From 41d037206d7749081d5b9f46c8ad89c60935204a Mon Sep 17 00:00:00 2001 From: ibizaman Date: Sat, 12 Jul 2025 21:58:50 +0200 Subject: [PATCH] add documentation for lldap and authelia blocks --- docs/blocks.md | 8 + docs/redirects.json | 423 +++++++++++++++++- flake.nix | 2 + modules/blocks/authelia/docs/default.md | 234 ++++++++++ modules/blocks/lldap/docs/default.md | 82 ++++ modules/services/forgejo/docs/default.md | 75 +--- .../services/home-assistant/docs/default.md | 30 +- .../services/nextcloud-server/docs/default.md | 75 +--- modules/services/vaultwarden/docs/default.md | 107 +++-- 9 files changed, 824 insertions(+), 212 deletions(-) create mode 100644 modules/blocks/authelia/docs/default.md create mode 100644 modules/blocks/lldap/docs/default.md diff --git a/docs/blocks.md b/docs/blocks.md index 61f085b..6747c07 100644 --- a/docs/blocks.md +++ b/docs/blocks.md @@ -31,6 +31,14 @@ services you already have deployed. Not all blocks are yet documented. You can find all available blocks [in the repository](@REPO@/modules/blocks). ::: +```{=include=} chapters html:into-file=//blocks-authelia.html +modules/blocks/authelia/docs/default.md +``` + +```{=include=} chapters html:into-file=//blocks-lldap.html +modules/blocks/lldap/docs/default.md +``` + ```{=include=} chapters html:into-file=//blocks-sops.html modules/blocks/sops/docs/default.md ``` diff --git a/docs/redirects.json b/docs/redirects.json index 9647ad9..75159d2 100644 --- a/docs/redirects.json +++ b/docs/redirects.json @@ -47,6 +47,414 @@ "blocks": [ "blocks.html#blocks" ], + "blocks-authelia": [ + "blocks-authelia.html#blocks-authelia" + ], + "blocks-authelia-forward-auth": [ + "blocks-authelia.html#blocks-authelia-forward-auth" + ], + "blocks-authelia-global-setup": [ + "blocks-authelia.html#blocks-authelia-global-setup" + ], + "blocks-authelia-oidc": [ + "blocks-authelia.html#blocks-authelia-oidc" + ], + "blocks-authelia-options": [ + "blocks-authelia.html#blocks-authelia-options" + ], + "blocks-authelia-options-shb.authelia.autheliaUser": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.autheliaUser" + ], + "blocks-authelia-options-shb.authelia.dcdomain": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.dcdomain" + ], + "blocks-authelia-options-shb.authelia.domain": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.domain" + ], + "blocks-authelia-options-shb.authelia.enable": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.enable" + ], + "blocks-authelia-options-shb.authelia.ldapHostname": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.ldapHostname" + ], + "blocks-authelia-options-shb.authelia.ldapPort": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.ldapPort" + ], + "blocks-authelia-options-shb.authelia.mount": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.mount" + ], + "blocks-authelia-options-shb.authelia.mount.path": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.mount.path" + ], + "blocks-authelia-options-shb.authelia.mountRedis": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.mountRedis" + ], + "blocks-authelia-options-shb.authelia.mountRedis.path": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.mountRedis.path" + ], + "blocks-authelia-options-shb.authelia.oidcClients": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients" + ], + "blocks-authelia-options-shb.authelia.oidcClients._.authorization_policy": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.authorization_policy" + ], + "blocks-authelia-options-shb.authelia.oidcClients._.client_id": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_id" + ], + "blocks-authelia-options-shb.authelia.oidcClients._.client_name": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_name" + ], + "blocks-authelia-options-shb.authelia.oidcClients._.client_secret": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_secret" + ], + "blocks-authelia-options-shb.authelia.oidcClients._.client_secret.source": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_secret.source" + ], + "blocks-authelia-options-shb.authelia.oidcClients._.client_secret.transform": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.client_secret.transform" + ], + "blocks-authelia-options-shb.authelia.oidcClients._.public": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.public" + ], + "blocks-authelia-options-shb.authelia.oidcClients._.redirect_uris": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.redirect_uris" + ], + "blocks-authelia-options-shb.authelia.oidcClients._.scopes": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.oidcClients._.scopes" + ], + "blocks-authelia-options-shb.authelia.port": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.port" + ], + "blocks-authelia-options-shb.authelia.rules": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.rules" + ], + "blocks-authelia-options-shb.authelia.secrets": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.group": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.group" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.mode": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.mode" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.owner": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.owner" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.restartUnits": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.request.restartUnits" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.result": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.result" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.result.path": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCHMACSecret.result.path" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.group": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.group" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.mode": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.mode" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.owner": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.owner" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.restartUnits": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request.restartUnits" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result" + ], + "blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result.path": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.result.path" + ], + "blocks-authelia-options-shb.authelia.secrets.jwtSecret": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret" + ], + "blocks-authelia-options-shb.authelia.secrets.jwtSecret.request": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request" + ], + "blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.group": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.group" + ], + "blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.mode": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.mode" + ], + "blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.owner": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.owner" + ], + "blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.restartUnits": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.request.restartUnits" + ], + "blocks-authelia-options-shb.authelia.secrets.jwtSecret.result": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.result" + ], + "blocks-authelia-options-shb.authelia.secrets.jwtSecret.result.path": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.jwtSecret.result.path" + ], + "blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword" + ], + "blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request" + ], + "blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.group": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.group" + ], + "blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.mode": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.mode" + ], + "blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.owner": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.owner" + ], + "blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.restartUnits": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.request.restartUnits" + ], + "blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.result": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.result" + ], + "blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.result.path": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.ldapAdminPassword.result.path" + ], + "blocks-authelia-options-shb.authelia.secrets.sessionSecret": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret" + ], + "blocks-authelia-options-shb.authelia.secrets.sessionSecret.request": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request" + ], + "blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.group": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.group" + ], + "blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.mode": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.mode" + ], + "blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.owner": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.owner" + ], + "blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.restartUnits": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.request.restartUnits" + ], + "blocks-authelia-options-shb.authelia.secrets.sessionSecret.result": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.result" + ], + "blocks-authelia-options-shb.authelia.secrets.sessionSecret.result.path": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.sessionSecret.result.path" + ], + "blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey" + ], + "blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request" + ], + "blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.group": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.group" + ], + "blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.mode": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.mode" + ], + "blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.owner": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.owner" + ], + "blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.restartUnits": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.request.restartUnits" + ], + "blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.result": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.result" + ], + "blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.result.path": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.secrets.storageEncryptionKey.result.path" + ], + "blocks-authelia-options-shb.authelia.smtp": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.smtp" + ], + "blocks-authelia-options-shb.authelia.ssl": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl" + ], + "blocks-authelia-options-shb.authelia.ssl.paths": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl.paths" + ], + "blocks-authelia-options-shb.authelia.ssl.paths.cert": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl.paths.cert" + ], + "blocks-authelia-options-shb.authelia.ssl.paths.key": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl.paths.key" + ], + "blocks-authelia-options-shb.authelia.ssl.systemdService": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.ssl.systemdService" + ], + "blocks-authelia-options-shb.authelia.subdomain": [ + "blocks-authelia.html#blocks-authelia-options-shb.authelia.subdomain" + ], + "blocks-authelia-shb-forward-auth": [ + "blocks-authelia.html#blocks-authelia-shb-forward-auth" + ], + "blocks-authelia-shb-oidc": [ + "blocks-authelia.html#blocks-authelia-shb-oidc" + ], + "blocks-authelia-tests": [ + "blocks-authelia.html#blocks-authelia-tests" + ], + "blocks-lldap": [ + "blocks-lldap.html#blocks-lldap" + ], + "blocks-lldap-global-setup": [ + "blocks-lldap.html#blocks-lldap-global-setup" + ], + "blocks-lldap-manage-user-group": [ + "blocks-lldap.html#blocks-lldap-manage-user-group" + ], + "blocks-lldap-options": [ + "blocks-lldap.html#blocks-lldap-options" + ], + "blocks-lldap-options-shb.lldap.backup": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.backup" + ], + "blocks-lldap-options-shb.lldap.backup.request": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request" + ], + "blocks-lldap-options-shb.lldap.backup.request.excludePatterns": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.excludePatterns" + ], + "blocks-lldap-options-shb.lldap.backup.request.hooks": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.hooks" + ], + "blocks-lldap-options-shb.lldap.backup.request.hooks.afterBackup": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.hooks.afterBackup" + ], + "blocks-lldap-options-shb.lldap.backup.request.hooks.beforeBackup": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.hooks.beforeBackup" + ], + "blocks-lldap-options-shb.lldap.backup.request.sourceDirectories": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.sourceDirectories" + ], + "blocks-lldap-options-shb.lldap.backup.request.user": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.request.user" + ], + "blocks-lldap-options-shb.lldap.backup.result": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.result" + ], + "blocks-lldap-options-shb.lldap.backup.result.backupService": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.result.backupService" + ], + "blocks-lldap-options-shb.lldap.backup.result.restoreScript": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.backup.result.restoreScript" + ], + "blocks-lldap-options-shb.lldap.dcdomain": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.dcdomain" + ], + "blocks-lldap-options-shb.lldap.debug": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.debug" + ], + "blocks-lldap-options-shb.lldap.domain": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.domain" + ], + "blocks-lldap-options-shb.lldap.enable": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.enable" + ], + "blocks-lldap-options-shb.lldap.jwtSecret": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret" + ], + "blocks-lldap-options-shb.lldap.jwtSecret.request": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request" + ], + "blocks-lldap-options-shb.lldap.jwtSecret.request.group": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request.group" + ], + "blocks-lldap-options-shb.lldap.jwtSecret.request.mode": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request.mode" + ], + "blocks-lldap-options-shb.lldap.jwtSecret.request.owner": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request.owner" + ], + "blocks-lldap-options-shb.lldap.jwtSecret.request.restartUnits": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.request.restartUnits" + ], + "blocks-lldap-options-shb.lldap.jwtSecret.result": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.result" + ], + "blocks-lldap-options-shb.lldap.jwtSecret.result.path": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.jwtSecret.result.path" + ], + "blocks-lldap-options-shb.lldap.ldapPort": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapPort" + ], + "blocks-lldap-options-shb.lldap.ldapUserPassword": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword" + ], + "blocks-lldap-options-shb.lldap.ldapUserPassword.request": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request" + ], + "blocks-lldap-options-shb.lldap.ldapUserPassword.request.group": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request.group" + ], + "blocks-lldap-options-shb.lldap.ldapUserPassword.request.mode": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request.mode" + ], + "blocks-lldap-options-shb.lldap.ldapUserPassword.request.owner": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request.owner" + ], + "blocks-lldap-options-shb.lldap.ldapUserPassword.request.restartUnits": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.request.restartUnits" + ], + "blocks-lldap-options-shb.lldap.ldapUserPassword.result": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.result" + ], + "blocks-lldap-options-shb.lldap.ldapUserPassword.result.path": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ldapUserPassword.result.path" + ], + "blocks-lldap-options-shb.lldap.mount": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.mount" + ], + "blocks-lldap-options-shb.lldap.mount.path": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.mount.path" + ], + "blocks-lldap-options-shb.lldap.restrictAccessIPRange": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.restrictAccessIPRange" + ], + "blocks-lldap-options-shb.lldap.ssl": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl" + ], + "blocks-lldap-options-shb.lldap.ssl.paths": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl.paths" + ], + "blocks-lldap-options-shb.lldap.ssl.paths.cert": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl.paths.cert" + ], + "blocks-lldap-options-shb.lldap.ssl.paths.key": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl.paths.key" + ], + "blocks-lldap-options-shb.lldap.ssl.systemdService": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.ssl.systemdService" + ], + "blocks-lldap-options-shb.lldap.subdomain": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.subdomain" + ], + "blocks-lldap-options-shb.lldap.webUIListenPort": [ + "blocks-lldap.html#blocks-lldap-options-shb.lldap.webUIListenPort" + ], + "blocks-lldap-restrict-access-by-ip": [ + "blocks-lldap.html#blocks-lldap-restrict-access-by-ip" + ], + "blocks-lldap-ssl": [ + "blocks-lldap.html#blocks-lldap-ssl" + ], + "blocks-lldap-tests": [ + "blocks-lldap.html#blocks-lldap-tests" + ], + "blocks-lldap-troubleshooting": [ + "blocks-lldap.html#blocks-lldap-troubleshooting" + ], "blocks-monitoring": [ "blocks-monitoring.html#blocks-monitoring" ], @@ -2597,15 +3005,18 @@ "services-vaultwarden-options-shb.vaultwarden.subdomain": [ "services-vaultwarden.html#services-vaultwarden-options-shb.vaultwarden.subdomain" ], - "services-vaultwarden-secrets": [ - "services-vaultwarden.html#services-vaultwarden-secrets" - ], - "services-vaultwarden-sso": [ - "services-vaultwarden.html#services-vaultwarden-sso" - ], "services-vaultwarden-usage": [ "services-vaultwarden.html#services-vaultwarden-usage" ], + "services-vaultwarden-usage-configuration": [ + "services-vaultwarden.html#services-vaultwarden-usage-configuration" + ], + "services-vaultwarden-usage-https": [ + "services-vaultwarden.html#services-vaultwarden-usage-https" + ], + "services-vaultwarden-usage-sso": [ + "services-vaultwarden.html#services-vaultwarden-usage-sso" + ], "services-vaultwarden-zfs": [ "services-vaultwarden.html#services-vaultwarden-zfs" ], diff --git a/flake.nix b/flake.nix index 64ba7bb..9ba1248 100644 --- a/flake.nix +++ b/flake.nix @@ -151,6 +151,8 @@ "./usage.md" ]; modules = { + "blocks/authelia" = ./modules/blocks/authelia.nix; + "blocks/lldap" = ./modules/blocks/lldap.nix; "blocks/ssl" = ./modules/blocks/ssl.nix; "blocks/monitoring" = ./modules/blocks/monitoring.nix; "blocks/postgresql" = ./modules/blocks/postgresql.nix; diff --git a/modules/blocks/authelia/docs/default.md b/modules/blocks/authelia/docs/default.md new file mode 100644 index 0000000..2d213a0 --- /dev/null +++ b/modules/blocks/authelia/docs/default.md @@ -0,0 +1,234 @@ +# Authelia Block {#blocks-authelia} + +Defined in [`/modules/blocks/authelia.nix`](@REPO@/modules/blocks/authelia.nix). + +This block sets up an [Authelia][] service for Single-Sign On integration. + +[Authelia]: https://www.authelia.com/ + +## Global Setup {#blocks-authelia-global-setup} + +Authelia cannot work without SSL and LDAP. +So setting up the Authelia block requires to setup the [SSL block][] first +and the [LLDAP block][] first. + +[SSL block]: blocks-ssl.html +[LLDAP block]: blocks-lldap.html + +SSL is required to encrypt the communication and LDAP is used to handle users and group assignments. +Authelia will allow access to a given resource only if the user that is authenticated +is a member of the corresponding LDAP group. + +Afterwards, assuming the LDAP service runs on the same machine, +the Authelia configuration can be done with: + +```nix +shb.authelia = { + enable = true; + domain = "example.com"; + subdomain = "auth"; + ssl = config.shb.certs.certs.letsencrypt."example.com"; + + ldapHostname = "127.0.0.1"; + ldapPort = config.shb.lldap.ldapPort; + dcdomain = config.shb.lldap.dcdomain; + + smtp = { + host = "smtp.eu.mailgun.org"; + port = 587; + username = "postmaster@mg.example.com"; + from_address = "authelia@example.com"; + password.result = config.shb.sops.secrets."authelia/smtp_password".result; + }; + + secrets = { + jwtSecret.result = config.shb.sops.secrets."authelia/jwt_secret".result; + ldapAdminPassword.result = config.shb.sops.secrets."authelia/ldap_admin_password".result; + sessionSecret.result = config.shb.sops.secrets."authelia/session_secret".result; + storageEncryptionKey.result = config.shb.sops.secrets."authelia/storage_encryption_key".result; + identityProvidersOIDCHMACSecret.result = config.shb.sops.secrets."authelia/hmac_secret".result; + identityProvidersOIDCIssuerPrivateKey.result = config.shb.sops.secrets."authelia/private_key".result; + }; +}; + +shb.certs.certs.letsencrypt."example.com".extraDomains = [ "auth.example.com" ]; + +shb.sops.secrets."authelia/jwt_secret".request = config.shb.authelia.secrets.jwtSecret.request; +shb.sops.secrets."authelia/ldap_admin_password" = { + request = config.shb.authelia.secrets.ldapAdminPassword.request; + settings.key = "lldap/user_password"; +}; +shb.sops.secrets."authelia/session_secret".request = config.shb.authelia.secrets.sessionSecret.request; +shb.sops.secrets."authelia/storage_encryption_key".request = config.shb.authelia.secrets.storageEncryptionKey.request; +shb.sops.secrets."authelia/hmac_secret".request = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request; +shb.sops.secrets."authelia/private_key".request = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request; +shb.sops.secrets."authelia/smtp_password".request = config.shb.authelia.smtp.password.request; +``` + +This assumes secrets are setup with SOPS +as mentioned in [the secrets setup section](usage.html#usage-secrets) of the manual. +It's a bit annoying to setup all those secrets but it's only necessary once. +Use `nix run nixpkgs#openssl -- rand -hex 64` to generate them. + +Crucially, the `shb.authelia.secrets.ldapAdminPasswordFile` must be the same +as the `shb.lldap.ldapUserPassword` defined for the [LLDAP block][]. +This is done using Sops' `key` option. + +## SHB OIDC integration {#blocks-authelia-shb-oidc} + +For services [provided by SelfHostBlocks][services] that handle [OIDC integration][OIDC], +integrating with this block is done by configuring the service itself +and linking it to this Authelia block through the `endpoint` option +and by sharing a secret: + +[services]: services.html +[OIDC]: https://openid.net/developers/how-connect-works/ + +```nix +shb..sso = { + enable = true; + endpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}"; + + secret.result = config.shb.sops.secrets."