feat: add Authentik config for HA OAuth
Symlink
+1
@@ -0,0 +1 @@
|
|||||||
|
/home/xmorel/homelab-private/_ha_secrets.nix
|
||||||
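Review bot: The new symlink resolves to an absolute path, `/home/xmorel/homelab-private/_ha_secrets.nix`, so the `hass = import ../config/_ha_secrets.nix;` added in the second file only evaluates on a machine where that home directory and private checkout exist; any other host fails at evaluation rather than at apply. It also means the OIDC client secret read via `hass.oidc_client_secret` becomes part of the evaluated Nix expression: if this configuration is ever built into the Nix store, the rendered Terraform JSON with the secret inside is world-readable there, and the secret sits in the Terraform state in any case. A safer pattern is to keep the secret out of evaluation and pass it at apply time as a Terraform variable declared with `sensitive = true`, next to the existing `variable.ak_token` in the third file, and reference it from the provider block instead of importing the secrets file. At minimum a comment on the import line noting that it must point at a file outside the repository, and why, would help the next reader.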
@@ -6,7 +6,8 @@
|
|||||||
}:
|
}:
|
||||||
let
|
let
|
||||||
cfg = config.my-lxc;
|
cfg = config.my-lxc;
|
||||||
sec = import ../config/_matrix_secrets.nix;
|
matrix = import ../config/_matrix_secrets.nix;
|
||||||
|
hass = import ../config/_ha_secrets.nix;
|
||||||
in
|
in
|
||||||
{
|
{
|
||||||
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
|
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
|
||||||
@@ -33,11 +34,15 @@ in
|
|||||||
) cfg
|
) cfg
|
||||||
)
|
)
|
||||||
// {
|
// {
|
||||||
|
home_assistant = {
|
||||||
|
name = "home_assistant";
|
||||||
|
slug = "home_assistant";
|
||||||
|
protocol_provider = "\${resource.authentik_provider_oauth2.home_assistant.id}";
|
||||||
|
};
|
||||||
matrix = {
|
matrix = {
|
||||||
name = "matrix";
|
name = "matrix";
|
||||||
slug = "matrix";
|
slug = "matrix";
|
||||||
protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";
|
protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";
|
||||||
|
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
authentik_outpost_provider_attachment =
|
authentik_outpost_provider_attachment =
|
||||||
@@ -51,17 +56,56 @@ in
|
|||||||
) cfg
|
) cfg
|
||||||
)
|
)
|
||||||
// {
|
// {
|
||||||
|
home_assistant = {
|
||||||
|
outpost = "\${data.authentik_outpost.embedded.id}";
|
||||||
|
protocol_provider = "\${authentik_provider_oauth2.home_assistant.id}";
|
||||||
|
};
|
||||||
matrix = {
|
matrix = {
|
||||||
outpost = "\${data.authentik_outpost.embedded.id}";
|
outpost = "\${data.authentik_outpost.embedded.id}";
|
||||||
protocol_provider = "\${authentik_provider_oauth2.matrix.id}";
|
protocol_provider = "\${authentik_provider_oauth2.matrix.id}";
|
||||||
};
|
};
|
||||||
};
|
};
|
||||||
|
|
||||||
authentik_provider_oauth2.matrix = {
|
authentik_provider_oauth2 = {
|
||||||
|
home_assistant = {
|
||||||
|
name = "home_assistant";
|
||||||
|
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
|
||||||
|
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
|
||||||
|
client_id = hass.oidc_client_id;
|
||||||
|
client_secret = hass.oidc_client_secret;
|
||||||
|
|
||||||
|
property_mappings = [
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.proxy_outpost.id}"
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.openid_email.id}"
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.app_entitlement.id}"
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
|
||||||
|
"\${data.authentik_property_mapping_provider_scope.authentik_api.id}"
|
||||||
|
];
|
||||||
|
|
||||||
|
signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
|
||||||
|
|
||||||
|
allowed_redirect_uris = [
|
||||||
|
{
|
||||||
|
matching_mode = "strict";
|
||||||
|
url = "https://homeassistant.plg.m0rel.eu/auth/oidc/callback";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
|
matrix = {
|
||||||
name = "matrix";
|
name = "matrix";
|
||||||
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
|
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
|
||||||
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
|
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
|
||||||
client_id = sec.oidc_client_id;
|
client_id = matrix.oidc_client_id;
|
||||||
client_secret = sec.oidc_client_secret;
|
client_secret = matrix.oidc_client_secret;
|
||||||
|
|
||||||
|
allowed_redirect_uris = [
|
||||||
|
{
|
||||||
|
matching_mode = "strict";
|
||||||
|
url = "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback";
|
||||||
|
}
|
||||||
|
];
|
||||||
|
};
|
||||||
};
|
};
|
||||||
}
|
}
|
||||||
|
|||||||
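Review bot: The new `home_assistant` OAuth2 provider attaches seven scope mappings in `property_mappings`, including `authentik_api`, `proxy_outpost` and `app_entitlement`, which the data sources added in the third file name as "authentik API access", "Proxy outpost" and "Application Entitlements"; an OIDC login for Home Assistant only needs `openid`, `email` and `profile`, so the tokens this provider issues carry more authority than the client can use, and the existing `matrix` provider directly below attaches no mappings at all. Trim the list to `openid_openid`, `openid_email` and `openid_profile` (keep `openid_offline_access` only if refresh tokens are actually wanted), drop the four `data.authentik_property_mapping_provider_scope` lookups in the third file that then go unused, or add a comment stating why Home Assistant needs API and outpost access. `signing_key` is likewise set only on the new provider and not on `matrix`; a one-line comment saying whether that asymmetry is intended would save the next reader the comparison. The `allowed_redirect_uris` entries with `matching_mode = "strict"` are the right choice and worth keeping as-is.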
@@ -25,6 +25,31 @@
|
|||||||
variable.ak_url.type = "string";
|
variable.ak_url.type = "string";
|
||||||
variable.ak_token.type = "string";
|
variable.ak_token.type = "string";
|
||||||
|
|
||||||
|
data.authentik_certificate_key_pair.generated = {
|
||||||
|
name = "authentik Self-signed Certificate";
|
||||||
|
};
|
||||||
|
data.authentik_property_mapping_provider_scope.openid_email = {
|
||||||
|
name = "authentik default OAuth Mapping: OpenID 'email'";
|
||||||
|
};
|
||||||
|
data.authentik_property_mapping_provider_scope.openid_offline_access = {
|
||||||
|
name = "authentik default OAuth Mapping: OpenID 'offline_access'";
|
||||||
|
};
|
||||||
|
data.authentik_property_mapping_provider_scope.openid_openid = {
|
||||||
|
name = "authentik default OAuth Mapping: OpenID 'openid'";
|
||||||
|
};
|
||||||
|
data.authentik_property_mapping_provider_scope.openid_profile = {
|
||||||
|
name = "authentik default OAuth Mapping: OpenID 'profile'";
|
||||||
|
};
|
||||||
|
data.authentik_property_mapping_provider_scope.app_entitlement = {
|
||||||
|
name = "authentik default OAuth Mapping: Application Entitlements";
|
||||||
|
};
|
||||||
|
data.authentik_property_mapping_provider_scope.authentik_api = {
|
||||||
|
name = "authentik default OAuth Mapping: authentik API access";
|
||||||
|
};
|
||||||
|
data.authentik_property_mapping_provider_scope.proxy_outpost = {
|
||||||
|
name = "authentik default OAuth Mapping: Proxy outpost";
|
||||||
|
};
|
||||||
|
|
||||||
provider.proxmox = {
|
provider.proxmox = {
|
||||||
pm_api_url = "\${var.pm_api_url}";
|
pm_api_url = "\${var.pm_api_url}";
|
||||||
pm_api_token_id = "\${var.pm_api_token_id}";
|
pm_api_token_id = "\${var.pm_api_token_id}";
|
||||||
|
|||||||