config.shb.lldap.ldapPort;
|
||||
|
|
@ -158,47 +139,11 @@ We will build upon the [LDAP](#services-forgejo-usage-ldap) section,
|
|||
so please follow that first.
|
||||
::::
|
||||
|
||||
We then need to setup the SSO provider,
|
||||
here Authelia thanks to the corresponding SHB block:
|
||||
We will use the [SSO block][] provided by Self Host Blocks.
|
||||
Assuming it [has been set already][SSO block setup], add the following configuration:
|
||||
|
||||
```nix
|
||||
shb.authelia = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
subdomain = "auth";
|
||||
ssl = config.shb.certs.certs.letsencrypt."example.com";
|
||||
|
||||
ldapHostname = "127.0.0.1";
|
||||
ldapPort = config.shb.lldap.ldapPort;
|
||||
dcdomain = config.shb.lldap.dcdomain;
|
||||
|
||||
secrets = {
|
||||
jwtSecret.result = config.shb.sops.secrets."authelia/jwt_secret".result;
|
||||
ldapAdminPassword.result = config.shb.sops.secrets."authelia/ldap_admin_password".result;
|
||||
sessionSecret.result = config.shb.sops.secrets."authelia/session_secret".result;
|
||||
storageEncryptionKey.result = config.shb.sops.secrets."authelia/storage_encryption_key".result;
|
||||
identityProvidersOIDCHMACSecret.result = config.shb.sops.secrets."authelia/hmac_secret".result;
|
||||
identityProvidersOIDCIssuerPrivateKey.result = config.shb.sops.secrets."authelia/private_key".result;
|
||||
};
|
||||
};
|
||||
|
||||
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "auth.example.com" ];
|
||||
|
||||
shb.sops.secrets."authelia/jwt_secret".request = config.shb.authelia.secrets.jwtSecret.request;
|
||||
shb.sops.secrets."authelia/ldap_admin_password".request = config.shb.authelia.secrets.ldapAdminPassword.request;
|
||||
shb.sops.secrets."authelia/session_secret".request = config.shb.authelia.secrets.sessionSecret.request;
|
||||
shb.sops.secrets."authelia/storage_encryption_key".request = config.shb.authelia.secrets.storageEncryptionKey.request;
|
||||
shb.sops.secrets."authelia/hmac_secret".request = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request;
|
||||
shb.sops.secrets."authelia/private_key".request = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request;
|
||||
shb.sops.secrets."authelia/smtp_password".request = config.shb.authelia.smtp.password.request;
|
||||
```
|
||||
|
||||
The `shb.authelia.secrets.ldapAdminPasswordFile` must be the same
|
||||
as the `shb.lldap.ldapUserPasswordFile` defined in the previous section.
|
||||
The other secrets can be randomly generated
|
||||
with `nix run nixpkgs#openssl -- rand -hex 64`.
|
||||
|
||||
Now, on the forgejo side, you need to add the following options:
|
||||
[SSO block]: blocks-sso.html
|
||||
[SSO block setup]: blocks-sso.html#blocks-sso-global-setup
|
||||
|
||||
```nix
|
||||
shb.forgejo.sso = {
|
||||
|
|
|
|||
|
|
@ -115,31 +115,11 @@ We will build upon the [HTTPS](#services-home-assistant-usage-https) section,
|
|||
so please follow that first.
|
||||
::::
|
||||
|
||||
We will use the LDAP block provided by Self Host Blocks
|
||||
to setup a [LLDAP](https://github.com/lldap/lldap) service.
|
||||
First, setup the global ldap block if not done yet:
|
||||
We will use the [LLDAP block][] provided by Self Host Blocks.
