hosting/selfhostblocks
1
0
Fork 0
Code Issues Activity

add explicit type for sso rules

Browse source
This commit is contained in:
ibizaman 2023-12-31 00:53:51 -08:00
parent ca6e1e8114
commit 7e227242ba
1 changed files with 120 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

121
modules/blocks/sso.nix
View file

@ -16,6 +16,125 @@ let
rm ${newPath} || : rm ${newPath} || :
sed ${sedPatterns} ${templatePath} > ${newPath} sed ${sedPatterns} ${templatePath} > ${newPath}
''; '';
rulesConfig = lib.types.submodule {
description = ''
Rule to apply a policy to matching requests.
More information can be found at
https://www.authelia.com/configuration/security/access-control
'';
options = {
domains = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
Fully qualified domain names that are used to match this rule. Only one of them must
match.
See https://www.authelia.com/configuration/security/access-control/#domain for more
information.
'';
example = "subdomain.mydomain.com";
};
subjects = lib.mkOption {
type =
let
subjectType = lib.types.submodule {
options = {
type = lib.mkOption {
type = lib.types.enum [ "user" "group" ];
description = "Identify which part of the identity to check.";
};
subject = lib.mkOption {
type = lib.types.str;
description = "Subject to match.";
};
};
};
in
lib.types.listOf (lib.types.listOf subjectType);
description = ''
Subjects used to match this rule. This is a doubly nested list of subjects. The top level
matches one of the items in the list while the second level must match all subjects in the
list.
See https://www.authelia.com/configuration/security/access-control/#subject for more information.
'';
default = [];
example = lib.literalExpression ''
[
[
{ type = "user"; subject = "john"; }
] # OR
[
{ type = "group"; subject = "admin"; } # AND
{ type = "group"; subject = "app-name"; }
] # OR
[
{ type = "group"; subject = "super-admin"; }
]
]
'';
};
methods = lib.mkOption {
type = lib.types.listOf (lib.types.enum [
"GET" "HEAD" "POST" "PUT" "DELETE" "CONNECT"
"OPTIONS" "TRACE" "PATCH" "PROPFIND" "PROPPATCH"
"MKCOL" "COPY" "MOVE" "LOCK" "UNLOCK"
]);
description = ''
Methods to match this rule.
See https://www.authelia.com/configuration/security/access-control/#methods for more information.
'';
default = [];
};
networks = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
Networks to match this rule.
The "internal" network alias is already defined as the list of:
- "10.0.0.0/8"
- "172.16.0.0/12"
- "192.168.0.0/18"
See https://www.authelia.com/configuration/security/access-control/#networks for more information.
'';
example = lib.literalExpression ''
[
"internal"
"112.134.145.167/32"
]
'';
};
resources = lib.mkOption {
type = lib.types.listOf lib.types.str;
description = ''
Resources to match this rule. Matches the path and query of the request using regular expressions.
See https://www.authelia.com/configuration/security/access-control/#resources for more information.
'';
example = lib.literalExpression ''
[
"^/api([/?].*)?$"
]
'';
};
policy = lib.mkOption {
type = lib.types.enum [ "deny" "bypass" "one_factor" "two_factor" ];
description = ''
See https://www.authelia.com/configuration/security/access-control/#policies for more information.
'';
};
};
};
in in
{ {
options.shb.sso = { options.shb.sso = {
@ -132,7 +251,7 @@ in
}; };
rules = lib.mkOption { rules = lib.mkOption {
type = lib.types.listOf lib.types.anything; type = lib.types.listOf rulesConfig;
description = "Rule based clients"; description = "Rule based clients";
default = []; default = [];
}; };