onjen/nixos-config
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add lldap and use for authelia

Browse Source
This commit is contained in:
Johannes Rothe 2024-11-19 21:36:50 +01:00
parent 8531d066ad
commit fc189c0865
1 changed files with 37 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

37
vps-configuration.nix
View File

@ -13,7 +13,9 @@
}; };
environment.systemPackages = with pkgs; [ environment.systemPackages = with pkgs; [
authelia
curl curl
vim
]; ];
networking.hostName = "tien"; networking.hostName = "tien";
@ -50,6 +52,28 @@
#file = { #file = {
# path = "/var/lib/authelia-main/users_database.yml"; # path = "/var/lib/authelia-main/users_database.yml";
#}; #};
password_reset.disable = false;
refresh_interval = "1m";
ldap = {
implementation = "custom";
url = "ldap://localhost:3890";
timeout = "5s";
start_tls = false;
base_dn = "dc=accounts,dc=johannes-rothe,dc=de";
additional_users_dn = "ou=people";
users_filter = "(&({username_attribute}={input})(objectClass=person))";
additional_groups_dn = "ou=groups";
groups_filter = "(member={dn})";
display_name_attribute = "displayName";
username_attribute = "uid";
group_name_attribute = "cn";
mail_attribute = "mail";
# "bind_user" should be the username you created for authentication with the "lldap_strict_readonly" permission. It is not recommended to use an actual admin account here.
# If you are configuring Authelia to change user passwords, then the account used here needs the "lldap_password_manager" permission instead.
user = "uid=bind_user,ou=people,dc=accounts,dc=johannes-rothe,dc=de";
# Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
password = "REPLACE_ME";
};
}; };
access_control = { access_control = {
@ -125,6 +149,9 @@
"www.johannes-rothe.de".extraConfig = '' "www.johannes-rothe.de".extraConfig = ''
reverse_proxy base:11112 reverse_proxy base:11112
''; '';
"accounts.johannes-rothe.de".extraConfig = ''
reverse_proxy localhost:9095
'';
"auth.johannes-rothe.de".extraConfig = '' "auth.johannes-rothe.de".extraConfig = ''
reverse_proxy localhost:9091 reverse_proxy localhost:9091
''; '';
@ -154,6 +181,16 @@
}; };
}; };
services.lldap = {
enable = true;
settings = {
http_host = "127.0.0.1";
http_port = 9095;
http_url = "https://accounts.johannes-rothe.de";
ldap_base_dn= "dc=accounts,dc=johannes-rothe,dc=de";
};
};
services.searx = { services.searx = {
enable = true; enable = true;
redisCreateLocally = true; redisCreateLocally = true;