|
||||
Assuming it [has been set already][LLDAP block setup], add the following configuration:
|
||||
|
||||
```nix
|
||||
shb.lldap = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
subdomain = "ldap";
|
||||
ssl = config.shb.certs.certs.letsencrypt."example.com";
|
||||
ldapPort = 3890;
|
||||
webUIListenPort = 17170;
|
||||
dcdomain = "dc=example,dc=com";
|
||||
ldapUserPassword.result = config.shb.sops.secrets."ldap/userPassword".result;
|
||||
jwtSecret.result = config.shb.sops.secrets."ldap/jwtSecret".result;
|
||||
};
|
||||
|
||||
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "ldap.example.com" ];
|
||||
|
||||
shb.sops.secrets."ldap/userPassword".request = config.shb.lldap.userPassword.request;
|
||||
shb.sops.secrets."ldap/jwtSecret".request = config.shb.lldap.jwtSecret.request;
|
||||
```
|
||||
|
||||
We then need to configure the `home-assistant` service
|
||||
to talk to the LDAP server we just defined:
|
||||
[LLDAP block]: blocks-lldap.html
|
||||
[LLDAP block setup]: blocks-lldap.html#blocks-lldap-global-setup
|
||||
|
||||
```nix
|
||||
shb.home-assistant.ldap
|
||||
|
|
@ -157,8 +137,6 @@ create a user and add it to one or both groups.
|
|||
When that's done, go back to the Home-Assistant server at
|
||||
`http://home-assistant.example.com` and login with that user.
|
||||
|
||||
Work is in progress to make the creation of the LDAP user and group declarative too.
|
||||
|
||||
### With SSO Support {#services-home-assistant-usage-sso}
|
||||
|
||||
:::: {.warning}
|
||||
|
|
|
|||
|
|
@ -149,31 +149,12 @@ demo](demo-nextcloud-server.html#demo-nextcloud-deploy-ldap).
|
|||
|
||||
We will build upon the [HTTP][] and [HTTPS][] sections,
|
||||
so please read those first.
|
||||
We will use the LDAP block provided by Self Host Blocks to setup a
|
||||
[LLDAP](https://github.com/lldap/lldap) service.
|
||||
If did already configure this for another service, you can skip this snippet.
|
||||
|
||||
```nix
|
||||
shb.lldap = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
subdomain = "ldap";
|
||||
ssl = config.shb.certs.certs.letsencrypt."example.com";
|
||||
ldapPort = 3890;
|
||||
webUIListenPort = 17170;
|
||||
dcdomain = "dc=example,dc=com";
|
||||
ldapUserPassword.result = config.shb.sops.secrets."ldap/userPassword".result;
|
||||
jwtSecret.result = config.shb.sops.secrets."ldap/jwtSecret".result;
|
||||
};
|
||||
We will use the [LLDAP block][] provided by Self Host Blocks.
|
||||
Assuming it [has been set already][LLDAP block setup], add the following configuration:
|
||||
|
||||
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "ldap.example.com" ];
|
||||
|
||||
shb.sops.secrets."ldap/userPassword".request = config.shb.lldap.userPassword.request;
|
||||
shb.sops.secrets."ldap/jwtSecret".request = config.shb.lldap.jwtSecret.request;
|
||||
```
|
||||
|
||||
On the `nextcloud` module side, we need to configure it to talk to the LDAP server we
|
||||
just defined:
|
||||
[LLDAP block]: blocks-lldap.html
|
||||
[LLDAP block setup]: blocks-lldap.html#blocks-lldap-global-setup
|
||||
|
||||
```nix
|
||||
shb.nextcloud.apps.ldap = {
|
||||
|
|
@ -219,52 +200,12 @@ demo](demo-nextcloud-server.html#demo-nextcloud-deploy-sso).
|
|||
|
||||
We will build upon the [HTTP][], [HTTPS][] and [LDAP][] sections,
|
||||
so please read those first.
|
||||
We need to setup the SSO provider, here Authelia, thanks to the corresponding SHB block
|
||||
and we link it to the LDAP server:
|
||||
|
||||
```nix
|
||||
shb.authelia = {
|
||||
enable = true;
|
||||
domain = "example.com";
|
||||
subdomain = "auth";
|
||||
ssl = config.shb.certs.certs.letsencrypt."example.com";
|
||||
We will use the [SSO block][] provided by Self Host Blocks.
