feat(nextcloud): enable OIDC login (#186)

martinohmann · Jan 4, 2024 · 778becf · 778becf
1 parent cac3c8f
commit 778becf
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 4 deletions.
diff --git a/kubernetes/apps/default/authelia/app/resources/configuration.yaml b/kubernetes/apps/default/authelia/app/resources/configuration.yaml
@@ -122,3 +122,13 @@ identity_providers:
         scopes: ["openid", "profile", "groups", "email"]
         redirect_uris: ["https://minio.18b.haus/oauth_callback"]
         userinfo_signed_response_alg: none
+      - id: nextcloud
+        description: Nextcloud
+        secret: "${NEXTCLOUD_OIDC_CLIENT_SECRET_DIGEST}"
+        public: false
+        authorization_policy: two_factor
+        consent_mode: implicit
+        pre_configured_consent_duration: 1y
+        scopes: ["openid", "profile", "groups", "email"]
+        redirect_uris: ["https://cloud.18b.haus/apps/oidc_login/oidc"]
+        userinfo_signed_response_alg: none
diff --git a/kubernetes/apps/default/authelia/app/secret.sops.yaml b/kubernetes/apps/default/authelia/app/secret.sops.yaml
@@ -17,6 +17,7 @@ stringData:
     KUBE_WEB_VIEW_OIDC_CLIENT_SECRET_DIGEST: ENC[AES256_GCM,data:6PW0hVmezW8IkfM80Y8mOP1S9yM9cyjHp+u03vRMV7+FocO1I9HOs1eHen3jMiyah780rofGDYT41QJG3FX8q9NsryHAMmypPKMR1IinjZbjW/KS7/ILFRCRWiAtrFnJ9ndkMMJSbppfk4HkhUw8/EeE+0bmvz8pz8Q5LHYxQkS9B8Q=,iv:ujb5MAUjCduRI58BNkSJjXmYq/4aUXjiZx5KU1K9cjg=,tag:7C9cKOWlTGT5puq+5c/3mg==,type:str]
     WEAVE_GITOPS_OIDC_CLIENT_SECRET_DIGEST: ENC[AES256_GCM,data:TKoioiZNAtUyi0i6qrefZYwdYughQrmZMw8TdvCNQGQ+jqspqemjv/cKyHz4Pr4eODNyiv/fcF1lTEdb0Y34lHJwnIb2ePMOr2LNxsgrcMyy/aKjs/PH4IwM7hEkQfoGlBtAgIq+TvIVOktgpy+Nb5DNPczq25ey+QuXCGq2yZcMma8=,iv:pwLw6E+vU9qcblUJdnL6vKy6XJ68FVfzNdPjW8Gw8hE=,tag:Xf4m3zXqRLIX/Yiklh0kqQ==,type:str]
     MINIO_OIDC_CLIENT_SECRET_DIGEST: ENC[AES256_GCM,data:ud5akoyj07ZRVwzH49apIu6UGa8VWpvheJdOdVh5sGI3zubbmU3geim7hzN0iWRl8La4sdxstUhBX/cYz6tKsX4GEzNz4AwCSg9WPui0x2XtD4NB5Uuhrx8I81U1NNG7vjxPSmyohaVWDpWh4p5nVBKy/1FvfYhNy04fHgFA98EGcgM=,iv:yt9vIE+yBS3hEfByHEAD/ehRx+AKUCHcDAs1f105HfY=,tag:wmgztAV2uvtCR4XbXJDeJw==,type:str]
+    NEXTCLOUD_OIDC_CLIENT_SECRET_DIGEST: ENC[AES256_GCM,data:J4PI67Y18pwmgZBRAOvWMk+BoKtPeViIwIEm8ldiaNtFOoKhavDMoXh/KBxNYICLq+Qlwn0x9kTA/oiSWpI7wQdcGkvuue236ozDK2jLW/S7tETw3R+7j8L4Csu1x24YQ55elbFmZokgVjwuN3M72FUq76KIw8ns5WU7+fSLdwwYrMU=,iv:JI0F8qqVr6YVRZjvTYgbh2C3mzje8owvMX7TnMKcN90=,tag:r3ufrkyihSBaGDeh7sm/zw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -32,8 +33,8 @@ sops:
             ekoxSWY2dmlWK0k3bzhUdmo0ZzdvTzQKlBZSUqKIS0zDPmYiyDX/ynsV++620De6
             FT3clq2Hev74lzkqV2NKjuJNkuPFIxSAPoySw0VYWbrxCS1ztWs8wg==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-29T16:06:01Z"
-    mac: ENC[AES256_GCM,data:vQfoyys/BS1bo52ABCoelORCAkCINUhAGQGXj2UlR5F8iWHEemZ8rSXcRgLufWWLb7ADdZm6X6lu3R/FbVotOmofIWqXxz4b/+AWnUwKCgLiKHkgndu8hvMloumfM4BCbHG3yhgZMCIRUCcTtgtrZEWf9ZzPAhGgIcVYHPwOMtA=,iv:YoAs2w2a625e4+uAqAIlVFeV4PSN4/6y4ibeE8FWekI=,tag:CgqlzBUegkh9U4S8Vs15YA==,type:str]
+    lastmodified: "2024-01-04T21:50:37Z"
+    mac: ENC[AES256_GCM,data:+k2im1UJsG4xx1OAOIRgoNoWGbCe6/00RJubwL/hH7JFWkMKMULEItJXu8d2LPY0odbrMnEyVq04PrhQH+qp/uVrAOhsPYXnSQVxUsWEr9aVdjB1AKiU6mnXEWvhBVgovu7HBT59RA+ypcTP8lvX/038ZPPvuVt1hrXZwqHGajs=,iv:aJmNYCOzi5JWnOsNcmJefTDhKxIY1BkTn2GtMyDqOMA=,tag:Y6+l1/fyQ6AU1o+J+vJwaA==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.8.1
diff --git a/kubernetes/apps/default/nextcloud/app/helmrelease.yaml b/kubernetes/apps/default/nextcloud/app/helmrelease.yaml
@@ -39,6 +39,19 @@ spec:
           envFrom:
             - secretRef:
                 name: *secret
+      extraEnv:
+        - name: TZ
+          value: Europe/Berlin
+        - name: OIDC_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              name: *secret
