diff --git a/config/_vw_secrets.nix b/config/_vw_secrets.nix
new file mode 120000
index 0000000..5e4fc25
--- /dev/null
+++ b/config/_vw_secrets.nix
@@ -0,0 +1 @@
+/home/xmorel/homelab-private/_vw_secrets.nix
\ No newline at end of file
diff --git a/config/vault-vaultwarden.nix b/config/vault-vaultwarden.nix
index 0aeae24..ee300e7 100644
--- a/config/vault-vaultwarden.nix
+++ b/config/vault-vaultwarden.nix
@@ -9,6 +9,8 @@ let
 hostname = tools.build_hostname container;
 db_host = tools.build_ip "db";
 db_password = config.my-lxc.vault.db.password;
+ oidc = import ./_vw_secrets.nix;
+ auth_host = tools.build_hostname "auth";
 in
 {
 services.vaultwarden = {
@@ -23,6 +25,17 @@ in
 WEB_VAULT_ENABLED = true;
 INVITATIONS_ENABLED = true;
 ORG_CREATION_USERS = config.globals.master.email;
+
+ SSO_ENABLED = true;
+ SSO_AUTH_ONLY_NOT_SESSION = true;
+ SSO_AUTHORITY = "https://${auth_host}/application/o/vaultwarden/";
+ SSO_CLIENT_ID = oidc.oidc_client_id;
+ SSO_CLIENT_SECRET = oidc.oidc_secret_id;
+ SSO_SCOPES = "openid profile email offline_access";
+ SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = false;
+ SSO_CLIENT_CACHE_EXPIRATION = 0;
+ SSO_ONLY = false; # Set to true to disable email and master password login and require SSO
+ SSO_SIGNUPS_MATCH_EMAIL = true; # Match first SSO login to an existing account by email
 };
 dbBackend = "postgresql";
 };
diff --git a/modules/containers-terraform-authentik.nix b/modules/containers-terraform-authentik.nix
index 3e3359b..80adaae 100644
--- a/modules/containers-terraform-authentik.nix
+++ b/modules/containers-terraform-authentik.nix
@@ -8,6 +8,7 @@ let
 cfg = config.my-lxc;
 matrix = import ../config/_matrix_secrets.nix;
 hass = import ../config/_ha_secrets.nix;
+ vw = import ../config/_vw_secrets.nix;
 in
 {
 authentik_provider_proxy = lib.filterAttrs (_: v: v != { }) (
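Review bot: The new `config/_vw_secrets.nix` is a symlink to `/home/xmorel/homelab-private/_vw_secrets.nix`, an absolute path into one user's home directory, so `import ./_vw_secrets.nix` in `config/vault-vaultwarden.nix` only evaluates on that machine and fails with a missing-file error on any other checkout or CI runner. The diff suggests `_matrix_secrets.nix` and `_ha_secrets.nix` follow the same pattern, so this is consistent rather than new, but a repo-relative path or a module option naming the secrets file would make the machine dependency explicit instead of hidden in a symlink target.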
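Review bot: `SSO_CLIENT_SECRET = oidc.oidc_secret_id;` puts the OIDC client secret into `services.vaultwarden.config`, and as far as I recall the upstream NixOS vaultwarden module renders that attribute set into an environment file in the Nix store, which is world-readable on the host; the module's `environmentFile` option is the documented place for values like this. The secret enters evaluation through `oidc = import ./_vw_secrets.nix;` in the hunk above, so the private-repo import alone does not keep it out of the store. Keeping the non-secret `SSO_*` settings here and supplying `SSO_CLIENT_SECRET=...` via `services.vaultwarden.environmentFile` (a root-only file on the target) would close that gap; the pre-existing `db_password` line has the same exposure but is not part of this change. The enclosing `services.vaultwarden.config` block starts outside the hunk.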
@@ -44,7 +45,13 @@ in
 slug = "matrix";
 protocol_provider = "\${resource.authentik_provider_oauth2.matrix.id}";
 };
+ vaultwarden = {
+ name = "vaultwarden";
+ slug = "vaultwarden";
+ protocol_provider = "\${resource.authentik_provider_oauth2.vaultwarden.id}";
+ };
 };
+
 authentik_outpost_provider_attachment = lib.filterAttrs (_: v: v != { }) (
 lib.mapAttrs (
@@ -64,8 +71,25 @@ in
 outpost = "\${data.authentik_outpost.embedded.id}";
 protocol_provider = "\${authentik_provider_oauth2.matrix.id}";
 };
+ vaultwarden = {
+ outpost = "\${data.authentik_outpost.embedded.id}";
+ protocol_provider = "\${authentik_provider_oauth2.vaultwarden.id}";
+ };
 };
+ authentik_property_mapping_provider_scope = {
+ vaultwarden_email = {
+ name = "vaultwarden_email";
+ scope_name = "email";
+ expression = ''
+ return {
+ "email": request.user.email,
+ "email_verified": True
+ }
+ '';
+ };
+ };
+
 authentik_provider_oauth2 = {
 home_assistant = {
 name = "home_assistant";
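Review bot: The `vaultwarden_email` scope mapping returns `"email_verified": True` unconditionally, so the claim no longer says anything about whether Authentik verified `request.user.email`; combined with `SSO_SIGNUPS_MATCH_EMAIL = true` and `SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = false` in `config/vault-vaultwarden.nix`, Vaultwarden will treat every address as verified and link a first SSO login to an existing account carrying the same email. That holds up only while admins are the only ones who can set or change a user's email in Authentik; if self-service email edits are enabled, the verification check on the Vaultwarden side is effectively disabled. Recording the assumption next to the mapping, e.g. `# email_verified is hard-coded: relies on Authentik admins being the only ones able to set user emails`, would keep that visible to whoever enables self-service later. Note also that the user `lily` added further down in this diff has no `email`, so this mapping presumably emits an empty address for that account and the Vaultwarden login would likely be rejected. The hunk sits inside an attribute set that opens outside it.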
@@ -107,5 +131,69 @@ in
 }
 ];
 };
+ vaultwarden = {
+ name = "vaultwarden";
+ authorization_flow = "\${data.authentik_flow.default-authorization-flow.id}";
+ invalidation_flow = "\${data.authentik_flow.default-invalidation-flow.id}";
+ client_id = vw.oidc_client_id;
+ client_secret = vw.oidc_secret_id;
+
+ property_mappings = [
+ "\${data.authentik_property_mapping_provider_scope.openid_openid.id}"
+ "\${data.authentik_property_mapping_provider_scope.openid_profile.id}"
+ "\${data.authentik_property_mapping_provider_scope.openid_offline_access.id}"
+ "\${authentik_property_mapping_provider_scope.vaultwarden_email.id}"
+ ];
+
+ signing_key = "\${data.authentik_certificate_key_pair.generated.id}";
+
+ allowed_redirect_uris = [
+ {
+ matching_mode = "strict";
+ url = "https://vault.plg.m0rel.eu/identity/connect/oidc-signin";
+ }
+ ];
+ };
+ };
+
+ authentik_group = {
+ admins = {
+ name = "Admin";
+ is_superuser = true;
+ };
+ users = {
+ name = "Utilisateur";
+ };
+ visitors = {
+ name = "Visiteur";
+ };
+ };
+
+ authentik_user = {
+ yoru = {
+ username = "yoru";
+ name = "Xavier";
+ email = "morelx42@protonmail.com";
+ groups = [
+ "\${authentik_group.admins.id}"
+ "\${authentik_group.users.id}"
+ ];
+ };
+ shauni = {
+ username = "shauni";
+ name = "Laetitia";
+ email = "laetitia.laversin@gmail.com";
+ groups = [
+ "\${authentik_group.admins.id}"
+ "\${authentik_group.users.id}"
+ ];
+ };
+ lily = {
+ username = "lily";
+ name = "Lily";
+ groups = [
+ "\${authentik_group.users.id}"
+ ];
+ };
 };
 }
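Review bot: `allowed_redirect_uris` hard-codes `https://vault.plg.m0rel.eu/identity/connect/oidc-signin` while the Vaultwarden side derives its hostnames through `tools.build_hostname` in `config/vault-vaultwarden.nix`, so a container or domain rename updates one side only and Authentik then rejects the callback under `matching_mode = "strict"`. If `tools` is reachable from this module, building the URL from the same helper keeps the two in step; otherwise a comment such as `# must match the vaultwarden hostname built in config/vault-vaultwarden.nix` marks the coupling. `client_secret = vw.oidc_secret_id;` also lands in the Terraform state and in whatever file this module renders for Terraform, so the state backend and that render path need the same protection as the secrets file itself. The enclosing `authentik_provider_oauth2` set starts outside the hunk.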