feat: add Authentik config for HA OAuth
@@ -6,7 +6,8 @@
|
||||
}:
|
||||
let
|
||||
cfg = config.my-lxc;
|
||||
sec = import ../config/_matrix_secrets.nix;
|
||||
matrix = import ../config/_matrix_secrets.nix;
|
||||
hass = import ../config/_ha_secrets.nix;
|
||||
in
|
||||
{
|
||||
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
|
||||
@@ -33,11 +34,15 @@ in
|
||||
) cfg
|
||||
)
|
||||
// {
|
||||
home_assistant = {
|
||||
name = "home_assistant";
|
||||
slug = "home_assistant";
|
||||
protocol_provider = "\${resource.authentik_provider_oauth2.home_assistant.id}";
|
||||
};
|
||||
matrix = {
|
||||
name = "matrix";
|
||||
slug = "matrix";
|
||||
protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";
|
||||
|
||||
};
|
||||
};
|
||||
authentik_outpost_provider_attachment =
|
||||
@@ -51,17 +56,56 @@ in
|
||||
) cfg
|
||||
)
|
||||
// {
|
||||
home_assistant = {
|
||||
outpost = "\${data.authentik_outpost.embedded.id}";
|
||||
protocol_provider = "\${authentik_provider_oauth2.home_assistant.id}";
|
||||
};
|
||||
matrix = {
|
||||
outpost = "\${data.authentik_outpost.embedded.id}";
|
||||
protocol_provider = "\${authentik_provider_oauth2.matrix.id}";
|
||||
};
|
||||
};
|
||||
|
||||
authentik_provider_oauth2.matrix = {
|
||||
name = "matrix";
|
||||
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
|
||||
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
|
||||
client_id = sec.oidc_client_id;
|
||||
client_secret = sec.oidc_client_secret;
|
||||
authentik_provider_oauth2 = {
|
||||
home_assistant = {
|
||||
name = "home_assistant";
|
||||
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
|
||||
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
|
||||
client_id = hass.oidc_client_id;
|
||||
client_secret = hass.oidc_client_secret;
|
||||
|
||||
property_mappings = [
|
||||
"\${data.authentik_property_mapping_provider_scope.proxy_outpost.id}"
|
||||
"\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
|
||||
"\${data.authentik_property_mapping_provider_scope.openid_email.id}"
|
||||
"\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
|
||||
"\${data.authentik_property_mapping_provider_scope.app_entitlement.id}"
|
||||
"\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
|
||||
"\${data.authentik_property_mapping_provider_scope.authentik_api.id}"
|
||||
];
|
||||
|
||||
signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
|
||||
|
||||
allowed_redirect_uris = [
|
||||
{
|
||||
matching_mode = "strict";
|
||||
url = "https://homeassistant.plg.m0rel.eu/auth/oidc/callback";
|
||||
}
|
||||
];
|
||||
};
|
||||
matrix = {
|
||||
name = "matrix";
|
||||
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
|
||||
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
|
||||
client_id = matrix.oidc_client_id;
|
||||
client_secret = matrix.oidc_client_secret;
|
||||
|
||||
allowed_redirect_uris = [
|
||||
{
|
||||
matching_mode = "strict";
|
||||
url = "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback";
|
||||
}
|
||||
];
|
||||
};
|
||||
};
|
||||
}
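Review bot: The `property_mappings` list on the new `authentik_provider_oauth2.home_assistant` provider (the `proxy_outpost`, `app_entitlement` and `authentik_api` entries) grants a plain OIDC login client more than it needs: by the data-source names declared in the other hunk these are the "Proxy outpost", "Application Entitlements" and "authentik API access" mappings, so tokens issued to Home Assistant would appear to carry API-access scope and anyone holding such a token could act against the authentik API as that user. Drop those three lines and keep `openid_openid`, `openid_email` and `openid_profile` (and `openid_offline_access` only if refresh tokens are actually needed). `client_secret = hass.oidc_client_secret;` interpolates the secret from a `.nix` file straight into the rendered Terraform JSON; if that JSON is produced by a Nix build it ends up world-readable in the store, so consider passing it through a `variable` the way `ak_token` is handled in the other file. The `protocol_provider` references are also inconsistent — `\${resource.authentik_provider_oauth2.…}` in the earlier hunk versus `\${authentik_provider_oauth2.…}` here — and one form should be used throughout. The `) cfg` / `)` lines at the top of the hunk close an expression that begins outside it.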
|
||||
|
||||
@@ -25,6 +25,31 @@
|
||||
variable.ak_url.type = "string";
|
||||
variable.ak_token.type = "string";
|
||||
|
||||
data.authentik_certificate_key_pair.generated = {
|
||||
name = "authentik Self-signed Certificate";
|
||||
};
|
||||
data.authentik_property_mapping_provider_scope.openid_email = {
|
||||
name = "authentik default OAuth Mapping: OpenID 'email'";
|
||||
};
|
||||
data.authentik_property_mapping_provider_scope.openid_offline_access = {
|
||||
name = "authentik default OAuth Mapping: OpenID 'offline_access'";
|
||||
};
|
||||
data.authentik_property_mapping_provider_scope.openid_openid = {
|
||||
name = "authentik default OAuth Mapping: OpenID 'openid'";
|
||||
};
|
||||
data.authentik_property_mapping_provider_scope.openid_profile = {
|
||||
name = "authentik default OAuth Mapping: OpenID 'profile'";
|
||||
};
|
||||
data.authentik_property_mapping_provider_scope.app_entitlement = {
|
||||
name = "authentik default OAuth Mapping: Application Entitlements";
|
||||
};
|
||||
data.authentik_property_mapping_provider_scope.authentik_api = {
|
||||
name = "authentik default OAuth Mapping: authentik API access";
|
||||
};
|
||||
data.authentik_property_mapping_provider_scope.proxy_outpost = {
|
||||
name = "authentik default OAuth Mapping: Proxy outpost";
|
||||
};
|
||||
|
||||
provider.proxmox = {
|
||||
pm_api_url = "\${var.pm_api_url}";
|
||||
pm_api_token_id = "\${var.pm_api_token_id}";
|
||||
|
||||