Add lldap and use for authelia

2024-11-19 21:36:50 +01:00 · 2024-11-19 21:36:50 +01:00 · fc189c0865
commit fc189c0865
parent 8531d066ad
1 changed files with 37 additions and 0 deletions
--- a/vps-configuration.nix
+++ b/vps-configuration.nix
@ -13,7 +13,9 @@
  };

  environment.systemPackages = with pkgs; [
+    authelia
    curl
+    vim
  ];

  networking.hostName = "tien";
@ -50,6 +52,28 @@
        #file = {
        #  path = "/var/lib/authelia-main/users_database.yml";
        #};
+        password_reset.disable = false;
+        refresh_interval = "1m";
+        ldap = {
+          implementation = "custom";
+          url = "ldap://localhost:3890";
+          timeout = "5s";
+          start_tls = false;
+          base_dn = "dc=accounts,dc=johannes-rothe,dc=de";
+          additional_users_dn = "ou=people";
+          users_filter = "(&({username_attribute}={input})(objectClass=person))";
+          additional_groups_dn = "ou=groups";
+          groups_filter = "(member={dn})";
+          display_name_attribute = "displayName";
+          username_attribute = "uid";
+          group_name_attribute = "cn";
+          mail_attribute = "mail";
+          # "bind_user" should be the username you created for authentication with the "lldap_strict_readonly" permission. It is not recommended to use an actual admin account here.
+          # If you are configuring Authelia to change user passwords, then the account used here needs the "lldap_password_manager" permission instead.
+          user = "uid=bind_user,ou=people,dc=accounts,dc=johannes-rothe,dc=de";
+          # Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+          password = "REPLACE_ME";
+        };
      };

      access_control = {
@ -125,6 +149,9 @@
      "www.johannes-rothe.de".extraConfig = ''
        reverse_proxy base:11112
      '';
+      "accounts.johannes-rothe.de".extraConfig = ''
+        reverse_proxy localhost:9095
+      '';
      "auth.johannes-rothe.de".extraConfig = ''
        reverse_proxy localhost:9091
      '';
@ -154,6 +181,16 @@
    };
  };

+  services.lldap = {
+    enable = true;
+    settings = {
+      http_host = "127.0.0.1";
+      http_port = 9095;
+      http_url = "https://accounts.johannes-rothe.de";
+      ldap_base_dn= "dc=accounts,dc=johannes-rothe,dc=de";
+    };
+  };
+
  services.searx = {
    enable = true;
    redisCreateLocally = true;