|
||||
Assuming it [has been set already][SSO block setup], add the following configuration:
|
||||
|
||||
ldapHostname = "127.0.0.1";
|
||||
ldapPort = config.shb.lldap.ldapPort;
|
||||
dcdomain = config.shb.lldap.dcdomain;
|
||||
|
||||
smtp = {
|
||||
host = "smtp.eu.mailgun.org";
|
||||
port = 587;
|
||||
username = "postmaster@mg.example.com";
|
||||
from_address = "authelia@example.com";
|
||||
password.result = config.shb.sops.secrets."authelia/smtp_password".result;
|
||||
};
|
||||
|
||||
secrets = {
|
||||
jwtSecret.result = config.shb.sops.secrets."authelia/jwt_secret".result;
|
||||
ldapAdminPassword.result = config.shb.sops.secrets."authelia/ldap_admin_password".result;
|
||||
sessionSecret.result = config.shb.sops.secrets."authelia/session_secret".result;
|
||||
storageEncryptionKey.result = config.shb.sops.secrets."authelia/storage_encryption_key".result;
|
||||
identityProvidersOIDCHMACSecret.result = config.shb.sops.secrets."authelia/hmac_secret".result;
|
||||
identityProvidersOIDCIssuerPrivateKey.result = config.shb.sops.secrets."authelia/private_key".result;
|
||||
};
|
||||
};
|
||||
|
||||
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "auth.example.com" ];
|
||||
|
||||
shb.sops.secrets."authelia/jwt_secret".request = config.shb.authelia.secrets.jwtSecret.request;
|
||||
shb.sops.secrets."authelia/ldap_admin_password".request = config.shb.authelia.secrets.ldapAdminPassword.request;
|
||||
shb.sops.secrets."authelia/session_secret".request = config.shb.authelia.secrets.sessionSecret.request;
|
||||
shb.sops.secrets."authelia/storage_encryption_key".request = config.shb.authelia.secrets.storageEncryptionKey.request;
|
||||
shb.sops.secrets."authelia/hmac_secret".request = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request;
|
||||
shb.sops.secrets."authelia/private_key".request = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request;
|
||||
shb.sops.secrets."authelia/smtp_password".request = config.shb.authelia.smtp.password.request;
|
||||
```
|
||||
|
||||
The secrets can be randomly generated with `nix run nixpkgs#openssl -- rand -hex 64`.
|
||||
|
||||
Now, on the Nextcloud side, you need to add the following options:
|
||||
[SSO block]: blocks-sso.html
|
||||
[SSO block setup]: blocks-sso.html#blocks-sso-global-setup
|
||||
|
||||
```nix
|
||||
shb.nextcloud.apps.sso = {
|
||||
|
|
|
|||
|
|
@ -16,48 +16,20 @@ This NixOS module is a service that sets up a [Vaultwarden Server](https://githu
|
|||
|
||||
## Usage {#services-vaultwarden-usage}
|
||||
|
||||
### Secrets {#services-vaultwarden-secrets}
|
||||
### Initial Configuration {#services-vaultwarden-usage-configuration}
|
||||
|
||||
All the secrets should be readable by the vaultwarden user.
|
||||
|
||||
Secrets should not be stored in the nix store. If you're using
|
||||
[sops-nix](https://github.com/Mic92/sops-nix) and assuming your secrets file is located at
|
||||
`./secrets.yaml`, you can define a secret with:
|
||||
The following snippet enables Vaultwarden and makes it available under the `vaultwarden.example.com` endpoint.
|
||||
|
||||
```nix
|
||||
sops.secrets."vaultwarden/db" = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
mode = "0400";
|
||||
owner = "vaultwarden";
|
||||
group = "postgres";
|
||||
restartUnits = [ "vaultwarden.service" ];
|
||||
};
|
||||
```
|
||||
|
||||
Then you can use that secret:
|
||||
|
||||
```nix
|
||||
shb.vaultwarden.databasePasswordFile = config.sops.secrets."vaultwarden/db".path;
|
||||
```
|
||||
|
||||
### SSO {#services-vaultwarden-sso}
|
||||
|
||||
To protect the `/admin` endpoint, we use SSO.
|
||||
This requires the SSL, LDAP and SSO block to be configured.
|
||||
Follow those links first if needed.
