author | Emile <git@emile.space> | 2025-04-11 19:37:11 +0200 |
---|---|---|
committer | Emile <git@emile.space> | 2025-04-11 19:37:11 +0200 |
commit | 704e0a550c043b7e10d7d101f327cdb685f400d7 (patch) | |
tree | 4edb36848e4ce8572f3ab1b193b0016c49a8fed3 /nix/hosts/corrino/www/sso.emile.space.nix | |
parent | b473840956331cca05154af918aa48009836379b (diff) |
(corrino/sso) added cookie config with auth for silverbullet
Diffstat (limited to 'nix/hosts/corrino/www/sso.emile.space.nix')
-rw-r--r-- | nix/hosts/corrino/www/sso.emile.space.nix | 29 |
1 files changed, 26 insertions, 3 deletions
diff --git a/nix/hosts/corrino/www/sso.emile.space.nix b/nix/hosts/corrino/www/sso.emile.space.nix
index 44e30bb..6ffff80 100644
--- a/nix/hosts/corrino/www/sso.emile.space.nix
+++ b/nix/hosts/corrino/www/sso.emile.space.nix
@@ -141,9 +141,22 @@ in
 storage.local.path = "/var/lib/authelia-main/db.sqlite";
 session = {
- domain = "sso.emile.space";
- expiration = 3600; # 1 hour
- inactivity = 300; # 5 minutes
+ # domain = "sso.emile.space";
+ # expiration = 3600; # 1 hour
+ # inactivity = 300; # 5 minutes
+
+ cookies = [
+ {
+ domain = "emile.space";
+ authelia_url = "https://sso.emile.space";
+ # The period of time the user can be inactive for until the session is destroyed. Useful if you want long session timers but don’t want unused devices to be vulnerable.
+ inactivity = "1h";
+ # The period of time before the cookie expires and the session is destroyed. This is overridden by remember_me when the remember me box is checked.
+ expiration = "1d";
+ # The period of time before the cookie expires and the session is destroyed when the remember me box is checked. Setting this to -1 disables this feature entirely for this session cookie domain
+ remember_me = "3M";
+ }
+ ];
 };
 notifier = {
@@ -196,6 +209,16 @@ in
 default_policy = "deny";
 rules = [
 {
+ # silverbullet needs access to these without auth
+ domain = "sb.emile.space";
+ policy = "bypass";
+ resources = [
+ "/.client/manifest.json$"
+ "/.client/[a-zA-Z0-9_-]+.png$"
+ "/service_worker.js$"
+ ];
+ }
+ {
 domain = "*.emile.space";
 policy = "two_factor";
 } |
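Review bot: The new `cookies` entry widens the session scope from `sso.emile.space` to `emile.space` and also lengthens every lifetime (inactivity 5 minutes to `1h`, expiration 1 hour to `1d`, plus `remember_me = "3M"`), so a leaked session cookie is now accepted for every subdomain and stays usable far longer. The parent-domain scope is what lets protected subdomains share one login, but it also means the browser sends the cookie to every host under emile.space, so each backend and the proxy in front of it must be trusted not to log or forward it. Consider a shorter remember-me window such as `remember_me = "1w";`, or `remember_me = -1;` to disable it as the comment in this hunk describes, and add a comment saying why the longer values were chosen. The three commented-out legacy lines can simply be deleted, since git history keeps them.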
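Review bot: The three `resources` patterns in the new `sb.emile.space` bypass rule are anchored only at the end and leave their dots unescaped, so the rule skips authentication for any request that merely ends in one of these suffixes, not just for these three files. Authelia documents `resources` as regular expressions matched against the request path and query; if that holds for the deployed version, the suffix match extends to the query string as well. Anchor and escape them: `"^/\\.client/manifest\\.json$"`, `"^/\\.client/[a-zA-Z0-9_-]+\\.png$"`, `"^/service_worker\\.js$"` (backslashes doubled because Nix double-quoted strings treat `\` as an escape). The `rules` list continues past the end of the hunk, so later rules were not reviewed.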