diff --git a/modules/nixos/services/authentication/authelia.nix b/modules/nixos/services/authentication/authelia.nix
index e706439..9990003 100644
--- a/modules/nixos/services/authentication/authelia.nix
+++ b/modules/nixos/services/authentication/authelia.nix
@@ -130,6 +130,23 @@ in
 scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
 redirect_uris = [ "http://localhost:3000/api/auth/oauth2/callback/authelia" ];
 }
+ {
+ client_id = "forgejo";
+ client_name = "forgejo";
+ # ZPuiW2gpVV6MGXIJFk5P3EeSW8V_ICgqduF.hJVCKkrnVmRqIQXRk0o~HSA8ZdCf8joA4m_F
+ client_secret = "$pbkdf2-sha512$310000$CzZjvJT75bz5z7MjwxsEtg$JtOiIgaY5/HcLLxJgyX4zvsQV9jIoow0e4JdlFsk/LWRDOJ0kc.PzstlYfw7QERTXtJILoWsDqPzmvpneK5Leg";
+ public = false;
+ require_pkce = true;
+ pkce_challenge_method = "S256";
+ token_endpoint_auth_method = "client_secret_post";
+ authorization_policy = "one_factor";
+ userinfo_signed_response_alg = "none";
+ consent_mode = "implicit";
+ scopes = [ "offline_access" "openid" "email" "picture" "profile" "groups" ];
+ response_types = [ "code" ];
+ grant_types = [ "authorization_code" ];
+ redirect_uris = [ "http://localhost:5002/user/oauth2/authelia/callback" ];
+ }
 ];
 };
 };
diff --git a/modules/nixos/services/development/forgejo/default.nix b/modules/nixos/services/development/forgejo/default.nix
index 99b3a28..a773249 100644
--- a/modules/nixos/services/development/forgejo/default.nix
+++ b/modules/nixos/services/development/forgejo/default.nix
@@ -22,12 +22,20 @@ in
 HTTP_PORT = 5002;
 };
- service.DISABLE_REGISTRATION = true;
+ service = {
+ DISABLE_REGISTRATION = true;
+ ALLOW_ONLY_EXTERNAL_REGISTRATION = false;
+ SHOW_REGISTRATION_BUTTON = false;
+ };
 actions = {
 ENABLED = true;
 DEFAULT_ACTIONS_URL = "forgejo";
 };
+
+ session = {
+ COOKIE_SECURE = true;
+ };
 };
 };
@@ -54,6 +62,8 @@ in
 enable = true;
 virtualHosts = {
 "git.kruining.eu".extraConfig = ''
+ import auth
+
 reverse_proxy http://127.0.0.1:5002
 '';
 };
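Review bot: The comment line directly above `client_secret` in the new `forgejo` client appears to be the plaintext secret sitting next to its pbkdf2 digest, which cancels the point of committing only the hash and leaves the value in git history. The comment should be dropped, the secret treated as exposed and regenerated, and only the new digest committed, with the plaintext kept in whatever secret store feeds Forgejo's side of the login. Separately, `redirect_uris` points at `http://localhost:5002/...` while this commit serves Forgejo on `git.kruining.eu`; if the client is meant for the deployed instance the callback would be `https://git.kruining.eu/user/oauth2/authelia/callback`. The clients list opens outside the hunk, so whether other entries follow the same pattern cannot be checked from here.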
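Review bot: The new `service` block combines `DISABLE_REGISTRATION = true` with `ALLOW_ONLY_EXTERNAL_REGISTRATION = false`, and nothing in the hunk says how an Authelia user is supposed to obtain a Forgejo account. As far as I know, Forgejo refuses to create an account on first OAuth2 sign-in while registration is disabled, so only pre-created users could log in through the new client. If accounts should be provisioned from Authelia and nowhere else, the usual pair is `DISABLE_REGISTRATION = false;` and `ALLOW_ONLY_EXTERNAL_REGISTRATION = true;`. If admin-created accounts are the intent, a comment such as `# accounts are created by an admin; Authelia login only links to existing users` would record that decision. The enclosing settings block starts and ends outside the hunk.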
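Review bot: The `import auth` gate added to the `git.kruining.eu` vhost only protects requests that pass through Caddy, and the visible Forgejo settings set `HTTP_PORT = 5002` without showing a bind address. If the listener is not restricted to loopback (for example `HTTP_ADDR = "127.0.0.1";` next to `HTTP_PORT`) or firewalled, the port can be reached directly and the gate is skipped. The `auth` snippet is defined outside this diff; assuming it is a forward-auth check against Authelia, putting it in front of the whole vhost will also challenge non-browser clients such as `git` over HTTPS, API tokens and Actions runners, so those paths may need to be matched out. A comment above the import, e.g. `# forward-auth via Authelia; git/API paths are excluded in the snippet`, would make the intended coverage explicit.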