+              key: OIDC_CLIENT_ID
+        - name: OIDC_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: *secret
+              key: OIDC_CLIENT_SECRET
       existingSecret:
         enabled: true
         secretName: *secret
@@ -59,6 +72,31 @@ spec:
             'default_phone_region' => 'DE',
             'auth.bruteforce.protection.enabled' => true,
           );
+        sso.config.php: |-
+          <?php
+          $CONFIG = array(
+            'allow_user_to_change_display_name' => false,
+            'lost_password_link' => 'disabled',
+            'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'),
+            'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'),
+            'oidc_login_provider_url' => 'https://auth.18b.haus',
+            'oidc_login_end_session_redirect' => true,
+            'oidc_login_logout_url' => 'https://auth.18b.haus/logout?rd=https://cloud.18b.haus/login',
+            'oidc_login_default_quota' => '1000000000',
+            'oidc_login_hide_password_form' => true,
+            'oidc_login_disable_registration' => false,
+            'oidc_login_webdav_enabled' => true,
+            'oidc_login_attributes' => array(
+              'id' => 'sub',
+              'name' => 'name',
+              'mail' => 'email',
+              'groups' => 'groups',
+            ),
+            'oidc_login_scope' => 'openid profile email groups',
+            'oidc_login_default_group' => 'oidc',
+            'oidc_create_groups' => true,
+            'oidc_login_auto_redirect' => true, //login?noredir=1
+          );
       phpConfigs:
         uploadLimit.ini: |
           upload_max_filesize = 16G

diff --git a/kubernetes/apps/default/nextcloud/app/secret.sops.yaml b/kubernetes/apps/default/nextcloud/app/secret.sops.yaml
@@ -12,6 +12,8 @@ stringData:
     INIT_POSTGRES_USER: ENC[AES256_GCM,data:kb+VY73vUTAF,iv:a3aiSBSuGa4eqPbYN/29/3jsMzEru4JIypSQ177kYDc=,tag:c7ZPf8JnlQxei+6Xbfs2dg==,type:str]
     INIT_POSTGRES_PASS: ENC[AES256_GCM,data:8p7b7jH8p0Tdtx59D7bF2ItKHpG28hZR,iv:7KySD3YDUuoSXT85zILJCgGKs/xgo+lfy/Oz2QfJ5uQ=,tag:4YSPVboUa7JqUg+UiW9nmw==,type:str]
     INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:ijgg7cq8owIuHaM0/Q/p9APDgfc1zf016ZUDu91TfjvN,iv:LF7gPCp7blRAZzYUFYH/05ItSGddEvVNYtmZcGedt+I=,tag:mmrI/srSBYL9cEh6db4i3w==,type:str]
+    OIDC_CLIENT_ID: ENC[AES256_GCM,data:LdUhNAT3b59A,iv:7+53hVEDLq9yLtFbTR1ftGBOGqqduUrpi8+BYbG+ijQ=,tag:Pa+MTsN4Xqlzmk08JxD1zA==,type:str]
+    OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:ZHP+schhYlqYK0+FOXMcRYK665ZADJIvl/QYh2RIyDPQzUffEP4l3E2jdUknHDE20iX86CVy4Xd3mLMdCHXFo0yHxGsqluns,iv:GNX2hNk1bzb3maMsPQNCBvmdGjxsWdwFffziipV0DvU=,tag:ln4WOrSFzJDjC/rwtCqbhQ==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -27,8 +29,8 @@ sops:
             dmlkR0oxVWxLM1RCbms3S0xRVGhmSFUKe4Me3LNNHQ2PXoyfa5R6BHZzkSuIIGq0
             eZRlbFmYSPbGwriihaD0f9kb6qiJoABRLCEDZsyGw7tTfi/IHBQ6Ng==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-30T22:54:28Z"
-    mac: ENC[AES256_GCM,data:Ugzx9tKhEl3prm0kYVYKiprHhtos8s2CwtM2HCeOqi/kCi055XVac/EKxw2MiFZzFO2JDkMMA1grSpRIR/ef6pNxr/72zPeW+okUUvkL8yw3KeyjEZ4zvBL8I5UhNkyPDR9b0eOmeOsZA0KLTr8dmltfyYp9tEM8GhOL7H+ckJQ=,iv:XA98Sm/sRuXxxLKj8ECxzu4ubEeGPgCzCto/xjgmt5Y=,tag:r3Lqgt32LZTCmBEBpy1VVQ==,type:str]
+    lastmodified: "2024-01-04T21:51:21Z"
+    mac: ENC[AES256_GCM,data:FKlUOHLIEDo8dp4CHcY6SJaYH8uEk5hesxXEOUsQtf40EBPXyIkg/SRMTYb5HZhxuzOczHzSO3QbFIuqFmsW+o9WHPCMTCiVtEq6lCm537WqshTSFrhOSRMhGo3pnfOLs/f2pIfZPBHaoEUfp8B3amBTjDM7t5BfpUcI0zcjTLs=,iv:J2rwRcT3vI8FG5262ZyQIonFx2Fb0Z+65oMzLedCaeY=,tag:lLiPKel+zE/BpcwnC2fipg==,type:str]
     pgp: []
     encrypted_regex: ^(data|stringData)$
     version: 3.8.1