diff --git a/config/_ha_secrets.nix b/config/_ha_secrets.nix
new file mode 120000
index 0000000..52185c3
--- /dev/null
+++ b/config/_ha_secrets.nix
@@ -0,0 +1 @@
+/home/xmorel/homelab-private/_ha_secrets.nix
\ No newline at end of file
diff --git a/modules/containers-terraform-authentik.nix b/modules/containers-terraform-authentik.nix
index 7326193..3e3359b 100644
--- a/modules/containers-terraform-authentik.nix
+++ b/modules/containers-terraform-authentik.nix
@@ -6,7 +6,8 @@
 }:
 let
 cfg = config.my-lxc;
- sec = import ../config/_matrix_secrets.nix;
+ matrix = import ../config/_matrix_secrets.nix;
+ hass = import ../config/_ha_secrets.nix;
 in
 {
 authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
@@ -33,11 +34,15 @@ in
 ) cfg
 ) // {
+ home_assistant = {
+ name = "home_assistant";
+ slug = "home_assistant";
+ protocol_provider = "\${resource.authentik_provider_oauth2.home_assistant.id}";
+ };
 matrix = {
 name = "matrix";
 slug = "matrix";
 protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";
- };
 };
 authentik_outpost_provider_attachment =
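Review bot: The new `config/_ha_secrets.nix` is a symlink to an absolute path under one user's home directory, so `import ../config/_ha_secrets.nix` in modules/containers-terraform-authentik.nix only evaluates on that machine; on any other checkout or a CI runner the link dangles and the failure surfaces as a missing-path error far from the cause. A relative target inside the repository's expected layout, or a short README note stating where the private checkout must live, would make the dependency explicit; if this tree is evaluated as a flake, a symlink that leaves the source tree may additionally be rejected outright, which is worth confirming. The existing `_matrix_secrets.nix` presumably follows the same pattern, so whichever convention is chosen should be applied to both.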
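Review bot: The removed line after `protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";` shows as `- };` in this collapsed view; if that really was the closing brace of the `matrix = { ... }` entry the attribute set no longer parses, whereas if it was only a stray blank line the hunk is fine, so this is worth confirming with an evaluation before merge. The new `home_assistant` entry references its provider as `resource.authentik_provider_oauth2.home_assistant.id`, while the outpost attachment in the next hunk uses `authentik_provider_oauth2.home_assistant.id` for the same resource; presumably both resolve, since the pre-existing matrix entry already mixes the two forms, but settling on one spelling per file keeps the cross-references greppable. The `lib.filterAttrs ... // {` expression this entry extends opens before the hunk starts.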
@@ -51,17 +56,56 @@ in
 ) cfg
 ) // {
+ home_assistant = {
+ outpost = "\${data.authentik_outpost.embedded.id}";
+ protocol_provider = "\${authentik_provider_oauth2.home_assistant.id}";
+ };
 matrix = {
 outpost = "\${data.authentik_outpost.embedded.id}";
 protocol_provider = "\${authentik_provider_oauth2.matrix.id}";
 };
 };
- authentik_provider_oauth2.matrix = {
- name = "matrix";
- authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
- invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
- client_id = sec.oidc_client_id;
- client_secret = sec.oidc_client_secret;
+ authentik_provider_oauth2 = {
+ home_assistant = {
+ name = "home_assistant";
+ authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
+ invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
+ client_id = hass.oidc_client_id;
+ client_secret = hass.oidc_client_secret;
+
+ property_mappings = [
+ "\${data.authentik_property_mapping_provider_scope.proxy_outpost.id}"
+ "\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
+ "\${data.authentik_property_mapping_provider_scope.openid_email.id}"
+ "\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
+ "\${data.authentik_property_mapping_provider_scope.app_entitlement.id}"
+ "\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
+ "\${data.authentik_property_mapping_provider_scope.authentik_api.id}"
+ ];
+
+ signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
+
+ allowed_redirect_uris = [
+ {
+ matching_mode = "strict";
+ url = "https://homeassistant.plg.m0rel.eu/auth/oidc/callback";
+ }
+ ];
+ };
+ matrix = {
+ name = "matrix";
+ authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
+ invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
+ client_id = matrix.oidc_client_id;
+ client_secret = matrix.oidc_client_secret;
+
+ allowed_redirect_uris = [
+ {
+ matching_mode = "strict";
+ url = "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback";
+ }
+ ];
+ };
 };
 }
diff --git a/modules/terraform-base.nix b/modules/terraform-base.nix
index 097b647..598453e 100644
--- a/modules/terraform-base.nix
+++ b/modules/terraform-base.nix
@@ -25,6 +25,31 @@
 variable.ak_url.type = "string";
 variable.ak_token.type = "string";
+ data.authentik_certificate_key_pair.generated = {
+ name = "authentik Self-signed Certificate";
+ };
+ data.authentik_property_mapping_provider_scope.openid_email = {
+ name = "authentik default OAuth Mapping: OpenID 'email'";
+ };
+ data.authentik_property_mapping_provider_scope.openid_offline_access = {
+ name = "authentik default OAuth Mapping: OpenID 'offline_access'";
+ };
+ data.authentik_property_mapping_provider_scope.openid_openid = {
+ name = "authentik default OAuth Mapping: OpenID 'openid'";
+ };
+ data.authentik_property_mapping_provider_scope.openid_profile = {
+ name = "authentik default OAuth Mapping: OpenID 'profile'";
+ };
+ data.authentik_property_mapping_provider_scope.app_entitlement = {
+ name = "authentik default OAuth Mapping: Application Entitlements";
+ };
+ data.authentik_property_mapping_provider_scope.authentik_api = {
+ name = "authentik default OAuth Mapping: authentik API access";
+ };
+ data.authentik_property_mapping_provider_scope.proxy_outpost = {
+ name = "authentik default OAuth Mapping: Proxy outpost";
+ };
+
 provider.proxmox = {
 pm_api_url = "\${var.pm_api_url}";
 pm_api_token_id = "\${var.pm_api_token_id}";
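Review bot: The `property_mappings` list on the new `home_assistant` OAuth2 provider grants the `authentik_api`, `proxy_outpost` and `app_entitlement` scope mappings alongside the standard OpenID ones, which is more than a Home Assistant OIDC login appears to need; unless HA actually consumes those claims, trimming the list to `openid_openid`, `openid_email` and `openid_profile` (plus `openid_offline_access` if refresh tokens are wanted) keeps tokens issued to HA from also carrying authentik API access. `client_secret = hass.oidc_client_secret;` and the matrix equivalent embed the secrets in the generated Terraform configuration and plan output, and since terraform-base.nix already declares `variable.ak_token` for the authentik token, routing these through variables marked `sensitive` would keep them out of the rendered config (state still records them and must be protected accordingly). `signing_key` is set only on `home_assistant` and not on `matrix`; if that asymmetry is intentional a one-line comment saying why would help the next reader. The enclosing attribute set these providers belong to opens before the hunk starts.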
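Review bot: The eight new data sources in modules/terraform-base.nix resolve the scope mappings and certificate purely by their display `name` strings, so a rename in the authentik UI or a differently worded default in a future release makes the lookup fail at plan time with no hint of which provider depended on it. The `authentik_property_mapping_provider_scope` data source also accepts a `managed` lookup keyed on authentik's stable internal identifier for its built-in mappings, which is more robust than the display name if the provider version in use supports it. Either way, a short comment above the block, e.g. `# authentik's built-in default mappings, resolved by display name; keep in sync if renamed`, would tell the next maintainer where these strings come from.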