|
||||
|
||||
```nix
|
||||
let
|
||||
domain = <...>;
|
||||
in
|
||||
shb.vaultwarden = {
|
||||
enable = true;
|
||||
inherit domain;
|
||||
domain = "example.com";
|
||||
subdomain = "vaultwarden";
|
||||
ssl = config.shb.certs.certs.letsencrypt.${domain};
|
||||
|
||||
port = 8222;
|
||||
authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
||||
databasePasswordFile = config.sops.secrets."vaultwarden/db".path;
|
||||
|
||||
databasePassword.result = config.shb.sops.secrets."vaultwarden/db".result;
|
||||
|
||||
smtp = {
|
||||
host = "smtp.eu.mailgun.org";
|
||||
port = 587;
|
||||
|
|
@ -67,22 +39,61 @@ shb.vaultwarden = {
|
|||
};
|
||||
};
|
||||
|
||||
sops.secrets."vaultwarden/db" = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
mode = "0440";
|
||||
owner = "vaultwarden";
|
||||
group = "postgres";
|
||||
restartUnits = [ "vaultwarden.service" "postgresql.service" ];
|
||||
};
|
||||
sops.secrets."vaultwarden/smtp" = {
|
||||
sopsFile = ./secrets.yaml;
|
||||
mode = "0400";
|
||||
owner = "vaultwarden";
|
||||
group = "vaultwarden";
|
||||
restartUnits = [ "vaultwarden.service" ];
|
||||
shb.sops.secret."vaultwarden/db".request = config.shb.vaultwarden.databasePassword.request;
|
||||
shb.sops.secret."vaultwarden/smtp".request = config.shb.vaultwarden.smtp.password.request;
|
||||
```
|
||||
|
||||
This assumes secrets are setup with SOPS
|
||||
as mentioned in [the secrets setup section](usage.html#usage-secrets) of the manual.
|
||||
Secrets can be randomly generated with `nix run nixpkgs#openssl -- rand -hex 64`.
|
||||
|
||||
The SMTP configuration is needed to invite users to Vaultwarden.
|
||||
|
||||
### HTTPS {#services-vaultwarden-usage-https}
|
||||
|
||||
If the `shb.ssl` block is used (see [manual](blocks-ssl.html#usage) on how to set it up),
|
||||
the instance will be reachable at `https://vaultwarden.example.com`.
|
||||
|
||||
Here is an example with Let's Encrypt certificates, validated using the HTTP method:
|
||||
|
||||
```nix
|
||||
shb.certs.certs.letsencrypt."example.com" = {
|
||||
domain = "example.com";
|
||||
group = "nginx";
|
||||
reloadServices = [ "nginx.service" ];
|
||||
adminEmail = "myemail@mydomain.com";
|
||||
};
|
||||
```
|
||||
|
||||
Then you can tell Vaultwarden to use those certificates.
|
||||
|
||||
```nix
|
||||
shb.certs.certs.letsencrypt."example.com".extraDomains = [ "vaultwarden.example.com" ];
|
||||
|
||||
shb.forgejo = {
|
||||
ssl = config.shb.certs.certs.letsencrypt."example.com";
|
||||
};
|
||||
```
|
||||
|
||||
### SSO {#services-vaultwarden-usage-sso}
|
||||
|
||||
To protect the `/admin` endpoint and avoid needing a secret passphrase for it, we can use SSO.
|
||||
|
||||
We will use the [SSO block][] provided by Self Host Blocks.
|
||||
Assuming it [has been set already][SSO block setup], add the following configuration:
|
||||
|
||||
[SSO block]: blocks-sso.html
|
||||
[SSO block setup]: blocks-sso.html#blocks-sso-global-setup
|
||||
|
||||
```nix
|
||||
shb.vaultwarden.authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}";
|
||||
```
|
||||
|
||||
Now, go to the LDAP server at `https://ldap.example.com`,
|
||||
create the `vaultwarden_admin` group and add a user to that group.
|
||||
When that's done, go back to the Vaultwarden server at
|
||||
`https://vaultwarden.example.com/admin` and login with that user.
|
||||
|
||||
### ZFS {#services-vaultwarden-zfs}
|
||||
|
||||
Integration with the ZFS block allows to automatically create the relevant datasets.
|
||||
|
|
|
|||
Loading…
Reference in a new issue