
feat(nextcloud): enable OIDC login #186

Merged
merged 1 commit into from
Jan 4, 2024
Merged

Conversation

martinohmann
Owner

No description provided.

@github-actions github-actions bot added the area/kubernetes Changes made in the kubernetes directory label Jan 4, 2024

github-actions bot commented Jan 4, 2024

--- kubernetes/apps/default/authelia/app Kustomization: flux-system/authelia ConfigMap: default/authelia

+++ kubernetes/apps/default/authelia/app Kustomization: flux-system/authelia ConfigMap: default/authelia

@@ -123,12 +123,22 @@

             authorization_policy: two_factor
             consent_mode: implicit
             pre_configured_consent_duration: 1y
             scopes: ["openid", "profile", "groups", "email"]
             redirect_uris: ["https://minio.18b.haus/oauth_callback"]
             userinfo_signed_response_alg: none
+          - id: nextcloud
+            description: Nextcloud
+            secret: "${NEXTCLOUD_OIDC_CLIENT_SECRET_DIGEST}"
+            public: false
+            authorization_policy: two_factor
+            consent_mode: implicit
+            pre_configured_consent_duration: 1y
+            scopes: ["openid", "profile", "groups", "email"]
+            redirect_uris: ["https://cloud.18b.haus/apps/oidc_login/oidc"]
+            userinfo_signed_response_alg: none
 kind: ConfigMap
 metadata:
   annotations:
     kustomize.toolkit.fluxcd.io/substitute: disabled
   labels:
     app.kubernetes.io/name: authelia
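Review bot: The new client entry stores only a digest placeholder in its `secret:` field, but this ConfigMap carries `kustomize.toolkit.fluxcd.io/substitute: disabled`, so Flux will not expand `${NEXTCLOUD_OIDC_CLIENT_SECRET_DIGEST}` here — presumably Authelia resolves it from its own environment at runtime, as the existing minio entry above must already rely on. That coupling is easy to break when the Nextcloud side rotates `OIDC_CLIENT_SECRET` in `nextcloud-secret`, so a comment next to the field would help: `# digest of the plaintext stored as OIDC_CLIENT_SECRET in default/nextcloud-secret; rotate both together`. Registering `redirect_uris` as a single exact URI is the right shape for this client. The enclosing `clients` list starts outside the hunk.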
--- kubernetes/apps/default/nextcloud/app Kustomization: flux-system/nextcloud HelmRelease: default/nextcloud

+++ kubernetes/apps/default/nextcloud/app Kustomization: flux-system/nextcloud HelmRelease: default/nextcloud

@@ -102,18 +102,56 @@

               '10.0.0.0/8',
             ),
             'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
             'default_phone_region' => 'DE',
             'auth.bruteforce.protection.enabled' => true,
           );
+        sso.config.php: |-
+          <?php
+          $CONFIG = array(
+            'allow_user_to_change_display_name' => false,
+            'lost_password_link' => 'disabled',
+            'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'),
+            'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'),
+            'oidc_login_provider_url' => 'https://auth.18b.haus',
+            'oidc_login_end_session_redirect' => true,
+            'oidc_login_logout_url' => 'https://auth.18b.haus/logout?rd=https://cloud.18b.haus/login',
+            'oidc_login_default_quota' => '1000000000',
+            'oidc_login_hide_password_form' => true,
+            'oidc_login_disable_registration' => false,
+            'oidc_login_webdav_enabled' => true,
+            'oidc_login_attributes' => array(
+              'id' => 'sub',
+              'name' => 'name',
+              'mail' => 'email',
+              'groups' => 'groups',
+            ),
+            'oidc_login_scope' => 'openid profile email groups',
+            'oidc_login_default_group' => 'oidc',
+            'oidc_create_groups' => true,
+            'oidc_login_auto_redirect' => true, //login?noredir=1
+          );
       existingSecret:
         enabled: true
         passwordKey: ADMIN_PASS
         secretName: nextcloud-secret
         tokenKey: TOKEN
         usernameKey: ADMIN_USER
+      extraEnv:
+      - name: TZ
+        value: Europe/Berlin
+      - name: OIDC_CLIENT_ID
+        valueFrom:
+          secretKeyRef:
+            key: OIDC_CLIENT_ID
+            name: nextcloud-secret
+      - name: OIDC_CLIENT_SECRET
+        valueFrom:
+          secretKeyRef:
+            key: OIDC_CLIENT_SECRET
+            name: nextcloud-secret
       extraInitContainers:
       - envFrom:
         - secretRef:
             name: nextcloud-secret
         image: ghcr.io/onedr0p/postgres-init:16.1
         name: init-db
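Review bot: The trailing `//login?noredir=1` on the `oidc_login_auto_redirect` line is the only hint that local login stays reachable once `oidc_login_hide_password_form` and auto-redirect are both true, and it is easy to miss during an IdP outage; spell it out, e.g. `// Break-glass: with auto-redirect and the hidden password form, the local admin login is only reachable at /login?noredir=1 if Authelia is unavailable`. Separately, `oidc_login_disable_registration => false` auto-provisions a Nextcloud account (with the 1 GB default quota) for every identity Authelia authenticates, and the matching Authelia client only requires `two_factor` with no group restriction visible in this PR, so either document that every Authelia user is meant to get a Nextcloud account or restrict the client on the Authelia side. Keeping the client secret behind `getenv('OIDC_CLIENT_SECRET')` rather than inline in the ConfigMap-backed config is the right call. The same PHP block is rendered again in the `default/nextcloud-config` ConfigMap hunk below, which needs no separate note.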


github-actions bot commented Jan 4, 2024

--- HelmRelease: default/nextcloud ConfigMap: default/nextcloud-config

+++ HelmRelease: default/nextcloud ConfigMap: default/nextcloud-config

@@ -15,12 +15,37 @@

         '127.0.0.1',
         '10.0.0.0/8',
       ),
       'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
       'default_phone_region' => 'DE',
       'auth.bruteforce.protection.enabled' => true,
+    );
+  sso.config.php: |-
+    <?php
+    $CONFIG = array(
+      'allow_user_to_change_display_name' => false,
+      'lost_password_link' => 'disabled',
+      'oidc_login_client_id' => getenv('OIDC_CLIENT_ID'),
+      'oidc_login_client_secret' => getenv('OIDC_CLIENT_SECRET'),
+      'oidc_login_provider_url' => 'https://auth.18b.haus',
+      'oidc_login_end_session_redirect' => true,
+      'oidc_login_logout_url' => 'https://auth.18b.haus/logout?rd=https://cloud.18b.haus/login',
+      'oidc_login_default_quota' => '1000000000',
+      'oidc_login_hide_password_form' => true,
+      'oidc_login_disable_registration' => false,
+      'oidc_login_webdav_enabled' => true,
+      'oidc_login_attributes' => array(
+        'id' => 'sub',
+        'name' => 'name',
+        'mail' => 'email',
+        'groups' => 'groups',
+      ),
+      'oidc_login_scope' => 'openid profile email groups',
+      'oidc_login_default_group' => 'oidc',
+      'oidc_create_groups' => true,
+      'oidc_login_auto_redirect' => true, //login?noredir=1
     );
   .htaccess: |-
     # line below if for Apache 2.4
     <ifModule mod_authz_core.c>
     Require all denied
     </ifModule>
--- HelmRelease: default/nextcloud Deployment: default/nextcloud

+++ HelmRelease: default/nextcloud Deployment: default/nextcloud

@@ -24,13 +24,13 @@

       labels:
         app.kubernetes.io/name: nextcloud
         app.kubernetes.io/instance: nextcloud
         app.kubernetes.io/component: app
         nextcloud-redis-client: 'true'
       annotations:
-        nextcloud-config-hash: 23cd7edd27c6e4ae0f33ef8294bebc7890c28f5d5049a0df36d838564b296f51
+        nextcloud-config-hash: 315f8fbd0fda3ddf3cdfc1704b5fee6301cc276ae11a464c8c36679a06d2c215
         php-config-hash: b42c4841da13ab0c6d450941f1d15997c7ee914e8f09152d25ac1af57d0ccc8c
         nginx-config-hash: 18dd8f905a93ed27f032e9ae68084222ed7e5926f7144cda17b979780f4da54b
     spec:
       containers:
       - name: nextcloud
         image: public.ecr.aws/docker/library/nextcloud:28.0.1-fpm-alpine
@@ -78,12 +78,24 @@

           value: '6379'
         - name: REDIS_HOST_PASSWORD
           valueFrom:
             secretKeyRef:
               name: nextcloud-secret
               key: REDIS_PASSWORD
+        - name: TZ
+          value: Europe/Berlin
+        - name: OIDC_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: OIDC_CLIENT_ID
+              name: nextcloud-secret
+        - name: OIDC_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: OIDC_CLIENT_SECRET
+              name: nextcloud-secret
         resources:
           limits:
             memory: 1Gi
           requests:
             cpu: 200m
             memory: 300Mi
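Review bot: The new `OIDC_CLIENT_ID` and `OIDC_CLIENT_SECRET` entries read from `nextcloud-secret` without `optional: true`, and nothing in this PR shows that Secret gaining those keys; if they are absent the container will refuse to start rather than come up with an empty client secret. That fail-closed behaviour is what you want for a client secret, but it is worth confirming the Secret (presumably managed outside this diff) carries both keys before rollout, given the later revert notes the feature did not work yet. Any fix belongs in the HelmRelease `extraEnv` block this Deployment is rendered from, not here; the identical env block is rendered again further down for the second container. The container spec enclosing these lines starts outside the hunk.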
@@ -114,12 +126,15 @@

         - name: nextcloud-main
           mountPath: /var/www/html/themes
           subPath: themes
         - name: nextcloud-config
           mountPath: /var/www/html/config/local.config.php
           subPath: local.config.php
+        - name: nextcloud-config
+          mountPath: /var/www/html/config/sso.config.php
+          subPath: sso.config.php
         - name: nextcloud-config
           mountPath: /var/www/html/config/.htaccess
           subPath: .htaccess
         - name: nextcloud-config
           mountPath: /var/www/html/config/apache-pretty-urls.config.php
           subPath: apache-pretty-urls.config.php
@@ -267,12 +282,24 @@

           value: '6379'
         - name: REDIS_HOST_PASSWORD
           valueFrom:
             secretKeyRef:
               name: nextcloud-secret
               key: REDIS_PASSWORD
+        - name: TZ
+          value: Europe/Berlin
+        - name: OIDC_CLIENT_ID
+          valueFrom:
+            secretKeyRef:
+              key: OIDC_CLIENT_ID
+              name: nextcloud-secret
+        - name: OIDC_CLIENT_SECRET
+          valueFrom:
+            secretKeyRef:
+              key: OIDC_CLIENT_SECRET
+              name: nextcloud-secret
         resources: {}
         securityContext:
           runAsGroup: 82
         volumeMounts:
         - name: nextcloud-main
           mountPath: /var/www/
@@ -295,12 +322,15 @@

         - name: nextcloud-main
           mountPath: /var/www/html/themes
           subPath: themes
         - name: nextcloud-config
           mountPath: /var/www/html/config/local.config.php
           subPath: local.config.php
+        - name: nextcloud-config
+          mountPath: /var/www/html/config/sso.config.php
+          subPath: sso.config.php
         - name: nextcloud-config
           mountPath: /var/www/html/config/.htaccess
           subPath: .htaccess
         - name: nextcloud-config
           mountPath: /var/www/html/config/apache-pretty-urls.config.php
           subPath: apache-pretty-urls.config.php

@martinohmann martinohmann merged commit 778becf into main Jan 4, 2024
4 checks passed
@martinohmann martinohmann deleted the nextcloud/oidc-login branch January 4, 2024 22:08
martinohmann added a commit that referenced this pull request Jan 4, 2024
This reverts commit 778becf.

It does not work yet.
martinohmann added a commit that referenced this pull request Jan 6, 2024
Essentially the same as #186 but for authentik
martinohmann added a commit that referenced this pull request Jan 6, 2024
Essentially the same as #186 but for authentik