/sso/secret".result; + secretForAuthelia.result = config.shb.sops.secrets."/sso/secretForAuthelia".result; +}; + +shb.sops.secret."/sso/secret".request = config.shb..sso.secret.request; +shb.sops.secret."/sso/secretForAuthelia" = { + request = config.shb..sso.secretForAuthelia.request; + settings.key = "/sso/secret"; +}; +``` + +To share a secret between the service and Authelia, +we generate a secret with `nix run nixpkgs#openssl -- rand -hex 64` under `/sso/secret` +then we ask Sops to use the same password for `/sso/secretForAuthelia` +thanks to the `settings.key` option. +The difference between both secrets is one if owned by the `authelia` user +while the other is owned by the user of the ` we are configuring. + +## OIDC Integration {#blocks-authelia-oidc} + +To integrate a service handling OIDC integration not provided by SelfHostBlocks with this Authelia block, +the necessary configuration is: + +```nix +shb.authelia.oidcClients = [ + { + client_id = ""; + client_secret.source = shb.sops.secret."/sso/secretForAuthelia".response.path; + scopes = [ "openid" "email" "profile" ]; + redirect_uris = [ + "" + ]; + } +]; + +shb.sops.secret."/sso/secret".request = { + owner = ""; +}; +shb.sops.secret."/sso/secretForAuthelia" = { + request.owner = "authelia"; + settings.key = "/sso/secret"; +}; +``` + +As in the previous section, we create a shared secret using Sops' +`settings.key` option. + +The configuration for the service itself is much dependent on the service itself. +For example for [open-webui][], the configuration looks like so: + +[open-webui]: https://search.nixos.org/options?query=services.open-webui + +```nix +services.open-webui.environment = { + ENABLE_SIGNUP = "False"; + WEBUI_AUTH = "True"; + ENABLE_FORWARD_USER_INFO_HEADERS = "True"; + ENABLE_OAUTH_SIGNUP = "True"; + OAUTH_UPDATE_PICTURE_ON_LOGIN = "True"; + OAUTH_CLIENT_ID = "open-webui"; + OAUTH_CLIENT_SECRET = ""; + OPENID_PROVIDER_URL = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}/.well-known/openid-configuration"; + OAUTH_PROVIDER_NAME = "Single Sign-On"; + OAUTH_SCOPES = "openid email profile"; + OAUTH_ALLOWED_ROLES = "open-webui_user"; + OAUTH_ADMIN_ROLES = "open-webui_admin"; + ENABLE_OAUTH_ROLE_MANAGEMENT = "True"; +}; + +shb.authelia.oidcClients = [ + { + client_id = "open-webui"; + client_secret.source = shb.sops.secret."open-webui/sso/secretForAuthelia".response.path; + scopes = [ "openid" "email" "profile" ]; + redirect_uris = [ + "" + ]; + } +]; + +shb.sops.secret."open-webui/sso/secret".request = { + owner = "open-webui"; +}; +shb.sops.secret."open-webui/sso/secretForAuthelia" = { + request.owner = "authelia"; + settings.key = "open-webui/sso/secret"; +}; +``` + +Here, there is no way to give a path for the `OAUTH_CLIENT_SECRET`, +we are obligated to pass the raw secret which is a very bad idea. +There are ways around this but they are out of scope for this section. +Inspiration can be taken from SelfHostBlocks' source code. + +To access the UI, we will need to create an `open-webui_user` and +`open-webui_admin` LDAP group and assign our user to it. + +## SHB Forward Auth {#blocks-authelia-shb-forward-auth} + +For services provided by SelfHostBlocks that do not handle [OIDC integration][OIDC], +this block can provide [forward authentication][] which still allows the service to be protected by Authelia. + +The user could still be required to authenticate to the service itself, +although some services can automatically users authorized by Authelia. + +[forward authentication]: https://doc.traefik.io/traefik/middlewares/http/forwardauth/ + +Integrating with this block is done with the following code: + +```nix +shb..authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}"; +``` + +## Forward Auth {#blocks-authelia-forward-auth} + +To integrate a service that does not handle OIDC integration +and which is not provided by SelfHostBlocks with this Authelia block, +the necessary configuration is: + +```nix +shb.nginx.vhosts = [ + { + subdomain = ""; + domain = "example.com"; + ssl = config.shb.certs.certs.letsencrypt."example.com"; + upstream = "http://127.0.0.1:${toString config.services..port}/"; + } +]; +``` + +This configuration assumes usage of the [SSL block][]. + +## Tests {#blocks-authelia-tests} + +Specific integration tests are defined in [`/test/blocks/authelia.nix`](@REPO@/test/blocks/authelia.nix). + +## Options Reference {#blocks-authelia-options} + +```{=include=} options +id-prefix: blocks-authelia-options- +list-id: selfhostblocks-block-authelia-options +source: @OPTIONS_JSON@ +``` diff --git a/modules/blocks/lldap/docs/default.md b/modules/blocks/lldap/docs/default.md new file mode 100644 index 0000000..ee67c07 --- /dev/null +++ b/modules/blocks/lldap/docs/default.md @@ -0,0 +1,82 @@ +# LLDAP Block {#blocks-lldap} + +Defined in [`/modules/blocks/lldap.nix`](@REPO@/modules/blocks/lldap.nix). + +This block sets up an [LLDAP][] service