feat: add Authentik config for HA OAuth

This commit is contained in:
Xavier Morel
2026-05-28 18:26:41 +02:00
parent 65765357cc
commit 0ec109e39f
3 changed files with 78 additions and 8 deletions
+1
@@ -0,0 +1 @@
/home/xmorel/homelab-private/_ha_secrets.nix
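Review bot: The new one-line file is a symlink whose target is the absolute path `/home/xmorel/homelab-private/_ha_secrets.nix`, so the `import ../config/_ha_secrets.nix` added in the next file only resolves on a machine where the private checkout sits at exactly that location. This mirrors how `_matrix_secrets.nix` is already wired, so it is consistent with the repo, but the failure mode is a dangling link that surfaces only at evaluation time; if the config is consumed as a flake, the copy into the store will presumably not follow a link outside the tree at all, which is worth confirming. A short comment next to the import, `# symlink into the private repo; must exist on the evaluating host`, would make the dependency visible.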
+49 -5
@@ -6,7 +6,8 @@
}: }:
let let
cfg = config.my-lxc; cfg = config.my-lxc;
sec = import ../config/_matrix_secrets.nix; matrix = import ../config/_matrix_secrets.nix;
hass = import ../config/_ha_secrets.nix;
in in
{ {
authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) ( authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
@@ -33,11 +34,15 @@ in
) cfg ) cfg
) )
// { // {
home_assistant = {
name = "home_assistant";
slug = "home_assistant";
protocol_provider = "\${resource.authentik_provider_oauth2.home_assistant.id}";
};
matrix = { matrix = {
name = "matrix"; name = "matrix";
slug = "matrix"; slug = "matrix";
protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}"; protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";
}; };
}; };
authentik_outpost_provider_attachment = authentik_outpost_provider_attachment =
@@ -51,17 +56,56 @@ in
) cfg ) cfg
) )
// { // {
home_assistant = {
outpost = "\${data.authentik_outpost.embedded.id}";
protocol_provider = "\${authentik_provider_oauth2.home_assistant.id}";
};
matrix = { matrix = {
outpost = "\${data.authentik_outpost.embedded.id}"; outpost = "\${data.authentik_outpost.embedded.id}";
protocol_provider = "\${authentik_provider_oauth2.matrix.id}"; protocol_provider = "\${authentik_provider_oauth2.matrix.id}";
}; };
}; };
authentik_provider_oauth2.matrix = { authentik_provider_oauth2 = {
home_assistant = {
name = "home_assistant";
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
client_id = hass.oidc_client_id;
client_secret = hass.oidc_client_secret;
property_mappings = [
"\${data.authentik_property_mapping_provider_scope.proxy_outpost.id}"
"\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
"\${data.authentik_property_mapping_provider_scope.openid_email.id}"
"\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
"\${data.authentik_property_mapping_provider_scope.app_entitlement.id}"
"\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
"\${data.authentik_property_mapping_provider_scope.authentik_api.id}"
];
signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
allowed_redirect_uris = [
{
matching_mode = "strict";
url = "https://homeassistant.plg.m0rel.eu/auth/oidc/callback";
}
];
};
matrix = {
name = "matrix"; name = "matrix";
authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}"; authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}"; invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
client_id = sec.oidc_client_id; client_id = matrix.oidc_client_id;
client_secret = sec.oidc_client_secret; client_secret = matrix.oidc_client_secret;
allowed_redirect_uris = [
{
matching_mode = "strict";
url = "https://matrix.plg.m0rel.eu/_synapse/client/oidc/callback";
}
];
};
}; };
} }
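Review bot: The `property_mappings` list on the new `home_assistant` OAuth2 provider grants the Home Assistant client the scopes backed by the `proxy_outpost`, `app_entitlement` and `authentik_api` mappings on top of the standard OpenID ones, and the `authentik_api` mapping is named "authentik API access" in the data sources this commit adds; a token issued to this client can therefore presumably be used against the authentik API itself, which a login-only integration does not need. For an OIDC sign-in client the list should be trimmed to `openid_openid`, `openid_email`, `openid_profile` and, if refresh tokens are wanted, `openid_offline_access`, so that a compromise of Home Assistant or its client secret does not also yield API-scoped tokens. The restructured `matrix` provider in the same hunk has neither `property_mappings` nor `signing_key`, so the two providers now differ in both token signing and scope set; if the explicit `signing_key = "\${data.authentik_certificate_key_pair.generated.id}"` was intended for both, add it to `matrix` as well, otherwise a one-line comment on the `home_assistant` entry explaining why only it is pinned to the generated key pair would help.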
+25
@@ -25,6 +25,31 @@
variable.ak_url.type = "string"; variable.ak_url.type = "string";
variable.ak_token.type = "string"; variable.ak_token.type = "string";
data.authentik_certificate_key_pair.generated = {
name = "authentik Self-signed Certificate";
};
data.authentik_property_mapping_provider_scope.openid_email = {
name = "authentik default OAuth Mapping: OpenID 'email'";
};
data.authentik_property_mapping_provider_scope.openid_offline_access = {
name = "authentik default OAuth Mapping: OpenID 'offline_access'";
};
data.authentik_property_mapping_provider_scope.openid_openid = {
name = "authentik default OAuth Mapping: OpenID 'openid'";
};
data.authentik_property_mapping_provider_scope.openid_profile = {
name = "authentik default OAuth Mapping: OpenID 'profile'";
};
data.authentik_property_mapping_provider_scope.app_entitlement = {
name = "authentik default OAuth Mapping: Application Entitlements";
};
data.authentik_property_mapping_provider_scope.authentik_api = {
name = "authentik default OAuth Mapping: authentik API access";
};
data.authentik_property_mapping_provider_scope.proxy_outpost = {
name = "authentik default OAuth Mapping: Proxy outpost";
};
provider.proxmox = { provider.proxmox = {
pm_api_url = "\${var.pm_api_url}"; pm_api_url = "\${var.pm_api_url}";
pm_api_token_id = "\${var.pm_api_token_id}"; pm_api_token_id = "\${var.pm_api_token_id}";