feat: add Authentik config for vaultwarden OAuth
Gitea Actions Demo / Explore-Gitea-Actions (push) Successful in 3s
Gitea Actions Demo / Explore-Gitea-Actions (push) Successful in 3s
This commit is contained in:
@@ -9,6 +9,8 @@ let
|
||||
hostname = tools.build_hostname container;
|
||||
db_host = tools.build_ip "db";
|
||||
db_password = config.my-lxc.vault.db.password;
|
||||
oidc = import ./_vw_secrets.nix;
|
||||
auth_host = tools.build_hostname "auth";
|
||||
in
|
||||
{
|
||||
services.vaultwarden = {
|
||||
@@ -23,6 +25,17 @@ in
|
||||
WEB_VAULT_ENABLED = true;
|
||||
INVITATIONS_ENABLED = true;
|
||||
ORG_CREATION_USERS = config.globals.master.email;
|
||||
|
||||
SSO_ENABLED = true;
|
||||
SSO_AUTH_ONLY_NOT_SESSION = true;
|
||||
SSO_AUTHORITY = "https://${auth_host}/application/o/vaultwarden/";
|
||||
SSO_CLIENT_ID = oidc.oidc_client_id;
|
||||
SSO_CLIENT_SECRET = oidc.oidc_secret_id;
|
||||
SSO_SCOPES = "openid profile email offline_access";
|
||||
SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION = false;
|
||||
SSO_CLIENT_CACHE_EXPIRATION = 0;
|
||||
SSO_ONLY = false; # Set to true to disable email and master password login and require SSO
|
||||
SSO_SIGNUPS_MATCH_EMAIL = true; # Match first SSO login to an existing account by email
|
||||
};
|
||||
dbBackend = "postgresql";
|
||||
};
|
||||
|
||||
Reference in New Issue
Block a user