for user and group management +across services. + +[LLDAP]: https://github.com/lldap/lldap + +## Global Setup {#blocks-lldap-global-setup} + +```nix +shb.lldap = { + enable = true; + subdomain = "ldap"; + domain = "example.com"; + dcdomain = "dc=example,dc=com"; + + ldapPort = 3890; + webUIListenPort = 17170; + + jwtSecret.result = config.shb.sops.secret."lldap/jwt_secret".result; + ldapUserPassword.result = config.shb.sops.secret."lldap/user_password".result; +}; +shb.sops.secret."lldap/jwt_secret".request = config.shb.ldap.jwtSecret.request; +shb.sops.secret."lldap/user_password".request = config.shb.ldap.ldapUserPassword.request; +``` + +This assumes secrets are setup with SOPS +as mentioned in [the secrets setup section](usage.html#usage-secrets) of the manual. + +## SSL {#blocks-lldap-ssl} + +Using SSL is an important security practice, like always. +Using the [SSL block][], the configuration to add to the one above is: + +[SSL block]: blocks-ssl.html + +```nix +shb.certs.certs.letsencrypt.${domain}.extraDomains = [ + "${config.shb.lldap.subdomain}.${config.shb.lldap.domain}" +]; + +shb.ldap.ssl = config.shb.certs.certs.letsencrypt.${config.shb.lldap.domain}; +``` + +## Restrict Access By IP {#blocks-lldap-restrict-access-by-ip} + +For added security, you can restrict access to the LLDAP UI +by adding the following line: + +```nix +shb.lldap.restrictAccessIPRange = "192.168.50.0/24"; +``` + +## Manage User and Group {#blocks-lldap-manage-user-group} + +Currently, managing users and groups must be done manually. +Work is in progress to make this declarative. + +## Troubleshooting {#blocks-lldap-troubleshooting} + +To increase logging verbosity, add: + +```nix +shb.lldap.debug = true; +``` + +Note that verbosity is truly verbose here +so you will want to revert this at some point. + +## Tests {#blocks-lldap-tests} + +Specific integration tests are defined in [`/test/blocks/lldap.nix`](@REPO@/test/blocks/lldap.nix). + +## Options Reference {#blocks-lldap-options} + +```{=include=} options +id-prefix: blocks-lldap-options- +list-id: selfhostblocks-block-lldap-options +source: @OPTIONS_JSON@ +``` diff --git a/modules/services/forgejo/docs/default.md b/modules/services/forgejo/docs/default.md index 9ce9817..18fc03c 100644 --- a/modules/services/forgejo/docs/default.md +++ b/modules/services/forgejo/docs/default.md @@ -98,33 +98,14 @@ We will build upon the [HTTPS](#services-forgejo-usage-https) section, so please follow that first. :::: -We will use the LDAP block provided by Self Host Blocks -to setup a [LLDAP](https://github.com/lldap/lldap) service. +We will use the [LLDAP block][] provided by Self Host Blocks. +Assuming it [has been set already][LLDAP block setup], add the following configuration: + +[LLDAP block]: blocks-lldap.html +[LLDAP block setup]: blocks-lldap.html#blocks-lldap-global-setup ```nix -shb.lldap = { - enable = true; - domain = "example.com"; - subdomain = "ldap"; - ssl = config.shb.certs.certs.letsencrypt."example.com"; - ldapPort = 3890; - webUIListenPort = 17170; - dcdomain = "dc=example,dc=com"; - ldapUserPassword.result = config.shb.sops.secrets."ldap/userPassword".result; - jwtSecret.result = config.shb.sops.secrets."ldap/jwtSecret".result; -}; - -shb.certs.certs.letsencrypt."example.com".extraDomains = [ "ldap.example.com" ]; - -shb.sops.secrets."ldap/userPassword".request = config.shb.lldap.userPassword.request; -shb.sops.secrets."ldap/jwtSecret".request = config.shb.lldap.jwtSecret.request; -``` - -We also need to configure the `forgejo` service -to talk to the LDAP server we just defined: - -```nix -shb.forgejo.ldap +shb.forgejo.ldap = { enable = true; host = "127.0.0.1"; port = config.shb.lldap.ldapPort; @@ -158,47 +139,11 @@ We will build upon the [LDAP](#services-forgejo-usage-ldap) section, so please follow that first. :::: -We then need to setup the SSO provider, -here Authelia thanks to the corresponding SHB block: +We will use the [SSO block][] provided by Self Host Blocks. +Assuming it [has been set already][SSO block setup], add the following configuration: -```nix -shb.authelia = { - enable = true; - domain = "example.com"; - subdomain = "auth"; - ssl = config.shb.certs.certs.letsencrypt."example.com"; - - ldapHostname = "127.0.0.1"; - ldapPort = config.shb.lldap.ldapPort; - dcdomain = config.shb.lldap.dcdomain; - - secrets = { - jwtSecret.result = config.shb.sops.secrets."authelia/jwt_secret".result; - ldapAdminPassword.result = config.shb.sops.secrets."authelia/ldap_admin_password".result; - sessionSecret.result = config.shb.sops.secrets."authelia/session_secret".result; - storageEncryptionKey.result = config.shb.sops.secrets."authelia/storage_encryption_key".result; - identityProvidersOIDCHMACSecret.result = config.shb.sops.secrets."authelia/hmac_secret".result; - identityProvidersOIDCIssuerPrivateKey.result = config.shb.sops.secrets."authelia/private_key".result; - }; -}; - -shb.certs.certs.letsencrypt."example.com".extraDomains = [ "auth.example.com" ]; - -shb.sops.secrets."authelia/jwt_secret".request = config.shb.authelia.secrets.jwtSecret.request; -shb.sops.secrets."authelia/ldap_admin_password".request = config.shb.authelia.secrets.ldapAdminPassword.request; -shb.sops.secrets."authelia/session_secret".request = config.shb.authelia.secrets.sessionSecret.request; -shb.sops.secrets."authelia/storage_encryption_key".request = config.shb.authelia.secrets.storageEncryptionKey.request; -shb.sops.secrets."authelia/hmac_secret".request = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request; -shb.sops.secrets."authelia/private_key".request = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request; -shb.sops.secrets."authelia/smtp_password".request = config.shb.authelia.smtp.password.request; -``` - -The `shb.authelia.secrets.ldapAdminPasswordFile` must be the same -as the `shb.lldap.ldapUserPasswordFile` defined in the previous section. -The other secrets can be randomly generated -with `nix run nixpkgs#openssl -- rand -hex 64`. - -Now, on the forgejo side, you need to add the following options: +[SSO block]: blocks-sso.html +[SSO block setup]: blocks-sso.html#blocks-sso-global-setup ```nix shb.forgejo.sso = { diff --git a/modules/services/home-assistant/docs/default.md b/modules/services/home-assistant/docs/default.md index c191774..378cf24 100644 --- a/modules/services/home-assistant/docs/default.md +++ b/modules/services/home-assistant/docs/default.md @@ -115,31 +115,11 @@ We will build upon the [HTTPS](#services-home-assistant-usage-https) section, so please follow that first. :::: -We will use the LDAP block provided by Self Host Blocks -to setup a [LLDAP](https://github.com/lldap/lldap) service. -First, setup the global ldap block if not done yet: +We will use the [LLDAP block][] provided by Self Host Blocks. +Assuming it [has been set already][LLDAP block setup], add the following configuration: -```nix -shb.lldap = { - enable = true; - domain = "example.com"; - subdomain = "ldap"; - ssl = config.shb.certs.certs.letsencrypt."example.com"; - ldapPort = 3890; - webUIListenPort = 17170; - dcdomain = "dc=example,dc=com"; - ldapUserPassword.result = config.shb.sops.secrets."ldap/userPassword".result; - jwtSecret.result = config.shb.sops.secrets."ldap/jwtSecret".result; -}; - -shb.certs.certs.letsencrypt."example.com".extraDomains = [ "ldap.example.com" ]; - -shb.sops.secrets."ldap/userPassword".request = config.shb.lldap.userPassword.request; -shb.sops.secrets."ldap/jwtSecret".request = config.shb.lldap.jwtSecret.request; -``` - -We then need to configure the `home-assistant` service -to talk to the LDAP server we just defined: +[LLDAP block]: blocks-lldap.html +[LLDAP block setup]: blocks-lldap.html#blocks-lldap-global-setup ```nix shb.home-assistant.ldap @@ -157,8 +137,6 @@ create a user and add it to one or both groups. When that's done, go back to the Home-Assistant server at `http://home-assistant.example.com` and login with that user. -Work is in progress to make the creation of the LDAP user and group declarative too. - ### With SSO Support {#services-home-assistant-usage-sso} :::: {.warning} diff --git a/modules/services/nextcloud-server/docs/default.md b/modules/services/nextcloud-server/docs/default.md index b9d116c..ea1ee0c 100644 --- a/modules/services/nextcloud-server/docs/default.md +++ b/modules/services/nextcloud-server/docs/default.md @@ -149,31 +149,12 @@ demo](demo-nextcloud-server.html#demo-nextcloud-deploy-ldap). We will build upon the [HTTP][] and [HTTPS][] sections, so please read those first. -We will use the LDAP block provided by Self Host Blocks to setup a -[LLDAP](https://github.com/lldap/lldap) service. -If did already configure this for another service, you can skip this snippet. -```nix -shb.lldap = { - enable = true; - domain = "example.com"; - subdomain = "ldap"; - ssl = config.shb.certs.certs.letsencrypt."example.com"; - ldapPort = 3890; - webUIListenPort = 17170; - dcdomain = "dc=example,dc=com"; - ldapUserPassword.result = config.shb.sops.secrets."ldap/userPassword".result; - jwtSecret.result = config.shb.sops.secrets."ldap/jwtSecret".result; -}; +We will use the [LLDAP block][] provided by Self Host Blocks. +Assuming it [has been set already][LLDAP block setup], add the following configuration: -shb.certs.certs.letsencrypt."example.com".extraDomains = [ "ldap.example.com" ]; - -shb.sops.secrets."ldap/userPassword".request = config.shb.lldap.userPassword.request; -shb.sops.secrets."ldap/jwtSecret".request = config.shb.lldap.jwtSecret.request; -``` - -On the `nextcloud` module side, we need to configure it to talk to the LDAP server we -just defined: +[LLDAP block]: blocks-lldap.html +[LLDAP block setup]: blocks-lldap.html#blocks-lldap-global-setup ```nix shb.nextcloud.apps.ldap = { @@ -219,52 +200,12 @@ demo](demo-nextcloud-server.html#demo-nextcloud-deploy-sso). We will build upon the [HTTP][], [HTTPS][] and [LDAP][] sections, so please read those first. -We need to setup the SSO provider, here Authelia, thanks to the corresponding SHB block -and we link it to the LDAP server: -```nix -shb.authelia = { - enable = true; - domain = "example.com"; - subdomain = "auth"; - ssl = config.shb.certs.certs.letsencrypt."example.com"; +We will use the [SSO block][] provided by Self Host Blocks. +Assuming it [has been set already][SSO block setup], add the following configuration: - ldapHostname = "127.0.0.1"; - ldapPort = config.shb.lldap.ldapPort; - dcdomain = config.shb.lldap.dcdomain; - - smtp = { - host = "smtp.eu.mailgun.org"; - port = 587; - username = "postmaster@mg.example.com"; - from_address = "authelia@example.com"; - password.result = config.shb.sops.secrets."authelia/smtp_password".result; - }; - - secrets = { - jwtSecret.result = config.shb.sops.secrets."authelia/jwt_secret".result; - ldapAdminPassword.result = config.shb.sops.secrets."authelia/ldap_admin_password".result; - sessionSecret.result = config.shb.sops.secrets."authelia/session_secret".result; - storageEncryptionKey.result = config.shb.sops.secrets."authelia/storage_encryption_key".result; - identityProvidersOIDCHMACSecret.result = config.shb.sops.secrets."authelia/hmac_secret".result; - identityProvidersOIDCIssuerPrivateKey.result = config.shb.sops.secrets."authelia/private_key".result; - }; -}; - -shb.certs.certs.letsencrypt."example.com".extraDomains = [ "auth.example.com" ]; - -shb.sops.secrets."authelia/jwt_secret".request = config.shb.authelia.secrets.jwtSecret.request; -shb.sops.secrets."authelia/ldap_admin_password".request = config.shb.authelia.secrets.ldapAdminPassword.request; -shb.sops.secrets."authelia/session_secret".request = config.shb.authelia.secrets.sessionSecret.request; -shb.sops.secrets."authelia/storage_encryption_key".request = config.shb.authelia.secrets.storageEncryptionKey.request; -shb.sops.secrets."authelia/hmac_secret".request = config.shb.authelia.secrets.identityProvidersOIDCHMACSecret.request; -shb.sops.secrets."authelia/private_key".request = config.shb.authelia.secrets.identityProvidersOIDCIssuerPrivateKey.request; -shb.sops.secrets."authelia/smtp_password".request = config.shb.authelia.smtp.password.request; -``` - -The secrets can be randomly generated with `nix run nixpkgs#openssl -- rand -hex 64`. - -Now, on the Nextcloud side, you need to add the following options: +[SSO block]: blocks-sso.html +[SSO block setup]: blocks-sso.html#blocks-sso-global-setup ```nix shb.nextcloud.apps.sso = { diff --git a/modules/services/vaultwarden/docs/default.md b/modules/services/vaultwarden/docs/default.md index 4ad4a4f..ed671cd 100644 --- a/modules/services/vaultwarden/docs/default.md +++ b/modules/services/vaultwarden/docs/default.md @@ -16,48 +16,20 @@ This NixOS module is a service that sets up a [Vaultwarden Server](https://githu ## Usage {#services-vaultwarden-usage} -### Secrets {#services-vaultwarden-secrets} +### Initial Configuration {#services-vaultwarden-usage-configuration} -All the secrets should be readable by the vaultwarden user. - -Secrets should not be stored in the nix store. If you're using -[sops-nix](https://github.com/Mic92/sops-nix) and assuming your secrets file is located at -`./secrets.yaml`, you can define a secret with: +The following snippet enables Vaultwarden and makes it available under the `vaultwarden.example.com` endpoint. ```nix -sops.secrets."vaultwarden/db" = { - sopsFile = ./secrets.yaml; - mode = "0400"; - owner = "vaultwarden"; - group = "postgres"; - restartUnits = [ "vaultwarden.service" ]; -}; -``` - -Then you can use that secret: - -```nix -shb.vaultwarden.databasePasswordFile = config.sops.secrets."vaultwarden/db".path; -``` - -### SSO {#services-vaultwarden-sso} - -To protect the `/admin` endpoint, we use SSO. -This requires the SSL, LDAP and SSO block to be configured. -Follow those links first if needed. - -```nix -let - domain = <...>; -in shb.vaultwarden = { enable = true; - inherit domain; + domain = "example.com"; subdomain = "vaultwarden"; - ssl = config.shb.certs.certs.letsencrypt.${domain}; + port = 8222; - authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}"; - databasePasswordFile = config.sops.secrets."vaultwarden/db".path; + + databasePassword.result = config.shb.sops.secrets."vaultwarden/db".result; + smtp = { host = "smtp.eu.mailgun.org"; port = 587; @@ -67,22 +39,61 @@ shb.vaultwarden = { }; }; -sops.secrets."vaultwarden/db" = { - sopsFile = ./secrets.yaml; - mode = "0440"; - owner = "vaultwarden"; - group = "postgres"; - restartUnits = [ "vaultwarden.service" "postgresql.service" ]; -}; -sops.secrets."vaultwarden/smtp" = { - sopsFile = ./secrets.yaml; - mode = "0400"; - owner = "vaultwarden"; - group = "vaultwarden"; - restartUnits = [ "vaultwarden.service" ]; +shb.sops.secret."vaultwarden/db".request = config.shb.vaultwarden.databasePassword.request; +shb.sops.secret."vaultwarden/smtp".request = config.shb.vaultwarden.smtp.password.request; +``` + +This assumes secrets are setup with SOPS +as mentioned in [the secrets setup section](usage.html#usage-secrets) of the manual. +Secrets can be randomly generated with `nix run nixpkgs#openssl -- rand -hex 64`. + +The SMTP configuration is needed to invite users to Vaultwarden. + +### HTTPS {#services-vaultwarden-usage-https} + +If the `shb.ssl` block is used (see [manual](blocks-ssl.html#usage) on how to set it up), +the instance will be reachable at `https://vaultwarden.example.com`. + +Here is an example with Let's Encrypt certificates, validated using the HTTP method: + +```nix +shb.certs.certs.letsencrypt."example.com" = { + domain = "example.com"; + group = "nginx"; + reloadServices = [ "nginx.service" ]; + adminEmail = "myemail@mydomain.com"; }; ``` +Then you can tell Vaultwarden to use those certificates. + +```nix +shb.certs.certs.letsencrypt."example.com".extraDomains = [ "vaultwarden.example.com" ]; + +shb.forgejo = { + ssl = config.shb.certs.certs.letsencrypt."example.com"; +}; +``` + +### SSO {#services-vaultwarden-usage-sso} + +To protect the `/admin` endpoint and avoid needing a secret passphrase for it, we can use SSO. + +We will use the [SSO block][] provided by Self Host Blocks. +Assuming it [has been set already][SSO block setup], add the following configuration: + +[SSO block]: blocks-sso.html +[SSO block setup]: blocks-sso.html#blocks-sso-global-setup + +```nix +shb.vaultwarden.authEndpoint = "https://${config.shb.authelia.subdomain}.${config.shb.authelia.domain}"; +``` + +Now, go to the LDAP server at `https://ldap.example.com`, +create the `vaultwarden_admin` group and add a user to that group. +When that's done, go back to the Vaultwarden server at +`https://vaultwarden.example.com/admin` and login with that user. + ### ZFS {#services-vaultwarden-zfs} Integration with the ZFS block allows to automatically create the relevant datasets.